
Error Deploying Managed AWS Config Rule EFS_ENCRYPTED_CHECK to New Account in OU

Open · jmundia-rackspace opened this issue 3 years ago • 1 comment

Describe the bug

When deploying an AWS Managed Config Rule (EFS_ENCRYPTED_CHECK), with the resource_file set as the standard location for the CFn template (http://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template), there is an error in the CloudformationResource stage of the pipeline related to the deployment of the rule:

Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template".

The URL we are using in the manifest file is accurate; however, in the log, the URL provided is HTTPS and the S3 URL syntax is incorrect in the above error message (s3.com.amazonaws.com).

Another instance of the error message in the Codebuild logs, for reference:

{"time_stamp": "2022-10-19 23:36:05,892","log_level": "ERROR","log_message": Unhandled Exception: Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"

This occurred when a new account was added to the OU that the manifest file targets as a destination for Config Rules.

To Reproduce

Create the CfCT pipeline via the AWS CFn template. Deploy resources to the OU via the manifest file. Add a new account to the OU target named in the manifest file. After the initial phases of the pipeline, manually approve the deployment steps. Observe the pipeline for errors in the CloudformationResource stage.

Expected behavior

The expected behavior is that the new account would receive the CFn resources named in the manifest file, in this case the EFS_ENCRYPTED_CHECK Config Rule.

Please complete the following information about the solution:

  • Version: v2.4.0

  • Region: [e.g. us-east-2]

  • Was the solution modified from the version published on this repository? No

  • If the answer to the previous question was yes, are the changes available on GitHub? N/A

  • Have you checked your service quotas for the services this solution uses? N/A

  • Were there any errors in the CloudWatch Logs? Yes, attached

Screenshots

Manifest file entry for the Rule:


The "create" request for the Config rule from the CodeBuild logs; note that it is using the proper URL here:


Additional context

This rule deployed without issue to the other account in the OU, and the manifest file has stayed consistent since that deployment.

CW Logs: efs-encrypted-check-errors.csv

jmundia-rackspace avatar Oct 20 '22 21:10 jmundia-rackspace

Hi @jmundia-rackspace,

Thanks for reaching out. CFCT expects any S3 HTTPS URLs to be provided in regional format, e.g. http://<bucket-name>.s3.<region>.amazonaws.com/<path>/<object-key>.

For the template you linked, this would be: http://aws-configservice-us-east-1.s3.us-east-1.amazonaws.com/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template.

I was able to deploy this Config Rule in my CFCT test environment using the regional format - please try using the above resource link and kindly let us know if that works.

The documentation does indicate that this format is required; however, I think it could be clearer that this format is required rather than just an example. I've created a backlog item for our team to improve the documentation in this area.

stumins avatar Nov 08 '22 23:11 stumins
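A manifest pre-check in the spirit of stumins's answer, added here as an example and not code from the CfCT project or either poster: it parses the S3 URL forms a `resource_file` entry might carry, rewrites the global path-style URL from the report into the regional virtual-hosted form (emitting https, as the CfCT log above does), and rejects a malformed host such as the `s3.com.amazonaws.com` one in the error. The region used for URLs that do not state one is an assumption the caller supplies.

```python
"""Pre-deployment check for S3 template URLs in a CfCT manifest.

Added example, not part of the CfCT project. The caller supplies the bucket's
region (an assumption) for URLs that do not state one.
"""
import re
from urllib.parse import urlparse

# Host patterns S3 serves; the region group is absent for the global endpoint.
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
_PATH_STYLE = re.compile(rf"^s3(?:[.-](?P<region>{_REGION}))?\.amazonaws\.com$")
_VHOST_STYLE = re.compile(
    rf"^(?P<bucket>[a-z0-9][a-z0-9.-]{{1,61}}[a-z0-9])\.s3"
    rf"(?:[.-](?P<region>{_REGION}))?\.amazonaws\.com$"
)

def parse_s3_url(url):
    """Return (bucket, region or None, key) for any S3 HTTP(S) URL form."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an HTTP(S) URL: {url!r}")
    host, path = parts.netloc.lower(), parts.path.lstrip("/")
    m = _PATH_STYLE.match(host)
    if m:  # http://s3[.region].amazonaws.com/<bucket>/<key>
        bucket, _, key = path.partition("/")
        if not bucket or not key:
            raise ValueError(f"path-style URL lacks bucket or key: {url!r}")
        return bucket, m.group("region"), key
    m = _VHOST_STYLE.match(host)
    if m and path:  # http://<bucket>.s3[.region].amazonaws.com/<key>
        return m.group("bucket"), m.group("region"), path
    raise ValueError(f"not a well-formed S3 endpoint URL: {url!r}")

def to_regional_url(url, default_region):
    """Rewrite any accepted form to https://<bucket>.s3.<region>.amazonaws.com/<key>."""
    bucket, region, key = parse_s3_url(url)
    return f"https://{bucket}.s3.{region or default_region}.amazonaws.com/{key}"

def is_regional_url(url):
    """True only when the URL is already in the form CfCT expects."""
    try:
        bucket, region, key = parse_s3_url(url)
    except ValueError:
        return False
    return region is not None and url == to_regional_url(url, region)

if __name__ == "__main__":
    # Constructed input: the global path-style URL from the bug report.
    reported = ("http://s3.amazonaws.com/aws-configservice-us-east-1/"
                "cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template")
    print(to_regional_url(reported, "us-east-1"))
```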