
aws-sharr-deploy.template fails to deploy the product catalog resource (Nested CF fails) #24

Closed
cool-raj opened this issue Apr 20, 2021 · 13 comments

Comments

@cool-raj

Below is the error while deploying the aws-sharr-deploy.template from my custom bucket and the code built from the cloned repo.
Error:
Screenshot 2021-04-20 at 12 31 16

@cool-raj
Author

@leavertj, @mobri2a, @hyandell, can you help me fix this issue?

@mobri2a
Contributor

mobri2a commented Apr 20, 2021

Check the logs for the embedded stack that failed (PlaybookServiceCatalog). Why did SHARRCatalogAdminPolicy fail to create?

@mobri2a
Contributor

mobri2a commented Apr 20, 2021

I see from the second issue you opened that it's failing because the service catalog stack can't find the template for the CIS playbook. What buckets are you uploading to? List the contents of the aws-security-hub-automated-response-and-remediation folder for the version you are installing. We need to figure out why the playbook templates are missing.

@cool-raj
Author

@mobri2a, here is the issue:
Invalid templateBody. Please make sure that your template is valid (Service: AWSServiceCatalog; Status Code: 400; Error Code: InvalidParametersException; Request ID: b46b69eb-6e35-42d1-885e-8464a661c7e1; Proxy: null
But I am not sure how to interpret this error, as the nested template is not created by the code.


@cool-raj
Author

cool-raj commented Apr 20, 2021

Hi @mobri2a, thanks for the quick reply. I am still using version 1.1.0. Here is the content of the global bucket:
Screenshot 2021-04-20 at 13 14 59

Because of this issue (CF deployments from custom buckets failed for aws-sharr-deploy.template. #23) the playbook template was not called, so while debugging I found that aws-sharr-deploy.template has the following reference:

```yaml
PlaybookServiceCatalog:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL:
      Fn::Join:
        - ""
        - - https://
          - Fn::FindInMap:
              - SourceCode
              - General
              - S3Bucket
          - -reference.s3.amazonaws.com/
          - Fn::FindInMap:
              - SourceCode
              - General
              - KeyPrefix
          - /aws-sharr-portolio-deploy.template
    Parameters:
      CreateCustomActionArn:
        Fn::GetAtt:
          - CreateCustomActionE7A973F5
          - Arn
  Metadata:
    aws:cdk:path: SolutionDeployStack/PlaybookServiceCatalog
  Condition: UseServiceCatalog
Conditions:
  UseServiceCatalog:
    Fn::Not:
      - Fn::Equals:
          - Ref: AWS::Partition
          - aws-cn
```

As the template referred to in the above code (aws-sharr-portolio-deploy.template) is in the global bucket defined by me, the ARN should not be like (-reference.s3.amazonaws.com/*) but rather (.s3.eu-central-1.amazonaws.com/). Hence I adapted this and aws-sharr-portolio-deploy.template was called. But then I got the current issue.

@mobri2a
Contributor

mobri2a commented Apr 20, 2021

You need 2 buckets: <mybucket>-reference and <mybucket>-<region>. You should not need to make any changes to the templates. Use "build-s3-dist.sh <mybucket> <version>" to create the templates and upload with "upload_s3_dist.sh <region>". If you do choose to use different bucket names then you'll either need to modify the CDK code or the templates that it creates to match your bucket names. Release v1.2.0 came out last week. I recommend that you switch to that version. (it doesn't fix your issue, but gets you on a newer version - above still applies).

@cool-raj
Author

@mobri2a, in that case I will create the -reference bucket and repeat the build and upload process. But I am not sure how this is going to fix my issue. Just to add to the context: I have also checked the playbooks/ folder in my global bucket and I find that the CIS template is uploaded but seems to be 0 bytes. It seems fishy.
Screenshot 2021-04-20 at 13 47 12

@mobri2a
Contributor

mobri2a commented Apr 20, 2021

If it's 0 bytes then your build was not successful. The bucket name is definitely an issue, but your build-s3-dist.sh appears to be failing. Again, recommend using v1.2.0, as you need to rerun build-s3-dist anyway.
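A pre-upload check that encodes the two points made in this thread (added example, not part of the SHARR project's tooling): the nested stack is always fetched from the `<mybucket>-reference` bucket, exactly as the `Fn::Join` in aws-sharr-deploy.template builds the URL, and a 0-byte .template in the build output means build-s3-dist.sh failed and Service Catalog will reject it. The build directory layout, the key prefix format and the required-template list are assumptions, not taken from the project's manifest.

```python
from pathlib import Path

# Templates the thread names as needed for the nested deploy (assumed list).
REQUIRED = ("aws-sharr-deploy.template", "aws-sharr-portolio-deploy.template")


def expected_buckets(bucket: str, region: str) -> dict:
    """Both buckets build-s3-dist.sh targets; renaming either one means
    editing the CDK code or the synthesized templates to match."""
    return {"reference": f"{bucket}-reference", "regional": f"{bucket}-{region}"}


def nested_template_url(bucket: str, key_prefix: str) -> str:
    """Mirror the Fn::Join for PlaybookServiceCatalog.TemplateURL: the
    reference bucket is global (no region in the host), so a regional
    bucket name will never resolve here."""
    return (f"https://{bucket}-reference.s3.amazonaws.com/"
            f"{key_prefix}/aws-sharr-portolio-deploy.template")


def scan_dist(dist_dir: str) -> dict:
    """Map every .template under the build output to its size in bytes."""
    root = Path(dist_dir)
    return {str(p.relative_to(root)): p.stat().st_size
            for p in root.rglob("*.template")}


def preflight(sizes: dict, required=REQUIRED) -> dict:
    """Flag empty and missing templates before anything is uploaded.
    An empty template surfaces later as 'Invalid templateBody' from
    AWSServiceCatalog, which is much harder to trace back to the build."""
    empty = sorted(name for name, size in sizes.items() if size == 0)
    missing = sorted(name for name in required if name not in sizes)
    return {"empty": empty, "missing": missing, "ok": not empty and not missing}


if __name__ == "__main__":
    # Constructed sample mirroring the thread: the CIS playbook came out empty.
    sample = {"aws-sharr-deploy.template": 48211,
              "aws-sharr-portolio-deploy.template": 9120,
              "playbooks/cis.template": 0}  # constructed path, not the project's
    prefix = "aws-security-hub-automated-response-and-remediation/v1.1.0"
    print(expected_buckets("mybucket", "eu-central-1"))
    print(nested_template_url("mybucket", prefix))
    print(preflight(sample))  # -> empty: ['playbooks/cis.template'], ok: False
```

Run `preflight(scan_dist("global-s3-assets"))` (directory name assumed) against a real build to get the same report for the actual output.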

@cool-raj
Author

Hi @mobri2a, I had extended the solution to add Jira ticket creation via a custom action in version 1.1.0. Looking into the latest version, it appears to me that this Jira ticket creation feature is still not available. My goal is to somehow get working with v1.1.0 first and then merge my changes into the latest version.

@mobri2a
Contributor

mobri2a commented Apr 20, 2021

I'm curious about your Jira implementation. I would create a Lambda to handle Jira communications, and subscribe the Lambda to the SHARR SNS topic. Then add a custom action in the core solution (not in a playbook) such that user can select a finding and a "Create Jira Ticket" custom action, independent of remediation.

@cool-raj
Author

@mobri2a, this is exactly what I have done: a custom action --> event --> lambda --> SSM JIRA playbook. Hence my changes produce a new Python lambda playbook and changes in the cis*.ts files.

@mobri2a
Contributor

mobri2a commented Oct 4, 2021

Closing this issue. As a side note, the nested Service Catalog template has been removed in v1.3+.

@mobri2a mobri2a closed this as completed Oct 4, 2021