Skip to content

'CREATE_FAILED' on 'SecurityHub_to_AWSChatBot.yml' during creations after the 2nd time on another regions #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
o2346 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

'CREATE_FAILED' on 'SecurityHub_to_AWSChatBot.yml' during creations after the 2nd time on another regions #11

o2346 wants to merge 1 commit into from

Conversation

@o2346
Copy link

@o2346 o2346 commented Jul 2, 2020
edited
Loading

Issue #, if available:

Description of changes:

CREATE_FAILED have been observed with Events like shown below

2020-07-02 13:56:12 UTC+0900 SecurityHubToAWSChatBot ROLLBACK_IN_PROGRESS The following resource(s) failed to create: [EventRuleCustomAction, SlackChannelConfig, LambdaIAMPolicy]. . Rollback requested by user.
2020-07-02 13:56:11 UTC+0900 LambdaIAMPolicy CREATE_FAILED Resource creation cancelled
2020-07-02 13:56:11 UTC+0900 EventRuleCustomAction CREATE_FAILED Resource creation cancelled
2020-07-02 13:56:11 UTC+0900 SlackChannelConfig CREATE_FAILED Invalid request provided: The chat configuration with the name securityhubnotification already exists. Retry with a unique configuration name. (Service: AWSChatbot; Status Code: 400; Error Code: InvalidParameterException; Request ID: f6aXXXXX-XXXX-XXXX-XXXXXXXXXXXXXXXXX; Proxy: null)

It does not happen when a region was the first one(assuming us-east-1 here) on a AWS accunt.
Thereafter failure then happens on further creations on another regions such as us-east-2 or whatever else.
In my understanding, since AWS Chatbot is a global service, 'SlackChannelConfig' would also not be dedicated for a particular region neither cannot be defined idempotently on CloudFormation. It simply disallows duplication. Therefore in order to deploy among multiple regions, an option should be present NOT to attempt to duplicate 'SlackChannelConfig' needlessly.

With this pr, user would unfortunately have to work additional steps as follows(if he wanted create-stack after the 2nd regions):

  1. provide explicit false as a parameter of Cloudformation stack, to supress 'SlackChannelConfig'
  2. After CREATE_COMPLETE, Go to AWS Chatbot console > Configured clients > Slack workspace: YOURWORKSPACE > securityhubnotification
  3. On securityhubnotification, press Edit button on top-right
  4. Navigate to bottom of the page, press 'Add another Region', Choose appropreate Region and SNS Topic which supposed to appear

Then finally user would be able to obtain cross-region findings automatically on his slack channel.
I know this is not very smart but this is the best I could come up with for now.
If there was more reasonable way, I would like it.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@o2346 o2346 marked this pull request as ready for review July 2, 2020 11:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@o2346