
[BUG] PatchMgmt - Maintenance Window Rollout via SRA aborts #288

Open
janahockenberger opened this issue Feb 21, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@janahockenberger

Describe the bug

Deployment of Maintenance Windows aborts.

When the deployment of PatchMgmt is enabled, the rollout of the Maintenance Windows in the Custom Lambda Resource fails at one point. One of the maintenance windows fails to get created and when trying to register the task to it, the maintenance window can't be found. In the CloudTrail Logs the CreateMaintenanceWindow returns a mw-id but the creation is not being executed.

```
An error occurred (DoesNotExistException) when calling the RegisterTaskWithMaintenanceWindow operation: Maintenance window mw-xxxxxxxx does not exist
```

Underneath you can find the corresponding CloudTrail logs we got:

```json
{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxx:sra-patch-mgmt-lambda",
    "arn": "arn:aws:sts::xxxxxxxxxxxxx:assumed-role/sra-patch-mgmt-configuration/sra-patch-mgmt-lambda",
    "accountId": "xxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "arn": "arn:aws:iam::xxxxxxxxxxxxx:role/sra-patch-mgmt-configuration",
        "accountId": "xxxxxxxxxxxxx",
        "userName": "sra-patch-mgmt-configuration"
      },
      "attributes": {
        "creationDate": "2025-02-13T08:22:46Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2025-02-13T08:22:47Z",
  "eventSource": "ssm.amazonaws.com",
  "eventName": "CreateMaintenanceWindow",
  "awsRegion": "eu-central-1",
  "userAgent": "xxxxxxxxxxxxx",
  "requestParameters": {
    "name": "sra_ssm_agent_update",
    "description": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schedule": "cron(0 0 1 ? * THU *)",
    "scheduleTimezone": "America/New_York",
    "duration": 6,
    "cutoff": 1,
    "allowUnassociatedTargets": false,
    "tags": [
      {
        "key": "createdBy",
        "value": "SRA_Patch_Management"
      }
    ]
  },
  "responseElements": {
    "windowId": "mw-xxxxxxxxxxxxx"
  },
  "requestID": "xxxxxxxxxxxxx",
  "eventID": "xxxxxxxxxxxxx",
  "readOnly": false,
  "resources": [
    {
      "accountId": "xxxxxxxxxxxxx",
      "ARN": "arn:aws:ssm:eu-central-1:xxxxxxxxxxxxx:maintenancewindow/mw-xxxxxxxxxxxxx"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "280102879678",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "ssm.eu-central-1.amazonaws.com"
  }
}
```

And then Delete:

```json
{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxx:sra-patch-mgmt-cleanup",
    "arn": "arn:aws:sts::xxxxxxxxxxxxx:assumed-role/sra-patch-mgmt-configuration/sra-patch-mgmt-cleanup",
    "accountId": "xxxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxxxxx:role/sra-patch-mgmt-configuration",
        "accountId": "xxxxxxxxxxxxx",
        "userName": "sra-patch-mgmt-configuration"
      },
      "attributes": {
        "creationDate": "2025-02-13T08:22:54Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2025-02-13T08:22:55Z",
  "eventSource": "ssm.amazonaws.com",
  "eventName": "DeleteMaintenanceWindow",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "xxxxxxxxxxxxx",
  "userAgent": "xxxxxxxxxxxxx",
  "requestParameters": {
    "windowId": "mw-xxxxxxxxxxxxx"
  },
  "responseElements": {
    "windowId": "mw-xxxxxxxxxxxxx"
  },
  "requestID": "xxxxxxxxxxxxx",
  "eventID": "xxxxxxxxxxxxx",
  "readOnly": false,
  "resources": [
    {
      "accountId": "xxxxxxxxxxxxx",
      "ARN": "arn:aws:ssm:eu-central-1:xxxxxxxxxxxxx:maintenancewindow/mw-xxxxxxxxxxxxx"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxxxxxxx",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "ssm.eu-central-1.amazonaws.com"
  }
}
```

There are no quota limits which are reached. The deployment worked fine in our test environment but failed in our prod environment.
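The two CloudTrail events above show the pattern that produces the DoesNotExistException: the window is created by the `sra-patch-mgmt-lambda` session and deleted eight seconds later by the `sra-patch-mgmt-cleanup` session, before the task is registered. The script below is an added example (not part of this issue or of the SRA project) that correlates such events from a CloudTrail export to surface "created then deleted within seconds" windows and failed calls that reference an already-deleted window. The sample events are constructed from the ones quoted above with placeholder ids; the failed RegisterTaskWithMaintenanceWindow event is assumed to carry CloudTrail's standard `errorCode`/`errorMessage` fields.

```python
"""Correlate SSM maintenance-window lifecycle events from a CloudTrail export.

Added example; event shapes follow the records quoted in the issue.
"""
from datetime import datetime

# Constructed sample events, trimmed to the fields this script uses.
# Ids and the session-name prefix "AROAEXAMPLE" are placeholders.
SAMPLE_EVENTS = [
    {
        "eventTime": "2025-02-13T08:22:47Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "CreateMaintenanceWindow",
        "userIdentity": {"principalId": "AROAEXAMPLE:sra-patch-mgmt-lambda"},
        "requestParameters": {"name": "sra_ssm_agent_update"},
        "responseElements": {"windowId": "mw-0123456789abcdef0"},
    },
    {
        "eventTime": "2025-02-13T08:22:55Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "DeleteMaintenanceWindow",
        "userIdentity": {"principalId": "AROAEXAMPLE:sra-patch-mgmt-cleanup"},
        "requestParameters": {"windowId": "mw-0123456789abcdef0"},
        "responseElements": {"windowId": "mw-0123456789abcdef0"},
    },
    {   # constructed failure record; errorCode/errorMessage layout is assumed
        "eventTime": "2025-02-13T08:23:01Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "RegisterTaskWithMaintenanceWindow",
        "userIdentity": {"principalId": "AROAEXAMPLE:sra-patch-mgmt-lambda"},
        "requestParameters": {"windowId": "mw-0123456789abcdef0"},
        "errorCode": "DoesNotExistException",
        "errorMessage": "Maintenance window mw-0123456789abcdef0 does not exist",
    },
    {   # a window that is created and never deleted: must not be flagged
        "eventTime": "2025-02-13T08:22:40Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "CreateMaintenanceWindow",
        "userIdentity": {"principalId": "AROAEXAMPLE:sra-patch-mgmt-lambda"},
        "requestParameters": {"name": "example_other_window"},
        "responseElements": {"windowId": "mw-0fedcba9876543210"},
    },
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _window_id(event):
    # Create returns the id in responseElements; Delete and RegisterTask send it
    # in requestParameters. Check both so one helper serves every event type.
    for section in ("responseElements", "requestParameters"):
        wid = (event.get(section) or {}).get("windowId")
        if wid:
            return wid
    return None


def _session_name(event):
    # For assumed roles principalId is "<role-id>:<session-name>".
    return event["userIdentity"]["principalId"].rsplit(":", 1)[-1]


def find_premature_deletes(events, max_gap_seconds=300):
    """Windows deleted within max_gap_seconds of their creation, with who did each."""
    created = {}
    findings = []
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        wid = _window_id(ev)
        if ev["eventName"] == "CreateMaintenanceWindow" and wid:
            created[wid] = ev
        elif ev["eventName"] == "DeleteMaintenanceWindow" and wid in created:
            gap = (_ts(ev) - _ts(created[wid])).total_seconds()
            if gap <= max_gap_seconds:
                findings.append({
                    "windowId": wid,
                    "name": created[wid].get("requestParameters", {}).get("name"),
                    "created_by": _session_name(created[wid]),
                    "deleted_by": _session_name(ev),
                    "gap_seconds": gap,
                })
    return findings


def find_calls_on_deleted_windows(events):
    """Failed SSM calls that reference a window already deleted earlier in the stream."""
    deleted_at = {}
    findings = []
    for ev in sorted(events, key=_ts):
        wid = _window_id(ev)
        if ev["eventName"] == "DeleteMaintenanceWindow" and wid:
            deleted_at[wid] = _ts(ev)
        elif ev.get("errorCode") and wid in deleted_at:
            findings.append({
                "windowId": wid,
                "eventName": ev["eventName"],
                "errorCode": ev["errorCode"],
                "seconds_after_delete": (_ts(ev) - deleted_at[wid]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in find_premature_deletes(SAMPLE_EVENTS):
        print("premature delete:", f)
    for f in find_calls_on_deleted_windows(SAMPLE_EVENTS):
        print("call on deleted window:", f)
```

Run against a real export, replace `SAMPLE_EVENTS` with the `Records` array of the CloudTrail log files; the `created_by`/`deleted_by` pair in each finding tells you which Lambda session removed the window out from under the one still configuring it, which is the first thing to compare between the test and prod deployments.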

@janahockenberger janahockenberger added the bug Something isn't working label Feb 21, 2025
@IevIe
Contributor

IevIe commented Feb 24, 2025

Hi @janahockenberger! To help us better diagnose your deployment error, please provide the following details about your deployment environment and configuration:

1. Deployment Framework
   Please specify which framework you're using:
   - AWS Control Tower Customizations (specify version)
   - Easy Setup
   - Manual
2. Deployment Scope
   - Number of AWS accounts targeted: ___
   - List of AWS regions involved: ___
3. Additional Solutions (if using Easy Setup)
   Are other solutions being deployed simultaneously?
   - No
   - Yes (please list concurrent deployments)

Please provide as much detail as possible for each section to help us better understand your deployment environment and troubleshoot the error effectively.
