Issue #, if available:

Description of changes: Deploys the solution into a workload account instead of the organizations master account, and uses a least-privilege cross-account role as per AWS best practice.

Also adds AWS account name to alerts not just account ID.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

In the case of noisy alerts, looking for a way to reduce the noise by excluding some event types from generating alerts (e.g. AWS_VPN_SINGLE_TUNNEL_NOTIFICATION,AWS_VPN_REDUNDANCY_LOSS).

Forked the repo and added an attempt at: https://github.com/benrobinsonsonos/aws-health-aware/blob/b60138a73b8ba3dea2695eafa503b140324c190a/handler.py#L48 https://github.com/benrobinsonsonos/aws-health-aware/blob/b60138a73b8ba3dea2695eafa503b140324c190a/handler.py#L120

@jordanaroth @gmridula Lambda function is throwing a throttling exception, I think the issue is at L829, health_client = get_sts_token('health')

we could use config = Config( retries = { 'max_attempts': 10, 'mode': 'standard' } ) but this is not supported with get_sts_token

{
  "errorMessage": "An error occurred (ThrottlingException) when calling the DescribeAffectedAccountsForOrganization operation: Rate exceeded",
  "errorType": "ClientError",
  "stackTrace": [
    "  File \"/var/task/handler.py\", line 849, in main\n    describe_org_events(health_client)\n",
    "  File \"/var/task/handler.py\", line 742, in describe_org_events\n    affected_org_accounts = get_health_org_accounts(health_client, event, event_arn)\n",
    "  File \"/var/task/handler.py\", line 323, in get_health_org_accounts\n    for event_accounts_page in event_accounts_page_iterator:\n",
    "  File \"/var/runtime/botocore/paginate.py\", line 255, in __iter__\n    response = self._make_request(current_kwargs)\n",
    "  File \"/var/runtime/botocore/paginate.py\", line 332, in _make_request\n    return self._method(**current_kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 386, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 705, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

Issue #, if available:

Some parameters that were required by some functions were not being passed

Description of changes:

Passed parameters to functions to successfully send notifications

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Policy statement must contain resources. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID:redacted ; Proxy: null)

I deployed AHA with Multi region option then I found my lambda function on Secondary region failed to run. The reason is misconfiguration of lambda Environment variables. ORG_STATUS value should be “No” but was “false” even though primary region lambda ORG_STATUS value is “No”. Are there anyone who faced same as me?

Hello

I have AHA deployed in my organisation master account and several member accounts. They have all been deployed with teams notifications enabled.

Early this morning there was an event for a direct connect issue in a member account. In the AWS console, there is one event listed (same if i query the API directly).

However I received 4 teams notifications, all seemingly identical. When the issue was resolved, I again received 4 notifications.

Logs for the function only show 'Sending the alert to Teams' occurring once. What is causing this notification to be spammed to Teams? I cannot see anything in the function that might explain it, so perhaps this is a teams issue?

Thanks

[ERROR] TypeError: send_email() takes 2 positional arguments but 4 were givenTraceback (most recent call last):  File "/var/task/handler.py", line 836, in main    describe_events(health_client)  File "/var/task/handler.py", line 686, in describe_events    update_ddb(event_arn, str_update, status_code, event_details, affected_accounts, affected_entities)  File "/var/task/handler.py", line 484, in update_ddb    send_alert(event_details, affected_accounts_details, affected_entities, event_type="create")  File "/var/task/handler.py", line 95, in send_alert    send_email(event_details, event_type, affected_accounts, affected_entities) | [ERROR] TypeError: send_email() takes 2 positional arguments but 4 were given Traceback (most recent call last):   File "/var/task/handler.py", line 836, in main     describe_events(health_client)   File "/var/task/handler.py", line 686, in describe_events     update_ddb(event_arn, str_update, status_code, event_details, affected_accounts, affected_entities)   File "/var/task/handler.py", line 484, in update_ddb     send_alert(event_details, affected_accounts_details, affected_entities, event_type="create")   File "/var/task/handler.py", line 95, in send_alert     send_email(event_details, event_type, affected_accounts, affected_entities) -- | --

To fix: change send_email function def send_email(event_details, eventType):

to match similar send_org_email def send_email(event_details, eventType, affected_accounts, affected_entities):

also need to update get_message_for_email(event_details, eventType, affected_accounts, affected_entities):

@gmridula I would create a fork but hope you can just fix from this

When updates are made to the Service Health Dashboard after an initial event has been opened (i.e. CloudFront goes from Green to Blue), they are not propagated or picked up by AHA and sent to the Slack webhook. Similarly, when a service/event goes back to green, that is not reflected in AHA. It appears that only the initial event notification sends out an alert via AHA but it requires the user to continue to monitor the SHD/PHD for further updates.

Conversely, an RSS feed for Slack picks up all updates to the SHD (including after a service is not green).

It strikes me as quite inefficient that this lambda is triggered on a schedule of every minute. Is there a reason this is the case, rather than executing on every Health event received that matches an event pattern?

At the moment the data sent to Eventbridge contains the account information as one field, in this format:

account-name (012345678) - That is account_name (account_id)

References:

https://github.com/aws-samples/aws-health-aware/blob/main/handler.py#L480-L481 https://github.com/aws-samples/aws-health-aware/blob/main/messagegenerator.py#L136

In order to action these events downstream using eventbridge we're having to pull the account id out of that field. It'd be nicer to keep these separate for example two fields: "Account name" and "Account ID"

This comment suggests some upcoming changes to eventbus structure: https://github.com/aws-samples/aws-health-aware/issues/29#issuecomment-1049847491

Are there any updates?

• Issue 52

Description of changes:

• Added .gitignore containing ignore rules for terraform and for generated file lambda_function.zip during terraform plan/apply.
• Added missing count expression in Terraform_DEPLOY_AHA.tf for resource "aws_s3_bucket_acl" "AHA-S3Bucket-PrimaryRegion"
• Fixed for_each condition for aha_secondary_region to have proper empty value if secondary_region is not set on dynamic replica value in resource "aws_secretsmanager_secret" "AssumeRoleArn"
• Updated source_code_hash variable on both Lambda Functions to use the newly available value of output_base64sha256 from datasource on the archive_file resource instead of the filebase64sha256 terraform function.

Please Note: This PR would also PR-32 on this repo.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

The current state of the main branch of this repo is not deployable using terraform provided in this repo.

When deploying to an Organisation member account, in a single region, using Terraform there are 2 errors:

Error 1:

Error: error creating Secrets Manager Secret: InvalidParameterException: Invalid replica region.

   with aws_secretsmanager_secret.AssumeRoleArn[0],
   on Terraform_DEPLOY_AHA.tf line 416, in resource "aws_secretsmanager_secret" "AssumeRoleArn":
  416: resource "aws_secretsmanager_secret" "AssumeRoleArn" {

Error 2:

 Error: Invalid index
 
   on Terraform_DEPLOY_AHA.tf line 207, in resource "aws_s3_bucket_acl" "AHA-S3Bucket-PrimaryRegion":
  207:     bucket = aws_s3_bucket.AHA-S3Bucket-PrimaryRegion[0].id
     ├────────────────
     │ aws_s3_bucket.AHA-S3Bucket-PrimaryRegion is empty tuple
 
 The given key does not identify an element in this collection value: the
 collection has no elements.

Please Note: Error 1 was already attempted to be fixed in this PR-32 of this project

because *.py scripts are in the root folder i cannot use terraform code as a module: source github.com/aws-samples/aws-health-aware//terraform/Terraform_DEPLOY_AHA?ref=v2.01 so i cant store configuration in my source code - need to fork/dowoad and update code manually

if you can change this that would be great

Would it be possible to have a way to easily customize the delivery based on custom metadata or perhaps AWS Organizations Account Tags to send emails to custom addresses on a per account basis?

Use case is to deliver appropriate notifications to: Custom Account Owners, Tenant Application Owners or specific resource owners based on metadata / tags not really supported by AWS today.

I suspect it would be possible to custom code something off EventBridge and Dynamo by accountId, but I get concerned about the API limits for querying Account Tags in organizations. It would be better to have a solution to register/subscribe custom destinations in the DynamoDB.

Dear Folks,

I have a question regarding the following Terraform resources:

resource "aws_s3_bucket" "AHA-S3Bucket-PrimaryRegion" {
    count      = "${var.ExcludeAccountIDs != "" ? 1 : 0}"
    bucket     = "aha-bucket-${var.aha_primary_region}-${random_string.resource_code.result}"
    tags = {
      Name        = "aha-bucket"
    }
}

resource "aws_s3_bucket" "AHA-S3Bucket-SecondaryRegion" {
    count      = "${var.aha_secondary_region != "" && var.ExcludeAccountIDs != "" ? 1 : 0}"
    provider   = aws.secondary_region
    bucket     = "aha-bucket-${var.aha_secondary_region}-${random_string.resource_code.result}"
    tags = {
      Name        = "aha-bucket"
    }
}

I was not able to figure out what they are used for.

I think they are used for a CSV file holding data about excluded accounts if so I do not see a reason to create these buckets if I were just to pass the excluded accounts as a list in Terraform that is interpreted in python as a string and parsed.

If someone could tell me what these buckets are used for that would be great.

Many thanks.