Superwerker AWS Control Tower deployment fails with invalid AWS Regions

I’m trying to spin up IAC using Superwerker on a new aws account and it keeps failing when creating Control Tower. I’m getting the following error on repeat until it ultimately fails. This is a completely fresh aws account and I have no references to those regions anywhere.

I’ve tried using the v0.16.0 and v0.15.0 templates from the release section of the github and then I’ve also tried using the template from the following s3 bucket https://aws-ia-us-east-1.s3.us-east-1.amazonaws.com/cfn-ps-superwerker/templates/superwerker.template.yaml that you can access from the AWS QuickStart page here https://aws.amazon.com/solutions/partners/superwerker/.

Any help pointing me in the right direction of even how to diag this would be greatly appreciated.

    "__type": "InvalidParametersException",
    "Message": "AWS Control Tower detected '1' validation errors:The region list you provided contains one or more invalid AWS Regions: [us-gov-west-1, us-gov-east-1]."
}"still have 1 retries will wait for 5 seconds```

Hi . I tried Superwerker though I don’t run it production. I’ve worked a bit with Control Tower and in general I spend a lot of time building and maintaining landing zones so I’m happy to help you to try to fix this.

First I’ll say that <https://github.com/superwerker/superwerker|Superwerker is an open-source project hosted on GitHub>. So to get help directly from the authors you may want to post an issue there if we can’t solve it here

It looks like you are trying to set up Control Tower in the GovCloud (US) regions us-gov-west-1 and us-gov-east-1. I haven’t worked with GovCloud, so I have to guess a bit here.

Which region did you use to create the superwerker stack? Was it GovCloud region or a commercial region?

This is the slack that was in their github.

Thats the thing, I’m not trying to set it up in any GovCloud region. I’m trying to set up my entire stack in us-west-2.

You said you tried two releases from GitHub and one version in an S3 bucket. Do all give you the same error?

The S3 bucket from from the aws partners page actually doesnt spin up control tower at all, and fails when setting up root mail. Since it doesnt include control tower for some reason I passed on it.

Yes, both releases from superwerkers github fail for the same reason.

I’m not sure who owns the S3 bucket. If it’s owned by AWS rather than the Superwerker maintainers then it could be a very old version of the template, before they based the solution on Control Tower.

I’ll check the v.0.16.0 release template to see if I can figure out why it might complain about GovCloud regions.

Did you set any parameters that I should know about? I don’t remember what input it requires.

Yeah I’ve looked over both templates and couldnt find anything.

I did not set any region params. Only domain and notification email.

The main template refers to this template to deploy Control Tower.

<s3://superwerker-assets-us-west-2/0.0.0-DEVELOPMENT/b563e090565f2c2b3190521a2fe6bd6448c780dad1351fbd5d7197e4ec3cf27d.json>

I don’t see anything in there, so I think I might have to dig deeper. I think the SuperwerkerBootstrapFunction might handle it.

The thing is that Control Tower has no public API to set it up. It’s one of the main things that puts me off the service. Superwerker behind the scenes must be doing gnarly, fragile stuff to automate its setup.

The Control Tower template refers to this Lambda code payload to bootstrap the service.

<s3://superwerker-assets-us-west-2/0.0.0-DEVELOPMENT/1e32876a493d84a96a1ac9887a099aa1916424e5dd332c7af1fb29ae74704aac.zip>

That contains an index.js file. Looks like the source of a Lambda function using a Node.js runtime.

All 13,500 lines of it :joy:

I think most of that code is just a vendored library. There’s just one small mention of Control Tower at the end.

I think I was looking at the wrong code. The are three Lambda functions in the Control Tower template. Another one is called “EnableControlTowerCustomResource”.