I previously enabled 2 regions - us-west-1 and ap-southeast-4 - into my control tower, which I had originally set up with us-east-1 (my home region) and ap-southeast-2. At the time of enabling the new regions, I ran the sra-common-prerequisites-management-account-parameters stack again and also updated the sra-member-account-parameters stackset to roll it out to the new region. Bar some issues with ap-southeast-4 being opt-in and not enabling by default (#211), it all went smoothly.
Now I am enabling us-west-2 in my Control Tower and following the same steps I documented previously, however this time, running the sra-common-prerequisites-management-account-parameters stack as follows suggests that there are no changes:
aws cloudformation deploy --template-file ./aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml --stack-name sra-common-prerequisites-management-account-parameters --capabilities CAPABILITY_NAMED_IAM --profile <my profile>
Waiting for changeset to be created..
No changes to deploy. Stack sra-common-prerequisites-management-account-parameters is up to date
I believe the output is because there have been no changes to the template since the last time I ran it, whereas the previous time when I enabled 2 regions there had been changes. I tried forcing changes through by modifying the parameters or including the --force-upload parameter to CloudFormation, none of which had any effect.
The result is that my management account now does not have the new region included in any of the /sra/regions/customer-control-tower-regions SSM Parameters in any region, although the parameter does exist in my newly enabled us-west-2 region (that parameter got created in us-west-2 when I originally set up the SRA and was updated following the addition of the us-west-1 and ap-southeast-4 regions).
I was able to update the sra-member-account-parameters stackset to add the new region into all the member accounts. That updated without any issues.
So my question is what is the correct way for me to enable a new region and what stacks am I supposed to be running? If my steps that I outlined above are correct, then how can I properly get the sra-common-prerequisites-management-account-parameters stack to update?
Environment
Everything is deployed using Stacks and StackSets and this is only looking at the common prerequisites stage.
I noted that Inspector, GuardDuty, etc., which I have enabled via the SRA and CfCT are not enabled in the new region, I'm guessing because of the missing params in the management account.
Other information
I looked at the Python Lambda that creates the SSM parameters in the management account - it seems to loop through the StackSet instances for AWSControlTowerBP-BASELINE-CLOUDWATCH and grab the regions that way. While this stackset does exist, all bar one account (not the management account) has a PENDING state on the update. I'm not sure if this is related, but I did find some info about it here: https://repost.aws/questions/QU3owsbrUoQpKpz0_RWWnH6w/awscontroltowerbp-baseline-cloudwatch.
A quick update - I ended up deleting the sra-common-prerequisites-management-account-parameters stack and then recreating it, at which point the SSM parameters were successfully recreated to include my new region. I'm not sure if this is the intended way to force an update, but it worked in my case.
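The failure mode described in this thread (the region list derived from the AWSControlTowerBP-BASELINE-CLOUDWATCH stack instances no longer matching the copies of /sra/regions/customer-control-tower-regions held in each region) can be caught before GuardDuty, Inspector and the other SRA solutions silently skip the new region. The following is an added drift check, not code from the aws-security-reference-architecture-examples project: it derives the expected region set from StackSet instance summaries the same way the issue describes the Lambda doing, compares it against every regional copy of the parameter, and reports which copies are stale. The parameter's value format (comma-separated, or a JSON list) is an assumption, as are the sample instance summaries and parameter values, which are constructed to mirror the situation in the issue.

```python
"""Drift check between the Control Tower baseline StackSet regions and the
SRA region SSM parameter. Added example; not part of the SRA project."""
import json

# Names taken from the issue.
SRA_REGIONS_PARAMETER = "/sra/regions/customer-control-tower-regions"
CT_BASELINE_STACKSET = "AWSControlTowerBP-BASELINE-CLOUDWATCH"


def regions_from_stack_instances(instances):
    """Collect the distinct regions that the StackSet has instances in.

    `instances` is a list of dicts shaped like the `Summaries` entries that
    CloudFormation `list_stack_instances` returns (only `Region` is needed).
    """
    return sorted({inst["Region"] for inst in instances})


def parse_region_parameter(value):
    """Parse one copy of the region parameter. Assumption: the value is either
    a comma-separated string or a JSON list of region names."""
    value = value.strip()
    if value.startswith("["):
        return sorted(set(json.loads(value)))
    return sorted({r.strip() for r in value.split(",") if r.strip()})


def find_missing_regions(expected_regions, parameter_copies):
    """Return {region_of_copy: [missing regions]} for every regional copy of
    the parameter that lacks one or more of the expected regions."""
    expected = set(expected_regions)
    report = {}
    for copy_region, raw_value in parameter_copies.items():
        have = set(parse_region_parameter(raw_value))
        missing = sorted(expected - have)
        if missing:
            report[copy_region] = missing
    return report


# --- Constructed sample data mirroring the issue (not real account output) ---
_GOVERNED = ["us-east-1", "ap-southeast-2", "us-west-1", "ap-southeast-4", "us-west-2"]
SAMPLE_STACK_INSTANCES = [
    {"Account": "111111111111", "Region": r, "Status": "CURRENT"} for r in _GOVERNED
] + [
    {"Account": "222222222222", "Region": r, "Status": "OUTDATED"} for r in _GOVERNED
]
_OLD_LIST = "us-east-1,ap-southeast-2,us-west-1,ap-southeast-4"
SAMPLE_PARAMETER_COPIES = {
    # The copies written before us-west-2 was enabled were never refreshed.
    "us-east-1": _OLD_LIST,
    "ap-southeast-2": _OLD_LIST,
    "us-west-1": _OLD_LIST,
    "ap-southeast-4": _OLD_LIST,
    # The copy created in the new region does include it (JSON form, to
    # exercise the second parser branch).
    "us-west-2": json.dumps(_GOVERNED),
}


def fetch_stack_instances(stackset_name=CT_BASELINE_STACKSET):
    """Live variant: page through the StackSet's instances with boto3.
    Requires management-account credentials; not used by the offline sample."""
    import boto3
    cfn = boto3.client("cloudformation")
    summaries = []
    for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=stackset_name):
        summaries.extend(page["Summaries"])
    return summaries


def fetch_parameter_copies(regions, name=SRA_REGIONS_PARAMETER):
    """Live variant: read the parameter from each region; a missing copy is
    reported as an empty value so it shows up as lacking every region."""
    import boto3
    copies = {}
    for region in regions:
        ssm = boto3.client("ssm", region_name=region)
        try:
            copies[region] = ssm.get_parameter(Name=name)["Parameter"]["Value"]
        except ssm.exceptions.ParameterNotFound:
            copies[region] = ""
    return copies


if __name__ == "__main__":
    expected = regions_from_stack_instances(SAMPLE_STACK_INSTANCES)
    drift = find_missing_regions(expected, SAMPLE_PARAMETER_COPIES)
    print("expected regions:", expected)
    for region, missing in sorted(drift.items()):
        print(f"{region}: parameter copy is missing {missing}")
```

Run it as-is to see the constructed case; swapping the two SAMPLE_ inputs for `fetch_stack_instances()` and `fetch_parameter_copies(expected)` turns it into a live check against the management account. Any non-empty report means the management-account parameters stack needs to be refreshed before region-dependent SRA solutions are deployed.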