
Community::Organizations::Policy is not reliable. Errors out on creation, resources get created, but CFN in bad state #121

Open
dyangelo-grullon opened this issue Jan 29, 2023 · 1 comment

@dyangelo-grullon

Community::Organizations::Policy v0.2.2 is exhibiting a non-functional sequence of events when deployed. Specifically it:

1. Attempts to create the SCP by handling the CloudFormation create event.
2. AWS Organizations responds with the following error:

   ```
   ERROR: Resource Scp failed because Resource handler returned message: "AWS Organizations can't complete your request because another request is already in progress. Try again later."
   ```

3. The resources do get created regardless.
4. On CFN re-create (via the org-formation CLI), the following error causes CFN and the org-formation CLI to fail:

   ```
   Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyRootAccess' already exists."
   ```

Note: A CFN create event happens as the initial create did not succeed.

Task file (org-formation):

```yaml
OrganizationsPolicyRp:
  Type: register-type
  ResourceType: "Community::Organizations::Policy"
  SchemaHandlerPackage: !Sub "s3://${catalogBucket}/community-organizations-policy-0.2.2.zip"
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible with the us-east-1 region
DenyRootAccess:
  Type: update-stacks
  Template: ./deny-root-access.yml
  StackName: !Sub "${resourcePrefix}-deny-root-access"
  DefaultOrganizationBindingRegion: us-east-1
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
    # you can use the following to exclude accounts from this SCP, either temporarily or permanently
    # ExcludeAccount: !Ref myAccount
  OrganizationBindings:
    TargetBinding:
      Account: "*"
```

`./deny-root-access.yml`:

```yaml
AWSTemplateFormatVersion: "2010-09-09-OC"

Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Restricts the use of the Root account
      Name: DenyRootAccess
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds:
        - Fn::EnumTargetAccounts TargetBinding ${account}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyRootUser
            Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              StringLike:
                "aws:PrincipalArn": "arn:aws:iam::*:root"
```

This is the only task being executed at the time of failure, so I am not aware of why AWS organizations is throwing this throttling error in the first place. Regardless, the resources do get created. I wonder if the initial create can be a tad more resilient and re-discover the resource that was created, despite the error response from AWS organizations.
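The failure sequence reported above (throttled CreatePolicy, policy created anyway, then "already exists" on the re-create) is exactly what an idempotent create handler has to absorb. The following is an added example, not the Community::Organizations::Policy provider's code nor org-formation's: it retries on `ConcurrentModificationException`, checks by name whether the policy landed despite the error before retrying, and on a re-run adopts the existing policy instead of failing. The one caveat a practitioner wants is the content check: a policy with the right name but different content must not be silently claimed, since that would let a stale or foreign policy stand in for the intended one. It runs offline against a constructed `FakeOrganizations` client that mimics the boto3 call shapes for CreatePolicy, ListPolicies and DescribePolicy (including pagination), with a stand-in `ClientError`; the policy ids it produces are made up, and it assumes policy names are unique per policy type, which is what AWS's `DuplicatePolicyException` enforces.

```python
"""Idempotent CreatePolicy for AWS Organizations: retry on ConcurrentModificationException,
re-discover a policy the API created despite returning an error, and adopt (after a content
check) the existing policy on a re-run instead of failing with 'already exists'.
Added example; not the Community::Organizations::Policy provider's code."""
import json
from dataclasses import dataclass, field
from typing import Optional

CONCURRENT = "ConcurrentModificationException"
DUPLICATE = "DuplicatePolicyException"

class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}

def find_policy_by_name(org, name: str, policy_type: str) -> Optional[dict]:
    """Page through ListPolicies (Filter = policy type) and return the summary named `name`."""
    token = None
    while True:
        page = org.list_policies(Filter=policy_type, **({"NextToken": token} if token else {}))
        for summary in page["Policies"]:
            if summary["Name"] == name:
                return summary
        token = page.get("NextToken")
        if not token:
            return None

def adopt_existing(org, summary: dict, expected_content: dict) -> dict:
    """Only claim a re-discovered policy if its content is what we meant to create."""
    current = json.loads(org.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"])
    if current != expected_content:
        raise RuntimeError(f"{summary['Id']} ({summary['Name']}) exists with different content")
    return summary

def create_policy_idempotent(org, name: str, policy_type: str, description: str, content: dict,
                             max_attempts: int = 5, sleep=lambda s: None) -> dict:
    """Converge on exactly one policy called `name`; `sleep` is injectable so tests skip backoff."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        try:
            resp = org.create_policy(Name=name, Type=policy_type, Description=description,
                                     Content=json.dumps(content))
            return resp["Policy"]["PolicySummary"]
        except ClientError as exc:
            code = exc.response["Error"]["Code"]
            if code == DUPLICATE or (code == CONCURRENT and attempt < max_attempts):
                existing = find_policy_by_name(org, name, policy_type)  # was it created anyway?
                if existing is not None:
                    return adopt_existing(org, existing, content)
                if code == CONCURRENT:
                    sleep(delay)
                    delay = min(delay * 2, 30.0)
                    continue
            raise

@dataclass
class FakeOrganizations:
    """Constructed in-memory stand-in for boto3.client("organizations"); policy ids are made up."""
    policies: dict = field(default_factory=dict)  # Id -> {"summary": ..., "content": ...}
    failures: list = field(default_factory=list)  # per CreatePolicy call: (error code, created anyway?)
    page_size: int = 2                            # tiny pages so ListPolicies pagination is exercised
    def _store(self, Name, Type, Description, Content):
        pid = f"p-{len(self.policies) + 1:08d}"
        self.policies[pid] = {"summary": {"Id": pid, "Name": Name, "Type": Type, "Description": Description},
                              "content": Content}
        return self.policies[pid]["summary"]
    def create_policy(self, *, Name, Type, Description, Content):
        if self.failures:
            code, created_anyway = self.failures.pop(0)
            if created_anyway:  # the issue's symptom: an error comes back, yet the policy exists
                self._store(Name, Type, Description, Content)
            raise ClientError(code, "simulated failure")
        if any(p["summary"]["Name"] == Name and p["summary"]["Type"] == Type for p in self.policies.values()):
            raise ClientError(DUPLICATE, "A policy with the same name already exists.")
        return {"Policy": {"PolicySummary": self._store(Name, Type, Description, Content), "Content": Content}}
    def list_policies(self, *, Filter, NextToken=None):
        items = [p["summary"] for p in self.policies.values() if p["summary"]["Type"] == Filter]
        start = int(NextToken or 0)
        page = {"Policies": items[start:start + self.page_size]}
        if start + self.page_size < len(items):
            page["NextToken"] = str(start + self.page_size)
        return page
    def describe_policy(self, *, PolicyId):
        return {"Policy": {"PolicySummary": self.policies[PolicyId]["summary"],
                           "Content": self.policies[PolicyId]["content"]}}

DENY_ROOT = {"Version": "2012-10-17", "Statement": [{"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*",
             "Resource": "*", "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}

def demo():
    """Replay the issue: a throttled create, a throttled create that lands anyway, then a re-run."""
    org = FakeOrganizations(failures=[(CONCURRENT, False), (CONCURRENT, True)])
    args = (org, "DenyRootAccess", "SERVICE_CONTROL_POLICY", "Restricts the use of the Root account", DENY_ROOT)
    first, again = create_policy_idempotent(*args), create_policy_idempotent(*args)
    return first["Id"], again["Id"], len(org.policies)

if __name__ == "__main__":
    print(demo())
```

Both calls in `demo()` resolve to the same single policy: the first survives one genuine throttle and then re-discovers the policy that was created under the second, and the re-run turns `DuplicatePolicyException` into adoption. In a real CloudFormation handler the returned `Id` is what would be stored as the resource's primary identifier, and the content mismatch is the case that should surface as a hard failure rather than be papered over.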

@dyangelo-grullon (Author)

org-formation v1.0.6

@dyangelo-grullon dyangelo-grullon changed the title Community::Organizations::Policy is not reliable. Errors out on creation, resources get created, but recreation Community::Organizations::Policy is not reliable. Errors out on creation, resources get created, but CFN in bad state Jan 29, 2023