aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Creation of organization CloudTrail from delegated admin account fails #1932

Open k-paulius opened 7 months ago

k-paulius commented 7 months ago

Name of the resource

AWS::CloudTrail::Trail

Resource Name

No response

Issue Description

I am trying to create an organization CloudTrail from a CloudTrail delegated administrator account, but it fails during deployment.

My setup contains a management account with id 111111111111 and another account 222222222222 that is registered as a delegated CloudTrail administrator account. The CloudFormation template is being deployed in account 222222222222 and the trail is named org-cloudtrail.

During deployment, Cfn calls CreateTrail and receives a successful response. The trail is created in the management account, as expected, with Arn: arn:aws:cloudtrail:us-east-1:111111111111:trail/org-cloudtrail. Cfn then invokes StartLogging, using the trail name value org-cloudtrail as the name parameter instead of an Arn for CloudTrail. This call fails with TrailNotFoundException and Cfn then proceeds to roll back the deployment.

{
    "eventVersion": "1.10",
    "userIdentity": {
        "type": "AssumedRole",
        "accountId": "222222222222",
        "accessKeyId": "ASIAXYKJWD7HLQEHAAAA",
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2024-02-24T23:18:13Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "TrailNotFoundException",
    "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:222222222222:trail/org-cloudtrail for the user: 222222222222",
    "requestParameters": {
        "name": "org-cloudtrail"
    },
    "responseElements": null,
    "requestID": "-",
    "eventID": "-",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "222222222222",
    "eventCategory": "Management"
}

Cfn resource:

  rOrgTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: 'org-cloudtrail'
      IsLogging: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      IsOrganizationTrail: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      S3BucketName: 'bucket-name'
      S3KeyPrefix: ''

Expected Behavior

Deploying the Cfn template in the CloudTrail delegated administrator account should successfully create the CloudTrail in the management account.

When invoking StartLogging, Cfn needs to pass the Arn instead of the name of the trail as the name parameter.

CLI commands executed as 222222222222:

$ aws cloudtrail start-logging --name org-cloudtrail

An error occurred (TrailNotFoundException) when calling the StartLogging operation: Unknown trail: arn:aws:cloudtrail:us-east-1:222222222222:trail/org-cloudtrail for the user: 222222222222 

$ aws cloudtrail start-logging --name arn:aws:cloudtrail:us-east-1:111111111111:trail/org-cloudtrail

Observed Behavior

Organization trail is successfully created, but CloudFormation encounters an error when calling StartLogging and rolls back the deployment.

Test Cases

Other Details

This is also reported as a CDK issue: https://github.com/aws/aws-cdk/issues/26840
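Added example (not code from the issue or from CloudFormation's resource handler) modelling the name resolution the CloudTrail event above implies: a bare trail name is scoped to the calling account, so from 222222222222 it resolves to a trail that does not exist, while the TrailARN returned by CreateTrail points at the management account. The account ids, region and the shape of the CreateTrail response are constructed to mirror the report; the resolution rule itself is an assumption derived from the observed error message.

```python
"""Model of CloudTrail StartLogging name resolution for an organization trail
created from a delegated administrator account."""
import re

# Constructed sample values mirroring the report.
MANAGEMENT_ACCOUNT = "111111111111"
DELEGATED_ADMIN_ACCOUNT = "222222222222"
REGION = "us-east-1"

# Constructed CreateTrail response as the delegated admin account receives it.
CREATE_TRAIL_RESPONSE = {
    "Name": "org-cloudtrail",
    "TrailARN": f"arn:aws:cloudtrail:{REGION}:{MANAGEMENT_ACCOUNT}:trail/org-cloudtrail",
    "IsOrganizationTrail": True,
}

# Trails that actually exist, keyed by ARN: the org trail lives in the management account.
EXISTING_TRAILS = {CREATE_TRAIL_RESPONSE["TrailARN"]}

ARN_RE = re.compile(r"^arn:aws:cloudtrail:[a-z0-9-]+:\d{12}:trail/[\w.-]+$")


class TrailNotFoundException(Exception):
    pass


def resolve_trail_arn(name, caller_account, region=REGION):
    """Assumed resolution rule: a full ARN is used as-is; a bare name is
    expanded into an ARN in the caller's own account (matches the error text)."""
    if ARN_RE.match(name):
        return name
    return f"arn:aws:cloudtrail:{region}:{caller_account}:trail/{name}"


def start_logging(name, caller_account):
    """Simulated StartLogging: succeeds only if the resolved ARN exists."""
    arn = resolve_trail_arn(name, caller_account)
    if arn not in EXISTING_TRAILS:
        raise TrailNotFoundException(f"Unknown trail: {arn} for the user: {caller_account}")
    return arn


def start_logging_error(name, caller_account):
    """Return the error message StartLogging would produce, or None on success."""
    try:
        start_logging(name, caller_account)
    except TrailNotFoundException as exc:
        return str(exc)
    return None


def trail_identifier_for_start_logging(create_trail_response):
    """What a correct handler passes to StartLogging: the TrailARN from the
    CreateTrail response, never the bare TrailName property."""
    return create_trail_response["TrailARN"]
```

Passing the bare name reproduces the exact TrailNotFoundException message from the report, while passing the TrailARN succeeds, which is the fix the issue requests of the resource handler.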

jpSimkins commented 5 months ago

I can confirm this is happening. I can see the trail created in all the member accounts. I can also state that if you use a CMK, you will have the exact same thing happen but the error will be about the CMK KMS key not existing. Once you delete the stack, these trails also stay in the accounts.

My workaround was to deploy everything in the delegated admin account / logging account, then manually create the CloudTrail in the delegated admin account. This worked fine.