aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] Terraform_stack.py fails setting up workspace on suspended AWS accounts #218

Closed tantonjt-aws closed 1 month ago

tantonjt-aws commented 3 months ago

Describe the bug

Terraform_stack.py fails setting up workspace on suspended AWS accounts

To Reproduce

Steps to reproduce the behavior:

  1. Go to: /aws-security-reference-architecture-examples/aws_sra_examples/terraform/solutions
  2. Run: python3 terraform_stack.py plan
  3. See the error if the AWS account is suspended.

Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 8342b965-a2de-4cab-89e2-0c324cbfade6, api error AccessDenied: User: arn:aws:sts::632617325597:assumed-role/Admin/tantonjt-Isengard is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::654654472939:role/sra-execution

Expected behavior

Workspace is created and plan is created/updated.

Screenshots

(screenshot image not preserved)

Additional context

The solution to the problem is to filter the list of accounts in the python script.

aws-security-reference-architecture-examples/aws_sra_examples/terraform/solutions/terraform_stack.py

Existing line of code: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/aa58485aec5470afc577db750e3c5a3b8a860679/aws_sra_examples/terraform/solutions/terraform_stack.py#L71

    accounts = [account["Id"] for page in paginator.paginate() for account in page["Accounts"]]

Updated line should be:

    accounts = [account["Id"] for page in paginator.paginate() for account in page["Accounts"] if account["Status"] == "ACTIVE"]

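The filter proposed above, written out as an added example (not the project's code and not from the issue author): it applies the same `Status == "ACTIVE"` rule over the pages a boto3 `list_accounts` paginator yields, but also records why each other account was skipped so that suspended or closing accounts do not silently disappear from the plan. The `partition_accounts` function and the sample page data are assumptions constructed for this example.

```python
"""Keep only the Organizations accounts that sts:AssumeRole into sra-execution can succeed for.

Added example, not the project's code. The issue's one-line fix keeps accounts
whose Status is ACTIVE; this version does the same and reports the rest.
"""
from __future__ import annotations

from typing import Iterable, Mapping

# Status values the Organizations ListAccounts API returns for an account.
ACTIVE = "ACTIVE"
SKIPPED_STATUSES = {"SUSPENDED", "PENDING_CLOSURE"}


def partition_accounts(pages: Iterable[Mapping]) -> tuple[list[str], dict[str, str]]:
    """Return (active_ids, skipped) where skipped maps account id -> reason.

    `pages` is whatever `client.get_paginator("list_accounts").paginate()`
    yields: dicts with an "Accounts" list of account records.
    """
    active: list[str] = []
    skipped: dict[str, str] = {}
    for page in pages:
        for account in page.get("Accounts", []):
            account_id = account["Id"]
            status = account.get("Status")
            if status == ACTIVE:
                active.append(account_id)
            elif status in SKIPPED_STATUSES:
                skipped[account_id] = status
            else:
                # Missing or unknown status: do not attempt AssumeRole into it,
                # but flag it so it is not dropped without a trace.
                skipped[account_id] = f"UNKNOWN_STATUS:{status}"
    return active, skipped


# Constructed sample pages (made-up 12-digit ids) shaped like ListAccounts output.
SAMPLE_PAGES = [
    {"Accounts": [
        {"Id": "111111111111", "Name": "security-tooling", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "sandbox-old", "Status": "SUSPENDED"},
    ]},
    {"Accounts": [
        {"Id": "333333333333", "Name": "log-archive", "Status": "ACTIVE"},
        {"Id": "444444444444", "Name": "closing", "Status": "PENDING_CLOSURE"},
    ]},
]

if __name__ == "__main__":
    active_ids, skipped_ids = partition_accounts(SAMPLE_PAGES)
    print("workspaces to create:", active_ids)
    for account_id, reason in skipped_ids.items():
        print(f"skipping {account_id}: {reason}")
```

In terraform_stack.py the `active_ids` list would take the place of `accounts`, and the skipped map gives the operator a record of which member accounts the plan did not cover and why.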