aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] AWSControlTowerExecution gets created in the Management Account #271

Closed gcasilva closed 1 week ago

gcasilva commented 1 week ago

Describe the bug

The AWSControlTowerExecution role (https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/313ea9d549fa445da102ae681e65a5174d8bc525/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml#L34) is also being created in the Management Account in a Control Tower environment when using SRA, even if the role already exists in the Management Account. Ideally there should be a parameter in the CloudFormation if the customer already has this role pre-deployed in the management account beforehand; otherwise the SRA CloudFormation could fail.

To Reproduce

Steps to reproduce the behavior: Deploy SRA in a Control Tower environment where the AWSControlTowerExecution role was already created before deploying SRA.

Expected behavior

Ideally there should be a parameter in the CloudFormation if the customer already has this role pre-deployed in the management account beforehand; otherwise the SRA CloudFormation could fail.

Screenshots

Screenshot of the AWSControlTowerExecution role created by SRA common prerequisites


gcasilva commented 1 week ago

Screenshot of the bug: image

liamschn commented 1 week ago

Hi @gcasilva, please try to set the pCreateAWSControlTowerExecutionRole to 'false'.
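As an added illustration (not the project's own template), this is the CloudFormation pattern the maintainer's reply relies on: a boolean-style parameter feeds a Condition that gates the role resource, so a stack deployed into an account where the role already exists leaves it untouched instead of failing. The parameter name and role name come from this thread; the trusted account parameter and the managed policy ARN are placeholders, not the project's values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustration only: gate creation of the AWSControlTowerExecution role on a
  parameter so a stack deployed into an account that already has the role
  does not fail on a duplicate role name.

Parameters:
  pCreateAWSControlTowerExecutionRole:
    Type: String
    Default: "true"
    AllowedValues: ["true", "false"]
    Description: >-
      Set to "false" in the management account when the role was created
      earlier (for example by Control Tower itself).
  pManagementAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: Account allowed to assume the role (placeholder; supply your own).

Conditions:
  # Only evaluates to true when the operator explicitly asks for the role.
  cCreateRole: !Equals [!Ref pCreateAWSControlTowerExecutionRole, "true"]

Resources:
  rAWSControlTowerExecutionRole:
    Type: AWS::IAM::Role
    # The Condition is what prevents the duplicate-role failure described above:
    # with the parameter set to "false" CloudFormation never attempts the create.
    Condition: cCreateRole
    Properties:
      RoleName: AWSControlTowerExecution
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${pManagementAccountId}:root"
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Placeholder: attach the policy your deployment actually requires.
        - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/PLACEHOLDER-execution-policy"

Outputs:
  oRoleArn:
    # Outputs that reference a conditional resource must carry the same Condition.
    Condition: cCreateRole
    Value: !GetAtt rAWSControlTowerExecutionRole.Arn
```

Before deploying into the management account, confirm whether the role already exists (for example with `aws iam get-role --role-name AWSControlTowerExecution`) and pass "false" for the parameter if it does.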