aws-samples / landing-zone-accelerator-on-aws-for-cccs-medium

MIT No Attribution

Prepare stage: more than 5 SCPs were applied to the Security OU #5

Closed jobalbz closed 9 months ago

jobalbz commented 9 months ago

This was not an issue with version 1.5.1 (no Control tower)

See the error log below:

```
The stack named LZA-PrepareStack-XXXXXXXXX-ca-central-1 failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Max Allowed SCPs for ou "Security" is 5, found total 6 scps in updated list to attach. Updated list of scps for attachment is AWSAccelerator-Guardrails-Part-1,AWSAccelerator-Guardrails-Sensitive-Part-1,AWSAccelerator-Guardrails-Part-0-Core,aws-guardrails-TXguOM,aws-guardrails-osIYud,FullAWSAccess
```

oliviergaumond commented 9 months ago

If you are deploying the solution using Control Tower, you need to make the changes documented in the installation steps for Control Tower. More specifically:

  • If using Control Tower, review these specific settings:

    In file global-config.yaml:

    • Update managementAccountAccessRole value to AWSControlTowerExecution
    • Make sure controlTower is set to enable: true

    In file organization-config.yaml:

    • Uncomment the proper configuration block under the AWSAccelerator-Guardrails-Sensitive-Part-1 configuration to have the following configuration:

    ```yaml
    - name: AWSAccelerator-Guardrails-Sensitive-Part-1
      description: >
        LZA Guardrails Sensitive Environment Specific Part 1
      policy: service-control-policies/LZA-Guardrails-Sensitive.json
      type: customerManaged
      deploymentTargets:
        organizationalUnits:
        - Infrastructure
        - Central
        - Dev
        - Test
        - Prod
        accounts:
        - Audit
        - LogArchive
    ```

You can find the configuration block relevant to your error here: https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/blob/b721d245311dcb596c79ba3f4754939c64c9d339/config/organization-config.yaml#L47-L79
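A pre-flight check for the quota behind this error, added here as an example (not code from the repository or from either comment): it tallies, per OU or account, the SCPs Control Tower has already attached plus every LZA policy whose `deploymentTargets` name that target, and reports any target that would exceed the 5-SCP limit. The `serviceControlPolicies` entries are constructed to mirror the issue (the "before" state where the Sensitive policy still targets the Security OU, and the "after" state from the comment); a real run would load `organization-config.yaml` into a dict with `yaml.safe_load` and pass it in place of `BEFORE`/`AFTER`.

```python
from collections import defaultdict

MAX_SCPS_PER_TARGET = 5  # AWS Organizations quota per root, OU or account

# Constructed sample of what Control Tower already attached before the
# prepare stage. The two aws-guardrails-* names are taken from the error above.
CONTROL_TOWER_ATTACHED = {
    "Security": ["FullAWSAccess", "aws-guardrails-TXguOM", "aws-guardrails-osIYud"],
    "Infrastructure": ["FullAWSAccess"],
}

def lza_scp(name, ous, accounts=()):
    """Build one serviceControlPolicies entry in the organization-config.yaml shape."""
    return {"name": name, "type": "customerManaged",
            "deploymentTargets": {"organizationalUnits": list(ous),
                                  "accounts": list(accounts)}}

# Before (constructed): all three LZA policies still target the Security OU.
BEFORE = {"serviceControlPolicies": [
    lza_scp("AWSAccelerator-Guardrails-Part-0-Core", ["Security", "Infrastructure"]),
    lza_scp("AWSAccelerator-Guardrails-Part-1", ["Security", "Infrastructure"]),
    lza_scp("AWSAccelerator-Guardrails-Sensitive-Part-1", ["Security", "Infrastructure"]),
]}
# After: the block from the comment, targeting other OUs plus the Audit/LogArchive accounts.
AFTER = {"serviceControlPolicies": BEFORE["serviceControlPolicies"][:2] + [
    lza_scp("AWSAccelerator-Guardrails-Sensitive-Part-1",
            ["Infrastructure", "Central", "Dev", "Test", "Prod"], ["Audit", "LogArchive"]),
]}

def planned_scps(org_config, existing):
    """Return {target: [scp names]} as they would stand after the prepare stage."""
    attached = defaultdict(list)
    for target, names in existing.items():
        attached[target].extend(names)
    for scp in org_config.get("serviceControlPolicies", []):
        targets = scp.get("deploymentTargets") or {}
        for target in (targets.get("organizationalUnits") or []) + (targets.get("accounts") or []):
            attached[target].append(scp["name"])
    return dict(attached)

def over_limit(org_config, existing, limit=MAX_SCPS_PER_TARGET):
    """Targets exceeding the quota, with the full list so the surplus can be re-homed."""
    return {t: n for t, n in planned_scps(org_config, existing).items() if len(n) > limit}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, over_limit(cfg, CONTROL_TOWER_ATTACHED) or "ok")
```

Running it flags the Security OU with 6 SCPs for the "before" config and nothing for the "after" config, matching the custom resource's message.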