aws-samples / landing-zone-accelerator-on-aws-for-cccs-medium

MIT No Attribution

Deployment failed at Logging stage #7

Status: Closed (closed by JimToupet 3 months ago)

JimToupet commented 3 months ago

We deployed the CCCS Medium LZA, and when we run the pipeline for a modification (e.g. adding a workload account) the deployment fails with an access denied from an SCP, with the following error:

Resource handler returned message: "User: arn:aws:sts::XXXXXXXX:assumed-role/AWSControlTowerExecution/cdk-assume-role-plugin is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:ca-central-1:XXXXXXXX:function:AWSAccelerator-LoggingSta-CustomS3PutPublicAccessB-qVf24HMYcEfF with an explicit deny in a service control policy (Service: Lambda, Status Code: 403, Request ID: 880204be-292a-4fe7-9c7c-a3ddb64b63e5)" (RequestToken: 49174451-b352-2886-479f-788ca3e0d7f7, HandlerErrorCode: AccessDenied)

As stated, the AWSControlTowerExecution role is denied from creating the Lambda function.

The SCP file is LZA-Guardrails-Part1.json and we can see that the ControlTowerExecution role is not in the exclusion for the deny.

```json
"Resource": ["arn:${PARTITION}:lambda:*:*:function:${ACCELERATOR_PREFIX}*"],
"Condition": {
  "ArnNotLike": {
    "aws:PrincipalARN": ["arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}*"]
  }
}
```

We had the same kind of problem with KMS::PutKey and SNS:CreateTopic from LZA-Guardrails-Part0-CoreOUs.json when we first deployed the LZA. We were finally able to deploy it by detaching the SCP.

The AWSControlTowerExecution role seems to be missing from some exclusions. Could it be a configuration problem somewhere?

Any clue?

LZA version used: 1.6.2

oliviergaumond commented 3 months ago

You can check if you have a customDeploymentRole specified in the global-config.yaml file.

In the sample configuration it uses AWSAccelerator-PipelineRole and the SCPs allow this role with the ${ACCELERATOR_PREFIX}* condition.
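To make the exchange above concrete, here is an added example (not code from the repository or from either commenter) that models how the quoted SCP statement's `Resource` pattern and `ArnNotLike` condition on `aws:PrincipalARN` decide whether the deny applies. It assumes placeholder values for `${PARTITION}` and `${ACCELERATOR_PREFIX}` (`aws` and `AWSAccelerator`) and a constructed account id, and it maps an STS assumed-role session ARN to the IAM role ARN, which is what `aws:PrincipalARN` carries for role sessions.

```python
import re

# Assumed substitution values for the SCP variables (placeholders, not from the page).
PARTITION = "aws"
ACCELERATOR_PREFIX = "AWSAccelerator"

# Resource pattern and ArnNotLike exemption list from the quoted deny statement.
# Effect and Action are not shown in the issue, so only the match logic is modelled.
DENY_RESOURCE = f"arn:{PARTITION}:lambda:*:*:function:{ACCELERATOR_PREFIX}*"
EXEMPT_PRINCIPALS = [f"arn:{PARTITION}:iam::*:role/{ACCELERATOR_PREFIX}*"]


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike/ArnNotLike wildcard matching: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def effective_principal(arn: str) -> str:
    """aws:PrincipalARN for an assumed-role session is the IAM role ARN, not the STS ARN."""
    m = re.fullmatch(r"arn:([^:]+):sts::(\d+):assumed-role/([^/]+)/.*", arn)
    if not m:
        return arn  # already an IAM principal ARN
    partition, account, role = m.groups()
    return f"arn:{partition}:iam::{account}:role/{role}"


def scp_denies(principal_arn: str, resource_arn: str) -> bool:
    """True when the deny statement applies: resource matches and principal is not exempt."""
    principal = effective_principal(principal_arn)
    resource_matches = arn_like(DENY_RESOURCE, resource_arn)
    principal_exempt = any(arn_like(p, principal) for p in EXEMPT_PRINCIPALS)
    return resource_matches and not principal_exempt


if __name__ == "__main__":
    # Constructed sample values mirroring the issue's error message.
    fn = "arn:aws:lambda:ca-central-1:111111111111:function:AWSAccelerator-LoggingSta-CustomS3PutPublicAccessB-qVf24HMYcEfF"
    ct = "arn:aws:sts::111111111111:assumed-role/AWSControlTowerExecution/cdk-assume-role-plugin"
    pipeline = "arn:aws:sts::111111111111:assumed-role/AWSAccelerator-PipelineRole/cdk-assume-role-plugin"
    print("AWSControlTowerExecution denied:", scp_denies(ct, fn))   # True
    print("AWSAccelerator-PipelineRole denied:", scp_denies(pipeline, fn))  # False
```

Setting `customDeploymentRole` to a role whose name starts with the accelerator prefix is exactly what flips the second case from denied to allowed.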

JimToupet commented 3 months ago

Good catch, the line was commented out. I uncommented it and it ran smoothly. I'll be attentive for the next deployment, but I'm pretty sure you pointed it out right.

Thanks Olivier!