Closed jo-koe closed 2 years ago
@jo-koe can you give us a copy of your manifest.yml, scrubbing any sensitive data? It would help us reproduce this error. Thanks!
Here you go (very much simplified):
manifest.yaml:
---
region: eu-central-1
version: 2021-03-15
resources:
- name: TestSsm
resource_file: templates/test.yaml
parameter_file: parameters/test.json
deploy_method: stack_set
deployment_targets:
accounts:
- Management
parameters/test.json:
[
{
"ParameterKey": "TestSsmParameter",
"ParameterValue": "$[alfred_ssm_/cloud-landing-zone/test]"
}
]
Thanks for the extra info here! I am actually unable to reproduce this bug, the SSM integration works the test environment, and updates the CFN parameter accordingly using the value stored in SSM. I would suggest you reach out to AWS Premium Support to dive deeper into your deployment and why your CodeBuild role needed modification to function as expected.
Not sure if this is related or not, but I am getting this error trying to set the SSM Params from Manifest.
Account ###### should have 'AWSControlTowerExecution' role with trust relationship to Role 'service-role/AWSControlTowerStackSetRole'.
@schwinbp typically that is a StackSet deployment error due to IAM permissions issues. I would recommend either opening a new issue here if there's an issue with CfCT, but for troubleshooting your deployment/environment, I'd recommend reaching out to AWS Premium Support as well.
@jo-koe I'm going to close this issue due to inactivity, but please feel free to open new issues if you have additional problems.
I've seen this permission error as well. In my case, it occurred because the SSM parameter it was looking for did not exist.
The reason it did not exist was a side-effect of #25. I had changed the name of a parameter in the manifest, but the update did not take, so the parameter was never actually renamed in SSM.
Describe the bug The
control-tower-customizations-StackSetCodeBuildRole
can't access SSM parameters which results in the following error message inCustom-Control-Tower-StackSet-CodeBuild
job:The policy
Custom-Control-Tower-StackSet-CodeBuild-Policy-SSM
attached to the role looks like this:If we remove
parameter/
from the resource it works!To Reproduce Use a parameter from SSM in manifest.yaml.
Expected behavior No error.
Please complete the following information about the solution:
Screenshots N/A
Additional context N/A