aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0
356 stars 205 forks

Execution fails if non-existent OU in manifest #54

Closed trevorlatson closed 3 years ago

trevorlatson commented 3 years ago

I've found execution fails at the SCP stage, and never continues on to the Stack Set build, if it encounters an OU listed in the manifest.yaml that does not exist. This prevents a use-case we are interested in, where we are planning to build multiple new OUs, so we add them all to the manifest preemptively. Ideally the stack would continue on to the OUs that do exist at the time instead of failing completely. This would also apply to the Stack Set build pipeline: if it doesn't find the account, log an error but continue on with the accounts that do exist at the time.

Error: ValueError. Cause:

```json
{
  "errorMessage": "OU id is not found for NTI",
  "errorType": "ValueError",
  "stackTrace": [
    "  File \"/var/task/state_machine_router.py\", line 204, in lambda_handler\n    return service_control_policy(event, function_name)\n",
    "  File \"/var/task/state_machine_router.py\", line 69, in service_control_policy\n    response = scp.list_policies_for_ou()\n",
    "  File \"/var/task/state_machine_handler.py\", line 940, in list_policies_for_ou\n    raise ValueError(\"OU id is not found for {}\".format(ou_name))\n"
  ]
}
```
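The failure above is a name-to-id lookup that raises as soon as one OU in the manifest has no match in AWS Organizations. A practical workaround is a pre-flight check run before the pipeline: compare every OU named in the manifest against the OUs that actually exist and report the gaps per resource, so the SCP stage is never reached with an unknown OU. The following is an added example, not code from the aws-control-tower-customizations project. The manifest structure mirrors the v2 `resources` / `deployment_targets` layout, the manifest contents and the OU names and ids are constructed sample data, and `resolve_ou_id` reproduces only the error message shown in the trace, not the project's implementation.

```python
"""Pre-flight check: which OUs named in a CfCT manifest do not exist in the org.

Added example (not project code). In practice the manifest comes from
yaml.safe_load(open("manifest.yaml")) and the OU map from
organizations.list_organizational_units_for_parent(); both are embedded
here as constructed sample data so the script runs offline.
"""
from __future__ import annotations

# Constructed sample manifest (assumed v2-style layout).
SAMPLE_MANIFEST = {
    "region": "us-east-1",
    "resources": [
        {
            "name": "deny-leave-org",
            "resource_file": "policies/deny-leave-org.json",
            "deploy_method": "scp",
            "deployment_targets": {"organizational_units": ["Security", "Workloads"]},
        },
        {
            "name": "baseline",
            "resource_file": "templates/baseline.yaml",
            "deploy_method": "stack_set",
            "deployment_targets": {"organizational_units": ["Workloads", "NTI"]},
        },
    ],
}

# Constructed sample of OU name -> OU id as Organizations would report it.
# The ids are hypothetical placeholders.
EXISTING_OUS = {
    "Security": "ou-abcd-11111111",
    "Workloads": "ou-abcd-22222222",
}


def ous_referenced(manifest: dict) -> dict[str, list[str]]:
    """Map each OU name in the manifest to the resources that target it."""
    refs: dict[str, list[str]] = {}
    for res in manifest.get("resources", []):
        targets = res.get("deployment_targets", {})
        for ou_name in targets.get("organizational_units", []):
            refs.setdefault(ou_name, []).append(res["name"])
    return refs


def find_missing_ous(manifest: dict, existing: dict[str, str]) -> dict[str, list[str]]:
    """Return {ou_name: [resource names]} for OUs the org does not have.

    An empty dict means the manifest is safe to deploy with respect to OUs.
    """
    return {ou: res for ou, res in ous_referenced(manifest).items() if ou not in existing}


def resolve_ou_id(ou_name: str, existing: dict[str, str]) -> str:
    """Fail-fast lookup; the message matches the one in the trace above."""
    try:
        return existing[ou_name]
    except KeyError:
        raise ValueError("OU id is not found for {}".format(ou_name)) from None


def partition_targets(resource: dict, existing: dict[str, str]) -> tuple[list[str], list[str]]:
    """Skip-and-continue variant: (resolvable OU ids, unresolvable OU names).

    This is the behaviour the reporter asks for: deploy to the OUs that exist
    now and log the rest instead of aborting the whole run.
    """
    resolved, missing = [], []
    for ou_name in resource.get("deployment_targets", {}).get("organizational_units", []):
        if ou_name in existing:
            resolved.append(existing[ou_name])
        else:
            missing.append(ou_name)
    return resolved, missing


if __name__ == "__main__":
    missing = find_missing_ous(SAMPLE_MANIFEST, EXISTING_OUS)
    for ou_name, resources in missing.items():
        print(f"OU '{ou_name}' does not exist; referenced by: {', '.join(resources)}")
    for res in SAMPLE_MANIFEST["resources"]:
        ok, skipped = partition_targets(res, EXISTING_OUS)
        print(f"{res['name']}: deploy to {ok}; skipping {skipped}")
    raise SystemExit(1 if missing else 0)
```

Run it as a pipeline gate: a non-zero exit blocks the CodePipeline stage before the state machine ever calls `list_policies_for_ou`, and the printed list tells you exactly which manifest entries to remove until the OU is created.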

groverlalit commented 3 years ago

@trevorlatson The creation of the OU is a prerequisite before adding it to the manifest. In version 2.0 we added the capability to add empty OUs in the manifest. In this case, it only creates the stack set and not stack instances.