aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

Unable to execute AWSUtility::CloudFormation::CommandRunner private registry in AWS Control Tower Customization Solution #76

Closed cjchrist777 closed 8 months ago

cjchrist777 commented 2 years ago

AWSUtility::CloudFormation::CommandRunner private registry is not recognised when executing it in the AWS Control Tower Customization Solution

I'm trying to execute the AWS CloudFormation resource in one of the child accounts but it is not recognised during the execution. I've installed the private registry in both the management account and the child account in which I actually execute the resource.

Here is the error returned in the corresponding AWS Step Functions' state machine:

```json
{
  "error": "ClientError",
  "cause": {
    "errorMessage": "An error occurred (ValidationError) when calling the UpdateStackSet operation: Template format error: Unrecognized resource types: [AWSUtility::CloudFormation::CommandRunner]\nGuidance: Enable cloudFormation:GetTemplateSummary to prevent validation failures on privately registered resources",
    "errorType": "ClientError",
    "stackTrace": [
      " File \"/var/task/state_machine_router.py\", line 200, in lambda_handler\n return cloudformation(event, function_name)\n",
      " File \"/var/task/state_machine_router.py\", line 45, in cloudformation\n response = stack_set.update_stack_set()\n",
      " File \"/var/task/state_machine_handler.py\", line 624, in update_stack_set\n response = stack_set.update_stack_set(\n",
      " File \"/var/task/aws/services/cloudformation.py\", line 282, in update_stack_set\n response = self.cfn_client.update_stack_set(\n",
      " File \"/var/runtime/botocore/client.py\", line 386, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
      " File \"/var/runtime/botocore/client.py\", line 705, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
    ]
  }
}
```

groverlalit commented 2 years ago

Thanks for raising this issue. We have added this to our backlog.

jdnurmi commented 2 years ago

For the next person that runs into this, it appears to be a resource issue - in this patch:

--- a/aws-control-tower-customizations/deployment/custom-control-tower-initiation.template
+++ b/aws-control-tower-customizations/deployment/custom-control-tower-initiation.template
@@ -1275,6 +1275,7 @@ Resources:
               - Effect: Allow
                 Action:
                   - cloudformation:ValidateTemplate
+                  - cloudformation:GetTemplateSummary
                 Resource: '*'
         - PolicyName: State-Machine-Lambda-Policy-SSM
           PolicyDocument:
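Review bot: the added `cloudformation:GetTemplateSummary` line is the exact action named in the ValidationError's Guidance text, and it lands in a statement that already grants `cloudformation:ValidateTemplate` on `Resource: '*'`, so the change widens the state-machine role by one read-only template-inspection call rather than by a new wildcard grant. Consider a YAML comment directly above the new action recording that it is required for privately registered resource types, so the wildcard is not re-flagged in a later IAM review without that context.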

I assume I just don't know the ARN that GetTemplateSummary needs, but this squelches the error. It makes me sad to put anything on `Resource: *`, but the risk seems low.
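An offline check for the gap discussed in this thread, added here as an example and not CFCT's own code: it scans a JSON CloudFormation template for resource types outside the `AWS::` namespace (the privately registered types that make UpdateStackSet need GetTemplateSummary) and reports which actions a given role policy still lacks. The template and the two policy documents are constructed samples modelled on the hunk above; Deny statements and NotAction are not evaluated.

```python
import json
import fnmatch

# Constructed sample: a template using the privately registered type from the
# issue beside a native AWS:: type, and a second template with native types only.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Bucket": {"Type": "AWS::S3::Bucket"},
        "Runner": {"Type": "AWSUtility::CloudFormation::CommandRunner",
                   "Properties": {"Command": "echo hello"}},
    }
})
NATIVE_ONLY_TEMPLATE = json.dumps(
    {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}})

# Constructed samples: the state-machine Lambda policy statement as it stood
# before the patch (ValidateTemplate only) and after it.
POLICY_BEFORE = {"Statement": [{"Effect": "Allow",
                                "Action": ["cloudformation:ValidateTemplate"],
                                "Resource": "*"}]}
POLICY_AFTER = {"Statement": [{"Effect": "Allow",
                               "Action": ["cloudformation:ValidateTemplate",
                                          "cloudformation:GetTemplateSummary"],
                               "Resource": "*"}]}


def registry_types(template_body: str) -> list[str]:
    """Resource types in the template that are not native AWS:: types."""
    tpl = json.loads(template_body)
    return sorted({r["Type"] for r in tpl.get("Resources", {}).values()
                   if not r["Type"].startswith("AWS::")})


def allows_action(policy: dict, action: str) -> bool:
    """True if an Allow statement matches the action; IAM action names are
    case-insensitive and may carry wildcards (e.g. cloudformation:Get*)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False


def missing_permissions(template_body: str, policy: dict) -> list[str]:
    """Actions the deploying role still lacks to validate this template."""
    needed = ["cloudformation:ValidateTemplate"]
    if registry_types(template_body):  # private types trigger GetTemplateSummary
        needed.append("cloudformation:GetTemplateSummary")
    return [a for a in needed if not allows_action(policy, a)]
```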

hkeeler commented 2 years ago

I am experiencing the same issue when trying to deploy the AWS CloudFormation Resource Types for Kubernetes. The proposed fix by @jdnurmi seems correct. Any estimates for when this could get incorporated into a release?

stumins commented 8 months ago

Hi @cjchrist777 @jdnurmi @hkeeler,

CFCT v2.7.0 enables the use of privately registered CloudFormation resources by adding the GetTemplateSummary permission for all templates.

Thank you for reporting this issue!