aws-solutions / workload-discovery-on-aws

Workload Discovery on AWS is a solution to visualize AWS Cloud workloads. With it you can build, customize, and share architecture diagrams of your workloads based on live data from AWS. The solution maintains an inventory of the AWS resources across your accounts and regions, mapping their relationships and displaying them in the user interface.
https://aws.amazon.com/solutions/implementations/workload-discovery-on-aws/
Apache License 2.0

Account Role Status Unknown #512

Closed BQuinn-Assured closed 9 months ago

BQuinn-Assured commented 9 months ago

If your issue relates to the Discovery Process, please first follow the steps described in the implementation guide Debugging the Discovery Component


I have completed the above. Cluster health is yellow, but I am told that all single-node clusters start in health yellow.

Describe the bug: I do not know if my account and region will ever be discovered.

To Reproduce:
Deployed CloudFormation template successfully
Deployed Global Resource successfully
Deployed Regional Resource successfully
Selected Import from Form
Account ID, Name and Region selected

Account Management shows:
Account Role Status: "Unknown" in blue with an i-in-circle sign
Account Last Discovered: "Awaiting Discovery" in blue with an i-in-circle sign
Region Resources: "Not Discovered" in red with a bang-in-triangle sign
None of these informational or warning messages provide any further detail.

Expected behavior: I expect my Region and Account to be discovered and/or to receive some indication of why they are not or when they first will be.

Screenshots: (image attached)

Browser (please complete the following information):

Additional context: Deployed with the following non-default configs in the CloudFormation template:
NeptuneInstanceClass: db.serverless
OpensearchInstanceType: t3small.search
IPAllowListedRanges: <Contains a single /32>

BQuinn-Assured commented 9 months ago

{
  "msg": "[{\"errorType\":\"WAFForbiddenException\",\"message\":\"403 Forbidden\"}]",
  "stack": "Error: [{\"errorType\":\"WAFForbiddenException\",\"message\":\"403 Forbidden\"}]\n at /code/src/lib/apiClient/appSync.js:57:33\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async Object.getAccounts (/code/src/lib/utils.js:174:24)\n at async Promise.all (index 0)\n at async discoverResources (/code/src/lib/index.js:19:69)\n at async discover (/code/src/index.js:14:3)",
  "level": "error",
  "message": "Error in Discovery process.",
  "timestamp": "2024-02-17T19:31:31.667Z"
}

What other CIDR blocks do I need to allow in the WAF? All of my public and private VPCs?

svozza commented 9 months ago

The issue is the ApiAllowListedRanges value. It is not used to control access to the UI; it is only for accessing the AppSync API. The discovery process needs to be able to access it, so if you set it to a value that stops the ECS tasks in the private subnet from being able to access the API, you will see that error. Set the parameter back to the default value (0.0.0.0/1,128.0.0.0/1) and the process will start running successfully. I realise the parameter is confusing and I am going to remove it in the next release.

BQuinn-Assured commented 9 months ago

Attempting that now, but I am getting CREATE_FAILED. Status reason: Embedded stack arn:aws:cloudformation:us-east-1:x:stack/DemoV2-Disco-OpenSearchRoleStack-1OESR206WF0QS/071de720-cf69-11ee-a18b-0a5a41998387 was not successfully created: The following resource(s) failed to create: [ElasticSearchServiceLinkedRole]

BQuinn-Assured commented 9 months ago

Figured it out. Failed Delete Stack process.

svozza commented 9 months ago

Btw, I've realised there is a way to lock down access to the AppSync API so that the discovery process is able to access it but it's not open to the whole internet. You can do this by adding the IP addresses of both NAT gateways provisioned by the VPC stack (you can find them in the stack named <wd-stack-name>-VpcStack-<ID-string>) to the ApiAllowListedRanges parameter. Remember, though, that it needs to be a valid CIDR, so if the IP address of your NAT gateway is 3.3.3.3 then it needs to be entered as 3.3.3.3/32. I will add this information to the documentation.
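The lockdown described above, as an added example that is not part of the project's code: given the NAT gateway public IPs (constructed sample values in `NAT_GATEWAY_IPS`), it builds the `/32` entries for `ApiAllowListedRanges`, rejects bare addresses that are not valid CIDRs, and reports which NAT gateway addresses a proposed allow list would leave out, which is the condition that produced the `WAFForbiddenException` earlier in the thread. The function names are assumptions of this example.

```python
import ipaddress

# Constructed sample: the two NAT gateway public IPs you would read from the
# <wd-stack-name>-VpcStack-<ID-string> stack (hypothetical addresses).
NAT_GATEWAY_IPS = ["3.3.3.3", "3.3.3.4"]

# Default ApiAllowListedRanges value quoted in the thread: two /1 blocks that
# together cover every IPv4 address, which is why the default never blocks discovery.
DEFAULT_ALLOW_LIST = "0.0.0.0/1,128.0.0.0/1"


def parse_allow_list(value):
    """Parse the comma-separated parameter into networks. A bare address is
    rejected because the WAF parameter needs CIDR notation (3.3.3.3/32, not 3.3.3.3)."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if "/" not in item:
            raise ValueError(f"{item!r} is not CIDR notation; enter it as {item}/32")
        # strict=True also rejects entries with host bits set, e.g. 10.0.0.5/24
        networks.append(ipaddress.IPv4Network(item, strict=True))
    return networks


def allow_list_for_nat_gateways(nat_ips):
    """Build the minimal ApiAllowListedRanges value: one /32 per NAT gateway IP."""
    return ",".join(f"{ipaddress.IPv4Address(ip)}/32" for ip in nat_ips)


def discovery_blocked_by(value, nat_ips):
    """Return the NAT gateway IPs that the allow list would NOT admit, i.e. the
    egress addresses whose discovery requests the WAF would answer with 403."""
    networks = parse_allow_list(value)
    return [ip for ip in nat_ips
            if not any(ipaddress.IPv4Address(ip) in net for net in networks)]


if __name__ == "__main__":
    locked_down = allow_list_for_nat_gateways(NAT_GATEWAY_IPS)
    print("ApiAllowListedRanges =", locked_down)
    # A single unrelated /32 (as in the original report) blocks both NAT gateways.
    print("blocked by 203.0.113.7/32:", discovery_blocked_by("203.0.113.7/32", NAT_GATEWAY_IPS))
    print("blocked by lockdown value:", discovery_blocked_by(locked_down, NAT_GATEWAY_IPS))
```

Run it before changing the stack parameter: an empty list from `discovery_blocked_by` means the discovery tasks behind those NAT gateways will still reach the API.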