aws-solutions / workload-discovery-on-aws

Workload Discovery on AWS is a solution to visualize AWS Cloud workloads. With it you can build, customize, and share architecture diagrams of your workloads based on live data from AWS. The solution maintains an inventory of the AWS resources across your accounts and regions, mapping their relationships and displaying them in the user interface.
https://aws.amazon.com/solutions/implementations/workload-discovery-on-aws/
Apache License 2.0

AWS Organizations and the CloudFormation StackSets SERVICE_MANAGED permission model doesn't deploy the WorkloadDiscoveryRole IAM role to the management account #559

Open Ruben-Sh opened 4 days ago

Ruben-Sh commented 4 days ago

If your issue relates to the Discovery Process, please first follow the steps described in the implementation guide Debugging the Discovery Component


Describe the bug

When the solution is deployed with AWS Organizations and the CloudFormation StackSets SERVICE_MANAGED permission model, the WdGlobalResources CloudFormation StackSet doesn't deploy a stack instance to the management account. This is expected according to the CloudFormation StackSets design; please see resource [1]:

Considerations when creating a stack set with service-managed permissions
Before you create a stack set with service-managed permissions, consider the following:
...
StackSets doesn't deploy stack instances to the organization's management account, even if the management account is in your organization or in an OU in your organization.

This means the required WorkloadDiscoveryRole IAM role isn't deployed automatically in the management account. When the WorkloadDiscoveryRole IAM role isn't deployed to the management account, the ECS task which runs the discovery activity reports the following error:

{"message":"Access denied assuming role: arn:aws:iam::<Management Account ID>:role/WorkloadDiscoveryRole-XXXXXXXXXXXX. This is the management account, ensure the global resources template has been deployed to the account.","level":"error","timestamp":"YYYY-MM-DDTHH:MM:SS.XXXZ"}

The Workload Discovery on AWS Implementation Guide doesn't provide clear guidance that the WorkloadDiscoveryRole IAM role is required to be deployed to the management account. Only when you log into the web UI under the configure -> accounts section is a warning displayed advising to deploy a CloudFormation stack to the management account to create the required role.


The Workload Discovery on AWS Implementation Guide provides a section called AWS Organizations account discovery mode (please see resource [2]) with the following details:

When Workload Discovery on AWS is deployed in an AWS Organization, the discovery of accounts is no longer managed through the solution’s web UI. In this case, you don’t need to manage the deployment of CloudFormation templates to discover accounts.

Instead, the solution uses an AWS Organization-wide AWS Config aggregator to discover resources in all accounts in the organization that have AWS Config enabled.

For resource types that aren’t supported by AWS Config, the solution automatically deploys an IAM role in each account in the organization using AWS CloudFormation StackSets. This role allows the discovery process to make SDK calls in all the organization’s accounts to discover these supplementary resources.

This StackSet is configured to automatically deploy the role in any new accounts that are added to the organization and delete the role from any accounts removed from the organization. 

The Import a Region section (please see resource [3]) contains the following:

Note
The following section only applies when the solution’s account discovery mode is self-managed. For information on how account discovery works in AWS Organizations mode, see the AWS Organizations Account Discovery Mode section. 

Importing a Region requires certain infrastructure to be deployed. This infrastructure consists of Global and Regional resources:

Global – Resources that are deployed once in an account and reused for each Region imported.

    An IAM role (WorkloadDiscoveryRole)

Regional – Resources that are deployed in each Region imported.

    An AWS Config Delivery Channel

    An Amazon S3 bucket for AWS Config

    An IAM role (ConfigRole)

There are two options to deploy this infrastructure:

    AWS CloudFormation StackSets (recommended)

    AWS CloudFormation

The Import a Region section "Use CloudFormation StackSets to provision Global resources across accounts" (please see resource [4]) contains some details on using StackSets but doesn't provide information regarding StackSets and the required role for the management account.

Could you update the implementation guide to provide clear guidance for this deployment scenario, please?

Resources:
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org
[2] https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/aws-organizations-account-discovery-mode.html
[3] https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/import-a-region.html
[4] https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/import-a-region.html#use-cloudformation-stacksets-to-provision-global-resources-across-accounts
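As an added example that is not part of this issue or of the solution's own code, two offline checks for the gap described above: one parses discovery task log lines for the error quoted in the issue and extracts the management account ID and role name, the other compares an organization's account list with the WdGlobalResources StackSet's stack instances and lists accounts that have no role stack, flagging the management account. All inputs are constructed samples; the dictionary shapes are assumed to follow the AWS CLI output of `aws organizations list-accounts` and `aws cloudformation list-stack-instances`, and the management account ID is assumed to come from `aws organizations describe-organization` (Organization.MasterAccountId).

```python
import json
import re

# Constructed sample ECS task log lines, shaped like the error quoted in the issue.
SAMPLE_LOGS = [
    '{"message":"Discovered 42 resources in 111111111111","level":"info","timestamp":"2024-01-01T00:00:00.000Z"}',
    '{"message":"Access denied assuming role: arn:aws:iam::999999999999:role/WorkloadDiscoveryRole-abc123def456. '
    'This is the management account, ensure the global resources template has been deployed to the account.",'
    '"level":"error","timestamp":"2024-01-01T00:00:01.000Z"}',
]

# Constructed samples shaped like `aws organizations list-accounts` (Accounts[]) and
# `aws cloudformation list-stack-instances --stack-set-name WdGlobalResources` (Summaries[]).
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "999999999999", "Name": "management", "Status": "ACTIVE"},
    {"Id": "111111111111", "Name": "workloads-prod", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "workloads-dev", "Status": "ACTIVE"},
]
SAMPLE_STACK_INSTANCES = [
    {"Account": "111111111111", "Region": "eu-west-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "eu-west-1", "Status": "CURRENT"},
]

ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/(WorkloadDiscoveryRole-[^\s.]+)")


def management_role_errors(log_lines):
    """Return (account_id, role_name) for each management-account access-denied error."""
    found = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured log line
        if not isinstance(entry, dict):
            continue
        msg = entry.get("message", "")
        if entry.get("level") != "error" or "This is the management account" not in msg:
            continue
        m = ROLE_ARN_RE.search(msg)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def accounts_without_role_stack(org_accounts, stack_instances, management_account_id):
    """Active accounts lacking a CURRENT stack instance; the management account is flagged."""
    covered = {s["Account"] for s in stack_instances if s.get("Status") == "CURRENT"}
    return [
        {"Id": a["Id"], "Name": a["Name"], "is_management": a["Id"] == management_account_id}
        for a in org_accounts
        if a.get("Status") == "ACTIVE" and a["Id"] not in covered
    ]
```

Under the SERVICE_MANAGED model the management account will always appear in the second check's output, which is the account the global resources template must be deployed to by hand.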

svozza commented 4 days ago

I will add a backlog item to update the documentation.