awslabs / aws-service-catalog-puppet

This is a framework where you list your AWS accounts with tags and your AWS Service Catalog products with tags or target accounts. The framework works through your lists, dedupes and spots collisions and then provisions the products into your AWS accounts for you. It handles the Portfolio sharing, its acceptance and can provision products cross account and cross region.
Apache License 2.0

SCP deployments: /servicecatalog-puppet/org-scp-role-arn doesn't seem to be used #468

Closed RobBrazier closed 2 years ago

RobBrazier commented 2 years ago

Please include a link to your expanded manifest, the full contents of your AWS CodeBuild output (see https://aws-service-catalog-puppet.readthedocs.io/en/latest/puppet/using_the_cli.html#export-puppet-pipeline-logs)

Please ensure you are using the latest version and have run a validate command on your manifest file (see https://aws-service-catalog-puppet.readthedocs.io/en/latest/puppet/using_the_cli.html#validate)

I'm trying to configure puppet to deploy SCPs (currently to a single account as a trial run, but would be going wider later on)

I was following the docs on https://service-catalog-tools-workshop.com/every-day-use/800-applying-service-control-policies.html - I've launched the CFN stack in the Organization Master account and created an SSM Param referencing the role that was created in the Puppet account

It looks like the SSM parameter referencing the role in the org master is used in ServiceControlPolicySectionTask, however this task doesn't look to be executed (I can't find any references in the code either that use it).

Looks like the only task that's being executed is GetOrCreatePolicyTask - I'm wondering whether ServiceControlPolicySectionTask might be an old variant with code that needs to be replicated across to GetOrCreatePolicyTask, as I see it's referencing 'policies', and that key doesn't look like it exists anymore (according to the docs)

I'm going through the code to try and determine where ServiceControlPolicySectionTask would fit in, or whether GetOrCreatePolicyTask needs updating (I'm suspecting the latter)

Steps to reproduce

  1. Set up puppet-organizations-service-control-policies-stack on Org Master
  2. Create SSM param for org master role on puppet account https://service-catalog-tools-workshop.com/every-day-use/800-applying-service-control-policies.html#setting-the-org-iam-role-arn
  3. Configure service-control-policy in puppet configuration (using example from https://service-catalog-tools-workshop.com/every-day-use/800-applying-service-control-policies.html#applying-an-scp-to-a-specific-account for specific account) within the Puppet account within an organization
  4. Run puppet (version 0.143.0)

Expected results

New SCP created and attached to individual account

Actual results

AccessDeniedException when calling CreatePolicy within GetOrCreatePolicyTask (being attempted within the Puppet account, which doesn't have that permission)

eamonnfaherty commented 2 years ago

Sorry for the delay on this. I can confirm there is a defect.

GetOrCreatePolicyTask contains:

with self.hub_regional_client("organizations") as orgs:

which only works if the puppet hub account is the org management account.

eamonnfaherty commented 2 years ago

DoExecuteServiceControlPoliciesTask also contains this.

eamonnfaherty commented 2 years ago

The issue is also present in the tag policies tasks
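The defect the three comments above describe is that the policy tasks build their Organizations client from the hub account's own credentials, so the calls only succeed when the hub is also the organization management account. The sketch below is an added illustration of the cross-account pattern the workshop sets up, not code from aws-service-catalog-puppet: read the role ARN from the SSM parameter named in the issue title, assume that role with STS, and build the Organizations client from the temporary credentials. The parameter value, the role name `puppet-org-scp`, the fake boto3-style session and clients, and the sample SCP document are all constructed here so the example runs offline; in production you would pass a real `boto3.Session()`.

```python
"""Cross-account Organizations client for SCP tasks (added illustration, not
project code). Assumes /servicecatalog-puppet/org-scp-role-arn in the puppet hub
account holds the ARN of a role in the organization management account that
trusts the hub role and allows organizations:ListPolicies/CreatePolicy/AttachPolicy.
"""
ORG_ROLE_ARN_PARAM = "/servicecatalog-puppet/org-scp-role-arn"


def org_management_client(session, region):
    """Return an Organizations client whose calls run as the org management role.

    The hub's own credentials are used only to read SSM and call STS; the
    assumed-role credentials are what authorise CreatePolicy/AttachPolicy.
    `session` needs a boto3.Session-style .client(); a fake is used below.
    """
    ssm = session.client("ssm", region_name=region)
    role_arn = ssm.get_parameter(Name=ORG_ROLE_ARN_PARAM)["Parameter"]["Value"]
    sts = session.client("sts", region_name=region)
    creds = sts.assume_role(
        RoleArn=role_arn, RoleSessionName="puppet-scp", DurationSeconds=900
    )["Credentials"]
    return session.client(  # Organizations is global; any region_name routes
        "organizations", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def get_or_create_policy(orgs, name, description, content,
                         policy_type="SERVICE_CONTROL_POLICY"):
    """Idempotent lookup-or-create by policy name; returns (policy_id, created)."""
    kwargs = {"Filter": policy_type}
    while True:  # walk every page before deciding to create
        page = orgs.list_policies(**kwargs)
        for policy in page["Policies"]:
            if policy["Name"] == name:
                return policy["Id"], False
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    created = orgs.create_policy(Name=name, Description=description,
                                 Content=content, Type=policy_type)
    return created["Policy"]["PolicySummary"]["Id"], True


def ensure_attached(orgs, policy_id, target_id):
    """Attach to an account or OU; a re-run must not fail on the duplicate."""
    try:
        orgs.attach_policy(PolicyId=policy_id, TargetId=target_id)
        return True
    except Exception as exc:  # boto3 raises orgs.exceptions.DuplicatePolicyAttachmentException
        if type(exc).__name__ != "DuplicatePolicyAttachmentException":
            raise
        return False


# ---- constructed stand-ins so the example runs offline (not boto3) -----------
class DuplicatePolicyAttachmentException(Exception):
    pass


class FakeClient:
    def __init__(self, service, creds):
        self.service, self.creds = service, creds
        self.policies, self.attachments = [], []

    def get_parameter(self, Name):
        assert Name == ORG_ROLE_ARN_PARAM
        return {"Parameter": {"Value": "arn:aws:iam::111111111111:role/puppet-org-scp"}}

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token-for:" + RoleArn}}

    def list_policies(self, Filter, NextToken=None):
        return {"Policies": [{"Id": pid, "Name": n, "Type": Filter} for pid, n in self.policies]}

    def create_policy(self, Name, Description, Content, Type):
        pid = "p-%08x" % len(self.policies)
        self.policies.append((pid, Name))
        return {"Policy": {"PolicySummary": {"Id": pid, "Name": Name}}}

    def attach_policy(self, PolicyId, TargetId):
        if (PolicyId, TargetId) in self.attachments:
            raise DuplicatePolicyAttachmentException()
        self.attachments.append((PolicyId, TargetId))
        return {}


class FakeSession:
    """Mimics boto3.Session.client(); remembers the credentials each client got."""
    def __init__(self):
        self.clients = {}

    def client(self, service, region_name=None, **creds):
        self.clients.setdefault(service, FakeClient(service, creds))
        return self.clients[service]


def demo():
    session = FakeSession()
    orgs = org_management_client(session, "eu-west-2")
    scp = ('{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*",'
           '"Resource":"*","Condition":{"StringNotEquals":'
           '{"aws:RequestedRegion":["eu-west-2"]}}}]}')  # constructed sample SCP
    pid, created = get_or_create_policy(orgs, "deny-other-regions", "trial", scp)
    pid2, created2 = get_or_create_policy(orgs, "deny-other-regions", "trial", scp)
    first = ensure_attached(orgs, pid, "123456789012")
    second = ensure_attached(orgs, pid, "123456789012")
    return {"same_id": pid == pid2, "created": (created, created2),
            "attached": (first, second), "token": orgs.creds["aws_session_token"]}


if __name__ == "__main__":
    print(demo())
```

The point to check when reviewing a fix of this kind is which credentials the Organizations client actually carries: in the demo the client's session token is the one STS minted for the role in the management account, so a CreatePolicy from the hub no longer depends on the hub having `organizations:*` itself, and the second run of both the create and the attach is a no-op rather than an error.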

RobBrazier commented 2 years ago

no worries! I was just testing out a fix in https://github.com/RobBrazier/aws-service-catalog-puppet/blob/scp-assume-role/servicecatalog_puppet/workflow/service_control_policies/get_or_create_policy_task.py#L39 but it doesn't seem to be working yet

eamonnfaherty commented 2 years ago

https://github.com/awslabs/aws-service-catalog-puppet/releases/tag/0.148.0 resolves this. The template https://service-catalog-tools.s3.eu-west-2.amazonaws.com/puppet/latest/servicecatalog-puppet-scp-master.template.yaml has been updated to add two missing actions.