Closed RobBrazier closed 2 years ago
Sorry for the delay on this. I can confirm there is a defect.
GetOrCreatePolicyTask contains:
with self.hub_regional_client("organizations") as orgs:
which only works if the puppet hub account is the org management account.
DoExecuteServiceControlPoliciesTask also contains this.
The issue is also present in the tag policies tasks.
No worries! I was just testing out a fix in https://github.com/RobBrazier/aws-service-catalog-puppet/blob/scp-assume-role/servicecatalog_puppet/workflow/service_control_policies/get_or_create_policy_task.py#L39 but it doesn't seem to be working yet.
https://github.com/awslabs/aws-service-catalog-puppet/releases/tag/0.148.0 resolves this. The template https://service-catalog-tools.s3.eu-west-2.amazonaws.com/puppet/latest/servicecatalog-puppet-scp-master.template.yaml has been updated to add two missing actions.
Please include a link to your expanded manifest and the full contents of your AWS CodeBuild output (see https://aws-service-catalog-puppet.readthedocs.io/en/latest/puppet/using_the_cli.html#export-puppet-pipeline-logs).
Please ensure you are using the latest version and have run a validate command on your manifest file (see https://aws-service-catalog-puppet.readthedocs.io/en/latest/puppet/using_the_cli.html#validate).
I'm trying to configure puppet to deploy SCPs (currently to a single account as a trial run, but it would be going wider later on).
I was following the docs at https://service-catalog-tools-workshop.com/every-day-use/800-applying-service-control-policies.html. I've launched the CFN stack in the Organization Master account and created an SSM parameter referencing the role that was created in the Puppet account.
It looks like the SSM parameter referencing the role in the org master is used in ServiceControlPolicySectionTask; however, this task doesn't look to be executed (I can't find any references in the code that use it either).
It looks like the only task being executed is GetOrCreatePolicyTask. I'm wondering whether ServiceControlPolicySectionTask might be an old variant whose code needs to be replicated across to GetOrCreatePolicyTask, as I see it references 'policies', and it doesn't look like that key exists anymore (according to the docs).
I'm going through the code to try and determine where ServiceControlPolicySectionTask would fit in, or whether GetOrCreatePolicyTask needs updating (I'm suspecting the latter).
Steps to reproduce
Expected results
New SCP created and attached to individual account
Actual results
AccessDeniedException when calling CreatePolicy within GetOrCreatePolicyTask (it is being attempted from the Puppet account, which doesn't have that permission).
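To make the defect concrete, here is an added illustration (not the project's own code, and not the fix that shipped in 0.148.0) of the two code paths: the hub-account Organizations client that only works when the hub is the org management account, and the variant that first assumes the management-account role the SSM parameter points at. The names organizations_client, get_or_create_scp, session_factory and the role ARN are hypothetical; boto3 is imported lazily so the selection logic can be exercised with fake sessions.

```python
from typing import Any, Callable, Optional


def _default_session_factory(**kwargs: Any) -> Any:
    # boto3 is imported lazily so the logic below can be tested without it installed.
    import boto3
    return boto3.Session(**kwargs)


def organizations_client(hub_session: Any, org_master_role_arn: Optional[str],
                         region: str = "us-east-1",
                         session_name: str = "puppet-scp",
                         session_factory: Callable[..., Any] = _default_session_factory) -> Any:
    """Return an Organizations client able to call CreatePolicy.

    Without a role ARN this is the plain hub-account client, i.e. the code path in
    the issue, which only works when the hub is the org management account (any
    other account gets AccessDeniedException). With the role ARN from the SSM
    parameter, the management-account role is assumed first and the client is
    built from the temporary credentials, so the hub needs only sts:AssumeRole."""
    if not org_master_role_arn:
        return hub_session.client("organizations", region_name=region)
    sts = hub_session.client("sts", region_name=region)
    creds = sts.assume_role(RoleArn=org_master_role_arn,
                            RoleSessionName=session_name)["Credentials"]
    assumed = session_factory(aws_access_key_id=creds["AccessKeyId"],
                              aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"],
                              region_name=region)
    return assumed.client("organizations", region_name=region)


def get_or_create_scp(orgs: Any, name: str, content: str, description: str) -> str:
    """Return the id of the SCP called `name`, creating it only if it is absent.
    Matching on name keeps the task idempotent across pipeline runs."""
    paginator = orgs.get_paginator("list_policies")
    for page in paginator.paginate(Filter="SERVICE_CONTROL_POLICY"):
        for summary in page["Policies"]:
            if summary["Name"] == name:
                return summary["Id"]
    created = orgs.create_policy(Content=content, Description=description,
                                 Name=name, Type="SERVICE_CONTROL_POLICY")
    return created["Policy"]["PolicySummary"]["Id"]
```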