awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Using centralized logging for cloudtrail in me-central-1 causes the pipeline to fail #104

Closed Faisal-Suhail closed 10 months ago

Faisal-Suhail commented 1 year ago

Describe the bug
After the first successful run of the "AWSAccelerator-Pipeline", I changed the configuration files to have centralized logging of CloudTrail in the me-central-1 region. However, this change causes the pipeline to throw the error:

AWSAccelerator-LoggingStack--me-central-1 | 33/57 | 11:00:02 AM | CREATE_FAILED | AWS::IAM::Role | CentralLogsBucket/CrossAccountCentralBucketKMSArnSsmParamAccessRole (CentralLogsBucketCrossAccountCentralBucketKMSArnSsmParamAccessRole83E55C59) AWSAccelerator-CentralBucket-KeyArnParam-Role already exists

I tried to delete this role, and re-ran the failed stage, which is the Logging stage. However, this just causes more problems with already existing resources, and deleting the resources and re-running turns into a never-ending loop.

To Reproduce
1- Have the first pipeline run complete successfully.
2- Modify the global config file as follows:

homeRegion: eu-west-1
enabledRegions:
  - eu-west-1
  - me-central-1
managementAccountAccessRole: OrganizationAccountAccessRole
cloudwatchLogRetentionInDays: 3653
centralizeCdkBuckets:
  enable: true
terminationProtection: true
controlTower:
  enable: false
logging:
  account: LogArchive
  centralizedLoggingRegion: me-central-1
  cloudtrail:
    enable: true
    organizationTrail: true
    organizationTrailSettings:
      multiRegionTrail: true
      globalServiceEvents: true
      managementEvents: true
      s3DataEvents: true
      lambdaDataEvents: true
      sendToCloudWatchLogs: true
      apiErrorRateInsight: false
      apiCallRateInsight: false
    accountTrails: []
    lifecycleRules: []

  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: false
    excludeRegions: []
    excludeAccounts: []
    lifecycleRules: []
    attachPolicyToIamRoles: []

3- Then modify the security config file as follows:

centralSecurityServices:
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: false
    excludeRegions: []
  s3PublicAccessBlock:
    enable: false
    excludeAccounts: []
  scpRevertChangesConfig:
    enable: false
  snsSubscriptions: []
  macie:
    enable: false
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: false
    excludeRegions: []
    s3Protection:
      enable: false
      excludeRegions: []
    exportConfiguration:
      enable: false
      overrideExisting: false
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
  securityHub:
    enable: true
    regionAggregation: false
    excludeRegions: []
    standards:
    - name: AWS Foundational Security Best Practices v1.0.0
      enable: true
    - name: PCI DSS v3.2.1
      enable: true
    - name: CIS AWS Foundations Benchmark v1.2.0
      enable: true
    - name: CIS AWS Foundations Benchmark v1.4.0
      enable: true
  ssmAutomation:
    excludeRegions: []
    documentSets: []
accessAnalyzer:
  enable: false
iamPasswordPolicy:
  allowUsersToChangePassword: true
  hardExpiry: false
  requireUppercaseCharacters: true
  requireLowercaseCharacters: true
  requireSymbols: true
  requireNumbers: true
  minimumPasswordLength: 14
  passwordReusePrevention: 24
  maxPasswordAge: 90
awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true
  ruleSets: []
cloudWatch:
  metricSets: []
  alarmSets: []
keyManagementService:
  keySets: []

4- Re-run the pipeline.

Expected behavior
The Accelerator configures CloudTrail to create an organization-level trail in the audit account, creates a bucket in the archive (logging) account in the region "me-central-1", and has the organization-level trail send its logs to this S3 bucket.


For our internal reference: (kindly ignore this) @zeina99 is following this issue as well.
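The failure quoted in this report is a name collision on an account-global resource: IAM roles are not regional, so a second regional LoggingStack that tries to create a role with the same fixed name as the one already created in the original logging region fails with "already exists", and deleting the role by hand only moves the collision to the next fixed-name resource. The script below is an added example, not part of this issue or of the Landing Zone Accelerator project. It parses pipeline event lines in the format quoted above, flags CREATE_FAILED events on global-scoped resource types whose reason is an "already exists" collision, and reports which earlier stack created the same logical resource; it also checks a global-config dict for a centralizedLoggingRegion that is missing from enabledRegions or that changed since the previous deployment. The event lines are constructed to mirror the report (the eu-west-1 and KMS lines are invented), the config dicts mirror the YAML in the report, and the "previous" config's eu-west-1 value is an assumption; nothing calls AWS.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the CREATE_FAILED line is the one quoted in the issue; the
# eu-west-1 CREATE_COMPLETE and the KMS line are made up to show the filtering.
SAMPLE_EVENTS = [
    "AWSAccelerator-LoggingStack--eu-west-1 | 12/57 | 10:41:10 AM | CREATE_COMPLETE | AWS::IAM::Role | CentralLogsBucket/CrossAccountCentralBucketKMSArnSsmParamAccessRole (CentralLogsBucketCrossAccountCentralBucketKMSArnSsmParamAccessRole83E55C59)",
    "AWSAccelerator-LoggingStack--me-central-1 | 32/57 | 10:59:58 AM | CREATE_COMPLETE | AWS::KMS::Key | CentralLogsBucket/Key (CentralLogsBucketKeyA1B2C3D4)",
    "AWSAccelerator-LoggingStack--me-central-1 | 33/57 | 11:00:02 AM | CREATE_FAILED | AWS::IAM::Role | CentralLogsBucket/CrossAccountCentralBucketKMSArnSsmParamAccessRole (CentralLogsBucketCrossAccountCentralBucketKMSArnSsmParamAccessRole83E55C59) AWSAccelerator-CentralBucket-KeyArnParam-Role already exists",
]

# Pipeline event line: "<stack> | <n>/<total> | <time> | <status> | <type> | <logical> (<physical>) <reason>"
EVENT_RE = re.compile(
    r"^(?P<stack>\S+)\s*\|\s*(?P<step>\d+/\d+)\s*\|\s*(?P<time>[\d:]+ [AP]M)\s*\|\s*"
    r"(?P<status>[A-Z_]+)\s*\|\s*(?P<rtype>AWS::[A-Za-z0-9]+::[A-Za-z0-9]+)\s*\|\s*"
    r"(?P<logical>\S+)(?:\s*\((?P<physical>[^)]+)\))?\s*(?P<reason>.*)$"
)
REGION_RE = re.compile(r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$")  # trailing region in the stack name
EXISTS_RE = re.compile(r"^(?P<name>\S+) already exists$")

# Resource types whose names are account-global (IAM) or globally unique (S3), so a
# second regional stack using the same fixed name collides with the first one.
GLOBAL_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
                "AWS::IAM::User", "AWS::IAM::Group", "AWS::S3::Bucket"}


@dataclass
class Event:
    stack: str
    status: str
    resource_type: str
    logical_id: str
    physical_id: Optional[str]
    reason: str
    region: Optional[str]


def parse_event(line: str) -> Optional[Event]:
    """Parse one pipeline event line; return None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rm = REGION_RE.search(m.group("stack"))
    return Event(stack=m.group("stack"), status=m.group("status"),
                 resource_type=m.group("rtype"), logical_id=m.group("logical"),
                 physical_id=m.group("physical"), reason=m.group("reason").strip(),
                 region=rm.group("region") if rm else None)


def find_global_name_collisions(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """CREATE_FAILED events on global-scoped resources whose reason is an
    'already exists' collision, with the stack that completed the same logical
    resource earlier in the log (None if that stack is not in the log)."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    created_by: Dict[str, str] = {}
    for e in events:
        if e.status == "CREATE_COMPLETE":
            created_by.setdefault(f"{e.resource_type}|{e.logical_id}", e.stack)
    collisions = []
    for e in events:
        hit = EXISTS_RE.match(e.reason)
        if e.status == "CREATE_FAILED" and e.resource_type in GLOBAL_TYPES and hit:
            collisions.append({"stack": e.stack, "region": e.region,
                               "resource_type": e.resource_type, "name": hit.group("name"),
                               "first_created_in": created_by.get(f"{e.resource_type}|{e.logical_id}")})
    return collisions


# Mirrors the global-config YAML in the report (only the keys the check needs).
CURRENT_CONFIG = {"homeRegion": "eu-west-1", "enabledRegions": ["eu-west-1", "me-central-1"],
                  "logging": {"account": "LogArchive", "centralizedLoggingRegion": "me-central-1"}}
# Assumed previous value: the report does not state the region used on the first run.
PREVIOUS_CONFIG = {"homeRegion": "eu-west-1", "enabledRegions": ["eu-west-1", "me-central-1"],
                   "logging": {"account": "LogArchive", "centralizedLoggingRegion": "eu-west-1"}}


def check_logging_config(current: dict, previous: Optional[dict] = None) -> List[str]:
    """Pre-flight findings on the centralized-logging region before re-running the pipeline."""
    findings = []
    region = current["logging"]["centralizedLoggingRegion"]
    if region not in current["enabledRegions"]:
        findings.append(f"centralizedLoggingRegion {region} is not in enabledRegions {current['enabledRegions']}")
    if previous is not None:
        old = previous["logging"]["centralizedLoggingRegion"]
        if old != region:
            findings.append(f"centralizedLoggingRegion changed {old} -> {region} after deployment: "
                            f"fixed-name IAM roles created by the {old} LoggingStack are account-global "
                            f"and will collide when the {region} LoggingStack creates them again")
    return findings


if __name__ == "__main__":
    for c in find_global_name_collisions(SAMPLE_EVENTS):
        print(f"{c['stack']}: {c['resource_type']} {c['name']} already created by {c['first_created_in']}")
    for f in check_logging_config(CURRENT_CONFIG, PREVIOUS_CONFIG):
        print("finding:", f)
```

Run against a saved copy of the pipeline's event output, the collision report names the global resource and the stack that first created it, which is the information needed to decide whether the new region can share that resource or the configuration change has to be reverted, instead of deleting roles by hand and re-running until the next fixed-name resource fails.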

padebnat commented 1 year ago

Hello @Faisal-Suhail, thank you for reaching out to the Landing Zone Accelerator team! I wanted to let you know that we have added an item in our backlog to look into this issue.

Thank you for your support and interest in the LZA solution! I will leave this issue open should you have any follow-ups for the team, and we will update you when the issue is fixed.

bo1984 commented 10 months ago

Hello @Faisal-Suhail! Thank you for your patience; this issue has been addressed in our 1.5.0 release. I will be closing this issue out at this time.