Open adeolaolawuyi opened 9 months ago
I've just been testing a bit more on this issue and, looking at the logs, I'm not sure if it's the following resources trying to create at the same time that is causing the issue:
Custom::OrganizationsRegisterDelegatedAdministrator | RegisterConfigDelegatedAdministrator/Resource/Default
Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default
In order to get round this I had to do the following:
Describe the bug
Deploying AWS LZA using AWS Organizations with a pre-existing CodeCommit repository, the OrganizationStack is failing when attempting to execute AuditManagerEnableOrganizationAdminAccount. The failure is due to the following reason:
AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 43/63 | 2:16:11 PM | CREATE_FAILED | Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default (AuditManagerEnableOrganizationAdminAccount9070BCC2) Received response status [FAILED] from custom resource. Message returned: ValidationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later. (Service: AWSOrganizations; Status Code: 400; Error Code: ConcurrentModificationException; Request ID: fc1f4036-e407-4d69-bad2-e4a0a538abca; Proxy: null)
Received response status [FAILED] from custom resource. Message returned: ValidationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later. (Service: AWSOrganizations; Status Code: 400; Error Code: ConcurrentModificationException; Request ID: fc1f4036-e407-4d69-bad2-e4a0a538abca; Proxy: null)
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
(RequestId: fff87462-785f-466e-9ff8-71084b4b6fa3)
Retrying the Organization Pipeline stage after manually deleting the OrganizationStack gave another error:
AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 38/63 | 3:43:13 PM | CREATE_FAILED | Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default (AuditManagerEnableOrganizationAdminAccount9070BCC2) Received response status [FAILED] from custom resource. Message returned: ValidationException: Cannot change delegated Admin for an active account 111111111111 from null to [AuditAccountID]
Received response status [FAILED] from custom resource. Message returned: ValidationException: Cannot change delegated Admin for an active account 111111111111 from null to [AuditAccountID]
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
(RequestId: cca345ab-90c2-4979-b9b5-745dacb14ee2)
To Reproduce
Deploy AWS LZA using AWS Organizations with a pre-existing CodeCommit repository. It's important to clarify that our setup does not involve AWS Control Tower.
Expected behavior
Pipeline to run successfully with no errors.
Please complete the following information about the solution:
Screenshots
Screenshot attached.
Additional context
N/A