awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

AWSAccelerator-OrganizationStack: AuditManagerEnableOrganizationAdminAccount Error #370

Open adeolaolawuyi opened 9 months ago

adeolaolawuyi commented 9 months ago

Describe the bug
Deploying AWS LZA using AWS Organizations with a pre-existing CodeCommit repository, the OrganizationStack is failing when attempting to execute AuditManagerEnableOrganizationAdminAccount. The failure is due to the following reason:

AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 43/63 | 2:16:11 PM | CREATE_FAILED | Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default (AuditManagerEnableOrganizationAdminAccount9070BCC2) Received response status [FAILED] from custom resource. Message returned: ValidationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later. (Service: AWSOrganizations; Status Code: 400; Error Code: ConcurrentModificationException; Request ID: fc1f4036-e407-4d69-bad2-e4a0a538abca; Proxy: null)

Received response status [FAILED] from custom resource. Message returned: ValidationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later. (Service: AWSOrganizations; Status Code: 400; Error Code: ConcurrentModificationException; Request ID: fc1f4036-e407-4d69-bad2-e4a0a538abca; Proxy: null) at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27) at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8) at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12) at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12) (RequestId: fff87462-785f-466e-9ff8-71084b4b6fa3)

Retrying the Organization Pipeline stage after manually deleting the OrganizationStack gave another error:

AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 38/63 | 3:43:13 PM | CREATE_FAILED | Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default (AuditManagerEnableOrganizationAdminAccount9070BCC2) Received response status [FAILED] from custom resource. Message returned: ValidationException: Cannot change delegated Admin for an active account 111111111111 from null to [AuditAccountID]

Received response status [FAILED] from custom resource. Message returned: ValidationException: Cannot change delegated Admin for an active account 111111111111 from null to [AuditAccountID] at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27) at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8) at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12) at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12) (RequestId: cca345ab-90c2-4979-b9b5-745dacb14ee2)

To Reproduce
Deploy AWS LZA using AWS Organizations with a pre-existing CodeCommit repository. It's important to clarify that our setup does not involve AWS Control Tower.

Expected behavior
Pipeline to run successfully with no errors.


Screenshots
Screenshots attached (Screenshot from 2024-01-02 14-34-29, 14-36-04, 15-32-02 and 15-33-07).

Additional context
N/A

alexhaycock commented 9 months ago

I've just been testing a bit more on this issue and, looking at the logs, I'm not sure whether it's the following resources trying to create at the same time that's causing the issue:

Custom::OrganizationsRegisterDelegatedAdministrator | RegisterConfigDelegatedAdministrator/Resource/Default Custom::AuditManagerEnableOrganizationAdminAccount | AuditManagerEnableOrganizationAdminAccount/Resource/Default

In order to get round this I had to do the following:

  1. Empty cost and usage report bucket
  2. Delete cost and usage report bucket
  3. Disable termination protection
  4. Delete OrganizationsStack
  5. Retry Organization stage of pipeline
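The two errors quoted above are what a delegated-administrator custom resource runs into when it neither retries on AWS Organizations' ConcurrentModificationException nor checks whether the account is already registered before writing. The following is an added example, not code from landing-zone-accelerator-on-aws or from either commenter: it serialises the registrations for several service principals, retries each write with jittered exponential backoff on the retryable Organizations error codes, and skips the write when the account is already the delegated administrator, so a pipeline retry is idempotent. The `org` object is a constructed stand-in that only mimics the two AWS Organizations calls used (ListDelegatedAdministrators and RegisterDelegatedAdministrator) and injects the conflict error a fixed number of times per write; the account id 222222222222 and the two service principals are illustrative values, and nothing here talks to AWS.

```javascript
// Added example (not LZA project code): retry-with-backoff plus idempotency
// check for registering a delegated administrator in AWS Organizations.

// Error codes AWS Organizations returns for transient write conflicts.
// SDK v2 errors carry `.code`, SDK v3 errors carry `.name`; both are checked.
const RETRYABLE_CODES = ['ConcurrentModificationException', 'TooManyRequestsException'];

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Calls `op` until it succeeds, a non-retryable error is thrown, or
// `maxAttempts` is exhausted. Delay is exponential with jitter, capped at
// `maxDelayMs`. `sleep` is injectable so the behaviour can be exercised
// without real waiting.
async function withRetry(op, { maxAttempts = 5, baseDelayMs = 500, maxDelayMs = 8000 } = {}, sleep = defaultSleep) {
  for (let attempt = 1; ; attempt++) {
    try {
      const result = await op();
      return { result, attempts: attempt };
    } catch (err) {
      const code = err && (err.code || err.name);
      if (RETRYABLE_CODES.indexOf(code) === -1 || attempt >= maxAttempts) {
        throw err; // ValidationException and friends are not retried
      }
      const delay = Math.min(maxDelayMs, baseDelayMs * 2 ** (attempt - 1)) + Math.floor(Math.random() * 250);
      await sleep(delay);
    }
  }
}

// Registers `accountId` as delegated administrator for `servicePrincipal`,
// skipping the write when it is already registered. Returns what happened so
// a custom resource handler can report it instead of failing on a re-run.
async function ensureDelegatedAdmin(org, accountId, servicePrincipal, sleep = defaultSleep) {
  const { result: listed } = await withRetry(
    () => org.listDelegatedAdministrators({ ServicePrincipal: servicePrincipal }), {}, sleep);
  const admins = listed.DelegatedAdministrators || [];
  if (admins.some((a) => a.Id === accountId)) {
    return 'already-registered';
  }
  await withRetry(
    () => org.registerDelegatedAdministrator({ AccountId: accountId, ServicePrincipal: servicePrincipal }), {}, sleep);
  return 'registered';
}

// Registers one account for several service principals strictly one after
// another; running them in parallel is the suspected trigger for the conflict.
async function registerDelegatedAdmins(org, accountId, servicePrincipals, sleep = defaultSleep) {
  const outcomes = {};
  for (const principal of servicePrincipals) {
    outcomes[principal] = await ensureDelegatedAdmin(org, accountId, principal, sleep);
  }
  return outcomes;
}

// Constructed stand-in for the Organizations client (not the AWS SDK). Every
// write fails `failuresPerWrite` times with ConcurrentModificationException
// before succeeding, reproducing the first error in the issue; reads succeed.
function makeFlakyOrganizations(failuresPerWrite) {
  const registered = {}; // servicePrincipal -> [accountId]
  const pending = {};    // servicePrincipal -> failures still to inject
  const client = {
    writeAttempts: 0,
    async listDelegatedAdministrators({ ServicePrincipal }) {
      return { DelegatedAdministrators: (registered[ServicePrincipal] || []).map((id) => ({ Id: id })) };
    },
    async registerDelegatedAdministrator({ AccountId, ServicePrincipal }) {
      client.writeAttempts++;
      if (pending[ServicePrincipal] === undefined) pending[ServicePrincipal] = failuresPerWrite;
      if (pending[ServicePrincipal] > 0) {
        pending[ServicePrincipal]--;
        const err = new Error("AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later.");
        err.code = 'ConcurrentModificationException';
        throw err;
      }
      registered[ServicePrincipal] = (registered[ServicePrincipal] || []).concat(AccountId);
    },
  };
  return client;
}

// Stand-alone run: first pass registers both principals despite two injected
// conflicts per write; second pass is a no-op because the account is already
// registered. Sleep is a no-op here so the demo finishes instantly.
const noSleep = async () => {};
const demoOrg = makeFlakyOrganizations(2);
const auditAccountId = '222222222222'; // illustrative audit account id
registerDelegatedAdmins(demoOrg, auditAccountId, ['config.amazonaws.com', 'auditmanager.amazonaws.com'], noSleep)
  .then((first) => registerDelegatedAdmins(demoOrg, auditAccountId, ['config.amazonaws.com'], noSleep)
    .then((second) => console.log(JSON.stringify({ first, second, writeAttempts: demoOrg.writeAttempts }))));
```

In a real handler the `org` argument would be the SDK Organizations client and `sleep` would be left at its default; the point of the shape is that a pipeline retry after a partial failure reports `already-registered` rather than attempting a second write against an account that is already delegated.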