Open richardkeit opened 3 weeks ago
Hey @richardkeit, thanks for writing this up. I know you mentioned in the linked issue that you narrowed this down to not setting the strategy
for the SCP explicitly. I'm reviewing the code, and am still unsure of why that would be occurring.
Specifically I'm looking at this code:
```typescript
// if SCP strategy is allow-list, then FullAWSAccess policy should be detached
if (strategy === 'allow-list' && fullAwsAccessPolicyAttached) {
  console.log('detaching FullAWSAccess policy because the strategy is allow-list');
  await detachSpecificPolicy(organizationsClient, 'p-FullAWSAccess', targetId);
}
// if SCP strategy is changed from allow-list to deny list, then FullAWSAccess policy should be attached
if (strategy === 'deny-list' && !fullAwsAccessPolicyAttached) {
  console.log('attaching FullAWSAccess policy because the strategy is deny-list');
  await attachSpecificPolicy(organizationsClient, 'p-FullAWSAccess', targetId);
}
```
This is where I would expect the bug to exist. Can you share the logs of the AWSAccelerator-AccountsSt-CustomOrganizationsAttac-cxRdNSFHLylv Lambda function? They may provide more insight on what is leading to the detachment of that policy.
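The following is an added example, not code from the Landing Zone Accelerator project or from either participant. It models the two-branch attach/detach decision quoted in the comment above against a recording fake of the Organizations client, so each strategy value, including an unset one, can be run offline. It is synchronous where the real custom resource awaits the SDK. `reconcileFullAwsAccess`, `reconcileFullAwsAccessStrict`, `normalizeStrategy`, `FakeOrganizationsClient`, `compare` and the OU id `ou-example-1` are hypothetical names, and treating an unset strategy as `deny-list` in the strict variant is an assumption, not the project's documented default.

```javascript
// Added example (hypothetical names; not LZA project code). Models the quoted
// attach/detach logic so the outcome for each strategy value can be inspected.
const FULL_AWS_ACCESS_POLICY_ID = 'p-FullAWSAccess'; // the AWS-managed SCP

class FakeOrganizationsClient {
  // initiallyAttached: { targetId: [policyId, ...] }, constructed test state
  constructor(initiallyAttached) {
    this.attachments = new Map(
      Object.entries(initiallyAttached).map(([target, ids]) => [target, new Set(ids)]),
    );
    this.calls = []; // every attach/detach issued by the code under test
  }
  isAttached(policyId, targetId) {
    return (this.attachments.get(targetId) ?? new Set()).has(policyId);
  }
  attachPolicy(policyId, targetId) {
    if (!this.attachments.has(targetId)) this.attachments.set(targetId, new Set());
    this.attachments.get(targetId).add(policyId);
    this.calls.push({ op: 'attach', policyId, targetId });
  }
  detachPolicy(policyId, targetId) {
    this.attachments.get(targetId)?.delete(policyId);
    this.calls.push({ op: 'detach', policyId, targetId });
  }
}

// Same two branches as the quoted snippet. Returns what happened so the third
// outcome the snippet handles silently is visible: neither branch matches and
// the target is left exactly as it was, whether or not FullAWSAccess is there.
function reconcileFullAwsAccess(client, strategy, targetId) {
  const attached = client.isAttached(FULL_AWS_ACCESS_POLICY_ID, targetId);
  if (strategy === 'allow-list' && attached) {
    client.detachPolicy(FULL_AWS_ACCESS_POLICY_ID, targetId);
    return 'detached';
  }
  if (strategy === 'deny-list' && !attached) {
    client.attachPolicy(FULL_AWS_ACCESS_POLICY_ID, targetId);
    return 'attached';
  }
  return 'unchanged';
}

// Hardened variant. Assumption: an unset strategy means deny-list, the mode in
// which FullAWSAccess must stay attached. Any other string fails loudly instead
// of silently matching neither branch.
function normalizeStrategy(strategy) {
  if (strategy === undefined || strategy === null || strategy === '') return 'deny-list';
  if (strategy !== 'allow-list' && strategy !== 'deny-list') {
    throw new Error(`unknown SCP strategy: ${JSON.stringify(strategy)}`);
  }
  return strategy;
}

function reconcileFullAwsAccessStrict(client, strategy, targetId) {
  return reconcileFullAwsAccess(client, normalizeStrategy(strategy), targetId);
}

// Runs one OU through both variants for a given strategy and initial state and
// returns the outcome plus the API calls each one made.
function compare(strategy, fullAwsAccessInitiallyAttached) {
  const results = {};
  const variants = [['asQuoted', reconcileFullAwsAccess], ['strict', reconcileFullAwsAccessStrict]];
  for (const [name, fn] of variants) {
    const client = new FakeOrganizationsClient({
      'ou-example-1': fullAwsAccessInitiallyAttached ? [FULL_AWS_ACCESS_POLICY_ID] : [],
    });
    results[name] = { outcome: fn(client, strategy, 'ou-example-1'), calls: client.calls };
  }
  return results;
}

// Walk the three interesting inputs against an OU that currently lacks FullAWSAccess.
for (const strategy of ['allow-list', 'deny-list', undefined]) {
  console.log(String(strategy), JSON.stringify(compare(strategy, false)));
}
```

With the strategy unset, the quoted version issues no API call at all, so it cannot by itself be what detaches FullAWSAccess; that is why the CloudWatch logs of the custom resource Lambda are the next thing to look at, since each branch logs before it calls the API.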
Describe the bug
Bootstrap fails with:
To Reproduce
Upgrade to 1.7.0
Expected behavior
Bootstrap doesn't fail
Please complete the following information about the solution:
[x] Version: v1.7.0
[x] Region: ap-southeast-2
[ ] Was the solution modified from the version published on this repository?
[ ] If the answer to the previous question was yes, are the changes available on GitHub?
[ ] Have you checked your service quotas for the services this solution uses?
[ ] Were there any errors in the CloudWatch Logs?
Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).
Additional context
Debugging found the custom resource removes the AWSFullAccess which is required at each OU: