External Pipeline - failure on fresh account

[Zangror]

Describe the bug When deploying LZA in an external pipeline deployment (see there), pipeline fails in the prepare stage due to non-existing bucket.

$ /codebuild/output/src4266/src/s3/00/source/packages/@aws-accelerator/accelerator/node_modules/.bin/ts-node --transpile-only cdk.ts --require-approval never deploy --stage prepare --config-dir /codebuild/output/src4266/src/s3/01 --partition aws --app cdk.out
✨  Synthesis time: 0.06s
AWSAccelerator-PrepareStack-ROOT-ACCOUNT-ID-HOME-REGION:  start: Building 08b9b3477ed07b0660a4948e5c50ec29b386ca2d4634870c9f553e18090993a5:ROOT-ACCOUNT-ID-HOME-REGION
AWSAccelerator-PrepareStack-ROOT-ACCOUNT-ID-HOME-REGION:  success: Built 08b9b3477ed07b0660a4948e5c50ec29b386ca2d4634870c9f553e18090993a5:ROOT-ACCOUNT-ID-HOME-REGION
AWSAccelerator-PrepareStack-ROOT-ACCOUNT-ID-HOME-REGION:  start: Publishing 08b9b3477ed07b0660a4948e5c50ec29b386ca2d4634870c9f553e18090993a5:ROOT-ACCOUNT-ID-HOME-REGION
.....
AWSAccelerator-PrepareStack-ROOT-ACCOUNT-ID-HOME-REGION:  fail: No bucket named 'cdk-accel-assets-ROOT-ACCOUNT-ID-HOME-REGION'. Is account ROOT-ACCOUNT-ID bootstrapped?

It seems that the account id of the pipeline account is no took over the account id of the root account.

Seems that the issue is located here;

• https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/b37c5c13e3458f6bd991f4cc92c6b218c0a884c1/source/packages/%40aws-accelerator/accelerator/utils/stack-utils.ts#L72
• https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/b37c5c13e3458f6bd991f4cc92c6b218c0a884c1/source/packages/%40aws-accelerator/accelerator/utils/stack-utils.ts#L128

In place of the managementAccountId, it should be either the root Account ID, or the Pipeline Account ID.

To Reproduce Follow procedure at this link to create AWSAccelerator-InstallerStack.template.json for external deployment account. Create the installer pipeline. Modify the config codecommit repository to match your organization (aka add the deployment account and the Organizational Unit to the account-configs.yaml and organization-configs.yaml respectfully). Relaunch the pipeline.

Expected behavior CDK assets should be stored in the pipeline account and not in the root account

Please complete the following information about the solution:

• [X] Version: v1.8.1
• [X] Region: eu-west-1
• [X] Was the solution modified from the version published on this repository? No
• [X] If the answer to the previous question was yes, are the changes available on GitHub? /
• [X] Have you checked your service quotas for the services this solution uses? Yes
• [X] Were there any errors in the CloudWatch Logs? No

Additional context Add any other context about the problem here.

[Zangror]

I've made progress by bootstrapping manually the bucket in the root account (even if this is not our expected behavior).

But after in the "Logging" stage and in the "key" action, I have the following error in the deployment of "key" templates;

/codebuild/output/src11/src/s3/00/source/packages/@aws-accelerator/accelerator/node_modules/.bin/ts-node --transpile-only cdk.ts --require-approval never deploy --stage key --config-dir /codebuild/output/src11/src/s3/01 --partition aws --app cdk.out
✨ Synthesis time: 0.04s 
...
✅ AWSAccelerator-KeyStack-ROOT-ACCOUNT-ID-HOME-REGION 
...
✅ AWSAccelerator-DependenciesStack-ROOT-ACCOUNT-ID-HOME-REGION
...
AWSAccelerator-KeyStack-PIPELINE-ACCOUNT-ID-HOME-REGION:  start: Building f25da16f29976e2036767349989daa9407391f24b21b456e459db489a1e6cc81:PIPELINE-ACCOUNT-ID-HOME-REGION
AWSAccelerator-KeyStack-PIPELINE-ACCOUNT-ID-HOME-REGION:  success: Built f25da16f29976e2036767349989daa9407391f24b21b456e459db489a1e6cc81:PIPELINE-ACCOUNT-ID-HOME-REGION
AWSAccelerator-KeyStack-PIPELINE-ACCOUNT-ID-HOME-REGION:  start: Publishing f25da16f29976e2036767349989daa9407391f24b21b456e459db489a1e6cc81:PIPELINE-ACCOUNT-ID-HOME-REGION
... more logs ...
AWSAccelerator-KeyStack-PIPELINE-ACCOUNT-ID-HOME-REGION:  fail: Bucket named 'cdk-accel-assets-ROOT-ACCOUNT-ID-HOME-REGION' exists, but not in account PIPELINE-ACCOUNT-ID. Wrong account?

[cfromm1911]

Having the same or similar issue with 1.9.0. Pipeline is referencing a us-east-1 bucket when the homeRegion is set to us-east-2.

AWSAccelerator-AccountsStack-ACCOUNTID-us-east-1: fail: No bucket named 'cdk-accel-assets-ACCOUNTID-us-east-1'. Is account ACCOUNTID bootstrapped?

@Zangror Could you give some advice on how you were able bootstrap the bucket? I think it would help my situation

[Zangror]

Simply CDK Boostrap

I used the following command

cdk bootstrap --toolkitStackName AWSAccelerator-CDKToolkit aws://ACCOUNT_ID/us-east-1 --qualifier accel

[erwaxler]

Hi @Zangror , thank you for raising this issue with the Landing Zone Accelerator team!

I have taken a closer look at this issue, and I believe this is a side-effect of the cdk bootstrap operation failing in the Installer Pipeline during the initial run. I've created an issue internally to track this work and have prioritized it for an upcoming release. I will keep this ticket updated as the team works toward a resolution.

Thank you for your continued support of the Landing Zone Accelerator!