Open troyfactor4 opened 1 year ago
QQ - does it get through the Security stack OK? We saw a log file that it enabled IdC, but we assume that's because of the delegation from security-config.yaml.
The documentation for IAM IdC is poor, e.g. https://catalog.workshops.aws/landing-zone-accelerator/en-US/lza-administrators/initial-customization/aws-sso-setup/aws-sso-overview, which doesn't tell you which file the config is IN.
@farmerbean - we've found the best documentation is the source code itself :joy:
Yes, it got past the Security stack. It was failing on the Operations stack at:
```text
new IdentityCenterGetInstanceId (/codebuild/output/src251/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-identity-center/identity-center-get-instance-id.ts:48:21)
```
Yeah we're also enjoying the "3 layers of documentation" here! 😂
Still not sure where to put that config, so need to open another ticket.
Actually, I have just worked it out from your post @troyfactor4: you have to look at each class and work out the breadcrumb trail from the documentation.
Hi @troyfactor4 , thank you for your interest in Landing Zone Accelerator and for identifying this bug. I was able to reproduce this behavior in my own environment.
We are unfortunately unable to resolve this bug as the AWS Identity Center API does not yet support enabling AWS Identity Center programmatically. I will keep this issue open until the API becomes available to us and we can properly implement automatic setup. In the meantime I will update our documentation to highlight this point for customers deploying LZA without Control Tower enabled.
For the time being, as you correctly identified, AWS Identity Center should be enabled manually before configuring LZA to create AWS Identity Center resources.
Hi All,
We've hit this issue recently and just wanted to add that enabling AWS Identity Center has to be done before the initial deployment of LZA if delegatedAdminAccount is set within the security-config.yaml file. We tried to deploy Identity Center after the initial deployment with delegatedAdminAccount set to the audit account and kept seeing the following errors.
Failed resources:

```text
AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 7:09:30 PM | CREATE_FAILED | Custom::SsmPutParameterValue | IdentityCenter1InstanceMetadataParameters/Resource/Default (IdentityCenter1InstanceMetadataParametersDA71A26A) CustomResource attribute error: Vendor response doesn't contain instanceArn key in object arn:aws:cloudformation:eu-west-2:111111111111:stack/AWSAccelerator-OrganizationsStack-111111111111-eu-west-2/1a882a60-9def-11ee-b68a-02e28898eae2|IdentityCenterInstanceIdentityCenterGetInstanceIdIdentityCenterGetInstanceIdResourceE2BD9B5B|640031af-9503-4aff-9471-350385d92468 in S3 bucket cloudformation-custom-resource-storage-euwest2
new CustomResource (/codebuild/output/src4285/src/s3/00/source/node_modules/aws-cdk-lib/core/lib/custom-resource.js:1:823)
\_ new PutSsmParameter (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-ssm/put-ssm-parameter.ts:102:22)
\_ OrganizationsStack.createIdentityCenterIdSsmParameter (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:849:7)
\_ OrganizationsStack.enableIdentityCenterDelegatedAdminAccount (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:711:10)
\_ new OrganizationsStack (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:150:12)
\_ createOrganizationsStack (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:462:31)
\_ createSingleAccountMultiRegionStacks (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:126:29)
\_ main (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:229:5)
\_ processTicksAndRejections (node:internal/process/task_queues:96:5)
\_ async /codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:240:5
AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 failed: Error: The stack named AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 failed to deploy: UPDATE_ROLLBACK_COMPLETE: CustomResource attribute error: Vendor response doesn't contain instanceArn key in object arn:aws:cloudformation:eu-west-2:111111111111:stack/AWSAccelerator-OrganizationsStack-111111111111-eu-west-2/1a882a60-9def-11ee-b68a-02e28898eae2|IdentityCenterInstanceIdentityCenterGetInstanceIdIdentityCenterGetInstanceIdResourceE2BD9B5B|640031af-9503-4aff-9471-350385d92468 in S3 bucket cloudformation-custom-resource-storage-euwest2
```
To get round this we had to do the following:

```sh
aws organizations deregister-delegated-administrator --account-id 2222222222222 --service-principal sso.amazonaws.com
```
Describe the bug: On a fresh deploy of LZA 1.3.0 on a new Organization the deploy will fail. The only workaround is to enable AWS Identity Center manually and deploy again.
To Reproduce: Enabling AWS Identity Center manually and redeploying fixed the issue. All of the Pipeline and Lambda logs show that LZA was able to successfully turn on AWS Identity Center as well as successfully set the delegated admin to the proper account.
We set up a few sample users/roles/permissions in the accounts in question and used the AWS CLI to test. Sure enough, running `list-instances` was met with the same permissions error as the pipeline. We believe that even though the APIs claim to enable AWS Identity Center and will return some values that correlate to this, it is actually not fully enabled.
Expected behavior: AWS LZA should be able to turn on AWS Identity Center through APIs and deploy successfully on fresh accounts where AWS Identity Center has not yet been manually enabled.
We have all logs, and can assist in debugging.
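The two checks this thread converges on (does `list-instances` return an instance ARN, and is the audit account already registered as the `sso.amazonaws.com` delegated administrator) can be run as a preflight before the LZA pipeline, so the failure surfaces before `OrganizationsStack` rolls back. The script below is an added example written for this page; it is not LZA code and not the reporters' tooling. It assumes you run it with management-account credentials, that the script is saved as `lza-idc-preflight.sh` (a name chosen here), and it relies only on the two AWS CLI commands named in the thread plus the documented output keys of those commands (`Instances[].InstanceArn` and `DelegatedAdministrators[].Id`). The JSON samples in the test are constructed, not captured output.

```shell
#!/bin/sh
# Added preflight check (not part of LZA): confirm IAM Identity Center is
# actually enabled in the management account, and whether the
# sso.amazonaws.com delegated administrator is already registered, before
# deploying LZA with delegatedAdminAccount set in security-config.yaml.
set -eu

# Succeeds only if a list-instances response carries at least one InstanceArn.
# "Instances": [] (or no JSON at all because the call failed with the
# permissions error seen in the thread) means enablement has not completed.
idc_enabled() {
  printf '%s' "$1" | grep -q '"InstanceArn"[[:space:]]*:[[:space:]]*"arn:aws:sso:::instance/'
}

# Succeeds if the account id appears in a list-delegated-administrators
# response for --service-principal sso.amazonaws.com.
sso_delegated_admin_registered() {
  printf '%s' "$1" | grep -q "\"Id\"[[:space:]]*:[[:space:]]*\"$2\""
}

# Classify the two responses. Prints exactly one of:
#   ready           Identity Center enabled; safe to deploy with delegatedAdminAccount
#   enable-first    not enabled and no delegation yet; enable it in the console, then deploy
#   stale-delegate  not enabled but the delegation exists: the state behind the
#                   "Vendor response doesn't contain instanceArn" failure above;
#                   deregister the delegated admin, enable Identity Center, redeploy
preflight_state() {
  instances_json=$1; admins_json=$2; audit_account=$3
  if idc_enabled "$instances_json"; then
    echo ready
  elif sso_delegated_admin_registered "$admins_json" "$audit_account"; then
    echo stale-delegate
  else
    echo enable-first
  fi
}

# Live mode: fetch both responses with the AWS CLI. A failing list-instances
# call is treated as "no instances", which is the symptom the thread reports.
# Usage: sh lza-idc-preflight.sh --live <audit-account-id>
if [ "${1:-}" = "--live" ]; then
  audit_account=${2:?audit account id required}
  instances=$(aws sso-admin list-instances --output json 2>/dev/null \
              || echo '{"Instances":[]}')
  admins=$(aws organizations list-delegated-administrators \
             --service-principal sso.amazonaws.com --output json 2>/dev/null \
           || echo '{"DelegatedAdministrators":[]}')
  state=$(preflight_state "$instances" "$admins" "$audit_account")
  echo "identity-center preflight: $state"
  if [ "$state" = stale-delegate ]; then
    echo "fix: aws organizations deregister-delegated-administrator --account-id $audit_account --service-principal sso.amazonaws.com"
  fi
  # Non-zero exit blocks a pipeline stage that runs this before LZA deploys.
  [ "$state" = ready ]
fi
```

The matching is deliberately plain `grep` so the script has no dependency beyond the AWS CLI; the `stale-delegate` branch exists because enabling Identity Center after the delegation is registered is the exact ordering the thread shows failing, and deregistering first is the workaround the last commenter used.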