awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

New AWS account deployment fails to enable AWS Identity Center #71

Open troyfactor4 opened 1 year ago

troyfactor4 commented 1 year ago

Describe the bug: On a fresh deploy of LZA 1.3.0 on a new Organization, the deploy will fail. The only workaround is to enable AWS Identity Center manually and deploy again.

To Reproduce

  1. Open a new account.
  2. Follow steps to create required LZA accounts and OUs.
  3. Enable a config that uses AWS Identity Center
  4. Deploy the config without manually enabling AWS Identity Center
  5. The pipeline fails at the Operations stage with the following message:

AWSAccelerator-OperationsStack-111111111111-us-east-1 | 23/39 | 8:24:20 PM | CREATE_FAILED | AWS::CloudFormation::CustomResource | IdentityCenterGetInstanceId/getIdentityCenter/Default (IdentityCenterGetInstanceIdgetIdentityCenter6DD43AEE) Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::111111111111:assumed-role/AWSAccelerator-Operations-IdentityCenterGetInstanc-1EHZOAZIG3WSD/AWSAccelerator-Operations-IdentityCenterGetInstanc-QNbJM4xRuVU3 is not authorized to perform: sso:ListInstances

Enabling AWS Identity Center manually and redeploying fixed the issue. All of the Pipeline and Lambda logs show that LZA was able to successfully turn on AWS Identity Center as well as successfully set the delegate admin to the proper account.

We set up a few sample users/roles/permissions in the accounts in question and used the AWS CLI to test. Sure enough, running list-instances was met with the same permissions error as the pipeline.

$ AWS_REGION=us-east-1 aws sso-admin list-instances

An error occurred (AccessDeniedException) when calling the ListInstances operation: User: arn:aws:iam::111111111111:user/testingssoDELETEME is not authorized to perform: sso:ListInstances

We believe that even though APIs claim to enable AWS Identity Center and will return some values that correlate to this, it is actually not fully enabled.

Expected behavior: AWS LZA should be able to turn on AWS Identity Center through APIs and deploy successfully on fresh accounts where AWS Identity Center has not yet been manually enabled.


We have all logs, and can assist in debugging.

farmerbean commented 1 year ago

QQ - does it get through security stack OK? We saw a logfile that it enabled idc .. but we assume because of the delegation from security-config.yaml

farmerbean commented 1 year ago

the documentation for iam idc is poor - e.g. https://catalog.workshops.aws/landing-zone-accelerator/en-US/lza-administrators/initial-customization/aws-sso-setup/aws-sso-overview

.. which doesn't tell you which file the config is IN..

troyfactor4 commented 1 year ago

@farmerbean - we've found the best documentation is the source code itself :joy:

Also here: https://awslabs.github.io/landing-zone-accelerator-on-aws/classes/_aws_accelerator_config.IamConfig.html

Yes, it got past the Security stack. It was failing on the Operations stack at:

new IdentityCenterGetInstanceId (/codebuild/output/src251/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-identity-center/identity-center-get-instance-id.ts:48:21)
farmerbean commented 1 year ago

Yeah we're also enjoying the "3 layers of documentation" here! 😂

Still not sure where to put that config, so need to open another ticket.

farmerbean commented 1 year ago

Actually have just worked it out from your post @troyfactor4 - you have to look at each class and work out the breadcrumb trail from the documentation..

erwaxler commented 1 year ago

Hi @troyfactor4 , thank you for your interest in Landing Zone Accelerator and for identifying this bug. I was able to reproduce this behavior in my own environment.

We are unfortunately unable to resolve this bug as the AWS Identity Center API does not yet support enabling AWS Identity Center programmatically. I will keep this issue open until the API becomes available to us and we can properly implement automatic setup. In the meantime I will update our documentation to highlight this point for customers deploying LZA without Control Tower enabled.

For the time being, as you correctly identified, AWS Identity Center should be enabled manually before configuring LZA to create AWS Identity Center resources.

alexhaycock commented 9 months ago

Hi All,

We've hit this issue recently and just wanted to add that enabling AWS Identity Center has to be done before the initial deployment of LZA if delegatedAdminAccount is set within the security-config.yaml file. We tried to deploy Identity Center after the initial deployment with the delegatedAdminAccount set to the audit account and kept seeing the following errors.

Failed resources:

AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 | 7:09:30 PM | CREATE_FAILED | Custom::SsmPutParameterValue | IdentityCenter1InstanceMetadataParameters/Resource/Default (IdentityCenter1InstanceMetadataParametersDA71A26A) CustomResource attribute error: Vendor response doesn't contain instanceArn key in object arn:aws:cloudformation:eu-west-2:111111111111:stack/AWSAccelerator-OrganizationsStack-111111111111-eu-west-2/1a882a60-9def-11ee-b68a-02e28898eae2|IdentityCenterInstanceIdentityCenterGetInstanceIdIdentityCenterGetInstanceIdResourceE2BD9B5B|640031af-9503-4aff-9471-350385d92468 in S3 bucket cloudformation-custom-resource-storage-euwest2
new CustomResource (/codebuild/output/src4285/src/s3/00/source/node_modules/aws-cdk-lib/core/lib/custom-resource.js:1:823)
_ new PutSsmParameter (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-ssm/put-ssm-parameter.ts:102:22)
_ OrganizationsStack.createIdentityCenterIdSsmParameter (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:849:7)
_ OrganizationsStack.enableIdentityCenterDelegatedAdminAccount (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:711:10)
_ new OrganizationsStack (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/organizations-stack.ts:150:12)
_ createOrganizationsStack (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:462:31)
_ createSingleAccountMultiRegionStacks (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:126:29)
_ main (/codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:229:5)
_ processTicksAndRejections (node:internal/process/task_queues:96:5)
_ async /codebuild/output/src4285/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:240:5

AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 failed: Error: The stack named AWSAccelerator-OrganizationsStack-111111111111-eu-west-2 failed to deploy: UPDATE_ROLLBACK_COMPLETE: CustomResource attribute error: Vendor response doesn't contain instanceArn key in object arn:aws:cloudformation:eu-west-2:111111111111:stack/AWSAccelerator-OrganizationsStack-111111111111-eu-west-2/1a882a60-9def-11ee-b68a-02e28898eae2|IdentityCenterInstanceIdentityCenterGetInstanceIdIdentityCenterGetInstanceIdResourceE2BD9B5B|640031af-9503-4aff-9471-350385d92468 in S3 bucket cloudformation-custom-resource-storage-euwest2

To get round this we had to do the following:

  1. Deregister the audit account as the delegated admin by running the following command in the management account: aws organizations deregister-delegated-administrator --account-id 2222222222222 --service-principal sso.amazonaws.com
  2. Enable IAM Identity Center in the management account within the console.
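A preflight check that catches both failure modes in this thread (the sso:ListInstances denial in the original report and the missing instanceArn with a delegatedAdminAccount already registered, from the comment above) before the LZA pipeline runs. This is an added example, not LZA or AWS code: it evaluates the JSON shapes returned by `aws sso-admin list-instances` and `aws organizations list-delegated-administrators --service-principal sso.amazonaws.com`, and the sample responses and account IDs are constructed.

```python
"""Decide whether an Organization is ready for an LZA deploy that uses Identity Center.
Added example (not LZA code); feed it the parsed JSON of the two CLI calls above."""
from dataclasses import dataclass

ACCESS_DENIED = "AccessDeniedException"   # what ListInstances raises before enablement


@dataclass
class Verdict:
    ready: bool
    reason: str


def identity_center_preflight(list_instances, delegated_admins, configured_admin=None):
    """list_instances: ListInstances response dict, or ACCESS_DENIED if the call failed.
    delegated_admins: the DelegatedAdministrators list for sso.amazonaws.com.
    configured_admin: delegatedAdminAccount from security-config.yaml, if set."""
    registered = [a["Id"] for a in delegated_admins]
    # No visible instance: Identity Center was never enabled in the console.
    if list_instances == ACCESS_DENIED or not list_instances.get("Instances"):
        if registered:
            # The state from the comment above: a stale delegation blocks the
            # OrganizationsStack until it is removed and Identity Center enabled.
            return Verdict(False, f"Identity Center not enabled but {registered[0]} is "
                           "registered as delegated admin: deregister it, enable Identity "
                           "Center in the management account console, then redeploy")
        return Verdict(False, "Identity Center not enabled: enable it in the management "
                       "account console before deploying")
    arn = list_instances["Instances"][0]["InstanceArn"]
    # Identity Center allows a single delegated admin; a different registered
    # account than the one in security-config.yaml would conflict at deploy time.
    if configured_admin and registered and registered[0] != configured_admin:
        return Verdict(False, f"instance {arn} found, but delegated admin {registered[0]} "
                       f"does not match configured {configured_admin}")
    return Verdict(True, f"instance {arn} found; delegated admin state is consistent")


# Constructed sample responses (shapes of the real API output, values invented).
DENIED = ACCESS_DENIED
ENABLED = {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
                          "IdentityStoreId": "d-EXAMPLE"}]}
AUDIT_ADMIN = [{"Id": "222222222222", "ServicePrincipal": "sso.amazonaws.com"}]

if __name__ == "__main__":
    for args in [(DENIED, []), ({"Instances": []}, AUDIT_ADMIN),
                 (ENABLED, AUDIT_ADMIN, "222222222222"), (ENABLED, AUDIT_ADMIN, "333333333333")]:
        v = identity_center_preflight(*args)
        print("READY  " if v.ready else "BLOCKED", v.reason)
```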