awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Identity Center Configuration #72

Open farmerbean opened 1 year ago

farmerbean commented 1 year ago

Describe the bug: When deploying LZA into a brownfield AWS environment (with IDC already in main account) we see a line in the Operations stage that says:

[image]

We have not configured IDC in any of the yaml config, so where/how do we change this setting and put IDC in a delegated account that we specify? The documentation does not give a working example of this.

To Reproduce: Run LZA with IDC already configured in main.

Expected behavior: LZA should take no action if IDC delegation isn't specified in the yaml configs.


erwaxler commented 1 year ago

@farmerbean Hello, thank you for identifying this bug! This behavior is expected based on the current design in LZA 1.3.0. Currently, the account set as the delegatedAdminAccount in the security-config.yaml configuration file is used as the delegated administrator for AWS Identity Center.

We've received some similar customer feedback and agree that this behavior is unclear. Additionally, we understand customers may want to use a different account for Identity Center administration. Because of this, we've implemented a separate property in the iam-config.yaml to explicitly set the delegated administrator for AWS Identity Center.

We expect to release this feature in the upcoming v1.3.1 release; I will keep this issue open until that has launched.
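
A preflight check for the behaviour described in this thread, as an added example that is not LZA's own code or the maintainer's: given the parsed security-config.yaml and iam-config.yaml, it reports which account LZA will register as the Identity Center delegated administrator and flags the case where that delegation is silently inherited from security-config.yaml. The key paths `centralSecurityServices.delegatedAdminAccount` and `identityCenter.delegatedAdminAccount`, and the sample account names, are assumptions to adjust to the LZA version in use.

```python
from typing import List, Optional, Tuple

# Constructed sample configs, as they would look after yaml.safe_load().
# Key paths are assumptions; check them against your LZA version's schema.
SECURITY_CONFIG = {"centralSecurityServices": {"delegatedAdminAccount": "Audit"}}
IAM_CONFIG_NO_IDC = {"roleSets": []}
IAM_CONFIG_EXPLICIT = {"identityCenter": {"name": "org-idc",
                                          "delegatedAdminAccount": "Identity"}}


def effective_idc_admin(security_cfg: dict, iam_cfg: dict) -> Tuple[Optional[str], str]:
    """Return (account, source) for the Identity Center delegated administrator.

    source is 'iam-config' when iam-config.yaml sets it explicitly, and
    'security-config (inherited)' when the central security-services delegated
    admin is reused, which is the surprise reported in this issue.
    """
    explicit = (iam_cfg.get("identityCenter") or {}).get("delegatedAdminAccount")
    if explicit:
        return explicit, "iam-config"
    inherited = (security_cfg.get("centralSecurityServices") or {}).get("delegatedAdminAccount")
    if inherited:
        return inherited, "security-config (inherited)"
    return None, "none"


def preflight_findings(security_cfg: dict, iam_cfg: dict,
                       expected_admin: Optional[str]) -> List[str]:
    """Compare the effective delegation with the operator's intent.

    expected_admin is None when LZA should not delegate Identity Center at all.
    An empty list means the deploy will do what the operator expects.
    """
    account, source = effective_idc_admin(security_cfg, iam_cfg)
    findings: List[str] = []
    if account is not None and expected_admin is None:
        findings.append(f"LZA will delegate Identity Center to '{account}' via {source}, "
                        "but no Identity Center delegation was intended")
    elif account != expected_admin:
        findings.append(f"Identity Center delegated admin will be '{account}' via {source}, "
                        f"expected '{expected_admin}'")
    elif source.startswith("security-config"):
        findings.append("Identity Center delegation is inherited from security-config.yaml; "
                        "set identityCenter.delegatedAdminAccount in iam-config.yaml explicitly")
    return findings


if __name__ == "__main__":
    for finding in preflight_findings(SECURITY_CONFIG, IAM_CONFIG_NO_IDC, None):
        print("WARNING:", finding)
```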

supervirginia commented 11 months ago

Hello! I can confirm that with LZA v1.4.3 this is still happening. I thought that it was a manual change that we carried out when we enabled IC in our organization manually, but even if I unset the delegated admin in the IC settings manually in the console, when LZA runs again it re-sets it, just because we have the delegated admin set in the security-config.yaml. Please fix this issue, since it only causes confusion and breaks the LZA Deploy stage. I am still struggling with AWS support to try and fix this :/ Thanks in advance! Br, Virginia

ariggs-hf commented 8 months ago

I can also confirm that this is happening on a fresh installation of V1.5.1, in a greenfield AWS landing zone, and would really love some clear guidance here.

For now I'm considering forgoing management of Identity Center resources in LZA until this is addressed, but I'd really prefer to be using LZA for as much of this central landing zone management as possible.

ardens-jw commented 5 months ago

Just to add some more weight to this issue: is there any fix for this in v1.6.1? I see the same behaviour as other commentators here, whereby despite not setting a delegatedAdminAccount in iam-config.yml I'm still seeing Identity Centre deployed in the 'Audit' account as per the config in security-config.yaml.