org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Community::Organizations::Policy is not reliable. Errors out on creation, resources get created, but CFN in bad state #121

Open dyangelo-grullon opened 1 year ago

dyangelo-grullon commented 1 year ago

Community::Organizations::Policy v0.2.2 is exhibiting a non-functional sequence of events when deployed. Specifically it:

  1. Attempts to create the SCP by handling the CloudFormation create event.
  2. AWS Organizations responds with the following error:

ERROR: Resource Scp failed because Resource handler returned message: "AWS Organizations can't complete your request because another request is already in progress. Try again later."

  3. The resources do get created, regardless.
  4. On CFN re-create (via the org-formation CLI), the following error causes CFN and the org-formation CLI to fail:

Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyRootAccess' already exists."

Note: A CFN create event happens as the initial create did not succeed.

# org-formation tasks: register the resource type, then deploy the SCP stack
OrganizationsPolicyRp:
  Type: register-type
  ResourceType: "Community::Organizations::Policy"
  SchemaHandlerPackage: !Sub "s3://${catalogBucket}/community-organizations-policy-0.2.2.zip"
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible with the us-east-1 region
DenyRootAccess:
  Type: update-stacks
  Template: ./deny-root-access.yml
  StackName: !Sub "${resourcePrefix}-deny-root-access"
  DefaultOrganizationBindingRegion: us-east-1
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
    # you can use the following to exclude accounts from this SCP, either temporarily or permanently
    # ExcludeAccount: !Ref myAccount
  OrganizationBindings:
    TargetBinding:
      Account: "*"

# ./deny-root-access.yml
AWSTemplateFormatVersion: "2010-09-09-OC"

Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Restricts the use of the Root account
      Name: DenyRootAccess
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds:
        - Fn::EnumTargetAccounts TargetBinding ${account}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyRootUser
            Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              StringLike:
                "aws:PrincipalArn": "arn:aws:iam::*:root"

This is the only task being executed at the time of failure, so I am not aware of why AWS Organizations is throwing this throttling error in the first place. Regardless, the resources do get created. I wonder if the initial create can be a tad more resilient and re-discover the resource that was created, despite the error response from AWS Organizations.
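The behaviour asked for above (back off on the transient Organizations error, then re-discover the policy that was created despite the error instead of failing the next create with "already exists"), as an added Python example. It is not code from this repository or from the Community::Organizations::Policy provider. It uses only the CreatePolicy/ListPolicies call shapes of boto3's Organizations client through an injected client object; `ClientError` here is a stand-in with the same `.response["Error"]["Code"]` shape as botocore's, `FakeOrganizations` is a constructed in-memory client that reproduces the sequence reported in the issue, and `create_policy_idempotent`, `find_policy_by_name` and `demo` are names assumed for this example.

```python
"""Idempotent CreatePolicy against AWS Organizations (added example, not provider code).

Reproduces and handles the issue's failure mode: CreatePolicy raises
ConcurrentModificationException but the policy is created anyway, so a plain
retry (or a CloudFormation re-create) then hits DuplicatePolicyException.
"""
import json
import time

TRANSIENT_ERRORS = {"ConcurrentModificationException", "TooManyRequestsException"}


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same .response shape); assumed here."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def find_policy_by_name(client, policy_type, name):
    """Walk every page of ListPolicies for the type; return the matching summary or None."""
    token = None
    while True:
        kwargs = {"Filter": policy_type}
        if token:
            kwargs["NextToken"] = token
        page = client.list_policies(**kwargs)
        for summary in page.get("Policies", []):
            if summary["Name"] == name:
                return summary
        token = page.get("NextToken")
        if not token:
            return None


def create_policy_idempotent(client, name, description, policy_type, document,
                             max_attempts=5, sleep=time.sleep):
    """Return (policy_id, outcome); outcome is 'created' or 'adopted'.

    'adopted' means CreatePolicy raised, but a policy with that name exists afterwards
    (created by the failed call itself, or left behind by an earlier failed run).
    """
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        try:
            resp = client.create_policy(Content=json.dumps(document), Description=description,
                                        Name=name, Type=policy_type)
            return resp["Policy"]["PolicySummary"]["Id"], "created"
        except ClientError as err:  # with boto3 this would be botocore.exceptions.ClientError
            code = err.response["Error"]["Code"]
            # The failed call may still have created the policy: re-discover it before
            # retrying, otherwise the retry itself fails with DuplicatePolicyException.
            existing = find_policy_by_name(client, policy_type, name)
            if existing is not None:
                return existing["Id"], "adopted"
            if code not in TRANSIENT_ERRORS or attempt == max_attempts:
                raise
            sleep(delay)                  # capped exponential backoff
            delay = min(delay * 2, 30.0)


class FakeOrganizations:
    """Constructed in-memory client (not boto3). First CreatePolicy raises
    ConcurrentModificationException; with create_despite_error=True the policy is stored
    anyway, as observed in the issue. A repeat CreatePolicy for an existing name raises
    DuplicatePolicyException. ListPolicies returns one policy per page to exercise paging."""

    def __init__(self, fail_first=True, create_despite_error=True):
        self.policies, self.calls = {}, 0
        self.fail_first, self.create_despite_error = fail_first, create_despite_error

    def create_policy(self, Content, Description, Name, Type):
        self.calls += 1
        if Name in self.policies:
            raise ClientError("DuplicatePolicyException", "A policy with the same name already exists.")
        summary = {"Id": f"p-{len(self.policies) + 1:08d}", "Name": Name,
                   "Description": Description, "Type": Type, "AwsManaged": False}
        if self.fail_first and self.calls == 1:
            if self.create_despite_error:
                self.policies[Name] = summary
            raise ClientError("ConcurrentModificationException", "AWS Organizations can't complete "
                              "your request because another request is already in progress. Try again later.")
        self.policies[Name] = summary
        return {"Policy": {"PolicySummary": summary, "Content": Content}}

    def list_policies(self, Filter, NextToken=None):
        items = [p for p in self.policies.values() if p["Type"] == Filter]
        start = int(NextToken) if NextToken else 0
        page = {"Policies": items[start:start + 1]}
        if start + 1 < len(items):
            page["NextToken"] = str(start + 1)
        return page


DENY_ROOT_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}


def demo():
    """Run the issue's sequence against the fake client; returns the outcomes and call counts."""
    args = ("DenyRootAccess", "Restricts the use of the Root account", "SERVICE_CONTROL_POLICY", DENY_ROOT_SCP)
    no_sleep = lambda _seconds: None
    org = FakeOrganizations()
    first = create_policy_idempotent(org, *args, sleep=no_sleep)    # error, but policy exists -> adopted
    second = create_policy_idempotent(org, *args, sleep=no_sleep)   # re-create -> Duplicate -> adopted
    org2 = FakeOrganizations(create_despite_error=False)
    third = create_policy_idempotent(org2, *args, sleep=no_sleep)   # nothing created -> retry -> created
    return first, second, third, org.calls, org2.calls


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone porting this into a CloudFormation resource provider: the provider contract expects a create of a resource that already exists to report AlreadyExists, so adopting a pre-existing policy by name should be limited to the policy created by the handler's own failed call (or the handler has to record the policy id it was given before returning the error), and Organizations serializes mutating calls across the whole organization, so the "another request is already in progress" error can be caused by any concurrent write (another stack, a console session, an SCP attach), not only by the task being run.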

dyangelo-grullon commented 1 year ago

org-formation v1.0.6