Closed eduardomourar closed 2 years ago
@eduardomourar, is this likely the same issue? Is there a workaround until the linked PR is merged and released?
Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: 1234, HandlerErrorCode: AlreadyExists)
I'm running into it while trying to add a new account to our AWS organization using an essentially unchanged org-formation-reference.
Emitted CloudFormation template:
@NickDarvey, yes, it looks like the same issue. The only workaround for this is to delete the stack and recreate it again. The problem is only in the update operation of the resource provider.
I deleted the stack, but the same error occurs.
INFO: Executing: update-stacks src/templates/010-scps/deny-large-ec2.yml primacy-deny-large-ec2.
ERROR: error updating CloudFormation stack xyz-deny-large-ec2 in account 467661948439 (us-east-1).
Resource is not in the state stackCreateComplete (467661948439 = ManagementAccount)
ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: 1234, HandlerErrorCode: AlreadyExists).
ERROR: Stack xyz-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)
If I look in the console I can see the stack rolled back itself anyway so I'm not sure deleting the stack would have much effect.
xyz-deny-large-ec2 ROLLBACK_COMPLETE
Community::Organizations::Policy | DELETE_COMPLETE
Is there a way to manually delete a Community::Organizations::Policy?
Edit: Looks like I might be able to use deregister-type...?
I would not advise deregistering the type because it might leave the stack using it in a limbo state.
You should be able to manually delete the SCP through the AWS Organization console: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#aws-management-console
I've (detached and) deleted the DenyLargeEC2Instances SCP manually and redeployed but get the same result. Do you have any other suggestions?
@eduardomourar, should we not just update the replacement strategy? Would that fix the issue, and would updating to a new version with the right replacement strategy fix the issue for @NickDarvey?
Thanks.
Yes, it will most likely fix it. I will have a look tomorrow to rebase that previous PR and see if we can merge it.
A new version of the resource provider has been released here: s3://community-resource-provider-catalog/community-organizations-policy-0.2.2.zip. I tested myself and the update operation now works with the delete_then_create replacement strategy.
It worked, thank you @eduardomourar and @OlafConijn.
I just ran into this again when provisioning a new account using org-formation.
ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: asdf, HandlerErrorCode: AlreadyExists).
ERROR: Stack example-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)
Do I need to do something in my account so that the delete_then_create starts working?
If you try to update any of the target identifiers, the following error happens in Community::Organizations::Policy resource type v0.1.0: We need to change the replacement strategy to delete_then_create.
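To show where this setting lives, here is an added, illustrative CloudFormation resource-provider schema fragment (not this project's actual schema; the property names and the createOnlyProperties entry are assumptions). The default create_then_delete strategy creates the replacement policy under the same unique name before the old one is removed, which is what surfaces as the AlreadyExists error above:

```jsonc
// Illustrative resource-provider schema (assumed names; not the project's real schema).
// Changing a create-only property, such as the target ids, forces a replacement.
{
  "typeName": "Community::Organizations::Policy",
  "properties": {
    "Name":      { "type": "string" },
    "TargetIds": { "type": "array", "items": { "type": "string" } }
  },
  "primaryIdentifier": ["/properties/Name"],
  "createOnlyProperties": ["/properties/TargetIds"],

  // v0.1.0 behaviour (the CloudFormation default): the replacement policy is
  // created before the old one is deleted, so a policy named
  // 'DenyLargeEC2Instances' already exists and the handler reports AlreadyExists.
  // "replacementStrategy": "create_then_delete",

  // Fix described in this issue: delete the existing policy first, then create
  // the replacement, so the unique name is free when the create handler runs.
  "replacementStrategy": "delete_then_create"
}
```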