org-formation / aws-resource-providers

A community-driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Unable to update targetIds in Organizations policy #68

Closed eduardomourar closed 2 years ago

eduardomourar commented 3 years ago

If you try to update any of the target identifiers, the following error happens in Community::Organizations::Policy resource type v0.1.0:

A policy with the specified name and type already exists.

We need to change the replacement strategy to delete_then_create.

NickDarvey commented 2 years ago

@eduardomourar, is this likely the same issue? Is there a workaround until the linked PR is merged and released?

Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: 1234, HandlerErrorCode: AlreadyExists)

I'm running into it while trying to add a new account to our AWS organization using an essentially unchanged org-formation-reference.

Emitted CloudFormation template:

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {},
  "Resources": {
    "Scp": {
      "Type": "Community::Organizations::Policy",
      "Properties": {
        "Name": "DenyLargeEC2Instances",
        "Description": "Deny running EC2 instances larger than 4xlarge",
        "PolicyType": "SERVICE_CONTROL_POLICY",
        "TargetIds": [
          "445521234015",
          "458174002426",
          "240246288762",
          "093648824663",
          "806040480563",
          "486048804713",
          "117821871365",
          "332360687646",
          "777477276342",
          "897099069464"
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyLargerThan4XLarge",
              "Effect": "Deny",
              "Action": ["ec2:RunInstances"],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "ForAnyValue:StringNotLike": {
                  "ec2:InstanceType": [
                    "*.nano", "*.small", "*.micro", "*.medium",
                    "*.large", "*.xlarge", "*.2xlarge", "*.4xlarge"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {}
}
```

eduardomourar commented 2 years ago

@NickDarvey, yes, it looks like the same issue. The only workaround for this is to delete the stack and recreate it. The problem is only in the update operation of the resource provider.

NickDarvey commented 2 years ago

I deleted the stack, but the same error occurs.

INFO: Executing: update-stacks src/templates/010-scps/deny-large-ec2.yml primacy-deny-large-ec2.
ERROR: error updating CloudFormation stack xyz-deny-large-ec2 in account 467661948439 (us-east-1). 
Resource is not in the state stackCreateComplete (467661948439 = ManagementAccount)
ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: 1234, HandlerErrorCode: AlreadyExists).
ERROR: Stack xyz-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)

If I look in the console I can see the stack rolled back itself anyway so I'm not sure deleting the stack would have much effect.

xyz-deny-large-ec2 ROLLBACK_COMPLETE
      Community::Organizations::Policy | DELETE_COMPLETE

Is there a way to manual delete a Community::Organizations::Policy?

Edit: Looks like I might be able to use deregister-type...?

eduardomourar commented 2 years ago

I would not advise deregistering the type because it might leave the stack using it in a limbo state.

You should be able to manually delete the SCP through the AWS Organization console: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#aws-management-console
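
Added example, not code from this thread or from the aws-resource-providers project: a small Python model of why the TargetIds update above fails and of the manual detach-and-delete cleanup eduardomourar describes. It uses a constructed in-memory stand-in for the Organizations API (no boto3, no network) with the two constraints that matter here: a policy Name is unique per policy Type, and an attached policy cannot be deleted. Assumptions: a change to TargetIds is handled as a replacement (a new physical resource is created and the old one deleted), and the resource schema's replacementStrategy decides whether the new copy is created before (create_then_delete, the default) or after (delete_then_create) the old one goes away. The account ids and the p-… policy ids are constructed.

```python
# Constructed in-memory stand-in for the Organizations API (not boto3): Name is unique per Type,
# and an attached policy cannot be deleted. Both constraints drive the error in this thread.
import itertools


class DuplicatePolicyException(Exception): pass   # Name+Type already exists
class PolicyInUseException(Exception): pass       # still attached to a target


class FakeOrganizations:
    def __init__(self):
        self.policies = {}              # policy id -> summary dict (boto3 PolicySummary shape)
        self.targets = {}               # policy id -> set of attached target ids
        self._ids = itertools.count(1)  # source of constructed policy ids

    def create_policy(self, Name, Type):
        if any(p["Name"] == Name and p["Type"] == Type for p in self.policies.values()):
            raise DuplicatePolicyException("A policy with the specified name and type already exists.")
        pid = f"p-{next(self._ids):08d}"
        self.policies[pid] = {"Id": pid, "Name": Name, "Type": Type, "AwsManaged": False}
        self.targets[pid] = set()
        return {"Policy": {"PolicySummary": self.policies[pid]}}

    def attach_policy(self, PolicyId, TargetId):
        self.targets[PolicyId].add(TargetId)

    def detach_policy(self, PolicyId, TargetId):
        self.targets[PolicyId].discard(TargetId)

    def delete_policy(self, PolicyId):
        if self.targets[PolicyId]: raise PolicyInUseException(PolicyId)
        del self.policies[PolicyId], self.targets[PolicyId]

    def list_policies(self, Filter):
        return {"Policies": [p for p in self.policies.values() if p["Type"] == Filter]}

    def list_targets_for_policy(self, PolicyId):
        return {"Targets": [{"TargetId": t} for t in sorted(self.targets[PolicyId])]}


def create_scp(org, desired):
    """Create handler: create the policy, then attach it to every TargetIds entry."""
    pid = org.create_policy(Name=desired["Name"], Type=desired["PolicyType"])["Policy"]["PolicySummary"]["Id"]
    for target in desired["TargetIds"]:
        org.attach_policy(PolicyId=pid, TargetId=target)
    return pid


def delete_scp(org, policy_id):
    """Delete handler: detach from every target, then delete (real clients page this list)."""
    for t in org.list_targets_for_policy(PolicyId=policy_id)["Targets"]:
        org.detach_policy(PolicyId=policy_id, TargetId=t["TargetId"])
    org.delete_policy(PolicyId=policy_id)


def replace_scp(org, old_id, desired, strategy):
    """Replacement of a create-only property, sequenced per replacementStrategy:
    create_then_delete (the default; v0.1.0) creates the new copy while the old one
    still holds the Name, delete_then_create (v0.2.2) removes the old one first."""
    if strategy == "delete_then_create":
        delete_scp(org, old_id)
        return create_scp(org, desired)
    new_id = create_scp(org, desired)        # DuplicatePolicyException on an unchanged Name
    delete_scp(org, old_id)
    return new_id


def cleanup_orphaned_policy(org, name, policy_type="SERVICE_CONTROL_POLICY"):
    """Manual workaround from the thread: find the policy by name, detach it, delete it. Uses only
    boto3.client("organizations") keyword signatures, so it also runs against a real client."""
    kwargs = {"Filter": policy_type}
    while True:
        page = org.list_policies(**kwargs)
        for p in page["Policies"]:
            if p["Name"] == name and not p.get("AwsManaged"):   # never touch FullAWSAccess & co.
                delete_scp(org, p["Id"])
                return p["Id"]
        if not page.get("NextToken"):           # real clients paginate
            return None
        kwargs["NextToken"] = page["NextToken"]


def demo():
    """Reproduce the thread's error on a TargetIds-only update, then show both ways out."""
    org = FakeOrganizations()
    scp = {"Name": "DenyLargeEC2Instances", "PolicyType": "SERVICE_CONTROL_POLICY",
           "TargetIds": ["111111111111", "222222222222"]}   # constructed account ids
    old_id = create_scp(org, scp)
    wanted = dict(scp, TargetIds=scp["TargetIds"] + ["333333333333"])  # a new account was added
    try:
        replace_scp(org, old_id, wanted, "create_then_delete")
        default_failed = False
    except DuplicatePolicyException:
        default_failed = True                  # stack rolls back; the old SCP is untouched
    new_id = replace_scp(org, old_id, wanted, "delete_then_create")
    targets = [t["TargetId"] for t in org.list_targets_for_policy(PolicyId=new_id)["Targets"]]
    return {"default_strategy_failed": default_failed, "replaced_id": new_id, "targets_after": targets,
            "cleanup_deleted": cleanup_orphaned_policy(org, scp["Name"]),
            "cleanup_again": cleanup_orphaned_policy(org, scp["Name"])}
```

`demo()` returns a dict: the default strategy fails with the duplicate-name error, `delete_then_create` produces a fresh policy carrying all three targets, and `cleanup_orphaned_policy` removes it by name and returns `None` on a second call because nothing is left. Pointed at a real `boto3.client("organizations")` in the management account, `cleanup_orphaned_policy` is the scripted form of the console steps linked above; run it only after confirming in the console which policy is the leftover, since it deletes the first non-AWS-managed policy whose name matches and does nothing about the rolled-back stack itself.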

NickDarvey commented 2 years ago

I've (detached and) deleted the DenyLargeEC2Instances SCP manually and redeployed but get the same result. Do you have any other suggestions?

OlafConijn commented 2 years ago

@eduardomourar, should we not just update the replacement strategy? Would that fix the issue, and would updating to a new version with the right replacement strategy fix the issue for @NickDarvey?

thanks

eduardomourar commented 2 years ago

Yes, it will most likely fix it. I will have a look tomorrow to rebase that previous PR and see if we can merge it.

eduardomourar commented 2 years ago

A new version of the resource provider has been released here: s3://community-resource-provider-catalog/community-organizations-policy-0.2.2.zip. I tested myself and the update operation now works with the delete_then_create replacement strategy.

NickDarvey commented 2 years ago

It worked, thank you @eduardomourar and @OlafConijn

NickDarvey commented 2 years ago

I just ran into this again when provisioning a new account using org-formation.

ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: asdf, HandlerErrorCode: AlreadyExists).
ERROR: Stack example-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)

Do I need to do something in my account so that the delete_then_create starts working?

org-formation _task.yml

```yml
OrganizationsPolicyRp:
  Type: register-type
  ResourceType: 'Community::Organizations::Policy'
  SchemaHandlerPackage: !Sub 's3://${catalogBucket}/community-organizations-policy-0.2.2.zip'
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible to us-east-1 region
```

example-deny-large-ec2 template

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {},
  "Resources": {
    "Scp": {
      "Type": "Community::Organizations::Policy",
      "Properties": {
        "Name": "DenyLargeEC2Instances",
        "Description": "Deny running EC2 instances larger than 4xlarge",
        "PolicyType": "SERVICE_CONTROL_POLICY",
        "TargetIds": [
          "account1", "account2", "account3", "account4", "account5", "account6",
          "account7", "account8", "account9", "account10", "account11"
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyLargerThan4XLarge",
              "Effect": "Deny",
              "Action": ["ec2:RunInstances"],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "ForAnyValue:StringNotLike": {
                  "ec2:InstanceType": [
                    "*.nano", "*.small", "*.micro", "*.medium",
                    "*.large", "*.xlarge", "*.2xlarge", "*.4xlarge"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {}
}
```