org-formation / org-formation-cli

Better than landingzones!
MIT License

ERROR: no top level OrganizationBinding found.. #372

Open kaihendry opened 2 years ago

kaihendry commented 2 years ago

Might be related to https://github.com/org-formation/org-formation-cli/issues/195

My goal is to simply setup some Administrator rights on all accounts except the Management account.

Your environment

Steps to reproduce

Given

SsoAdministrator:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub "${resourcePrefix}-${appName}-admin"
  StackDescription: "Full permission role used by Admin group within whole organization"
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: "*"
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref adminGroup
    permissionSetName: "Administrator"
    managedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"]
    sessionDuration: "PT1H"
    masterAccountId: !Ref ManagementAccount

Remove

  DefaultOrganizationBinding:
    IncludeMasterAccount: true

Expected behaviour

Bind to any account except Master account

Sidenote: The docs https://github.com/org-formation/org-formation-cli/blob/master/docs/cloudformation-resources.md#organizationbinding-where-to-create-which-resource say OrganizationBinding not OrganizationBindings. Perhaps the docs are not matching up?

Actual behaviour

ERROR: Task SsoAdministrator execute failed. reason: unable to load file 100-sso/aws-sso.yml.
reason: Resource PermissionSet is missing OrganizationBinding attribute and no top level OrganizationBinding found..
ERROR:
ERROR: ==========================
ERROR: Stopped performing task(s)
ERROR: Following tasks failed:
ERROR:  - Task SsoAdministrator
ERROR: ==========================
ERROR:
ERROR: Task AWSSSO execute failed. reason: Number of failed tasks 1 exceeded tolerance for failed tasks 0.
ERROR:
ERROR: ==========================
ERROR: Stopped performing task(s)
ERROR: Following tasks completed:
ERROR:  - Task OrganizationBuild
ERROR:  - Task Types
ERROR: Following tasks failed:
ERROR:  - Task AWSSSO
ERROR: ==========================
ERROR:
ERROR: Number of failed tasks 1 exceeded tolerance for failed tasks 0.

[Container] 2022/05/25 01:23:56 Command did not exit successfully org-formation perform-tasks ./organization-tasks.yml --no-color --state-bucket-name organization-formation-705671790868 --state-object state.json exit status 1
[Container] 2022/05/25 01:23:56 Phase complete: BUILD State: FAILED
[Container] 2022/05/25 01:23:56 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: org-formation perform-tasks ./organization-tasks.yml --no-color --state-bucket-name organization-formation-705671790868 --state-object state.json. Reason: exit status 1

OlafConijn commented 2 years ago

the error is correct, the expectation is not.

From context, I understand that the aws-sso.yml contains at least 1 CloudFormation resource (PermissionSet) that does not have an OrganizationBinding. The DefaultOrganizationBinding value specifies where resources need to be deployed that do not declare this attribute.

If the intent is to deploy these resources to all accounts, use:

# any account except for the master account
# (a bare * is a YAML alias marker, so the wildcard must be quoted)
DefaultOrganizationBinding:
  Account: "*"
# only the master account
DefaultOrganizationBinding:
  IncludeMasterAccount: true
# any account including the master account
DefaultOrganizationBinding:
  Account: "*"
  IncludeMasterAccount: true
# empty set (no accounts)
DefaultOrganizationBinding:
  IncludeMasterAccount: false

more information here
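The binding rules above, and the fallback that produced the reporter's "no top level OrganizationBinding found" error, modelled as a small resolver. This is an added example written for this thread, not org-formation's own resolver; it assumes a simplified template shape where a resource's OrganizationBinding is either an inline binding or the name of an entry under OrganizationBindings, and the account IDs are constructed.

```python
# Hypothetical model of the DefaultOrganizationBinding semantics described in
# the thread. Not org-formation's code; it covers only Account: "*",
# explicit account lists and IncludeMasterAccount.

class BindingError(ValueError):
    """Raised when a resource has no binding and no top-level default exists."""


def resolve_binding(binding, accounts, master):
    """Return the set of account IDs a single binding targets.

    Rules as stated in the thread:
      Account: "*"               -> every account except the master account
      Account: [ids...] / "id"   -> exactly those accounts
      IncludeMasterAccount: true -> additionally the master account
    A binding with neither yields the empty set.
    """
    targets = set()
    account = binding.get("Account")
    if account == "*":
        targets.update(a for a in accounts if a != master)
    elif isinstance(account, str):
        targets.add(account)
    elif account:  # a list of explicit IDs
        targets.update(account)
    if binding.get("IncludeMasterAccount", False):
        targets.add(master)
    return targets


def resolve_resource_targets(template, accounts, master):
    """Resolve where each resource lands, falling back to the template-level
    DefaultOrganizationBinding and failing the way the reporter's run did."""
    default = template.get("DefaultOrganizationBinding")
    named = template.get("OrganizationBindings", {})
    result = {}
    for name, res in template.get("Resources", {}).items():
        spec = res.get("OrganizationBinding")
        if isinstance(spec, str):  # assumed: a reference to a named binding
            spec = named.get(spec)
        if spec is None:
            spec = default
        if spec is None:
            raise BindingError(
                f"Resource {name} is missing OrganizationBinding attribute "
                "and no top level OrganizationBinding found.")
        result[name] = resolve_binding(spec, accounts, master)
    return result


# Constructed sample organization: three member accounts plus the management account.
ACCOUNTS = ["111111111111", "222222222222", "333333333333", "999999999999"]
MASTER = "999999999999"
```

With `DefaultOrganizationBinding: {Account: "*"}` the PermissionSet resolves to the three member accounts only, which is the "all accounts except the Management account" outcome the reporter wanted; removing the default entirely reproduces the error.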

OlafConijn commented 2 years ago

how bindings are used depends on the template you are trying to deploy. it seems like TargetBinding is set to {Account: "*"}, which might be the binding that you are looking for?

kaihendry commented 2 years ago

How do I know the template/schema for the SSO use case?

OlafConijn commented 2 years ago

My guess is that you came across a template for implementing AWS SSO somewhere and copied this in your project. example:

in this example targetBinding is used to specify where the administrator permission set needs to be deployed. for the administratorRole this is {Account: *} (see here)

long story short: a lot of people copy/paste and then modify examples found on the internet. understanding how the example works typically depends on reading the template