org-formation / org-formation-cli

Better than landingzones!
MIT License

Use !Sub in organizations file #541

Open nlang opened 9 months ago

nlang commented 9 months ago

Subject of the issue

I want to tighten some SCPs in my organization.yml. Unfortunately, as soon as I start using !Sub and parameters it fails with an error that just says: MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type

Your environment

Steps to reproduce

AWSTemplateFormatVersion: '2010-09-09-OC'

Organization:

  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Organisation
      AccountId: '11111111111'
      RootEmail: aws+organisation@example.com
      Alias: my-organisation

  RestrictUnusedRegionsSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: RestrictUnusedRegions
      Description: Restrict Unused regions
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            NotAction:
              - 'cloudfront:*'
              - 'iam:*'
              - 'route53:*'
              - 'support:*'
              - 'budgets:*'
              - 'acm:*'
            Resource: "*"
            Condition:
              StringNotEquals:
                "aws:RequestedRegion":
                  - !Sub '${primaryRegion}'

Expected behaviour

It should replace the template string with the primary region as defined in organization-parameters.yml.

Actual behaviour

MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type

I also tried to use a lot more in other SCPs, none of them worked. Here are a few examples:

- !Sub '${ManagementAccount.AccountId}'
- !Sub '${AWS::Region}'
- !Sub '${CurrentAccount.AccountId}'

What am I doing wrong, or how can I circumvent the issue if this is not supported? Are there any docs that clarify where I can use what and when?

Any help is greatly appreciated :)
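One way to catch a document like this before it is sent to AWS Organizations, as an added example that is not org-formation's own code: substitute the parameters yourself, flag any `${...}` placeholder that has no value, and apply the basic structural rules an SCP must meet. It assumes the policy is already loaded into a dict with `!Sub` values wrapped in a `Sub` marker (YAML tag parsing is left out), and that the parameter map mirrors organization-parameters.yml.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

class Sub(str):
    """Marks a value that came from a !Sub tag (stand-in for the YAML tag)."""

def resolve(value, params, unresolved):
    """Substitute ${name} from params, recording names that have no value."""
    if isinstance(value, Sub):
        def repl(m):
            if m.group(1) in params:
                return str(params[m.group(1)])
            unresolved.append(m.group(1))
            return m.group(0)
        return PLACEHOLDER.sub(repl, str(value))
    if isinstance(value, dict):
        return {k: resolve(v, params, unresolved) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, params, unresolved) for v in value]
    return value

def check_scp(policy_document, params):
    """Render the document; return (policy_json, list of problems)."""
    unresolved = []
    rendered = resolve(policy_document, params, unresolved)
    problems = [f"unresolved placeholder ${{{n}}}" for n in unresolved]
    if rendered.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, st in enumerate(rendered.get("Statement", [])):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"Statement[{i}]: needs Action or NotAction")
        if "Resource" not in st:
            problems.append(f"Statement[{i}]: needs Resource")
    return json.dumps(rendered, separators=(",", ":")), problems

# Constructed sample mirroring the issue's reproduction; Sub() stands in for !Sub.
RESTRICT_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnsupportedRegions", "Effect": "Deny",
        "NotAction": ["iam:*", "support:*"], "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": [Sub("${primaryRegion}")]}},
    }],
}
```

Running `check_scp(RESTRICT_REGIONS, {})` reports the unresolved `${primaryRegion}` placeholder, while passing `{"primaryRegion": "eu-central-1"}` yields a clean JSON document ready for submission.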