org-formation / org-formation-reference

A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.

fix: password-policy stack needs to run in us-east-1 #32

Closed brianmyburgh closed 3 years ago

brianmyburgh commented 3 years ago

Password-policy stack needs to run in us-east-1. The corresponding register-type PasswordPolicy also needs to exist in us-east-1

OlafConijn commented 3 years ago

I somehow doubt this is the case. IIRC I have been using this resource in regions other than us-east-1. @eduardomourar?

eduardomourar commented 3 years ago

Yes, I can confirm that the password policy resource can be created in any region. Keep in mind that this is a global resource, so we are not allowed to specify the region to the underlying AWS API.

eduardomourar commented 3 years ago

It might be worth changing the reference architecture. Because, by setting it to the primaryRegion, others might get the wrong impression that they can change it.

OlafConijn commented 3 years ago

good, so:

Interesting suggestion to 'hardcode' the region to a specific region and advise not to change it. This however has the unintended side-effect that you might have a majority of your resources deployed to your primaryRegion and we would advise to deviate from that primaryRegion to not cause confusion if passwordPolicies are deployed to multiple regions with different values.

I personally think leaving it the way it is (stack/logical resource gets deployed to primaryRegion) is just fine.

Still mysterious as to why deploying the passwordPolicy resource to eu-central-1 didn't work for @brianmyburgh.

eduardomourar commented 3 years ago

FYI, it is also related to this issue created in the cloudformation roadmap: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/493

OlafConijn commented 3 years ago

Org-formation: !Ref allRegions? 🤣

eduardomourar commented 3 years ago

> Org-formation: !Ref allRegions? 🤣

Yes, I know. Hahahaha!

My idea here was for the registry internal API to handle it instead of OrgFormation having to deploy (and manage) to all possible regions.

OlafConijn commented 3 years ago

Yeah, obviously. I think StackSets is doing some good work.... I think that would be the path they are on...

...maybe we should get on a call with the cfn team to see where/how we can converge these two...

brianmyburgh commented 3 years ago

Yes, there is only one password policy per account, so in essence region should not matter. But why does eu-central-1 not work but us-east-1 does in our case?

Note that it was us evaluating Security Hub to realise that this was not set, as the CloudFormation stack and the org-formation stack ran successfully with no errors but without actually setting anything.
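The failure mode described in this last comment (a stack that reports success while the account password policy is still unset) is exactly what a post-deployment check should catch, and because IAM is a global service the check does not depend on the region the stack ran in. The following is an added example, not code from org-formation or the reference architecture: it fetches the live policy with boto3's `get_account_password_policy` (a real IAM API; `NoSuchEntity` is what IAM returns when no policy exists) and compares it against a baseline. The baseline values and the sample policies are constructed for illustration and are not the reference architecture's own settings.

```python
"""Verify that an IAM account password policy actually took effect (added example)."""
from typing import Any, Optional

# Desired baseline (constructed values, not the reference architecture's settings).
# Each entry is (wanted value, comparison): "eq" must match exactly, "ge" means the
# live value must be at least this strict, "le" means at most this large.
BASELINE: dict[str, tuple[Any, str]] = {
    "MinimumPasswordLength": (14, "ge"),
    "RequireSymbols": (True, "eq"),
    "RequireNumbers": (True, "eq"),
    "RequireUppercaseCharacters": (True, "eq"),
    "RequireLowercaseCharacters": (True, "eq"),
    "MaxPasswordAge": (90, "le"),            # IAM omits this key when passwords never expire
    "PasswordReusePrevention": (24, "ge"),   # IAM omits this key when reuse prevention is off
    "AllowUsersToChangePassword": (True, "eq"),
}


def _violates(have: Any, want: Any, mode: str) -> bool:
    """True when the live value `have` is weaker than the baseline `want`."""
    if have is None:
        return True  # key absent from the API response means the control is not set
    if mode == "eq":
        return have != want
    if mode == "ge":
        return have < want
    if mode == "le":
        return have > want
    raise ValueError(f"unknown comparison mode {mode!r}")


def policy_findings(policy: Optional[dict[str, Any]],
                    baseline: dict[str, tuple[Any, str]] = BASELINE) -> list[str]:
    """Return a list of human-readable findings; an empty list means the policy is compliant.

    `policy` is the `PasswordPolicy` dict from get_account_password_policy, or None when
    IAM reports that no account password policy exists at all.
    """
    if policy is None:
        return ["no account password policy is set (IAM returned NoSuchEntity)"]
    findings = []
    for key, (want, mode) in baseline.items():
        have = policy.get(key)
        if _violates(have, want, mode):
            findings.append(f"{key}: have {have!r}, baseline requires {mode} {want!r}")
    return findings


def fetch_account_password_policy(session: Any = None) -> Optional[dict[str, Any]]:
    """Live lookup via boto3 (imported lazily so the pure checks above run without it).

    No region is passed: the IAM password policy is one per account, so the answer is
    the same whichever region the deploying stack happened to run in.
    """
    import boto3
    from botocore.exceptions import ClientError

    iam = (session or boto3.Session()).client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchEntity":
            return None
        raise


# Constructed sample responses, shaped like the real API output.
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 16, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 60, "PasswordReusePrevention": 24, "HardExpiry": False,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}

if __name__ == "__main__":
    # Run against the real account once credentials are configured.
    for finding in policy_findings(fetch_account_password_policy()) or ["compliant"]:
        print(finding)
```

Running this right after the org-formation task completes, in the same pipeline, turns the silent no-op into a hard failure instead of something discovered later through Security Hub.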