aws-security-reference-architecture-examples
[BUG] Terraform_stack.py fails setting up workspace on suspended AWS accounts
Describe the bug
Terraform_stack.py fails setting up workspace on suspended AWS accounts
To Reproduce
Steps to reproduce the behavior:
- Go to: /aws-security-reference-architecture-examples/aws_sra_examples/terraform/solutions
- Run: python3 terraform_stack.py plan
- See the error if the AWS account is suspended.
Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 8342b965-a2de-4cab-89e2-0c324cbfade6, api error AccessDenied: User: arn:aws:sts::632617325597:assumed-role/Admin/tantonjt-Isengard is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::654654472939:role/sra-execution
Expected behavior
Workspace is created and plan is created /updated.
Deployment Environment (please complete the following information)
- Deployment Framework: Terraform installation process with Control Tower
- Deployment Framework Version:
Additional context
The solution to the problem is to filter the list of accounts in the Python script.
aws-security-reference-architecture-examples/aws_sra_examples/terraform/solutions/terraform_stack.py
Existing line of code: accounts = [account["Id"] for page in paginator.paginate() for account in page["Accounts"]]
https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/aa58485aec5470afc577db750e3c5a3b8a860679/aws_sra_examples/terraform/solutions/terraform_stack.py#L71
Updated line should be: accounts = [account["Id"] for page in paginator.paginate() for account in page["Accounts"] if account["Status"] == "ACTIVE"]
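The filter proposed above, worked through as a small stand-alone script. This is an added example for this issue, not code from the SRA repository: the FakeOrganizationsClient, its paginator, and the account records are constructed stand-ins for a boto3 Organizations client (swap in boto3.client("organizations") to run it against a real organization). It also records the non-ACTIVE accounts it skips, since PENDING_CLOSURE accounts would fail the cross-account AssumeRole in the same way as SUSPENDED ones.

```python
"""Select only the organization member accounts a cross-account sts:AssumeRole
can reach before iterating over them.

Added example for this issue, not the SRA project's own code. The client,
paginator and account records below are constructed stand-ins so the script
runs offline; with boto3 installed, pass boto3.client("organizations") to
list_active_accounts() instead of FakeOrganizationsClient.
"""

from typing import Iterable, Iterator

# Status values returned by organizations:ListAccounts for a member account.
ACTIVE = "ACTIVE"
SUSPENDED = "SUSPENDED"
PENDING_CLOSURE = "PENDING_CLOSURE"


def active_account_ids(pages: Iterable[dict]) -> list[str]:
    """Collect account Ids from ListAccounts pages, keeping only ACTIVE accounts.

    A suspended or closing account still appears in ListAccounts, but assuming
    the execution role in it is denied, so a loop over every member account
    fails with AccessDenied. Filtering on Status here avoids that.
    """
    return [
        account["Id"]
        for page in pages
        for account in page["Accounts"]
        if account.get("Status") == ACTIVE
    ]


def skipped_accounts(pages: Iterable[dict]) -> dict[str, str]:
    """Map Id -> Status for every account that was NOT kept, for an audit log line."""
    return {
        account["Id"]: account.get("Status", "UNKNOWN")
        for page in pages
        for account in page["Accounts"]
        if account.get("Status") != ACTIVE
    }


class _FakePaginator:
    """Constructed stand-in for the PageIterator returned by paginator.paginate()."""

    def __init__(self, pages: list[dict]) -> None:
        self._pages = pages

    def paginate(self, **kwargs) -> Iterator[dict]:
        yield from self._pages


class FakeOrganizationsClient:
    """Constructed stand-in exposing the one boto3 method the script uses."""

    def __init__(self, pages: list[dict]) -> None:
        self._pages = pages

    def get_paginator(self, operation_name: str) -> _FakePaginator:
        if operation_name != "list_accounts":
            raise ValueError(f"unsupported paginator: {operation_name}")
        return _FakePaginator(self._pages)


def list_active_accounts(org_client) -> list[str]:
    """Same call shape as the script: paginate ListAccounts, then filter."""
    paginator = org_client.get_paginator("list_accounts")
    return active_account_ids(paginator.paginate())


# Constructed sample response, two pages, fake 12-digit account Ids.
SAMPLE_PAGES: list[dict] = [
    {"Accounts": [
        {"Id": "111111111111", "Name": "security-tooling", "Status": ACTIVE},
        {"Id": "222222222222", "Name": "old-sandbox", "Status": SUSPENDED},
    ]},
    {"Accounts": [
        {"Id": "333333333333", "Name": "log-archive", "Status": ACTIVE},
        {"Id": "444444444444", "Name": "retired-workload", "Status": PENDING_CLOSURE},
    ]},
]


if __name__ == "__main__":
    client = FakeOrganizationsClient(SAMPLE_PAGES)
    for account_id, status in sorted(skipped_accounts(SAMPLE_PAGES).items()):
        print(f"skipping {account_id}: status {status}")
    print("accounts to plan:", list_active_accounts(client))
```

Logging the skipped accounts matters in practice: a quietly dropped account is indistinguishable from one that was never in the organization, so the run should say which member accounts it deliberately left out and why.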