
export_outputs should create unique SSM parameter store keys for every account/region target

Open felipe1982 opened this issue 4 years ago • 3 comments

Describe the bug

When deploying a stackset to 2+ accounts, the export_outputs section does not create unique values for every account/region target. Instead, it overwrites the previous value with the next value.

example

  - name: vpc-pattern-b
    resource_file: templates/networking/vpc-pattern-b.cfn.yaml
    parameter_file: parameters/networking/vpc-pattern-b.json
    deploy_method: stack_set
    regions:
      - ap-southeast-2
    deployment_targets:
      accounts:
        - "Shared-Services-Non-Prod"
        - "Shared-Services-Prod"
    export_outputs:
      - name: /shared-services/VPCId
        value: $[output_VPCId]

To Reproduce

Deploy a VPC to 2+ accounts, and use export_outputs. You will find only a single value, instead of a list of values (or list of parameters), one for each target account/region

Expected behavior

I would expect a variable to be used inside of manifest.yaml which can be used to distinguish different parameter store keys. example

  - name: vpc-pattern-b
    resource_file: templates/networking/vpc-pattern-b.cfn.yaml
    parameter_file: parameters/networking/vpc-pattern-b.json
    deploy_method: stack_set
    regions:
      - ap-southeast-2
    deployment_targets:
      accounts:
        - "Shared-Services-Non-Prod"
        - "Shared-Services-Prod"
    export_outputs:
      - name: /{{ACCOUNT_ID}}/VPCId
        value: $[output_VPCId]

Other variables would be useful, too, such as OU name (i.e. Workloads), or Account Name/Alias (i.e. Banking-Prod), Region code (ap-southeast-2)

  • [x] Version: SO0089

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0158) - The AWS CloudFormation template for deployment of the Amazon CloudWatch Monitoring Framework. Version v1.0.0". You can also find the version from releases

  • [x] Region: [e.g. ap-southeast-2]
  • [x] Was the solution modified from the version published on this repository? NO
  • [x] If the answer to the previous question was yes, are the changes available on GitHub?
  • [x] Have you checked your service quotas for the services this solution uses? NOT A QUOTA ISSUE
  • [x] Were there any errors in the CloudWatch Logs? [How to enable debug mode?] NO ERRORS (https://docs.aws.amazon.com/solutions/latest/amazon-cloudwatch-monitoring-framework/troubleshooting.html)

Screenshots

If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context

Add any other context about the problem here.

felipe1982 avatar Oct 08 '21 03:10 felipe1982
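The collision the issue describes, as an added illustration (not code from the solution): each export name is expanded once per account/region target, and a name without a distinguishing variable resolves to the same Parameter Store key for every target, so the last write wins. The `{{ACCOUNT_ID}}`/`{{REGION}}`/`{{ACCOUNT_NAME}}`/`{{OU_NAME}}` placeholders and the target values are assumptions taken from the proposal above, not something the manifest currently supports.

```python
"""Expand export_outputs names per deployment target and flag SSM keys that
several targets would overwrite.  Placeholder syntax is the one proposed in
this issue (assumption), not existing manifest.yaml behaviour."""
import re
from collections import defaultdict

PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")
# Variables proposed in the issue; each value comes from the deployment target.
SUPPORTED = {"ACCOUNT_ID", "ACCOUNT_NAME", "OU_NAME", "REGION"}


def resolve_name(template, target):
    """Substitute {{VAR}} placeholders from a target dict; unknown names raise."""
    def sub(match):
        var = match.group(1)
        if var not in SUPPORTED:
            raise ValueError(f"unsupported placeholder {{{{{var}}}}}")
        return target[var]
    return PLACEHOLDER.sub(sub, template)


def expand_exports(export_outputs, targets):
    """Map each resolved SSM key to the (account, region) pairs that write it."""
    writers = defaultdict(list)
    for export in export_outputs:
        for target in targets:
            key = resolve_name(export["name"], target)
            writers[key].append((target["ACCOUNT_ID"], target["REGION"]))
    return dict(writers)


def collisions(writers):
    """Keys that more than one account/region target would overwrite."""
    return {key: who for key, who in writers.items() if len(who) > 1}


# Constructed sample targets standing in for the two Shared-Services accounts.
TARGETS = [
    {"ACCOUNT_ID": "111111111111", "ACCOUNT_NAME": "Shared-Services-Non-Prod",
     "OU_NAME": "Shared", "REGION": "ap-southeast-2"},
    {"ACCOUNT_ID": "222222222222", "ACCOUNT_NAME": "Shared-Services-Prod",
     "OU_NAME": "Shared", "REGION": "ap-southeast-2"},
]

if __name__ == "__main__":
    buggy = expand_exports([{"name": "/shared-services/VPCId"}], TARGETS)
    print("fixed name:", collisions(buggy))   # one key, written by both accounts
    unique = expand_exports([{"name": "/{{ACCOUNT_ID}}/{{REGION}}/VPCId"}], TARGETS)
    print("templated name:", collisions(unique))   # {}
```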

I initially assumed that export_outputs would write to Parameter Store of the executing account and then this problem wouldn't exist; the docs should be clear that it uses the Parameter Store of the Control Tower admin account.

Any update on this issue? As the OP says, it is almost useless if you cannot put a unique identifier in the name.

richturner avatar Mar 16 '22 00:03 richturner

Same issue; hope that manifest.yaml can support variables.

Galvin-wjw avatar Sep 27 '22 01:09 Galvin-wjw