
[Bug]: Fresh installation of v3.2.0 fails to bootstrap the deployment account (upgrades work)

Open sbkok opened this issue 2 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Describe the bug

When ADF v3.2.0 is installed fresh, in a new account that did not have ADF installed, it will create a new global-iam.yml file in the adf-bootstrap folder of the aws-deployment-framework-bootstrap repository.

This template, however, requires the deployment_account_id parameter to be present in the account. For the deployment account itself, it is not present.

Expected Behavior

The deployment account should be bootstrapped correctly too.

Current Behavior

In the management account, the AccountBootstrappingStateMachine in us-east-1 fails to bootstrap the deployment account.

The step that fails is: CreateOrUpdateBaseStack.

The error it throws:

{
  "error": "GenericAccountConfigureError",
  "cause": {
    "errorMessage": "An error occurred (ValidationError) when calling the CreateChangeSet operation: Unable to fetch parameters [deployment_account_id] from parameter store for this account.",
    "errorType": "GenericAccountConfigureError",
    "requestId": "12345678-9abc-def0-1234-56789abcdef0",
    "stackTrace": [
      "  File \"/var/task/account_bootstrap.py\", line 117, in lambda_handler\n    return _lambda_handler(event, context)\n",
      "  File \"/var/task/account_bootstrap.py\", line 192, in _lambda_handler\n    cloudformation.create_iam_stack()\n",
      "  File \"/opt/python/cloudformation.py\", line 453, in create_iam_stack\n    create_change_set = self._create_change_set()\n",
      "  File \"/opt/python/cloudformation.py\", line 358, in _create_change_set\n    raise GenericAccountConfigureError(error) from error\n"
    ]
  }
}

Steps To Reproduce

  1. Install ADF in a new AWS organization where ADF was not installed before.
  2. Wait until it kicks off the deployment account bootstrapping process; see the AccountBootstrappingStateMachine.

Possible Solution

The deployment_account_id should be created in the deployment account too, such that the same template can be applied to all accounts.

Additionally, we need to create a specific global-iam.yml file for the deployment OU as well, in the same way as happens for the root one: copying the example-global-iam.yml to global-iam.yml. At the moment this is not configured; however, that implies that the global one gets applied in the deployment account too, while the deployment account most likely is not a target for our pipelines. And if it is, the permissions need to be carefully checked anyway.

These changes don't have an impact on any of the ADF installations out there today, as the deployment_account_id is not used in those, since the global-iam.yml file is not updated with a new release. Additionally, the deployment/global-iam.yml file would only get created upon a new install.

Please note: I am working on a fix, will open the PR for that soon.

Additional Information/Context

For anyone who runs into this issue, there are two workarounds:

  1. Create the deployment_account_id parameter in the deployment account, specifying its own account id.

  2. Copy the adf-bootstrap/deployment/example-global-iam.yml file to the adf-bootstrap/deployment/global-iam.yml file in the aws-deployment-framework-bootstrap repository.

ADF Version

v3.2.0

sbkok, Jan 27 '23 16:01
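The two workarounds above, scripted, as an added example that is not part of the issue or of ADF itself. It assumes the parameter name is the plain `deployment_account_id` shown in the error message, that the region defaults to us-east-1 (where the AccountBootstrappingStateMachine failed in this report), that the `aws` CLI is configured with credentials for the deployment account (not the management account; the script prints the caller's account id so you can confirm this before anything is written), and that the second function is run against a local checkout of the aws-deployment-framework-bootstrap repository. `AWS_CLI`, `DEPLOYMENT_REGION` and `BOOTSTRAP_REPO` are hypothetical environment variables introduced here for the script.

```shell
#!/usr/bin/env sh
# Added example: applies the two ADF v3.2.0 fresh-install workarounds.
# Not ADF code. Assumptions are noted in the comments below.
set -eu

AWS_CLI="${AWS_CLI:-aws}"                  # set AWS_CLI=echo for a dry run
PARAM_NAME="deployment_account_id"         # assumed: plain name from the error message

# AWS account ids are exactly 12 decimal digits; refuse anything else.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Account id of the credentials currently in use. This MUST be the deployment
# account; bootstrapping reads the parameter from the account being bootstrapped.
current_account_id() {
  "$AWS_CLI" sts get-caller-identity --query Account --output text
}

# Workaround 1: create deployment_account_id in the deployment account, holding
# that account's own id. No --overwrite on purpose: if the parameter already
# exists the call fails with ParameterAlreadyExists, which is the safe default.
create_deployment_account_id_param() {
  account_id="$1"
  region="${2:-us-east-1}"                 # assumed: region where the global stack is created
  valid_account_id "$account_id" || { echo "invalid account id: $account_id" >&2; return 1; }
  "$AWS_CLI" ssm put-parameter --name "$PARAM_NAME" --value "$account_id" \
    --type String --region "$region"
}

# Workaround 2: give the deployment OU its own global-iam.yml by copying the
# shipped example. Refuses to clobber an existing file so hand edits survive.
# Review the copied policies before committing: this file is applied to the
# deployment account, which is usually not a pipeline target.
create_deployment_global_iam() {
  repo_dir="${1:-.}"
  src="$repo_dir/adf-bootstrap/deployment/example-global-iam.yml"
  dst="$repo_dir/adf-bootstrap/deployment/global-iam.yml"
  [ -f "$src" ] || { echo "missing $src (run from the bootstrap repo checkout)" >&2; return 1; }
  [ -e "$dst" ] && { echo "$dst already exists, not overwriting" >&2; return 1; }
  cp "$src" "$dst"
  echo "$dst"
}

main() {
  region="${DEPLOYMENT_REGION:-us-east-1}"
  acct=$(current_account_id)
  echo "caller is account $acct; creating $PARAM_NAME=$acct in $region" >&2
  create_deployment_account_id_param "$acct" "$region"
  create_deployment_global_iam "${BOOTSTRAP_REPO:-.}"
}

# Only act when explicitly asked: `sh adf-workaround.sh apply`
if [ "${1:-}" = "apply" ]; then
  main
fi
```

After running, re-execute the failed AccountBootstrappingStateMachine run (or trigger a new bootstrap) and confirm CreateOrUpdateBaseStack succeeds; then commit and push the new deployment/global-iam.yml so the bootstrap pipeline picks it up.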