aws-deployment-framework
[Bug]: Upgrade to ADF 3.2.0 fails due to non-existing cross-account-role in child OUs
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
We are trying to upgrade our ADF installation to 3.2.0, but the enablecrossaccountaccess lambda fails for accounts in a child OU.
When reviewing the code, it looks like the role adf-update-cross-account-access-role exists in the adf-bootstrap/global.yml of the installation, and all accounts using this yml seem to work.
However, we also have a subdir at adf-bootstrap/child-ou/global.yml which is not updated by the ADF upgrade. This file does not contain adf-update-cross-account-access-role, which means that all accounts in this OU fail in the step function, and eventually the upgrade times out and fails.
Should we be adding the adf-update-cross-account-access-role manually for child OUs before upgrading? If so maybe this should be part of the installation/upgrade instructions?
When adding the role manually in the sub-OU global.yml, we instead fail because the CloudFormationPolicyS3 is missing; should this be added also?
We are also a bit confused since we have inputted the AWSControlTowerExecution role as the cross-account role, but this one is not used for this step for some reason?
Thanks a lot for your support!
BR Gustav
Expected Behavior
ADF upgrade succeeds and uses the AWSControlTowerExecution role for cross-account access
Current Behavior
The ADF upgrade fails because the step function for cross-account-access times out with failures on accounts in a child OU
Steps To Reproduce
No response
Possible Solution
No response
Additional Information/Context
No response
ADF Version
3.2.0
If we rework our file structure in the repo and get rid of the global.yml in the child OU folders (instead using only global-iam.yml), it seems to work better. This way we inherit the global.yml from the root instead.
Apologies for the delayed response.
Thank you for sharing how you resolved the issue. You're correct; when creating new child Organizational Unit (OU) folders, the global.yml file should not be copied over. Instead, it will default to the main adf-bootstrap/global.yml file. The exception is the adf-bootstrap/deployment/global.yml file, which should be present.
The two global.yml files mentioned above are automatically updated by ADF. Any copies of these files will not be updated, which is the root cause of the issue you experienced. I've submitted a pull request to clarify this behavior in the admin guide. Please review the updated documentation and let me know if it provides better clarity on this aspect.
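As an added illustration of the maintainer's point, and not code from the ADF project: a small Python lint that walks adf-bootstrap/ and flags every global.yml that is not one of the two ADF-managed files (adf-bootstrap/global.yml and adf-bootstrap/deployment/global.yml). Those stray copies are exactly the files an ADF upgrade will not update, so a pre-upgrade check like this catches the situation in the report before the step function times out. The child-ou folder name and the throwaway sample layout are constructed from this issue, not taken from a real repository.

```python
"""Pre-upgrade lint for an ADF bootstrap repository (added example).

Reports any global.yml under adf-bootstrap/ that is a copy in a child-OU
folder. Per the maintainer's reply, only the root and deployment global.yml
are updated by ADF; copies are left untouched and break the upgrade.
"""
from pathlib import Path
import tempfile

# The only two global.yml files that ADF itself updates.
MANAGED_GLOBAL_YML = {
    "adf-bootstrap/global.yml",
    "adf-bootstrap/deployment/global.yml",
}


def stray_global_yml(relative_paths):
    """Return the repo-relative paths (POSIX style, sorted) of global.yml
    files under adf-bootstrap/ that are NOT one of the managed files.

    Accepts any iterable of path strings; backslashes are normalised so the
    check behaves the same on Windows checkouts."""
    strays = []
    for raw in relative_paths:
        rel = str(raw).replace("\\", "/").lstrip("./")
        parts = rel.split("/")
        if (
            parts
            and parts[0] == "adf-bootstrap"
            and parts[-1] == "global.yml"
            and rel not in MANAGED_GLOBAL_YML
        ):
            strays.append(rel)
    return sorted(strays)


def scan_repo(repo_root):
    """Walk <repo_root>/adf-bootstrap on disk and return stray copies."""
    root = Path(repo_root)
    found = (root / "adf-bootstrap").rglob("global.yml")
    return stray_global_yml(p.relative_to(root).as_posix() for p in found)


def build_sample_repo():
    """Construct a temporary repo layout mirroring the one in the issue:
    the two managed files plus a child-ou copy that will not be updated.
    The file contents are placeholders; only the layout matters here."""
    tmp = Path(tempfile.mkdtemp(prefix="adf-lint-"))
    for rel in (
        "adf-bootstrap/global.yml",
        "adf-bootstrap/deployment/global.yml",
        "adf-bootstrap/child-ou/global.yml",      # the copy that breaks upgrades
        "adf-bootstrap/child-ou/global-iam.yml",  # OU-specific IAM only: fine
    ):
        path = tmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# constructed sample, not a real ADF template\n")
    return tmp


if __name__ == "__main__":
    repo = build_sample_repo()
    for stray in scan_repo(repo):
        print(f"stray copy, not updated by ADF; remove it or keep only "
              f"global-iam.yml in that folder: {stray}")
```

Run it against a real checkout with `scan_repo("/path/to/repo")`; an empty list means every child-OU folder inherits the root global.yml as the maintainer describes, and each reported path is a file to delete (or replace with an OU-specific global-iam.yml) before starting the upgrade.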