aws-resource-providers
Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists
Despite #70, I've been unable to deploy my org-formation for a while. I've tried removing the SCP and redeploying, but I consistently get this error:
ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: asdf, HandlerErrorCode: AlreadyExists). ERROR: Stack example-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)
Do I need to do something in my account so that the delete_then_create starts working?
org-formation _task.yml
OrganizationsPolicyRp:
  Type: register-type
  ResourceType: 'Community::Organizations::Policy'
  SchemaHandlerPackage: !Sub 's3://${catalogBucket}/community-organizations-policy-0.2.2.zip'
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible with the us-east-1 region
example-deny-large-ec2 template
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {},
  "Resources": {
    "Scp": {
      "Type": "Community::Organizations::Policy",
      "Properties": {
        "Name": "DenyLargeEC2Instances",
        "Description": "Deny running EC2 instances larger than 4xlarge",
        "PolicyType": "SERVICE_CONTROL_POLICY",
        "TargetIds": [
          "account1",
          "account2",
          "account3",
          "account4",
          "account5",
          "account6",
          "account7",
          "account8",
          "account9",
          "account10",
          "account11"
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyLargerThan4XLarge",
              "Effect": "Deny",
              "Action": [
                "ec2:RunInstances"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "ForAnyValue:StringNotLike": {
                  "ec2:InstanceType": [
                    "*.nano",
                    "*.small",
                    "*.micro",
                    "*.medium",
                    "*.large",
                    "*.xlarge",
                    "*.2xlarge",
                    "*.4xlarge"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {}
}
Perhaps manually logging into the console and deleting the SCP called "DenyLargeEC2Instances", then trying again?
delete_then_create affects updates (when a resource is already managed in CloudFormation). If the resource is not managed in CloudFormation, it is not an update but a create.
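A pre-deployment check that follows from the comment above, added here as an example and not part of the issue or of the aws-resource-providers project: it looks up an SCP by the Name the template uses and reports its attachments, so an operator can tell an unmanaged pre-existing policy (which makes the handler return AlreadyExists, where delete_then_create cannot help) from a clean create. The `FakeOrganizations` class and its policy data are constructed so the script runs offline; for a real check pass a boto3 Organizations client from the management account instead.

```python
from typing import Any, Callable, Dict, List, Optional

POLICY_NAME = "DenyLargeEC2Instances"  # the Name used in the issue's template


def paginate(call: Callable[..., Dict[str, Any]], key: str, **kwargs: Any) -> List[Dict[str, Any]]:
    """Collect `key` across every page of an Organizations list call (NextToken style)."""
    items: List[Dict[str, Any]] = []
    while True:
        page = call(**kwargs)
        items.extend(page.get(key, []))
        if not page.get("NextToken"):
            return items
        kwargs["NextToken"] = page["NextToken"]


def find_conflicting_scp(client: Any, name: str) -> Optional[Dict[str, Any]]:
    """Return the existing SCP called `name` with its attached target ids, or None.

    `client` is a boto3 Organizations client, or anything exposing the same
    list_policies / list_targets_for_policy methods (assumed interface).
    """
    for policy in paginate(client.list_policies, "Policies", Filter="SERVICE_CONTROL_POLICY"):
        if policy.get("Name") == name:
            targets = paginate(client.list_targets_for_policy, "Targets", PolicyId=policy["Id"])
            return {"Id": policy["Id"], "AwsManaged": policy.get("AwsManaged", False),
                    "TargetIds": sorted(t["TargetId"] for t in targets)}
    return None


def explain(conflict: Optional[Dict[str, Any]], name: str) -> str:
    """One-line verdict for the operator about to run the deployment."""
    if conflict is None:
        return f"no SCP named {name!r}: the handler will create it"
    return (f"SCP {name!r} already exists as {conflict['Id']} attached to "
            f"{len(conflict['TargetIds'])} target(s): delete or import it before deploying")


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client so this runs offline."""

    def list_policies(self, Filter: str, NextToken: Optional[str] = None) -> Dict[str, Any]:
        if NextToken is None:  # first page ends with a token, as the real API may
            return {"Policies": [{"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "AwsManaged": True}],
                    "NextToken": "page2"}
        return {"Policies": [{"Id": "p-example1", "Name": POLICY_NAME, "AwsManaged": False}]}

    def list_targets_for_policy(self, PolicyId: str, NextToken: Optional[str] = None) -> Dict[str, Any]:
        return {"Targets": [{"TargetId": "account2", "Type": "ACCOUNT"}, {"TargetId": "account1", "Type": "ACCOUNT"}]}


if __name__ == "__main__":  # replace FakeOrganizations() with boto3.client("organizations")
    print(explain(find_conflicting_scp(FakeOrganizations(), POLICY_NAME), POLICY_NAME))
```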
I've deleted the SCP and run the deployment again. Here's what's logged to the console:
>org-formation perform-tasks ./src/_tasks.yml --max-concurrent-stacks 50 --max-concurrent-tasks 1
...
INFO: Executing: include src/templates/010-scps/_tasks.yml.
INFO: Executing: update-stacks src/templates/010-scps/deny-unsupported-regions.yml primacy-deny-unsupported-regions.
INFO: Stack primacy-deny-unsupported-regions already up to date.
INFO: Task DenyUnsupportedRegions execute successful.
INFO: Executing: update-stacks src/templates/010-scps/deny-large-ec2.yml primacy-deny-large-ec2.
ERROR: error updating CloudFormation stack primacy-deny-large-ec2 in account 1234 (us-east-1).
Resource is not in the state stackCreateComplete (1234 = ManagementAccount)
ERROR: Resource Scp failed because Resource handler returned message: "AWS Organizations can't complete your request because another request is already in progress. Try again later." (RequestToken: asdf, HandlerErrorCode: InternalFailure).
ERROR: Stack primacy-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234 = ManagementAccount)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)
If that's not the logs you mean, what logs would help us here?