org-formation-cli
ERROR: no top level OrganizationBinding found..
Might be related to https://github.com/org-formation/org-formation-cli/issues/195
My goal is to simply set up some Administrator rights on all accounts except the Management account.
Your environment
- 0.9.19
- AWS code pipeline
Steps to reproduce
Given

```yaml
SsoAdministrator:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub "${resourcePrefix}-${appName}-admin"
  StackDescription: "Full permission role used by Admin group within whole organization"
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: "*"
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref adminGroup
    permissionSetName: "Administrator"
    managedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"]
    sessionDuration: "PT1H"
    masterAccountId: !Ref ManagementAccount
```
Remove

```yaml
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
```
Expected behaviour
Bind to any account except Master account
Sidenote: The docs https://github.com/org-formation/org-formation-cli/blob/master/docs/cloudformation-resources.md#organizationbinding-where-to-create-which-resource say OrganizationBinding not OrganizationBindings. Perhaps the docs are not matching up?
Actual behaviour
```text
ERROR: Task SsoAdministrator execute failed. reason: unable to load file 100-sso/aws-sso.yml.
reason: Resource PermissionSet is missing OrganizationBinding attribute and no top level OrganizationBinding found..
ERROR:
ERROR: ==========================
ERROR: Stopped performing task(s)
ERROR: Following tasks failed:
ERROR: - Task SsoAdministrator
ERROR: ==========================
ERROR:
ERROR: Task AWSSSO execute failed. reason: Number of failed tasks 1 exceeded tolerance for failed tasks 0.
ERROR:
ERROR: ==========================
ERROR: Stopped performing task(s)
ERROR: Following tasks completed:
ERROR: - Task OrganizationBuild
ERROR: - Task Types
ERROR: Following tasks failed:
ERROR: - Task AWSSSO
ERROR: ==========================
ERROR:
ERROR: Number of failed tasks 1 exceeded tolerance for failed tasks 0.

[Container] 2022/05/25 01:23:56 Command did not exit successfully org-formation perform-tasks ./organization-tasks.yml --no-color --state-bucket-name organization-formation-705671790868 --state-object state.json exit status 1
[Container] 2022/05/25 01:23:56 Phase complete: BUILD State: FAILED
[Container] 2022/05/25 01:23:56 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: org-formation perform-tasks ./organization-tasks.yml --no-color --state-bucket-name organization-formation-705671790868 --state-object state.json. Reason: exit status 1
```
The error is correct; the expectation is not.
From context, I understand that the aws-sso.yml contains at least 1 CloudFormation resource (PermissionSet) that does not have an OrganizationBinding. The DefaultOrganizationBinding value specifies where resources need to be deployed that do not declare this attribute.
If the intent is to deploy these resources to all accounts, use:

```yaml
# any account except for the master account
DefaultOrganizationBinding:
  Account: "*"

# only the master account
DefaultOrganizationBinding:
  IncludeMasterAccount: true

# any account including the master account
DefaultOrganizationBinding:
  Account: "*"
  IncludeMasterAccount: true

# empty set (no accounts)
DefaultOrganizationBinding:
  IncludeMasterAccount: false
```

(The `*` is quoted: an unquoted `*` at the start of a YAML scalar is parsed as an alias and fails to load.)
more information here
How bindings are used depends on the template you are trying to deploy. It seems like TargetBinding is set to {Account: "*"}, which might be the binding that you are looking for?
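The binding rules stated in the reply above, written out as a small resolver. This is an added example, not org-formation's own code: it models only the two keys discussed here (`Account: "*"` and `IncludeMasterAccount`) plus a list of explicit account ids, represents a resource's `OrganizationBinding: !Ref TargetBinding` as a plain string naming an entry under the task's `OrganizationBindings` (an assumption of this model), and uses constructed sample account ids. Running it reproduces the exact situation from the issue: removing `DefaultOrganizationBinding` while the `PermissionSet` resource carries no binding of its own yields the "missing OrganizationBinding attribute and no top level OrganizationBinding" error, whereas pointing the resource at `TargetBinding` deploys it to every member account and keeps the management account out.

```python
"""Model of how org-formation resolves OrganizationBinding targets.

Added example, not org-formation's own code. Rules modelled, taken from the
maintainer's reply:
  - Account: "*"               -> every member account (master excluded)
  - IncludeMasterAccount: true -> adds the management (master) account
  - no binding on the resource and no DefaultOrganizationBinding -> error
A resource's binding given as a string is treated as a reference to a named
binding in the task file's OrganizationBindings (modelling assumption).
Account ids below are constructed sample values.
"""
from __future__ import annotations

# Constructed sample organization: one management account and three members.
MASTER_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = {"222222222222", "333333333333", "444444444444"}


class BindingError(ValueError):
    """Raised when a resource cannot be bound to any account set."""


def resolve_binding(binding: dict | None) -> set[str]:
    """Return the set of account ids a single binding selects."""
    if binding is None:
        return set()
    targets: set[str] = set()
    account = binding.get("Account")
    if account == "*":
        # "*" means all member accounts; the master account is never implied.
        targets |= MEMBER_ACCOUNTS
    elif isinstance(account, list):
        unknown = set(account) - MEMBER_ACCOUNTS - {MASTER_ACCOUNT}
        if unknown:
            raise BindingError(f"unknown account ids in binding: {sorted(unknown)}")
        targets |= set(account)
    if binding.get("IncludeMasterAccount", False):
        targets.add(MASTER_ACCOUNT)
    return targets


def resolve_template(resources: dict[str, dict], task: dict) -> dict[str, set[str]]:
    """Map each template resource to the accounts it would be deployed to.

    `resources` is {logical id: {"OrganizationBinding": <dict | name | absent>}}.
    `task` is the update-stacks task: may carry OrganizationBindings (named)
    and DefaultOrganizationBinding (fallback for resources without one).
    """
    named = task.get("OrganizationBindings", {})
    default = task.get("DefaultOrganizationBinding")
    result: dict[str, set[str]] = {}
    for logical_id, resource in resources.items():
        binding = resource.get("OrganizationBinding")
        if isinstance(binding, str):  # modelled !Ref to a named binding
            if binding not in named:
                raise BindingError(f"resource {logical_id} references unknown binding {binding}")
            binding = named[binding]
        if binding is None:
            if default is None:
                # This is the error the issue reports.
                raise BindingError(
                    f"Resource {logical_id} is missing OrganizationBinding attribute "
                    "and no top level OrganizationBinding found"
                )
            binding = default
        result[logical_id] = resolve_binding(binding)
    return result


def issue_scenario(default_present: bool, resource_binds_target: bool) -> dict[str, set[str]]:
    """Reproduce the task file from the issue with the two knobs under discussion."""
    task: dict = {"OrganizationBindings": {"TargetBinding": {"Account": "*"}}}
    if default_present:
        task["DefaultOrganizationBinding"] = {"IncludeMasterAccount": True}
    permission_set: dict = {}
    if resource_binds_target:
        permission_set["OrganizationBinding"] = "TargetBinding"
    return resolve_template({"PermissionSet": permission_set}, task)


if __name__ == "__main__":
    # Original task file: PermissionSet falls back to the default -> master only.
    print(issue_scenario(True, False))
    # Resource bound to TargetBinding: every member account, master excluded.
    print(issue_scenario(False, True))
    try:
        issue_scenario(False, False)
    except BindingError as exc:
        print("ERROR:", exc)
```

The two-knob `issue_scenario` helper makes the trade-off visible: with the original file the Administrator permission set lands only on the management account (the opposite of what was wanted), and simply deleting `DefaultOrganizationBinding` fails at load time; what achieves "every account except management" is a binding with `Account: "*"` and no `IncludeMasterAccount`, attached either to the resource or as the default.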
How do I know the template/schema for the SSO use case?
My guess is that you came across a template for implementing AWS SSO somewhere and copied this into your project. Example:
In this example, targetBinding is used to specify where the administrator permission set needs to be deployed. For the administratorRole this is {Account: "*"} (see here).
Long story short: a lot of people copy/paste and then modify examples found on the internet. Understanding how the example works typically depends on reading the template.