Failure to update org after successful init without making any changes
I have the following org structure:
```text
<Root>
├── Infrastructure
│   └── Prod
├── Sandbox
│   └── sandbox-01 (account)
├── Security
│   └── Prod
│       ├── log-archive-prod (account)
│       └── security-tooling-prod (account)
├── Workloads
│   └── Prod
│       └── workload-a-prod (account)
└── management (account)
```
`org-formation init` successfully generated organization.yml and the state file:
```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: default template generated for organization with master account 1111
Organization:
  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: management
      AccountId: '111'
      RootEmail: [email protected]
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      DefaultOrganizationAccessRoleName: OrganizationAccountAccessRole
  InfrastructureOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Infrastructure
      OrganizationalUnits: !Ref ProdOU
  ProdOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
  ProdOU2:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
      Accounts: !Ref WorkloadAProd
  ProdOU3:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
      Accounts:
        - !Ref LogArchiveProdAccount
        - !Ref SecurityToolingProdAccount
  SandboxOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Sandbox
      Accounts: !Ref Sandbox_01Account
  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Security
      OrganizationalUnits: !Ref ProdOU3
  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Workloads
      OrganizationalUnits: !Ref ProdOU2
  WorkloadAProd:
    Type: OC::ORG::Account
    Properties:
      AccountName: workload-a-prod
      AccountId: '222'
      RootEmail: [email protected]
  LogArchiveProdAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: log-archive-prod
      AccountId: '333'
      RootEmail: [email protected]
  Sandbox_01Account:
    Type: OC::ORG::Account
    Properties:
      AccountName: sandbox-01
      AccountId: '444'
      RootEmail: [email protected]
  SecurityToolingProdAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: security-tooling-prod
      AccountId: '555'
      RootEmail: [email protected]
```
But when I ran `org-formation update organization.yml` without making any changes to the org structure or the yml file, it failed:
```text
OC::ORG::ServiceControlPolicy | DenyLeaveOrganizationSCP | Create (p-evtg9bae)
OC::ORG::ServiceControlPolicy | DenyLeaveOrganizationSCP | CommitHash
OC::ORG::ServiceControlPolicy | DenyOrgTrailKmsKeyDeletionSCP | Create (p-e3tv85fg)
OC::ORG::ServiceControlPolicy | DenyOrgTrailKmsKeyDeletionSCP | CommitHash
OC::ORG::ServiceControlPolicy | DenyRootUserActionsSCP | Create (p-fubllui4)
OC::ORG::ServiceControlPolicy | DenyRootUserActionsSCP | CommitHash
OC::ORG::ServiceControlPolicy | RestrictRegionSCP | Create (p-68q3d4cq)
OC::ORG::ServiceControlPolicy | RestrictRegionSCP | CommitHash
OC::ORG::Account | WorkloadAProd | Create (bbb)
OC::ORG::Account | WorkloadAProd | CommitHash
OC::ORG::Account | LogArchiveProdAccount | Create (bbb)
OC::ORG::Account | LogArchiveProdAccount | CommitHash
OC::ORG::Account | Sandbox_01Account | Create (bbb)
OC::ORG::Account | Sandbox_01Account | CommitHash
OC::ORG::Account | SecurityToolingProdAccount | Create (bbb)
OC::ORG::Account | SecurityToolingProdAccount | CommitHash
OC::ORG::OrganizationalUnit | InfrastructureOU | Create (ou-g0qz-ko3t1zsu)
OC::ORG::OrganizationalUnit | ProdOU | Create (ou-g0qz-sxolqy99)
OC::ORG::OrganizationalUnit | InfrastructureOU | Attach OU (ProdOU)
OC::ORG::OrganizationalUnit | InfrastructureOU | CommitHash
OC::ORG::OrganizationalUnit | ProdOU | CommitHash
OC::ORG::OrganizationalUnit | ProdOU2 | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit | ProdOU2 | Attach Account (WorkloadAProd)
OC::ORG::OrganizationalUnit | ProdOU2 | CommitHash
OC::ORG::OrganizationalUnit | ProdOU3 | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit | ProdOU3 | Attach Account (LogArchiveProdAccount)
OC::ORG::OrganizationalUnit | ProdOU3 | Attach Account (SecurityToolingProdAccount)
OC::ORG::OrganizationalUnit | ProdOU3 | CommitHash
OC::ORG::OrganizationalUnit | SandboxOU | Create (ou-g0qz-2e1q2vhm)
OC::ORG::OrganizationalUnit | SandboxOU | Attach Account (Sandbox_01Account)
OC::ORG::OrganizationalUnit | SandboxOU | CommitHash
OC::ORG::OrganizationalUnit | SecurityOU | Create (ou-g0qz-m9l7l7h6)
ERROR: failed executing task: Attach OU (ProdOU3) OC::ORG::OrganizationalUnit SecurityOU DuplicateOrganizationalUnitException: An organizational unit with the specified name already exists under the specified parent.
ERROR: error: DuplicateOrganizationalUnitException, aws-request-id: 85cdc567-15ab-4f06-9a75-a7cc614c6313
ERROR: An organizational unit with the specified name already exists under the specified parent.
```
What is even worse, it altered my org structure:
```text
<Root>
├── Infrastructure
│   └── Prod                          <-- this OU was re-created, but the new physicalId is not in the state file
├── Prod_tmp                          <-- new OU
│   ├── workload-a-prod (account)     <-- account moved
│   ├── log-archive-prod (account)    <-- account moved
│   └── security-tooling-prod (account) <-- account moved
├── Sandbox
│   └── sandbox-01 (account)
├── Security
│   └── Prod
├── Workloads
│   └── Prod
└── management (account)
```
Your environment
- version of org-formation (`ofn --version`): 1.0.11
- version of node (`node --version`): v18.16.1
- which OS/distro: Ubuntu 22.04.2 LTS
Expected behaviour
`ofn update` should run successfully after `ofn init` when no changes have been made.
I did some experimenting and was able to work around the issue.
I manually reset my org structure to how it is supposed to look.
Generated new organization.yml and state files.
Then renamed logical names as per below in both the yml and state files:
```text
ProdOU  -> InfrastructureProdOU
ProdOU2 -> WorkloadsProdOU
ProdOU3 -> SecurityProdOU
```
Then ran `org-formation update` and it was successful.
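The workaround above (give every OU whose name is reused elsewhere in the template a parent-qualified logical id) can be applied mechanically, and the two symptoms in the report can be checked for before and after running the tool. The following is an added example, not code from org-formation or from the issue author. It assumes the `Organization` section has already been loaded into a dict (for instance with PyYAML and a constructor that turns `!Ref X` into the `Ref` class below; that loader is not shown) and embeds a constructed copy of the template from this issue inline. It derives the same three renames the author applied, rewrites every `!Ref` to match, checks the constraint AWS enforces (`DuplicateOrganizationalUnitException`: no two OUs with the same name under one parent), and scans `ofn update` log lines for a physical OU id recorded against more than one logical id, which is what the quoted log shows for `ProdOU2` and `ProdOU3`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ref:
    """Stand-in for a `!Ref LogicalName` tag as a YAML loader would return it (assumption)."""
    name: str


def ou(name, units=None, accounts=None):
    """Build an OC::ORG::OrganizationalUnit resource dict for the constructed sample."""
    props = {"OrganizationalUnitName": name}
    if units is not None:
        props["OrganizationalUnits"] = units
    if accounts is not None:
        props["Accounts"] = accounts
    return {"Type": "OC::ORG::OrganizationalUnit", "Properties": props}


# Constructed sample: the OU part of the generated organization.yml from this issue,
# in the dict shape a YAML loader with a !Ref constructor would produce.
ORGANIZATION = {
    "OrganizationRoot": {"Type": "OC::ORG::OrganizationRoot", "Properties": {}},
    "InfrastructureOU": ou("Infrastructure", units=Ref("ProdOU")),
    "ProdOU": ou("Prod"),
    "ProdOU2": ou("Prod", accounts=Ref("WorkloadAProd")),
    "ProdOU3": ou("Prod", accounts=[Ref("LogArchiveProdAccount"), Ref("SecurityToolingProdAccount")]),
    "SandboxOU": ou("Sandbox", accounts=Ref("Sandbox_01Account")),
    "SecurityOU": ou("Security", units=Ref("ProdOU3")),
    "WorkloadsOU": ou("Workloads", units=Ref("ProdOU2")),
}


def refs(value):
    """Normalise a single Ref, a list of Refs, or None to a list of logical ids."""
    if value is None:
        return []
    if isinstance(value, Ref):
        return [value.name]
    return [v.name for v in value]


def ou_parents(org):
    """Map each OU logical id to its parent's logical id; unreferenced OUs sit under 'OrganizationRoot'."""
    parents = {}
    for logical, res in org.items():
        if res.get("Type") != "OC::ORG::OrganizationalUnit":
            continue
        parents.setdefault(logical, "OrganizationRoot")
        for child in refs(res["Properties"].get("OrganizationalUnits")):
            parents[child] = logical  # a later reference overrides the root default
    return parents


def duplicate_names_under_same_parent(org):
    """Return (parent, name) pairs AWS would reject with DuplicateOrganizationalUnitException."""
    seen, dups = set(), []
    for logical, parent in ou_parents(org).items():
        key = (parent, org[logical]["Properties"]["OrganizationalUnitName"])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def proposed_renames(org):
    """For every OU name used more than once, propose <ParentName><Name>OU as the logical id."""
    parents = ou_parents(org)
    by_name = {}
    for logical in parents:
        by_name.setdefault(org[logical]["Properties"]["OrganizationalUnitName"], []).append(logical)
    renames = {}
    for name, logicals in by_name.items():
        if len(logicals) < 2:
            continue
        for logical in logicals:
            parent = parents[logical]
            prefix = "" if parent == "OrganizationRoot" else org[parent]["Properties"]["OrganizationalUnitName"]
            new = f"{prefix}{name}OU"
            if new != logical:
                renames[logical] = new
    return renames


def apply_renames(org, renames):
    """Return a copy of the template with logical ids renamed, including every !Ref pointing at them."""
    def fix(value):
        if isinstance(value, Ref):
            return Ref(renames.get(value.name, value.name))
        if isinstance(value, list):
            return [fix(v) for v in value]
        if isinstance(value, dict):
            return {k: fix(v) for k, v in value.items()}
        return value
    return {renames.get(k, k): fix(v) for k, v in org.items()}


CREATE_RE = re.compile(r"^OC::ORG::OrganizationalUnit \| (\S+) \| Create \((\S+)\)$")


def physical_id_collisions(log_lines):
    """From `ofn update` output, return physical OU ids that were recorded for more than one logical id."""
    owners = {}
    for line in log_lines:
        m = CREATE_RE.match(line.strip())
        if m:
            owners.setdefault(m.group(2), []).append(m.group(1))
    return {pid: ls for pid, ls in owners.items() if len(ls) > 1}


# Constructed from the OU "Create" lines of the update log quoted in this issue.
UPDATE_LOG = """
OC::ORG::OrganizationalUnit | InfrastructureOU | Create (ou-g0qz-ko3t1zsu)
OC::ORG::OrganizationalUnit | ProdOU | Create (ou-g0qz-sxolqy99)
OC::ORG::OrganizationalUnit | ProdOU2 | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit | ProdOU3 | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit | SandboxOU | Create (ou-g0qz-2e1q2vhm)
OC::ORG::OrganizationalUnit | SecurityOU | Create (ou-g0qz-m9l7l7h6)
""".strip().splitlines()
```

`proposed_renames(ORGANIZATION)` yields exactly the author's mapping (`ProdOU` to `InfrastructureProdOU`, `ProdOU2` to `WorkloadsProdOU`, `ProdOU3` to `SecurityProdOU`), and `duplicate_names_under_same_parent(ORGANIZATION)` is empty, so the template itself satisfies the AWS constraint; the failure comes from the tool mapping two logical ids to one physical OU, which `physical_id_collisions(UPDATE_LOG)` surfaces as `ou-g0qz-7mm1apwu` owned by both `ProdOU2` and `ProdOU3`. As the thread notes, the same rename map has to be applied to the state file in the S3 state bucket as well, otherwise the logical ids in the template and the state no longer line up.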
@k-paulius , how did you update your state file?
@KarlCF the state file is stored in the S3 bucket that you specify with `--state-bucket-name`. I simply downloaded the file from S3, modified it, uploaded it back to S3 and then ran org-formation.
thx a lot @k-paulius , will give it a try!