
I’m trying to run the CloudFormation “Configure permissions with CloudFormation” to deploy the necessary resources in my AWS organization. I have a single account as the master payer and then over 30 accounts in various OUs. I need to be able to use Lucidscale to create documentation of each account in these multiple OUs.

I’m getting a failure on the deployment of this initial stackset: “Properties validation failed for resource MemberRoleStackSet with message: [#/StackInstancesGroup/0/DeploymentTargets/OrganizationalUnitIds/0: string [used my organizational ID] does not match pattern ^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$]”

I need to discover all accounts which reside in multiple OUs. Nothing I’ve tried has helped with this. Any help? What should go in the parameters for

  • BastionRootOrOrganizationalUnitId
  • MembersRootOrOrganizationalUnitId

Hi @sean.kaminsk,

This could be because of an invalid Organizational Unit / Root ID format in the OrganizationalUnitIds section of your StackSet.

AWS expects the formats shown below:
Organizational Unit ID: 
Example: ou-abcd-12345678

Root ID:
Example: r-1a2b

Can you give it a try and let me know the outcome?

Hope this helps - Happy to help further!!
Thank you very much and have a great one!
Warm regards
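As an added example (not code from the original posts or from Lucid), the following Python checks the two target parameters against the exact pattern quoted in the validation error above, and then walks a constructed organization tree the way the read-only Organizations calls (ListRoots, ListOrganizationalUnitsForParent, ListAccountsForParent) would, so the accounts that sit under a root or OU, nested OUs included, can be listed before the StackSet is deployed. The tree, OU IDs and account numbers are made up for the example.

```python
import re

# Pattern quoted verbatim in the StackSet validation error in the opening post
TARGET_ID_RE = re.compile(r"^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$")


def is_valid_target_id(value):
    """True if value is an OU ID (ou-xxxx-xxxxxxxx) or a root ID (r-xxxx)."""
    return bool(TARGET_ID_RE.match(value))


def check_target_parameters(params):
    """Return problems with the two StackSet target parameters; empty if fine."""
    problems = []
    for name in ("BastionRootOrOrganizationalUnitId", "MembersRootOrOrganizationalUnitId"):
        value = params.get(name, "")
        if not is_valid_target_id(value):
            problems.append(f"{name}={value!r} is not an OU or root ID "
                            "(account IDs and OU names are not accepted here)")
    return problems


# Constructed organization tree (placeholder IDs); stands in for the
# organizations:ListRoots / ListOrganizationalUnitsForParent / ListAccountsForParent
# responses that the bastion role's permission policy allows it to read
ORG_TREE = {
    "r-1a2b":           {"ous": ["ou-1a2b-abcdefgh", "ou-1a2b-ijklmnop"], "accounts": ["111111111111"]},
    "ou-1a2b-abcdefgh": {"ous": ["ou-1a2b-qrstuvwx"], "accounts": ["222222222222"]},
    "ou-1a2b-ijklmnop": {"ous": [], "accounts": ["333333333333", "444444444444"]},
    "ou-1a2b-qrstuvwx": {"ous": [], "accounts": ["555555555555"]},
}


def list_accounts_under(parent_id, tree=ORG_TREE):
    """Depth-first walk from a root or OU, returning (account_id, path) pairs.
    Nested OUs are included, which matches how a service-managed StackSet
    expands an OU target to the accounts it deploys into."""
    found = []
    stack = [(parent_id, [parent_id])]
    while stack:
        node, path = stack.pop()
        entry = tree.get(node)
        if entry is None:
            raise KeyError(f"unknown parent {node!r}")
        for acct in entry["accounts"]:
            found.append((acct, "/".join(path)))
        for child in reversed(entry["ous"]):   # reversed so children come out in order
            stack.append((child, path + [child]))
    return found
```

Passing the root ID returns every account in the organization; passing an OU ID returns only the accounts beneath that OU, so the output of `list_accounts_under` is the set of accounts the member StackSet should create instances in for the value you put into MembersRootOrOrganizationalUnitId.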


I retried this and it got further, but now I’m getting this on the MemberRoleStackSet:

Resource handler returned message: "Resource of type 'Stack set operation [c2a9493d-2572-410f-8104-0682f1cf48d3] was unexpectedly stopped or failed. status reason(s): [ResourceLogicalId:MemberAccountRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::190816833194:role/lucid-import-bastion-role" (Service: Iam, Status Code: 400, Request ID: 8da5851e-8193-46a0-9b73-89f011a17fae) (SDK Attempt Count: 1)" (RequestToken: 6579d9aa-9598-09bf-5e7b-5fe23b3c5337, HandlerErrorCode: InvalidRequest).]' with identifier 'LucidOrgImportMemberAccountStackSet:f7307430-1aae-4dd9-83e0-fc5381c12c3a' did not stabilize." (RequestToken: d7c30b3e-2c2c-264f-851b-284c961e8972, HandlerErrorCode: NotStabilized)


Hi @sean.kaminsk,

The error sounds like it comes from an invalid or missing IAM role principal in the trust policy.

Kindly ensure the referenced role exists in the correct account, has fully propagated, and that trust relationships are configured according to Lucidscale’s workflow rules listed.

This is a usual issue I see with multi-account, multi-OU AWS Organization setups.

Best Regards


From what this says, the first CloudFormation should create the roles in all the accounts?

Below are the parameters I used.

  • BastionAccountId: 1xxxxxxxx33194
  • BastionRoleName: lucid-import-bastion-role
  • BastionRootOrOrganizationalUnitId: r-9xxn
  • LucidAccountId: 799803075172
  • LucidExternalId: 866b1b06-60a8-4909-842e-a20560724f9f
  • MemberRoleName: lucid-import-account-role
  • MembersRootOrOrganizationalUnitId: r-9xxn


Nothing I’ve been able to do will let the initial organizational CloudFormation run. It’s complaining about the role being missing; however, based on the documentation, the first step’s goal is to create the roles. Am I missing something?


After trying a few things, it looks like the first CloudFormation template, which clearly says “Configure Permissions with CloudFormation”, doesn’t create the bastion permission??? Seems kind of strange?

What I did was run a single account cloudformation which created the role.  I then used the role that was created there as the role for my “bastion” role in the Organizational Cloudformation template.  That seems to have worked as the Cloudformation and all the stacksets in the member accounts are running successfully.

Please update the CloudFormation to create the initial role, or improve the documentation so that it’s clear that the role needs to exist ahead of time.


Well... unfortunately, when trying to import, all of the accounts fail. So I’m still looking into this.


Hi @sean.kaminsk, thank you for posting in the community and sorry to hear you’re experiencing issues with the Lucidscale CloudFormation import. I see you have already submitted a support ticket for this and someone from our team is assisting you there. Please continue referring to the ticket for further correspondence. If you have any questions, please let us know. Thanks!


Hi Sean, hi Leianne.

I am having the same problem. Is it possible that the problem is that the template is using an array for a single value, and it is also using the Fn::Sub function inside that array?

"Principal": {
  "AWS": [
    {"Fn::Sub": "arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}"}
  ]
}

If I launch a custom Cloud Formation without the array, the Stack works, but Lucid still does not connect. I understand that custom Cloud Formation deployments are not supported by Lucid, so I would like to be part of the solution.


For some reason, it seems that the Bastion Role stackset doesn’t deploy the role which causes the other stackset to fail.  

I had a call with Lucid this week and we opted to create the bastion role (in the bastion account) manually. Then re-ran the full CloudFormation and it worked.

If the LucidOrgImportBastionAccountStackSet fails to deploy the bastion role, one can be created manually on the bastion account with the following policies.

Permission Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListRoots"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/lucid-import-account-role",
      "Effect": "Allow"
    }
  ]
}


Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::799803075172:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL_ID_HERE"
        }
      }
    }
  ]
}

After this policy is deployed, the LucidOrgImportMemberAccountStackSet stackset can be redeployed and should no longer fail due to an invalid principal. 
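As an added example (not code from the posts above or from Lucid), the Python below ties together the two observations in this thread: the member-role template that wraps an Fn::Sub principal in a one-element array, and the bastion trust policy that has to exist, with the ExternalId filled in, before the member StackSet can succeed. It resolves the Fn::Sub the way CloudFormation would, reports which role ARNs in a trust policy do not exist yet (the condition that produces IAM's "Invalid principal in policy"), and lints the bastion trust policy for a wildcard principal, a missing or placeholder sts:ExternalId, or a mismatch with the LucidExternalId parameter. The BastionAccountId value and the set of existing roles are constructed placeholders; the 799803075172 principal is the one from the posted trust policy.

```python
import copy
import re

ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PLACEHOLDER_EXTERNAL_ID = "EXTERNAL_ID_HERE"   # literal left in the posted trust policy


def resolve_sub(node, params):
    """Resolve {"Fn::Sub": "..."} nodes with ${Param} references, recursing through
    dicts and lists. The member-role template puts the Fn::Sub inside a one-element
    list; IAM accepts a list of principals, so the array itself is not the defect."""
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"}:
            def repl(m):
                if m.group(1) not in params:
                    raise KeyError("unresolved template parameter " + m.group(0))
                return params[m.group(1)]
            return re.sub(r"\$\{([A-Za-z0-9]+)\}", repl, node["Fn::Sub"])
        return {k: resolve_sub(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_sub(v, params) for v in node]
    return node


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _aws_principals(stmt):
    prin = stmt.get("Principal", {})
    if isinstance(prin, str):                      # "Principal": "*"
        return [prin]
    aws = prin.get("AWS", [])
    return aws if isinstance(aws, list) else [aws]


def missing_principals(trust_policy, existing_role_arns):
    """Role ARNs named as principals that do not exist yet. IAM validates them when
    the role is created and rejects the policy with 'Invalid principal in policy',
    which is the MemberAccountRole failure seen when the bastion role is absent."""
    return [p for s in _statements(trust_policy) for p in _aws_principals(s)
            if ROLE_ARN_RE.match(p) and p not in existing_role_arns]


def lint_trust_policy(trust_policy, expected_external_id=None):
    """Findings for a cross-account trust policy; an empty list means clean."""
    findings = []
    for i, stmt in enumerate(_statements(trust_policy)):
        if stmt.get("Effect") != "Allow":
            continue
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for p in _aws_principals(stmt):
            if p == "*":
                findings.append(f"stmt {i}: wildcard principal")
            elif ROOT_PRINCIPAL_RE.match(p):
                # Whole-account principal: sts:ExternalId is the confused-deputy guard
                if ext_id is None:
                    findings.append(f"stmt {i}: account-root principal without sts:ExternalId")
                elif ext_id == PLACEHOLDER_EXTERNAL_ID:
                    findings.append(f"stmt {i}: ExternalId placeholder not replaced")
                elif expected_external_id and ext_id != expected_external_id:
                    findings.append(f"stmt {i}: ExternalId differs from LucidExternalId")
            elif not ROLE_ARN_RE.match(p):
                findings.append(f"stmt {i}: unexpected principal {p!r}")
    return findings


# Constructed parameter values (placeholders, not real account data)
PARAMS = {"BastionAccountId": "123456789012", "BastionRoleName": "lucid-import-bastion-role"}

# Member-role trust policy in the shape quoted in the thread (Fn::Sub inside a list)
MEMBER_TRUST_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": [{"Fn::Sub": "arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}"}]},
    }],
}

# Bastion-role trust policy as posted above, placeholder still in place
BASTION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::799803075172:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER_EXTERNAL_ID}},
    }],
}


def bastion_trust_with_external_id(external_id):
    """Copy of the posted trust policy with the LucidExternalId filled in."""
    policy = copy.deepcopy(BASTION_TRUST_POLICY)
    policy["Statement"][0]["Condition"]["StringEquals"]["sts:ExternalId"] = external_id
    return policy
```

Run `missing_principals(resolve_sub(MEMBER_TRUST_TEMPLATE, PARAMS), existing)` with the set of role ARNs that actually exist in the bastion account before launching the member StackSet: a non-empty result means the bastion role still has to be created first, which is the ordering problem this thread worked around by creating it manually. Run `lint_trust_policy` on the bastion role's trust policy with the LucidExternalId parameter so a copy-pasted EXTERNAL_ID_HERE never reaches a live role.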

