Issue with Lucidscale cloudformation import with an AWS Org with multiple OU's

i’m trying to run the cloudformation ‘configure permissions with cloudformation’ to deploy the necessary resources in my AWS organization. I have a single account as the master payer and then over 30 accounts in various OU’s. I need to be able to use Lucidscale to create documentation of each account in these multiple OU’s.

I’m getting a failure on the deployment of this initial stackset. “Properties validation failed for resource MemberRoleStackSet with message: c#/StackInstancesGroup/0/DeploymentTargets/OrganizationalUnitIds/0: string ausedmyorgnazitional ID] does not match pattern ^(ou- a-z0-9]{4,32}-^a-z0-9]{8,32}|r-2a-z0-9]{4,32})$]

I need to discover all accounts which reside in multiple OU’s. Nothing i’ve tried has helped with this. Any help? What should go in the parameters for

BastionRootOrOrganizationalUnitId\
MembersRootOrOrganizationalUnitId

Page 1 / 1

Hi @sean.kaminsk

This could be because of an invalid Organizational Unit / Root ID format in the OrganizationalUnitIds section of your StackSet

AWS works best in the below shown formats
Organizational Unit ID:
Example: ou-abcd-12345678

Root ID:
Example: r-1a2b

Can you give a try and let me know the outcome.

To learn more on the Lucidscale + CloudFormation StackSet make use of this article - Deploying StackSets to OUs with nested OUs | AWS re:Post
Also am sure youa re referring to this page which clearly reinforces that you must provide valid OU or root IDs in the correct format - Import and manage AWS infrastructure data in Lucidscale – Lucid

Hope this helps - Happy to help further!!
Thank you very much and have a great one!
Warm regards

I retried this and it got further. but now getting this on the MemberRoleStackSet

Resource handler returned message: "Resource of type 'Stack set operation oc2a9493d-2572-410f-8104-0682f1cf48d3] was unexpectedly stopped or failed. status reason(s): )ResourceLogicalId:MemberAccountRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::190816833194:role/lucid-import-bastion-role" (Service: Iam, Status Code: 400, Request ID: 8da5851e-8193-46a0-9b73-89f011a17fae) (SDK Attempt Count: 1)" (RequestToken: 6579d9aa-9598-09bf-5e7b-5fe23b3c5337, HandlerErrorCode: InvalidRequest).]' with identifier 'LucidOrgImportMemberAccountStackSet:f7307430-1aae-4dd9-83e0-fc5381c12c3a' did not stabilize." (RequestToken: d7c30b3e-2c2c-264f-851b-284c961e8972, HandlerErrorCode: NotStabilized)

Hi @sean.kaminsk

The error sounds from an invalid or missing IAM role principal in the trust policy.

Kindly ensure the referenced role exists in the correct account, has fully propagated, and that trust relationships are configured according to Lucidscale’s workflow rules listed.

This is a usual us what i see with in multi-account, multi-OU AWS Organization setups.

Best Regards

From what this says, the first cloudformation should create the roles in all the accounts?

below are the parameters I used.

BastionAccountId	1xxxxxxxx33194	-
BastionRoleName	lucid-import-bastion-role	-
BastionRootOrOrganizationalUnitId	r-9xxn	-
LucidAccountId	799803075172	-
LucidExternalId	866b1b06-60a8-4909-842e-a20560724f9f	-
MemberRoleName	lucid-import-account-role	-
MembersRootOrOrganizationalUnitId	r-9xxn

Nothing I’ve been able to do will let the organizational initial cloudformation to run. Its complaining about the role being missing however, based on teh documentation, the first step’s goal is to create the roles. Am I missing something?

After trying a few things, it looks like the first Cloudformation template which clearly says “Configure Permissions with Cloudformation” doesn’t create the bastion permission??? Seems kind of strange?

What I did was run a single account cloudformation which created the role. I then used the role that was created there as the role for my “bastion” role in the Organizational Cloudformation template. That seems to have worked as the Cloudformation and all the stacksets in the member accounts are running successfully.

Please update the cloudformation to create the initial role or improve the documentation so that its clear that the role needs to exist ahead of time.

well.. unfortunately, when trying to import, all of the accounts fail. So i’m still looking into this.

Hi @sean.kaminsk, thank you for posting in the community and sorry to hear you’re experiencing issues with Lucidscale cloudformation import. I see you have already submitted support ticket for this and someone from our team is assisting you there. Please continue referring to the ticket for further correspondence. If you have any questions, please let us know. Thanks!

Hi Sean, hi Leianne.

I am having the same problem. It is possible that the problem is that the template is using an array for a single value and it is also using the Fn::Sub function inside that array?

"Principal": {
  "AWS":  
    {"Fn::Sub": "arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}"}
  ]
}

If I launch a custom Cloud Formation without the array, the Stack works, but Lucid still does not connect. I understand that custom Cloud Formation deployments are not supported by Lucid, so I would like to be part of the solution.

For some reason, it seems that the Bastion Role stackset doesn’t deploy the role which causes the other stackset to fail.

I had a call with Lucid this week and we opted to create the bastion role (in the bastion account) manually. Then re-ran the full cloudformation and it worked.

If the LucidOrgImportBastionAccountStackSet fails to deploy the bastion role, one can be created manually on the bastion account with the following policies.

Permission Policy

{

"Version": "2012-10-17",

"Statement": �

{

"Action": p

"organizations:DescribeAccount",

"organizations:DescribeOrganization",

"organizations:DescribeOrganizationalUnit",

"organizations:ListAccounts",

"organizations:ListAccountsForParent",

"organizations:ListChildren",

"organizations:ListOrganizationalUnitsForParent",

"organizations:ListParents",

"organizations:ListRoots"

"Resource": "*",

"Effect": "Allow"

{

"Action": �

"sts:AssumeRole"

"Resource": "arn:aws:iam::*:role/lucid-import-account-role",

"Effect": "Allow"

}

]

}

Trust Policy

{

"Version": "2012-10-17",

"Statement": <

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::799803075172:root"

"Action": "sts:AssumeRole",

"Condition": {

"StringEquals": {

"sts:ExternalId": "EXTERNAL_ID_HERE"

}

]

}

After this policy is deployed, the LucidOrgImportMemberAccountStackSet stackset can be redeployed and should no longer fail due to an invalid principal.

Hi Sean, we also used a workaround. We use YAML for our CloudFormation deployments so we had to recreate everything (LucidOrgImportMemberAccountStackSet, BastionRoleStackSet, MemberRoleStackSet and the ResourcePolicy stack).

Seems like the problem is in the array containing the principal, indeed.

The YAMLs are adapted to our pipelines. They work, but need more parameters.

Import

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the bastion account.
    Type: String
  MembersRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the member accounts.
    Type: String
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
  ArtifactsUrl:
    Type: String
    Description: '(Required) The URL for the artifacts source'
    AllowedPattern: "https?:\\/\\/((\a-zA-Z0-9]0a-zA-Z0-9\\-]*\a-zA-Z0-9])\\.){0,}(0A-Za-z0-9]|-A-Za-z0-9]0A-Za-z0-9\\-]*\A-Za-z0-9]){1,}(:,0-9]{1,5})?((\\/(a-zA-Z0-9]0a-zA-Z0-9\\-]*\a-zA-Z0-9]))*"
  Release:
    Type: String
    Description: Release identifier
    AllowedPattern: "(develop|master)|(((feat\\/)|((((rls\\/rc?_)|(hf\\/)|(mnto\\/))(/0-9]+\\.){1,2}10-9])+_?))(?A-Za-z0-9_\\-]+)?)"
    ConstraintDescription: 'Must specity release identifier, for example: master, develop, 1.0.5-rc, 1.0.5 or 1.0.5.1'
Resources:
  BastionRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    Properties:
      StackSetName: !Sub 'LucidOrgImportBastionAccountStackSet-${Release}'
      Description: Lucid stackset for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref BastionRootOrOrganizationalUnitId
            AccountFilterType: INTERSECTION
            Accounts:
              - !Ref BastionAccountId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: LucidAccountId
          ParameterValue: !Ref LucidAccountId
        - ParameterKey: LucidExternalId
          ParameterValue: !Ref LucidExternalId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/bastion.yaml'
  MemberRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    DependsOn: BastionRoleStackSet
    Properties:
      StackSetName: !Sub 'LucidOrgImportMemberAccountStackSet-${Release}'
      Description: Lucid stackset set for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref MembersRootOrOrganizationalUnitId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: BastionAccountId
          ParameterValue: !Ref BastionAccountId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/member.yaml'

Bastion

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  BastionAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref BastionRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Ref LucidAccountId
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref LucidExternalId
      Path: '/'
  BastionAccountRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: BastionAccountRole
    Properties:
      PolicyName: LucidImportBastionPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'organizations:DescribeAccount'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListOrganizationalUnitsForParent'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: !Sub 'arn:aws:iam::*:role/${MemberRoleName}'
      Roles:
        - !Ref BastionRoleName

Member

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  MemberAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref MemberRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}'
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Path: '/'

Policy

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
Resources:
  ResourcePolicy:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: DelegatedOrganizationsRead
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:root'
            Action:
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
              - 'organizations:DescribePolicy'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeAccount'
              - 'organizations:ListOrganizationalUnitsForParent'
            Resource: '*'

Hi @sean.kaminsk @Nicolas S., thank you for taking the time to share your workarounds. We have passed this information on to our engineering team and will update this thread if we have any additional information.

Please let us know if you have any questions in the meantime -- we are happy to help!

Create an account in the community

Log in to the community

Scanning file for viruses.

This file cannot be downloaded