Hi @sean.kaminsk
This could be because of an invalid Organizational Unit / Root ID format in the OrganizationalUnitIds section of your StackSet.
AWS works best with the formats shown below:
Organizational Unit ID:
Example: ou-abcd-12345678
Root ID:
Example: r-1a2b
Can you give it a try and let me know the outcome.
Hope this helps - Happy to help further!!
Thank you very much and have a great one!
Warm regards
I retried this and it got further, but now I'm getting this on the MemberRoleStackSet:
Resource handler returned message: "Resource of type 'Stack set operation [c2a9493d-2572-410f-8104-0682f1cf48d3] was unexpectedly stopped or failed. status reason(s): [ResourceLogicalId:MemberAccountRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::190816833194:role/lucid-import-bastion-role" (Service: Iam, Status Code: 400, Request ID: 8da5851e-8193-46a0-9b73-89f011a17fae) (SDK Attempt Count: 1)" (RequestToken: 6579d9aa-9598-09bf-5e7b-5fe23b3c5337, HandlerErrorCode: InvalidRequest).]' with identifier 'LucidOrgImportMemberAccountStackSet:f7307430-1aae-4dd9-83e0-fc5381c12c3a' did not stabilize." (RequestToken: d7c30b3e-2c2c-264f-851b-284c961e8972, HandlerErrorCode: NotStabilized)
Hi @sean.kaminsk
The error sounds like it comes from an invalid or missing IAM role principal in the trust policy.
Kindly ensure the referenced role exists in the correct account, has fully propagated, and that trust relationships are configured according to Lucidscale's workflow rules listed.
This is a common issue I see in multi-account, multi-OU AWS Organization setups.
Best Regards
From what this says, the first cloudformation should create the roles in all the accounts?
Below are the parameters I used.
BastionAccountId | 1xxxxxxxx33194 | - |
BastionRoleName | lucid-import-bastion-role | - |
BastionRootOrOrganizationalUnitId | r-9xxn | - |
LucidAccountId | 799803075172 | - |
LucidExternalId | 866b1b06-60a8-4909-842e-a20560724f9f | - |
MemberRoleName | lucid-import-account-role | - |
MembersRootOrOrganizationalUnitId | r-9xxn |
Nothing I've been able to do will let the initial organizational CloudFormation run. It's complaining about the role being missing; however, based on the documentation, the first step's goal is to create the roles. Am I missing something?
After trying a few things, it looks like the first Cloudformation template which clearly says “Configure Permissions with Cloudformation” doesn’t create the bastion permission??? Seems kind of strange?
What I did was run a single account cloudformation which created the role. I then used the role that was created there as the role for my “bastion” role in the Organizational Cloudformation template. That seems to have worked as the Cloudformation and all the stacksets in the member accounts are running successfully.
Please update the CloudFormation to create the initial role or improve the documentation so that it's clear that the role needs to exist ahead of time.
Well.. unfortunately, when trying to import, all of the accounts fail. So I'm still looking into this.
Hi @sean.kaminsk, thank you for posting in the community and sorry to hear you're experiencing issues with the Lucidscale CloudFormation import. I see you have already submitted a support ticket for this and someone from our team is assisting you there. Please continue referring to the ticket for further correspondence. If you have any questions, please let us know. Thanks!
Hi Sean, hi Leianne.
I am having the same problem. Is it possible that the problem is that the template is using an array for a single value, and that it is also using the Fn::Sub function inside that array?

    "Principal": {
        "AWS": [
            {"Fn::Sub": "arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}"}
        ]
    }
If I launch a custom Cloud Formation without the array, the Stack works, but Lucid still does not connect. I understand that custom Cloud Formation deployments are not supported by Lucid, so I would like to be part of the solution.
For some reason, it seems that the Bastion Role stackset doesn't deploy the role, which causes the other stackset to fail.
I had a call with Lucid this week and we opted to create the bastion role (in the bastion account) manually. Then re-ran the full cloudformation and it worked.
If the LucidOrgImportBastionAccountStackSet fails to deploy the bastion role, one can be created manually on the bastion account with the following policies.
Permission Policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "organizations:DescribeAccount",
                    "organizations:DescribeOrganization",
                    "organizations:DescribeOrganizationalUnit",
                    "organizations:ListAccounts",
                    "organizations:ListAccountsForParent",
                    "organizations:ListChildren",
                    "organizations:ListOrganizationalUnitsForParent",
                    "organizations:ListParents",
                    "organizations:ListRoots"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "arn:aws:iam::*:role/lucid-import-account-role",
                "Effect": "Allow"
            }
        ]
    }
Trust Policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::799803075172:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "EXTERNAL_ID_HERE"
                    }
                }
            }
        ]
    }
After this policy is deployed, the LucidOrgImportMemberAccountStackSet stackset can be redeployed and should no longer fail due to an invalid principal.
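As an added example that is not part of any post in this thread and is not Lucid's code, the following Python script performs the pre-flight checks that would have caught both problems discussed above before any StackSet ran: the root/OU id format from the first reply (the `r-...` and `ou-...-...` patterns are the formats AWS Organizations documents for those ids), and the ordering failure behind the "Invalid principal in policy" error (IAM validates a role principal when the trust policy is written, so the bastion role must already exist when the member role's trust policy names it). It also checks the two manual policies for a real sts:ExternalId condition and for sts:AssumeRole being scoped to the member role name only. The bastion account id, the external id and the "existing roles" set are constructed sample values; the Lucid account id, the role names and the EXTERNAL_ID_HERE placeholder are the ones quoted in the thread.

```python
# Added example (not Lucid's or any poster's code): offline pre-flight checks for the
# cross-account import roles discussed in this thread. BASTION_ACCOUNT_ID, the
# external id and the "existing roles" set are constructed sample values.
import re

# Formats AWS Organizations documents for root and OU ids (the StackSet deployment targets).
ROOT_ID_RE = re.compile(r"^r-[0-9a-z]{4,32}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

LUCID_ACCOUNT_ID = "799803075172"      # quoted in the thread
BASTION_ACCOUNT_ID = "111111111111"    # constructed placeholder
BASTION_ROLE_NAME = "lucid-import-bastion-role"
MEMBER_ROLE_NAME = "lucid-import-account-role"
BASTION_ROLE_ARN = f"arn:aws:iam::{BASTION_ACCOUNT_ID}:role/{BASTION_ROLE_NAME}"


def validate_target_id(value):
    """Classify a deployment target id as 'root', 'ou' or None (wrong format)."""
    if ROOT_ID_RE.match(value):
        return "root"
    if OU_ID_RE.match(value):
        return "ou"
    return None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def _aws_principals(statement):
    """Normalise Principal to a list of strings; '*' is the anonymous principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def check_member_trust_policy(policy, existing_role_arns):
    """IAM rejects a trust policy whose role principal does not exist yet
    ("Invalid principal in policy"), so the bastion role must be created first."""
    problems = []
    for st in _allow_statements(policy):
        for pr in _aws_principals(st):
            if pr == "*":
                problems.append("wildcard principal: any AWS account could assume the role")
            elif not ROLE_ARN_RE.match(pr):
                problems.append(f"malformed role ARN: {pr}")
            elif pr not in existing_role_arns:
                problems.append(f"principal role does not exist yet: {pr}")
    return problems


def check_bastion_trust_policy(policy, expected_account_id):
    """A role assumed by a third party must carry a real sts:ExternalId condition."""
    problems = []
    for st in _allow_statements(policy):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or ext == "EXTERNAL_ID_HERE":
            problems.append("sts:AssumeRole without a real sts:ExternalId condition")
        for pr in _aws_principals(st):
            if expected_account_id not in pr:
                problems.append(f"unexpected principal: {pr}")
    return problems


def check_bastion_permission_policy(policy, member_role_name):
    """sts:AssumeRole from the bastion account must be scoped to the member role name."""
    allowed = f"arn:aws:iam::*:role/{member_role_name}"
    problems = []
    for st in _allow_statements(policy):
        if any(a in ("*", "sts:*", "sts:AssumeRole") for a in _as_list(st["Action"])):
            for res in _as_list(st["Resource"]):
                if res != allowed:
                    problems.append(f"sts:AssumeRole not scoped to member role: {res}")
    return problems


def member_trust_policy():
    # Same shape as the member template: the bastion role ARN inside a one-element list.
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": [BASTION_ROLE_ARN]}, "Action": "sts:AssumeRole"}]}


def bastion_trust_policy(external_id):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{LUCID_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


BASTION_PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:DescribeAccount", "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts",
        "organizations:ListAccountsForParent", "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
        "organizations:ListRoots"]},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": f"arn:aws:iam::*:role/{MEMBER_ROLE_NAME}"}]}


def preflight(target_ids, bastion_role_exists, external_id):
    """Run every check; an empty list under each key means the deployment can proceed."""
    existing = {BASTION_ROLE_ARN} if bastion_role_exists else set()
    return {
        "bad_target_ids": [t for t in target_ids if validate_target_id(t) is None],
        "member_trust": check_member_trust_policy(member_trust_policy(), existing),
        "bastion_trust": check_bastion_trust_policy(bastion_trust_policy(external_id), LUCID_ACCOUNT_ID),
        "bastion_permissions": check_bastion_permission_policy(BASTION_PERMISSION_POLICY, MEMBER_ROLE_NAME),
    }


if __name__ == "__main__":
    # With no bastion role yet, the member trust policy is flagged, as it was in the thread.
    for name, issues in preflight(["r-1a2b", "Root-1a2b"], False, "EXTERNAL_ID_HERE").items():
        print(name, issues or "ok")
```

In a real pipeline the `existing` set would be filled from the bastion account (for example the result of an IAM GetRole call made with credentials for that account) rather than from a constant; the point of the script is that the member StackSet should not be launched until that lookup succeeds, and that the policies are reviewed for a wildcard principal, a missing external id and an unscoped sts:AssumeRole before they are deployed.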
Hi Sean, we also used a workaround. We use YAML for our CloudFormation deployments so we had to recreate everything (LucidOrgImportMemberAccountStackSet, BastionRoleStackSet, MemberRoleStackSet and the ResourcePolicy stack).
Seems like the problem is in the array containing the principal, indeed.
The YAMLs are adapted to our pipelines. They work, but need more parameters.
Import

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the bastion account.
    Type: String
  MembersRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the member accounts.
    Type: String
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
  ArtifactsUrl:
    Type: String
    Description: '(Required) The URL for the artifacts source'
    AllowedPattern: "https?:\\/\\/(([a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.){0,}([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]){1,}(:[0-9]{1,5})?((\\/[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9]))*"
  Release:
    Type: String
    Description: Release identifier
    AllowedPattern: "(develop|master)|(((feat\\/)|((((rls\\/rc?_)|(hf\\/)|(mnto\\/))([0-9]+\\.){1,2}[0-9])+_?))([A-Za-z0-9_\\-]+)?)"
    ConstraintDescription: 'Must specify release identifier, for example: master, develop, 1.0.5-rc, 1.0.5 or 1.0.5.1'
Resources:
  BastionRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    Properties:
      StackSetName: !Sub 'LucidOrgImportBastionAccountStackSet-${Release}'
      Description: Lucid stackset for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref BastionRootOrOrganizationalUnitId
            AccountFilterType: INTERSECTION
            Accounts:
              - !Ref BastionAccountId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: LucidAccountId
          ParameterValue: !Ref LucidAccountId
        - ParameterKey: LucidExternalId
          ParameterValue: !Ref LucidExternalId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/bastion.yaml'
  MemberRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    DependsOn: BastionRoleStackSet
    Properties:
      StackSetName: !Sub 'LucidOrgImportMemberAccountStackSet-${Release}'
      Description: Lucid stackset for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref MembersRootOrOrganizationalUnitId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: BastionAccountId
          ParameterValue: !Ref BastionAccountId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/member.yaml'
Bastion

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  BastionAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref BastionRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Ref LucidAccountId
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref LucidExternalId
      Path: '/'
  BastionAccountRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: BastionAccountRole
    Properties:
      PolicyName: LucidImportBastionPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'organizations:DescribeAccount'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListOrganizationalUnitsForParent'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: !Sub 'arn:aws:iam::*:role/${MemberRoleName}'
      Roles:
        - !Ref BastionRoleName
Member

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  MemberAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref MemberRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}'
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Path: '/'
Policy

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
Resources:
  ResourcePolicy:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: DelegatedOrganizationsRead
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:root'
            Action:
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
              - 'organizations:DescribePolicy'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeAccount'
              - 'organizations:ListOrganizationalUnitsForParent'
            Resource: '*'
Hi @sean.kaminsk @Nicolas S., thank you for taking the time to share your workarounds. We have passed this information on to our engineering team and will update this thread if we have any additional information.
Please let us know if you have any questions in the meantime -- we are happy to help!