-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to v1.6.2 failing with Dependencies stack failure for external deployment #455
Comments
Hi @SennaSemakula , thanks for reaching out to the Landing Zone Accelerator team. Thank you for the detailed write-up, I have observed this behavior in my environment as well. The team has implemented a fix that will be included in our next major release, I'll keep the issue open until it is available. In the meantime, you can workaround this behavior with the following steps:
Thank you for raising this issue and supporting the Landing Zone Accelerator! |
Hi @SennaSemakula , I can't make promises since I don't know the full details of your environment, but I did not experience that in my environment using v1.6.2. You can also try manually creating the role without changing the |
@erwaxler great, thanks. Could you give us an ETA on the next release as we use LZA in production. |
No problem! Unfortunately I cannot provide a specific timeline for future releases. Thank you for your support and interest of the LZA solution! I will leave this issue open should you have any follow-ups for the team, and we will update you when the feature becomes available. |
workaround worked for me, thanks @erwaxler
|
Workaround worked on v1.6.2. We manually created the role before updating the installer stack to prevent retrying the pipeline and the pipeline succeeded. Thanks! |
Hi @SennaSemakula , this has been included in our v1.7.0 release so I will be closing this issue. Thanks for supporting the Landing Zone Accelerator! |
Describe the bug
Upgrade from v1.5.2 to v1.6.2 failing for external deployment.
This is due to the
AWSAccelerator-DependenciesStack
failing to create the IAM roleAWSAccelerator-DiagnosticsPackAccessRole
in other accounts. This is attributed to the trust relationship policy incorrectly referencing an ARN that containers theAcceleratorPrefix
but not theAcceleratorQualifier
stated in the template parameters. It seems that when you useaws-accelerator
as the qualfiier, the diagnostic pack incorrectly assumes this is the default value and fallbacks to using theAcceleratorPrefix
instead. If you were to use another value such asaws-accelerator-sandbox
for the qualfiier, this works as expected.https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/main/source/packages/%40aws-accelerator/accelerator/lib/stacks/dependencies-stack/diagnostics-pack.ts#L47 needs to be fixed as
aws-accelerator
is a valid qualifier and should take precedence instead falling back toAcceleratorPrefix
.To Reproduce
Update the template and the
aws-accelerator-installer
codepipeline should kick offAfter the installer pipeline finishes it will kick off the downstream pipeline:
aws-accelerator-pipeline
The pipeline will fail at the logging stage with the following error:
Expected behavior
With EnableDiagnosticsPack set to 'Yes' in the installer template, the
aws-accelerator-pipeline
pipeline should pass and create the following IAM roleAWSAccelerator-DiagnosticsPackAccessRole
in all accounts. This IAM role would have the correct ARN in the trust policy that references the qualifier used in the parameters e.g.Correct:
arn:aws:iam::<account_id>:role/<AcceleratorQualifier>-DiagnosticsPackLambdaRole
Incorrect:
arn:aws:iam::<account_id>:role/<AcceleratorPrefix>-DiagnosticsPackLambdaRole
Please complete the following information about the solution:
Screenshots
Additional context
If you set the qualifier to any value other than
aws-accelerator
this will work as expectedThe text was updated successfully, but these errors were encountered: