control-tower : utils.resources.makeManifestDocument does not honor current LZ Security OU naming

[DavidChristiansen]

Describe the bug

When attempting to update the landing zone configuration, The manifest document generated does not cater for when the Security OU has been renamed. The correct value is returned in response from get-landing-zone api and should be used.

https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/main/source/packages/%40aws-accelerator/lza-modules/lib/control-tower/utils/resources.ts#L165-L193

To Reproduce

1. Rename the Security OU
2. Confirm the landing zone cli returns the new OU name via a call to aws controltower get-landing-zone --landing-zone-identifier <ARN>
3. Attempt to perform an update to the landing zone (such as enabling a new region)
4. Pipeline will fail with an error akin to

2024-11-12 15:48:12.823 | error | runner | AWS Control Tower detected '1' validation errors:The given value for the security OrganizationalUnit name must be consistent with the existing Landing Zone. To view the current value for your Landing Zone, use the GetLandingZone API
ValidationException: AWS Control Tower detected '1' validation errors:The given value for the security OrganizationalUnit name must be consistent with the existing Landing Zone. To view the current value for your Landing Zone, use the GetLandingZone API

Expected behavior
The control tower landing zone should be updated using a manifest that derives from the current landing zone configuration, obtained from landingZoneDetails

Please complete the following information about the solution:

• Version: 1.10
• Region: N/A
• Was the solution modified from the version published on this repository? No
• If the answer to the previous question was yes, are the changes available on GitHub?
• Have you checked your service quotas for the services this solution uses? n/a
• Were there any errors in the CloudWatch Logs? Error provided above.

[IklamA]

We have the same Issue is there any workaround or fix for it? Thanks

[DavidChristiansen]

@IklamA Checkout my PR for a fix

[vk0909]

@DavidChristiansen we have same issue and need a fix. Looks like your PR is not merged.

[mehow-juras]

According to the release docs for v1.11 that was release yesterday it includes:

fix(control-tower): update landingzone fails for non-default security ou name

I'm hoping to test it out asap 🙌🏼

Release link here

[mehow-juras]

Follow up: so I tested the fix, and yes it allows to have a custom named Control Tower Security OU. In my case this means I no longer have to have a placeholder/empty OU called Security, which is great 👍🏼

However what I'd really like to do is also be able to rename the Security OU again to something else. I presume it's because the name of the Security OU is saved in Control Tower and can't be edited (even through CLI 🥲) so until that s changed we're out of options on the LZA side.