Failure to update org after successful init without making any changes #512

Open
k-paulius opened this issue Jul 8, 2023 · 4 comments

@k-paulius (Contributor)

Failure to update org after successful init

I have the following org structure:

<Root>
├── Infrastructure
│   └── Prod
├── Sandbox
│   └── sandbox-01 (account)
├── Security
│   └── Prod
│       ├── log-archive-prod (account)
│       └── security-tooling-prod (account)
├── Workloads
│   └── Prod
│       └── workload-a-prod
└── management (account)

org-formation init successfully generated organization.yml and state file.

AWSTemplateFormatVersion: '2010-09-09-OC'
Description: default template generated for organization with master account 1111

Organization:
  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: management
      AccountId: '111'
      RootEmail: bob@email.com

  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      DefaultOrganizationAccessRoleName: OrganizationAccountAccessRole
  
  InfrastructureOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Infrastructure
      OrganizationalUnits: !Ref ProdOU

  ProdOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod

  ProdOU2:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
      Accounts: !Ref WorkloadAProd

  ProdOU3:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
      Accounts:
        - !Ref LogArchiveProdAccount
        - !Ref SecurityToolingProdAccount

  SandboxOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Sandbox
      Accounts: !Ref Sandbox_01Account

  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Security
      OrganizationalUnits: !Ref ProdOU3

  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Workloads
      OrganizationalUnits: !Ref ProdOU2

  WorkloadAProd:
    Type: OC::ORG::Account
    Properties:
      AccountName: workload-a-prod
      AccountId: '222'
      RootEmail: bob@email.com

  LogArchiveProdAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: log-archive-prod
      AccountId: '333'
      RootEmail: bob@email.com

  Sandbox_01Account:
    Type: OC::ORG::Account
    Properties:
      AccountName: sandbox-01
      AccountId: '444'
      RootEmail: bob@email.com

  SecurityToolingProdAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: security-tooling-prod
      AccountId: '555'
      RootEmail: bob@email.com

But when I ran org-formation update organization.yml without making any changes to the org structure or yml file, it failed.

OC::ORG::ServiceControlPolicy | DenyLeaveOrganizationSCP      | Create (p-evtg9bae)
OC::ORG::ServiceControlPolicy | DenyLeaveOrganizationSCP      | CommitHash
OC::ORG::ServiceControlPolicy | DenyOrgTrailKmsKeyDeletionSCP | Create (p-e3tv85fg)
OC::ORG::ServiceControlPolicy | DenyOrgTrailKmsKeyDeletionSCP | CommitHash
OC::ORG::ServiceControlPolicy | DenyRootUserActionsSCP        | Create (p-fubllui4)
OC::ORG::ServiceControlPolicy | DenyRootUserActionsSCP        | CommitHash
OC::ORG::ServiceControlPolicy | RestrictRegionSCP             | Create (p-68q3d4cq)
OC::ORG::ServiceControlPolicy | RestrictRegionSCP             | CommitHash
OC::ORG::Account              | WorkloadAProd                 | Create (bbb)
OC::ORG::Account              | WorkloadAProd                 | CommitHash
OC::ORG::Account              | LogArchiveProdAccount         | Create (bbb)
OC::ORG::Account              | LogArchiveProdAccount         | CommitHash
OC::ORG::Account              | Sandbox_01Account             | Create (bbb)
OC::ORG::Account              | Sandbox_01Account             | CommitHash
OC::ORG::Account              | SecurityToolingProdAccount    | Create (bbb)
OC::ORG::Account              | SecurityToolingProdAccount    | CommitHash
OC::ORG::OrganizationalUnit   | InfrastructureOU              | Create (ou-g0qz-ko3t1zsu)
OC::ORG::OrganizationalUnit   | ProdOU                        | Create (ou-g0qz-sxolqy99)
OC::ORG::OrganizationalUnit   | InfrastructureOU              | Attach OU (ProdOU)
OC::ORG::OrganizationalUnit   | InfrastructureOU              | CommitHash
OC::ORG::OrganizationalUnit   | ProdOU                        | CommitHash
OC::ORG::OrganizationalUnit   | ProdOU2                       | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit   | ProdOU2                       | Attach Account (WorkloadAProd)
OC::ORG::OrganizationalUnit   | ProdOU2                       | CommitHash
OC::ORG::OrganizationalUnit   | ProdOU3                       | Create (ou-g0qz-7mm1apwu)
OC::ORG::OrganizationalUnit   | ProdOU3                       | Attach Account (LogArchiveProdAccount)
OC::ORG::OrganizationalUnit   | ProdOU3                       | Attach Account (SecurityToolingProdAccount)
OC::ORG::OrganizationalUnit   | ProdOU3                       | CommitHash
OC::ORG::OrganizationalUnit   | SandboxOU                     | Create (ou-g0qz-2e1q2vhm)
OC::ORG::OrganizationalUnit   | SandboxOU                     | Attach Account (Sandbox_01Account)
OC::ORG::OrganizationalUnit   | SandboxOU                     | CommitHash
OC::ORG::OrganizationalUnit   | SecurityOU                    | Create (ou-g0qz-m9l7l7h6)
ERROR: failed executing task: Attach OU (ProdOU3) OC::ORG::OrganizationalUnit SecurityOU DuplicateOrganizationalUnitException: An organizational unit with the specified name already exists under the specified parent.
ERROR: error: DuplicateOrganizationalUnitException, aws-request-id: 85cdc567-15ab-4f06-9a75-a7cc614c6313
ERROR: An organizational unit with the specified name already exists under the specified parent.

What is even worse, it altered my org structure:

<Root>
├── Infrastructure
│   └── Prod                                <-- this OU was re-created, but new physicalId is not in the state file
├── Prod_tmp                                <-- new OU
│   ├── workload-a-prod                     <-- account moved
│   ├── log-archive-prod (account)          <-- account moved
│   └── security-tooling-prod (account)     <-- account moved
├── Sandbox
│   └── sandbox-01 (account)
├── Security
│   └── Prod
├── Workloads
│   └── Prod
└── management (account)

Your environment

  • version of org-formation (ofn --version): 1.0.11
  • version of node (node --version): v18.16.1
  • which OS/distro: Ubuntu 22.04.2 LTS

Expected behaviour

ofn update should run successfully after ofn init with no changes made.

@k-paulius (Contributor, Author)

I did some experimenting and was able to work around the issue.

I manually reset my org structure to how it is supposed to look.
Generated new organization.yml and state files.
Then renamed logical names as per below in both yml and state files:

ProdOU -> InfrastructureProdOU
ProdOU2 -> WorkloadsProdOU
ProdOU3 -> SecurityProdOU

Then ran org-formation update and it was successful.
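A pre-flight check for the collision this issue describes, added here as an example and not code from org-formation or from the reporter: it scans an init-generated organization.yml for OUs that share an OrganizationalUnitName, proposes parent-prefixed logical IDs like the ones listed above, and applies them with whole-word substitution so that ProdOU is never rewritten inside ProdOU2. The line scanner assumes the indentation of the generated template shown on this page; the sample template is constructed, and OUs not referenced by any other OU get a Root prefix.

```python
import re
SAMPLE = """Organization:
  InfrastructureOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Infrastructure
      OrganizationalUnits: !Ref ProdOU
  ProdOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
  ProdOU2:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Prod
  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Security
      OrganizationalUnits: !Ref ProdOU2
"""  # constructed excerpt in the layout org-formation init produced on the page
LINE_RE = re.compile(r"^( +)(\w+):\s*(.*)$")   # "<indent><key>: <value>"
REF_RE = re.compile(r"!Ref\s+(\w+)")
def parse_resources(text):  # logical ID -> scalar properties + OU logical IDs it !Refs
    res, cur, prop = {}, None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and len(m.group(1)) == 2:               # resource logical ID sits at a 2-space indent
            cur, prop = m.group(2), None
            res[cur] = {"children": []}
        elif m and cur:                              # Type / Properties / a property key
            prop = m.group(2)
            res[cur][prop] = m.group(3).strip()
        if cur and prop == "OrganizationalUnits":    # inline !Ref, or list items beneath the key
            res[cur]["children"] += REF_RE.findall(line)
    return res
def plan_renames(text):  # OUs sharing an OrganizationalUnitName get parent-prefixed logical IDs
    res = parse_resources(text)
    ous = {k: v for k, v in res.items() if v.get("Type") == "OC::ORG::OrganizationalUnit"}
    parent = {c: p for p, ou in ous.items() for c in ou["children"]}   # child OU -> parent OU
    names = [ou["OrganizationalUnitName"] for ou in ous.values()]
    renames = {lid: (ous[parent[lid]]["OrganizationalUnitName"] if lid in parent else "Root")
               + ou["OrganizationalUnitName"] + "OU"
               for lid, ou in ous.items() if names.count(ou["OrganizationalUnitName"]) > 1}
    renames = {k: v for k, v in renames.items() if k != v}             # already unique: leave it
    assert not set(renames.values()) & (set(res) - set(renames)), "new logical ID already in use"
    return renames
def apply_renames(text, renames):  # whole-word substitution: ProdOU never matches inside ProdOU2
    pat = re.compile(r"\b(" + "|".join(map(re.escape, renames)) + r")\b")
    return pat.sub(lambda m: renames[m.group(1)], text) if renames else text
```

Apply the same mapping to both organization.yml and the downloaded state file before running ofn update, since the fix in this thread depends on the logical names matching in both files.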

@KarlCF commented Aug 9, 2023

@k-paulius , how did you update your state file?

@k-paulius (Contributor, Author)

@KarlCF The state file is stored in the S3 bucket that you specify with --state-bucket-name. I simply downloaded the file from S3, modified it, uploaded it back to S3 and then ran org-formation.

@KarlCF commented Aug 11, 2023

Thanks a lot @k-paulius, will give it a try!
