Error while deploying Community::Organizations::EnableAWSServiceAccess #74

Open
eduardomourar opened this issue Jan 26, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@eduardomourar
Member

If you try to enable the AWS service access for access-analyzer.amazonaws.com, the following error happens in Community::Organizations::EnableAWSServiceAccess resource type v0.1.0:

Properties validation failed for resource AccessAnalyzerServiceAccess with message: #: required key [ResourceId] not found

@eduardomourar added the label bug (Something isn't working) on Jan 26, 2021
@sshvetsov
Contributor

This error still appears today.

_tasks.yml:

AccessAnalyzer:
  Type: update-stacks
  Template: ./access-analyzer.yml
  StackName: !Sub '${resourcePrefix}-access-analyzer'
  MaxConcurrentStacks: 10
  Parameters:
    targetId: !Ref SectoolsAccount
  OrganizationBindings:
    ManagementAccountBinding:
      IncludeMasterAccount: true
      Region: !Ref globalRegion

access-analyzer.yml:

AWSTemplateFormatVersion: '2010-09-09-OC'

OrganizationBindings:
  # Binding for:
  ManagementAccountBinding: # null = empty binding

Parameters:
  targetId:
    Type: String

Resources:
  AccessAnalyzerServiceAccess:
    Type: 'Community::Organizations::EnableAWSServiceAccess'
    OrganizationBinding: !Ref ManagementAccountBinding
    Properties:
      ServicePrincipal: access-analyzer.amazonaws.com

  AccessAnalyzerDelegatedAdmin:
    Type: 'Community::Organizations::DelegatedAdmin'
    DependsOn: AccessAnalyzerServiceAccess
    OrganizationBinding: !Ref ManagementAccountBinding
    Properties:
      ServicePrincipal: access-analyzer.amazonaws.com
      AccountId: !Ref targetId

Error message:

ERROR: error updating CloudFormation stack prefix-access-analyzer in account 1234 (us-east-1).
Resource is not in the state stackCreateComplete (1234 = ManagementAccount)
ERROR: Resource AccessAnalyzerServiceAccess failed because Properties validation failed for resource AccessAnalyzerServiceAccess with message:
#: required key [ResourceId] not found.
ERROR: Stack prefix-access-analyzer in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234 = ManagementAccount)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)

@OlafConijn
Member

Hi @sshvetsov,

Thanks for reaching out!
I haven't looked into why this is required, but using 0.1.0 it indeed seems you would need to provide a ResourceId.
Example:

  AccessAnalyzerServiceAccess:
    Type: 'Community::Organizations::EnableAWSServiceAccess'
    OrganizationBinding: !Ref ManagementAccountBinding
    Properties:
      ServicePrincipal: access-analyzer.amazonaws.com
      ResourceId: enable-access-analyzer

Looking at the AWS service call for aws organizations enable-aws-service-access, this indeed seems like something that should not be necessary. Providing it in the properties can be used as a workaround until fixed.
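A pre-deployment check for the failure discussed in this thread, added here as an example and not code from org-formation or the resource provider. It assumes PyYAML is installed, uses a constructed template modelled on the reporter's access-analyzer.yml, and the intrinsic-tag loader and the REQUIRED table are the example's own, not the provider's schema.

```python
import yaml

# Constructed sample modelled on the reporter's access-analyzer.yml (not copied from it):
# the EnableAWSServiceAccess resource as reported, without the ResourceId workaround.
BROKEN = """
AWSTemplateFormatVersion: '2010-09-09-OC'
OrganizationBindings:
  ManagementAccountBinding:
Resources:
  AccessAnalyzerDelegatedAdmin:
    Type: 'Community::Organizations::DelegatedAdmin'
    OrganizationBinding: !Ref ManagementAccountBinding
    Properties:
      ServicePrincipal: access-analyzer.amazonaws.com
      AccountId: '111111111111'
  AccessAnalyzerServiceAccess:
    Type: 'Community::Organizations::EnableAWSServiceAccess'
    OrganizationBinding: !Ref ManagementAccountBinding
    Properties:
      ServicePrincipal: access-analyzer.amazonaws.com
"""
# Same template with the workaround from this thread applied (constructed).
FIXED = BROKEN + "      ResourceId: enable-access-analyzer\n"


class OcLoader(yaml.SafeLoader):
    """SafeLoader that tolerates org-formation/CloudFormation intrinsic tags."""


def _intrinsic(loader, suffix, node):
    # Keep !Ref, !Sub, !GetAtt ... as {"Ref": ...} instead of rejecting the tag.
    if isinstance(node, yaml.ScalarNode):
        return {suffix: loader.construct_scalar(node)}
    if isinstance(node, yaml.SequenceNode):
        return {suffix: loader.construct_sequence(node)}
    return {suffix: loader.construct_mapping(node)}


OcLoader.add_multi_constructor("!", _intrinsic)

# Properties the v0.1.0 schema of this resource type rejects the resource without (assumed from the thread).
REQUIRED = {"Community::Organizations::EnableAWSServiceAccess": ("ServicePrincipal", "ResourceId")}


def load_template(text):
    return yaml.load(text, Loader=OcLoader)


def missing_required(text):
    """Return (logical id, property) pairs that would fail properties validation at deploy time."""
    resources = load_template(text).get("Resources") or {}
    return [(name, key) for name, res in resources.items()
            for key in REQUIRED.get(res.get("Type"), ())
            if key not in (res.get("Properties") or {})]
```

Running it over the templates above flags only the EnableAWSServiceAccess resource in the broken version and nothing in the fixed one, so the check can sit in a pipeline before `org-formation perform-tasks`.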

@sshvetsov
Contributor

sshvetsov commented Jan 6, 2023

Thanks a bunch for describing the ResourceId workaround. It works like a charm!
It's listed as a required property in the docs, but I completely missed it because it was not shown in the example.yml.

I've submitted PR #114 to fix the example.yml file.

I've also submitted PR org-formation/org-formation-reference#46 to the org-formation-reference repo to fix the AccessAnalyzer example there.
