-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stack unable to delete ServiceLinkedRoles when upgraded to v1.4.3 #237
Comments
Peeking at the CloudWatch Logs, at a guess it looks like this issue was introduced in v1.4.3 in the following commit: 5854321 The resource properties will show a change every time for the UUID and attempt to delete + recreate the ServiceLinkedRole, which won't work for the GuardDuty, AccessAnalyzer and SecurityHub SLRs when those features are enabled in the solution. There's no PR or comments related to the commit above. Can someone comment and confirm whether this is the cause, and why the UUID change was introduced for SLRs? What is the recommended procedure to recover from this issue, as we cannot progress with any changes to the solution. Edit: We rolled back to v1.4.2 and the pipeline succeeded. So I suspect it was the change linked above that caused the problem. |
We have experienced the same issue in our environment. It seems that pipeline is able to randomly run the Accounts step successfully ( it might take 1 retry of the accounts step, sometimes up to 4 retries). |
Thank you for bringing this to our attention @silkyroadsilk , we're aware of this issue and should be addressing this in our next release. As @atte-hemminki a workaround for this is to retry the stage. As this is already being tracked, I will keep this issue open and update you once this issue has been addressed in a later release. |
I have encountered the same issue consistently across all releases of the pipeline, specifically with the Cloudformation stack in the region us-east-1. The issue lies in the inability of the Cloudformation stack to delete the AWSAccelerator ServiceLinkedRoles. This leads to a situation where I have to manually destroy the stack multiple times until the roles are successfully deleted. This issue is reproducible with the following specifications:
|
@de-cx-cloud Seeing the exact same issue as you, multiple retries of that stage and it finally works. We've got another LZA deployed not using the default prefix 'AWSAccelerator' and never really seen this error. |
I have a similar issue with a custom resource lambda. It just randomly times out, according to CFN. The message returned ("waiter timed out") is obviously part of the framework code, not my lambda itself. For example, the custom resource lambda does nothing on resource deletions (because it basically always 'retains' the underlying resource). So, it's not clear to me why the lambda is timing out, even in cases where the lambda action is basically a no-op. Retrying several time resolves the issue, but it's really frustrating, especially in stack creations where this error will cause the stack creation to rollback entirely. |
It's been a year. Is there any movement on this? I waste so much time retrying the Accounts stage because of this error. I had to retry this 4 times before it would finally work today, which is a typical experience with this bug. |
I have the same problem. |
@itmustbejj , @gustavo-guerra-compasso - what versions are you on? Providing as much detail os possible can help prioritise, for example posts above say the default prefix don't see this issue |
I'm using version 1.9.1 I have the same problem that @de-cx-cloud is having. The account stage timeouts sometimes and I have to retry the stage. |
Similar here with Using v1.9.2 |
Same issue Using v1.9.2 |
Describe the bug
When updated from version 1.4.1 to 1.4.3 the pipeline errored out in failure to delete existing Service Linked Roles.
To Reproduce
I have tried to re-run the AWSAccelerator-Pipeline after having upgraded landing-zone-accelerator-on-aws to version 1.4.3. In doing so the pipeline was unabled to delete the following roles AWSServiceRoleForSecurityHub', 'AWSServiceRoleForAccessAnalyzer' and 'AWSServiceRoleForAmazonGuardDuty' with the reason AccessDeniedException.
Expected behavior
I expect when the pipeline line is run, that if the roles already exist it will be able to delete the existing and replace with the new.
Additional context
I have also tried to delete a Role by hand in the AWS console and I get the following error:
IAM Access Analyzer is enabled in one or more regions in your AWS organization. Ask your administrator to delete all analyzers in all regions for your organization before attempting to delete this role.
Having seen this message I ensured that no Access Analyzers exist in any region, and tried to delete again after some time. The same error still persists even though there are no access Analyzers.
Here is an extract of the cloudwatch logs
The text was updated successfully, but these errors were encountered: