
Use !Sub in organizations file #541

Open
nlang opened this issue Dec 1, 2023 · 0 comments

Comments


nlang commented Dec 1, 2023

Subject of the issue

I want to tighten some SCPs in my organization.yml. Unfortunately, as soon as I start using !Sub and parameters it fails with an error that just says: MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type

Your environment

  • version of org-formation (ofn --version): 1.0.11
  • version of node (node --version): 20.9.0
  • which OS/distro: Mac OS 14.1.1

Steps to reproduce

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'

Organization:

  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Organisation
      AccountId: '11111111111'
      RootEmail: [email protected]
      Alias: my-organisation

  RestrictUnusedRegionsSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: RestrictUnusedRegions
      Description: Restrict Unused regions
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            NotAction:
              - 'cloudfront:*'
              - 'iam:*'
              - 'route53:*'
              - 'support:*'
              - 'budgets:*'
              - 'acm:*'
            Resource: "*"
            Condition:
              StringNotEquals:
                "aws:RequestedRegion":
                  - !Sub '${primaryRegion}'
```

Expected behaviour

It should replace the template string with the primary region as defined in organization-parameters.yml

Actual behaviour

MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type

I also tried to use a lot more in other SCPs, none of them worked. Here are a few examples:

```yaml
- !Sub '${ManagementAccount.AccountId}'
- !Sub '${AWS::Region}'
- !Sub '${CurrentAccount.AccountId}'
```

What am I doing wrong, or how can I circumvent the issue if this is not supported? Are there any docs that clarify where I can use what and when?

Any help is greatly appreciated :)
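The error above is what AWS Organizations returns when the policy document it receives is not valid policy JSON; a `!Sub` that reaches the API unresolved (as an `Fn::Sub` object, or as a literal `${primaryRegion}` string) is one way to get there. The following is an added pre-flight check, not part of org-formation or of the reporter's configuration: it takes the SCP from the issue in the JSON form a YAML loader produces for `!Sub`, reports every unresolved substitution with its path, and renders the document with values pre-substituted from a parameter mapping. The `PARAMETERS` mapping and the value `eu-central-1` are constructed stand-ins for whatever `organization-parameters.yml` would supply; the check rejects names it has no value for, which is also what happens to a pseudo-parameter such as `${AWS::Region}`, since nothing outside a stack defines it.

```python
import json
import re

# ${name} tokens that CloudFormation-style Fn::Sub would expand.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed example: the SCP from the issue, in the JSON form a YAML loader
# produces (`!Sub '${primaryRegion}'` becomes {"Fn::Sub": "${primaryRegion}"}).
SCP_WITH_SUB = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnsupportedRegions",
            "Effect": "Deny",
            "NotAction": ["cloudfront:*", "iam:*", "route53:*",
                          "support:*", "budgets:*", "acm:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [{"Fn::Sub": "${primaryRegion}"}]
                }
            },
        }
    ],
}

# Constructed stand-in for values taken from organization-parameters.yml
# (hypothetical; the real file and its contents are not part of this example).
PARAMETERS = {"primaryRegion": "eu-central-1"}


def find_unresolved(node, path="$"):
    """Return the JSON paths of Fn::Sub objects or ${...} tokens still present.

    Anything listed here would reach organizations:CreatePolicy as-is and
    is not valid policy JSON.
    """
    hits = []
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"}:
            return [path]
        for key, value in node.items():
            hits += find_unresolved(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_unresolved(value, f"{path}[{index}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        hits.append(path)
    return hits


def resolve(node, params):
    """Pre-substitute string-form Fn::Sub and bare ${name} tokens from params.

    Raises KeyError for a name with no value, so a typo or a pseudo-parameter
    like ${AWS::Region} fails here rather than at the Organizations API.
    """
    def sub_str(text):
        def repl(match):
            name = match.group(1)
            if name not in params:
                raise KeyError(f"no value for ${{{name}}}")
            return params[name]
        return PLACEHOLDER.sub(repl, text)

    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return sub_str(node["Fn::Sub"])
        return {key: resolve(value, params) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(value, params) for value in node]
    if isinstance(node, str):
        return sub_str(node)
    return node


def render_scp(doc, params):
    """Resolve the document and refuse to return one with leftovers."""
    rendered = resolve(doc, params)
    leftovers = find_unresolved(rendered)
    if leftovers:
        raise ValueError(f"unresolved substitutions at {leftovers}")
    return rendered


def scp_json(doc, params):
    """Compact JSON string suitable for the Content field of CreatePolicy."""
    return json.dumps(render_scp(doc, params), separators=(",", ":"))


if __name__ == "__main__":
    print("unresolved before rendering:", find_unresolved(SCP_WITH_SUB))
    print(scp_json(SCP_WITH_SUB, PARAMETERS))
```

Running the check on the document as written reports the `aws:RequestedRegion[0]` path before rendering and an empty list after, which is the property worth asserting in a deployment pipeline before any policy is sent to Organizations.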
