
Can't create deny-unsupported-regions SCP #53

Open
apenney opened this issue Feb 21, 2024 · 5 comments

Comments

@apenney (Contributor) commented Feb 21, 2024

Hi,

I'm hoping someone can help me. I'm running into an issue where I can't create the SCP to block regions; when it runs it looks like:

INFO: Executing: update-stacks templates/010-scps/deny-unsupported-regions.yml monad-deny-unsupported-regions.{"result":{"state":"FAILURE","reason":{"$metadata":{"httpStatusCode":200,"requestId":"1abcd8fa-5dd8-4340-8106-1ea449e194f6","attempts":1,"totalRetryDelay":0},"Stacks":[{"StackId":"arn:aws:cloudformation:us-east-1:637423365128:stack/monad-deny-unsupported-regions/80600520-d0f7-11ee-9b0b-0e4b40acefbf","StackName":"monad-deny-unsupported-regions","Parameters":[{"ParameterKey":"targetIds","ParameterValue":"r-yjlu"},{"ParameterKey":"supportedRegions","ParameterValue":"us-west-1,us-west-2,us-east-1,us-east-2"}],"CreationTime":"2024-02-21T20:26:32.467Z","DeletionTime":"2024-02-21T20:26:37.173Z","RollbackConfiguration":{},"StackStatus":"ROLLBACK_COMPLETE","DisableRollback":false,"NotificationARNs":[],"Capabilities":["CAPABILITY_NAMED_IAM","CAPABILITY_IAM","CAPABILITY_AUTO_EXPAND"],"Tags":[],"EnableTerminationProtection":false,"DriftInformation":{"StackDriftStatus":"NOT_CHECKED"}}]}}} (637423365128 = ManagementAccount)
ERROR: Resource Scp failed because Internal Failure.

I see the same thing in the console, with a failure and:

The following resource(s) failed to create: [Scp]. Rollback requested by user.

I tried looking through CloudTrail but I see nothing useful in there. I then tried making an SCP by hand (well, the policy) with the same regions just to make sure there wasn't anything obvious. That worked.

The params for this template look like:

supportedRegions: us-west-1,us-west-2,us-east-1,us-east-2
targetIds: r-yjlu

My manually created SCP was just the policy part; I didn't try to attach it to the target. Not sure if that's part of the issue. I'm not really sure what to troubleshoot next, I'm feeling a bit lost on this one!

@satoshi-na-kamoto commented

Check if you have the following in deny-unsupported-regions.yml:
Type: Community::Organizations::Policy
and if yes, then switch to
Type: AWS::Organizations::Policy

Surprised how it allowed you to create any SCP, for that matter.

Let us know if that worked?

@apenney (Contributor, Author) commented Feb 21, 2024

I did, and changing it has moved me forward:

Properties validation failed for resource Scp with message: #: required key [Type] not found #: required key [Content] not found #: extraneous key [PolicyType] is not permitted #: extraneous key [PolicyDocument] is not permitted

I'll dig into this and see if I can figure out the changes, then fire a PR up once I get it working!

@satoshi-na-kamoto commented Feb 21, 2024

Indeed, so you need to change it to Content, and also PolicyType to Type and PolicyName to Name. It will work then, and you will have to make those changes for the rest of the SCPs.

Resources:
  Scp:
    Type: AWS::Organizations::Policy
    Properties:
      Description: Restricts the use of unsupported regions
      Name: DenyUnsupportedRegions
      Type: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content:
        Version: "2012-10-17"
        Statement:
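A complete template in the corrected AWS::Organizations::Policy form, added here as an example and not a file from the repository. The parameter names and region list match the failing stack above; the NotAction list of global services and the placeholder root id are assumptions to adjust for your organization.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Deny use of regions outside supportedRegions (example, not the repository template)

Parameters:
  supportedRegions:
    Type: CommaDelimitedList
    Description: Regions workloads are allowed to use (default taken from the issue above)
    Default: us-west-1,us-west-2,us-east-1,us-east-2
  targetIds:
    Type: CommaDelimitedList
    Description: Root, OU or account ids to attach the SCP to (placeholder default)
    Default: r-xxxx

Resources:
  Scp:
    Type: AWS::Organizations::Policy
    Properties:
      # Native resource uses Name / Type / Content instead of PolicyName / PolicyType / PolicyDocument
      Name: DenyUnsupportedRegions
      Description: Restricts the use of unsupported regions
      Type: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            # Assumed set of global services that only answer in us-east-1 and must stay reachable
            NotAction:
              - iam:*
              - organizations:*
              - sts:*
              - cloudfront:*
              - route53:*
              - support:*
              - budgets:*
            Resource: "*"
            Condition:
              StringNotEquals:
                # Deny when the requested region matches none of the supported regions
                aws:RequestedRegion: !Ref supportedRegions
```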

@apenney (Contributor, Author) commented Feb 21, 2024

#54 should fix this!

@OlafConijn (Member) commented

Thanks both, for the issue and the fix. I merged the branch into main.

A common issue when managing SCPs in CloudFormation templates is that DenyUnsupportedRegions will often update after other templates (in this case: regional templates from within the 005-types folder).

If a region is unsupported and you would then like to start supporting it, that would cause your build to fail.
A solution to this is to add the SCPs to the organization.yml file.
