Change of Launch Constraint role results in an error #586

Open
kunzt-aws opened this issue Nov 2, 2022 · 1 comment
Labels
question Further information is requested

Comments

@kunzt-aws

If you have a launch constraint role defined for a distributed product, you might want to change the role. Based on observation, this results in an error, as Puppet tries to associate a new launch constraint without taking into account the existing one.

port-xyz|prod-xyz already exists in stack arn:aws:cloudformation:us-east-1:1234567890:stack/launch-constraints-for-portfolio/86bd5020-56b0-11ed-8102-0a43c1234567

So, if a launch constraint role is defined for a product in the manifest file, Puppet should:

  1. remove the old launch constraint role (CloudFormation stack)
  2. apply the new launch constraint role based on the manifest

Example existing manifest:

stacks:
  launchconstraint-role:
   name: launchconstraint-role
   version: v1-0-0
   capabilities:
     - CAPABILITY_IAM
     - CAPABILITY_NAMED_IAM
   deploy_to:
     tags:
       - tag: "account:account"
         regions: "default_region"

spoke-local-portfolios:
  portfolio:
    portfolio: "portfolio"
    sharing_mode: ACCOUNT
    product_generation_method: import
    depends_on:
      - name: launchconstraint-role
        type: stack
    associations:
      - arn:aws:iam::${AWS::AccountId}:role/CatalogRole
    constraints:
      launch:
        - product: "product"
          roles:
            - arn:aws:iam::${AWS::AccountId}:role/launchconstraint-role
    deploy_to:
      tags:
        - tag: "account:account"
          regions: "default_region"

Example new manifest:

stacks:
  launchconstraint-role:
   name: launchconstraint-role
   version: v1-0-0
   capabilities:
     - CAPABILITY_IAM
     - CAPABILITY_NAMED_IAM
   deploy_to:
     tags:
       - tag: "account:account"
         regions: "default_region"
  launchconstraint-role2:
   name: launchconstraint-role2
   version: v1-1-0
   capabilities:
     - CAPABILITY_IAM
     - CAPABILITY_NAMED_IAM
   deploy_to:
     tags:
       - tag: "account:account"
         regions: "default_region"

spoke-local-portfolios:
  portfolio:
    portfolio: "portfolio"
    sharing_mode: ACCOUNT
    product_generation_method: import
    depends_on:
      - name: launchconstraint-role2
        type: stack
    associations:
      - arn:aws:iam::${AWS::AccountId}:role/CatalogRole
    constraints:
      launch:
        - product: "product"
          roles:
            - arn:aws:iam::${AWS::AccountId}:role/launchconstraint-role2
    deploy_to:
      tags:
        - tag: "account:account"
          regions: "default_region"
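
A pre-deployment check for the change described in this issue, as an added example that is not part of the issue or of the project's code: it compares the launch constraint roles in two manifest versions and reports each product whose role changed, which is the case that hits the error above and also a permission change worth reviewing. The function names and the dict form of the manifests are assumptions, and the sample data is constructed from the two manifests above, trimmed to the relevant keys.

```python
# Added example: flag launch constraint role changes between two manifests.
# Manifests are passed as already-parsed dicts (what a YAML loader would
# return), so the block runs with the standard library only.

def launch_roles(manifest):
    """Map (portfolio entry, product) -> set of launch constraint role ARNs."""
    roles = {}
    for name, entry in manifest.get("spoke-local-portfolios", {}).items():
        for constraint in entry.get("constraints", {}).get("launch", []):
            key = (name, constraint.get("product", ""))
            roles.setdefault(key, set()).update(constraint.get("roles", []))
    return roles


def role_changes(old, new):
    """Return (key, removed_roles, added_roles) for every product that differs."""
    before, after = launch_roles(old), launch_roles(new)
    changes = []
    for key in sorted(set(before) | set(after)):
        removed = before.get(key, set()) - after.get(key, set())
        added = after.get(key, set()) - before.get(key, set())
        if removed or added:
            changes.append((key, sorted(removed), sorted(added)))
    return changes


def sample(role_name):
    """Constructed sample: the issue's portfolio entry with one launch role."""
    arn = "arn:aws:iam::${AWS::AccountId}:role/" + role_name
    return {"spoke-local-portfolios": {"portfolio": {
        "portfolio": "portfolio",
        "constraints": {"launch": [{"product": "product", "roles": [arn]}]},
    }}}


OLD = sample("launchconstraint-role")   # existing manifest
NEW = sample("launchconstraint-role2")  # new manifest

if __name__ == "__main__":
    for (entry, product), removed, added in role_changes(OLD, NEW):
        # An existing constraint must be removed before the new one is applied.
        print(f"{entry}/{product}: remove {removed}, then apply {added}")
```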
@eamonnfaherty
Contributor

Could you confirm which version of Puppet you are using, please, and could you provide your logs?

@eamonnfaherty eamonnfaherty added the question Further information is requested label Nov 16, 2022