This repository has been archived by the owner on Jul 7, 2021. It is now read-only.
I have a situation where I was deploying a multi-account transit VPC, where the transitvpc account will also be a subscriber. When I initially deployed this, I did not specify the transit account in the list of accounts that must be defined in the initializeTransitAccount.json cfn parameter SubscriberAWSAccountNumber.
So when I tried to trigger a new subscribingVpc in the transit account, I got the following error in the createVpnConnection-transitVpcSubscriberAccount Lambda.
[INFO] 2019-01-06T16:05:33.284Z e49eacd3-c5f8-4a47-8dcc-376209e84b4c Publishing to Transit-SNS Topoic arn:aws:sns:us-east-1:767xxxxxx804:transitSns-transitVpcAccout By assuming Role arn:aws:iam::767xxxxxx804:role/TransitAssumeRole-transitVpcAccout
[ERROR] 2019-01-06T16:05:33.565Z e49eacd3-c5f8-4a47-8dcc-376209e84b4c Error in publishToSns(), Error: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Adding the transit account number to the SubscriberAWSAccountNumber in the initializeTransitAccount.json CloudFormation stack fixed this issue. To help others avoid this, I suggest updating the deployment guide and/or updating the comments for the parameter in the embedded documentation in file: cfts/initializeTransitAccount.json. Change:
"Description": "Subscriber AWS Account number(s) required for Assume Role, Provide comma separated valid 12-digit AWS Account Number. Note: While doing stack Update, add account numbers to the existing account numbers. If you delete the existing account numbers, those accounts no longer subscriberd with Transit Account",
should say:
"Description": "Subscriber AWS Account number(s) required for Assume Role, Provide comma separated valid 12-digit AWS Account Number. Note: While doing stack Update, add account numbers to the existing account numbers. If you delete the existing account numbers, those accounts no longer subscribed with Transit Account. If the TransitVPC account is also a Subscribing account, include it also",
I'll submit a simple PR for this.
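A pre-deployment check for the AccessDenied failure reported above, added here as an example; it is not part of the original issue or the project's code. It assumes the TransitAssumeRole trust policy lists the accounts given in SubscriberAWSAccountNumber; the function names, the sample policy and the account IDs are constructed placeholders.

```python
import json
import re

# Constructed sample: a trust policy shaped like one a template could render
# from SubscriberAWSAccountNumber="111111111111,222222222222" (placeholder IDs).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    """IAM allows a single value or a list for Statement, Principal and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_accounts(trust_policy_json):
    """Account IDs trusted at account level for sts:AssumeRole.

    Simplification: Deny statements and Condition blocks are not evaluated.
    """
    accounts = set()
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # a bare "*" principal names no specific account
        for p in _as_list(principal.get("AWS")):
            # Bare 12-digit ID or the account's root ARN; role/user ARNs
            # trust only that identity, so they are not counted here.
            m = re.fullmatch(r"(\d{12})|arn:aws[\w-]*:iam::(\d{12}):root", str(p))
            if m:
                accounts.add(m.group(1) or m.group(2))
    return accounts

def missing_subscribers(trust_policy_json, subscriber_accounts):
    """Subscriber accounts that the role's trust policy does not cover."""
    return sorted(set(subscriber_accounts) - trusted_accounts(trust_policy_json))

if __name__ == "__main__":
    # 333333333333 stands in for a transit account that also subscribes.
    print(missing_subscribers(SAMPLE_TRUST_POLICY, ["111111111111", "333333333333"]))
```

The trust policy JSON of a deployed role can be read from the `AssumeRolePolicyDocument` field returned by IAM `GetRole` and passed to `missing_subscribers` before triggering a new subscribing VPC.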