Add dependency to LAUNCH role constraint to fix SC issues in ap-southeast-2

brightsparc · brightsparc · commit 1ef82c3a5dd9 · 2021-04-28T13:12:43.000+10:00
diff --git a/README.md b/README.md
@@ -192,7 +192,7 @@ Then, click the **Add inline policy** link, switch to to the **JSON** tab, and p
             "Action": [
                 "iam:GetRole",
                 "iam:PassRole",
-                "iam:getRolePolicy",
+                "iam:GetRolePolicy",
                 "iam:AttachRolePolicy",
                 "iam:PutRolePolicy",
                 "iam:DetachRolePolicy",
diff --git a/infra/service_catalog.py b/infra/service_catalog.py
@@ -92,22 +92,24 @@ def __init__(
             role_arn=f"arn:{self.partition}:iam::{self.account}:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole",
         )
 
-        aws_servicecatalog.CfnLaunchRoleConstraint(
+        portfolio_association = aws_servicecatalog.CfnPortfolioPrincipalAssociation(
             self,
-            "LaunchRoleConstraint",
+            "PortfolioPrincipalAssociation",
             portfolio_id=portfolio.ref,
-            product_id=product.ref,
-            role_arn=launch_role.role_arn,
-            description=f"Launch as {launch_role.role_arn}",
+            principal_arn=execution_role_arn.value_as_string,
+            principal_type="IAM",
         )
 
-        aws_servicecatalog.CfnPortfolioPrincipalAssociation(
+        # Ensure we run the LaunchRoleConstrait last as there are timing issues on product/portfolio being created
+        role_constraint = aws_servicecatalog.CfnLaunchRoleConstraint(
             self,
-            "PortfolioPrincipalAssociation",
+            "LaunchRoleConstraint",
             portfolio_id=portfolio.ref,
-            principal_arn=execution_role_arn.value_as_string,
-            principal_type="IAM",
+            product_id=product.ref,
+            role_arn=launch_role.role_arn,
+            description=f"Launch as {launch_role.role_arn}",
         )
+        role_constraint.add_depends_on(portfolio_association)
 
         # Create the deployment asset as an output to pass to pipeline stack
         deployment_asset = aws_s3_assets.Asset(
diff --git a/lambda/api/lambda_register.py b/lambda/api/lambda_register.py
@@ -99,7 +99,7 @@ def lambda_handler(event, context):
         # If this endpoint does not match prefix or not enabled return Not Modified (304)
         endpoint_name = event["detail"]["EndpointName"]
         endpoint_tags = event["detail"]["Tags"]
-        endpoint_enabled = endpoint_tags.get("ab-testing:enabled", "false").lower() == "true"
+        endpoint_enabled = endpoint_tags.get("ab-testing:enabled", "").lower() == "true"
         if not (endpoint_name.startswith(ENDPOINT_PREFIX) and endpoint_enabled):
             error_message = (
                 f"Endpoint: {endpoint_name} not enabled for prefix: {ENDPOINT_PREFIX}"
