fix(core): Replace StackSet and removing dependency with CloudFormationStackSetExecutionRole (#583)

* Adding validation for StackSet and replace fix
* Fixing Typo for OrganizationAdminRole and passing role to addQurantineSCP

Author: naveenkoppula

src/core/cdk/src/initial-setup.ts

@@ -158,6 +158,7 @@ export namespace InitialSetup {
           'inputConfig.$': '$',
           'executionArn.$': '$$.Execution.Id',
           'stateMachineArn.$': '$$.StateMachine.Id',
+          acceleratorPrefix: props.acceleratorPrefix,
         },
         resultPath: '$.configuration',
       });
@@ -208,7 +209,7 @@ export namespace InitialSetup {
           'phases.$': '$.configuration.baselineOutput.phases',
           'acceleratorVersion.$': '$.configuration.acceleratorVersion',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
-          'organizationAdmiRole.$': '$.configuration.baselineOutput.organizationAdmiRole',
+          'organizationAdminRole.$': '$.configuration.baselineOutput.organizationAdminRole',
         },
         resultPath: '$.configuration',
       });
@@ -228,7 +229,7 @@ export namespace InitialSetup {
           'phases.$': '$.configuration.baselineOutput.phases',
           'acceleratorVersion.$': '$.configuration.acceleratorVersion',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
-          'organizationAdmiRole.$': '$.configuration.baselineOutput.organizationAdmiRole',
+          'organizationAdminRole.$': '$.configuration.baselineOutput.organizationAdminRole',
         },
         resultPath: '$.configuration',
       });
@@ -304,6 +305,7 @@ export namespace InitialSetup {
           'configFilePath.$': '$.configuration.configFilePath',
           'configCommitId.$': '$.configuration.configCommitId',
           acceleratorPrefix: props.acceleratorPrefix,
+          'organizationAdminRole.$': '$.configuration.organizationAdminRole',
         },
       });
 
@@ -354,7 +356,7 @@ export namespace InitialSetup {
           'regions.$': '$.configuration.regions',
           'accounts.$': '$.configuration.accounts',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
-          'organizationAdmiRole.$': '$.configuration.organizationAdmiRole',
+          'organizationAdminRole.$': '$.configuration.organizationAdminRole',
         },
         resultPath: '$',
       });
@@ -390,7 +392,7 @@ export namespace InitialSetup {
               s3ObjectKey: installCfnRoleMasterTemplate.s3ObjectKey,
             },
             stackParameters: {
-              'RoleName.$': '$.configuration.organizationAdmiRole',
+              'RoleName.$': '$.configuration.organizationAdminRole',
             },
           }),
           resultPath: 'DISCARD',
@@ -423,7 +425,7 @@ export namespace InitialSetup {
           },
           stackTemplate: executionRoleContent.toString(),
           'accountId.$': '$.accountId',
-          'assumedRoleName.$': '$.organizationAdmiRole',
+          'assumedRoleName.$': '$.organizationAdminRole',
         }),
         resultPath: 'DISCARD',
       });
@@ -434,7 +436,7 @@ export namespace InitialSetup {
         maxConcurrency: 40,
         parameters: {
           'accountId.$': '$$.Map.Item.Value',
-          'organizationAdmiRole.$': '$.organizationAdmiRole',
+          'organizationAdminRole.$': '$.organizationAdminRole',
         },
       });
 

src/core/cdk/src/tasks/create-organization-account-task.ts

@@ -93,6 +93,7 @@ export class CreateOrganizationAccountTask extends sfn.StateMachineFragment {
       functionPayload: {
         'account.$': '$.moveOutput',
         'acceleratorPrefix.$': '$.createAccountConfiguration.acceleratorPrefix',
+        'organizationAdminRole.$': '$.createAccountConfiguration.organizationAdminRole',
       },
     });
     attachQuarantineScpTask.next(pass);

src/core/runtime/src/get-baseline-step.ts

@@ -20,7 +20,7 @@ export interface GetBaseelineOutput {
   baseline: string;
   storeAllOutputs: boolean;
   phases: number[];
-  organizationAdmiRole: string;
+  organizationAdminRole: string;
 }
 
 const dynamoDB = new DynamoDB();
@@ -69,6 +69,6 @@ export const handler = async (input: GetBaseLineInput): Promise<GetBaseelineOutp
     baseline,
     storeAllOutputs: runStoreAllOutputs,
     phases: [-1, 0, 1, 2, 3],
-    organizationAdmiRole: globalOptionsConfig['organization-admin-role'] || 'AWSCloudFormationStackSetExecutionRole',
+    organizationAdminRole: globalOptionsConfig['organization-admin-role'] || 'AWSCloudFormationStackSetExecutionRole',
   };
 };

src/core/runtime/src/get-or-create-config.ts

@@ -3,13 +3,15 @@ import { S3 } from '@aws-accelerator/common/src/aws/s3';
 import { RawConfig } from '@aws-accelerator/common/src/util/common';
 import { JSON_FORMAT, RAW_CONFIG_FILE, YAML_FORMAT } from '@aws-accelerator/common/src/util/constants';
 import { StepFunctions } from '@aws-accelerator/common/src/aws/stepfunctions';
+import { CloudFormation } from '@aws-accelerator/common/src/aws/cloudformation';
 
 interface GetOrCreateConfigInput {
   repositoryName: string;
   s3Bucket: string;
   branchName: string;
   executionArn: string;
   stateMachineArn: string;
+  acceleratorPrefix: string;
   acceleratorVersion?: string;
   // Taking entire input to replace any default paramaters in SM Input
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -19,6 +21,7 @@ interface GetOrCreateConfigInput {
 const codecommit = new CodeCommit();
 const s3 = new S3();
 const stepfunctions = new StepFunctions();
+const cfn = new CloudFormation();
 
 export const handler = async (input: GetOrCreateConfigInput) => {
   console.log(`Get or Create Config from S3 file...`);
@@ -32,11 +35,9 @@ export const handler = async (input: GetOrCreateConfigInput) => {
     inputConfig,
     executionArn,
     stateMachineArn,
+    acceleratorPrefix,
   } = input;
-  const runningStatus = await validateExecution(stateMachineArn, executionArn);
-  if (runningStatus === 'DUPLICATE_EXECUTION') {
-    throw new Error('Another execution of Accelerator is already running');
-  }
+  await beforeStart(acceleratorPrefix, stateMachineArn, executionArn);
   const storeAllOutputs: boolean = !!inputConfig.storeAllOutputs;
   const configRepository = await codecommit.batchGetRepositories([repositoryName]);
   if (!configRepository.repositories || configRepository.repositories?.length === 0) {
@@ -291,3 +292,16 @@ async function validateExecution(stateMachineArn: string, executionArn: string)
   }
   return 'SUCCESS';
 }
+
+async function beforeStart(acceleratorPrefix: string, stateMachineArn: string, executionArn: string) {
+  const installRolesStack = await cfn.describeStackSet(`${acceleratorPrefix}PipelineRole`);
+  if (installRolesStack) {
+    throw new Error(
+      'This upgrade requires the manual removal of the "PBMMAccel-PipelineRole" Stackset from this account - see upgrade instructions',
+    );
+  }
+  const runningStatus = await validateExecution(stateMachineArn, executionArn);
+  if (runningStatus === 'DUPLICATE_EXECUTION') {
+    throw new Error('Another execution of Accelerator is already running');
+  }
+}

src/core/runtime/src/load-configuration-step.ts

@@ -4,7 +4,7 @@ export interface LoadConfigurationInput {
   configFilePath: string;
   configRepositoryName: string;
   configCommitId: string;
-  organizationAdmiRole: string;
+  organizationAdminRole: string;
   baseline?: BaseLineType;
   acceleratorVersion?: string;
   configRootFilePath?: string;

src/lib/common/src/scp/index.ts

@@ -92,11 +92,8 @@ export class ServiceControlPolicy {
         throw e;
       }
 
-      // eslint-disable-next-line no-template-curly-in-string
-      if (policyContent.includes('${ORG_ADMIN_ROLE}')) {
-        // eslint-disable-next-line no-template-curly-in-string
-        policyContent = policyContent.replace('${ORG_ADMIN_ROLE}', organizationAdminRole);
-      }
+      policyContent = policyContent.replace(/\${ORG_ADMIN_ROLE}/g, organizationAdminRole);
+
       // Minify the SCP content
       policyContent = JSON.stringify(JSON.parse(policyContent));