
Prepare stage failing with Account ID not found for LogArchive. Validate that the emails in the parameter ManagementAccountEmail of the AWSAccelerator-InstallerStack #647

Open
sathyashop opened this issue Nov 15, 2024 · 6 comments
Labels
bug Something isn't working

Comments

sathyashop commented Nov 15, 2024

Describe the bug
I am trying to deploy LZA 1.10.0 on a clean AWS environment as the root user. I am simply following the instructions in https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/deploy-the-solution.html

**I had been using the default configurations provided with LZA, with the understanding that I need to add my customizations only after AWSAccelerator-Pipeline completes.**

organization-config.yaml:

```yaml
enable: true
organizationalUnits:
  - name: Security
  - name: Infrastructure
```

accounts-config.yaml:

```yaml
mandatoryAccounts:
  - name: Management
    description: >-
      The management (primary) account. Do not change the name field for this
      mandatory account. Note, the account name key does not need to match the
      AWS account name.
    email: xxxx@yy.com
    organizationalUnit: Root
    warm: false
  - name: LogArchive
    description: >-
      The log archive account. Do not change the name field for this mandatory
      account. Note, the account name key does not need to match the AWS account
      name.
..
```

But AWSAccelerator-Pipeline fails at the "Prepare" stage:

```text
2024/11/14 19:10:21.747147 Running command cd source
..
yarn run v1.22.22
$ /codebuild/output/src3662/src/s3/00/source/node_modules/.bin/ts-node packages/@aws-accelerator/lza-modules/bin/runner.ts --module control-tower --partition aws --use-existing-role No --config-dir /codebuild/output/src3662/src/s3/01
2024-11-14 19:10:26.188 | info | runner | The global-config.yaml file did not contain any configuration for AWS Control Tower Landing Zone, no activities for module control-tower.
Done in 1.94s.

2024-11-14 19:10:30.424 | info | index | AWS Organizations organizational unit "Infrastructure" created successfully.
2024-11-14 19:10:31.057 | info | index | The organizational unit "Infrastructure" is not registered into AWS Control Tower, it will be registered now.
..

2024-11-14 19:14:49.551 | error | accounts-config | Account ID not found for LogArchive. Validate that the emails in the parameter ManagementAccountEmail of the AWSAccelerator-InstallerStack and account configs (accounts-config.yaml) match the correct account emails shown in AWS Organizations.
2024-11-14 19:14:49.560 | error | app | configuration validation failed.
2024-11-14 19:14:49.560 | error | toolkit | Error: configuration validation failed.
2024-11-14 19:14:49.748 | error | accelerator | Runtime Error
/codebuild/output/src3662/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/accelerator.ts:105
```

None of the OUs/accounts are automatically created by LZA except the "Infrastructure" OU.

Expected behavior
AWSAccelerator-Pipeline needs to be successful.

Please complete the following information about the solution:

  • Version: 1.10.0
richardkeit (Contributor) commented

@sathyashop - can you clarify if you intend to use Control Tower?

> The global-config.yaml file did not contain any configuration for AWS Control Tower Landing Zone, no activities for module control-tower.

If this is true, then confirm in the InstallerStack that the email address for the existing LogArchive account matches what is in the Organizations page AND matches what is in the accounts-config.yaml.
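The cross-check richardkeit asks for can be done mechanically before re-running the pipeline. The script below is an added example written for this thread, not code from LZA: it reads the `name`/`email` pairs from an accounts-config.yaml excerpt, compares them with the JSON that `aws organizations list-accounts --output json` produces, and prints one line per configured account that does not resolve to an existing Organizations account, in the same shape as the Prepare-stage error. Both inputs are constructed sample data; the YAML handling is a deliberate minimum for the flat `mandatoryAccounts`/`workloadAccounts` layout (an assumption made to avoid a PyYAML dependency), and the case-insensitive email comparison is this example's choice, not a statement about how LZA compares them.

```python
import json
import re

# Constructed excerpt in the shape of accounts-config.yaml (not the reporter's real file).
ACCOUNTS_CONFIG = """\
mandatoryAccounts:
  - name: Management
    description: >-
      The management (primary) account.
    email: management@example.com
    organizationalUnit: Root
    warm: false
  - name: LogArchive
    description: >-
      The log archive account.
    email: Log-Archive@Example.com
    organizationalUnit: Security
  - name: Audit
    email: audit@example.com
    organizationalUnit: Security
workloadAccounts: []
"""

# Constructed output in the shape of `aws organizations list-accounts --output json`.
# The Audit account is deliberately absent, mirroring the missing LogArchive in the report.
ORG_ACCOUNTS_JSON = """{
  "Accounts": [
    {"Id": "111111111111", "Name": "management", "Email": "management@example.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "Log Archive", "Email": "log-archive@example.com", "Status": "ACTIVE"}
  ]
}"""

ITEM_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
EMAIL_RE = re.compile(r"^\s+email:\s*(.+?)\s*$")


def parse_account_emails(yaml_text: str) -> dict:
    """Return {config account name: email or None} from the flat accounts-config layout.
    Minimal by design: recognises `- name:` items and their `email:` key and ignores
    everything else (including folded description text). Not a general YAML parser."""
    accounts, current = {}, None
    for line in yaml_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            current = m.group(1)
            accounts[current] = None
            continue
        m = EMAIL_RE.match(line)
        if m and current is not None:
            accounts[current] = m.group(1)
    return accounts


def normalize(email: str) -> str:
    # Assumption for this example: emails are compared case-insensitively, but a
    # case difference is still surfaced so the config can be made to match exactly.
    return email.strip().lower()


def validate(config_yaml: str, org_json: str) -> dict:
    """Every configured account email must map to an account visible in Organizations.
    Returns {"resolved": {name: account id}, "missing": [name], "case_mismatch": [(name, cfg, org)]}."""
    configured = parse_account_emails(config_yaml)
    org = {a["Email"]: a for a in json.loads(org_json)["Accounts"]}
    by_lower = {normalize(e): a for e, a in org.items()}
    resolved, missing, case_mismatch = {}, [], []
    for name, email in configured.items():
        if email is None:
            missing.append(name)
        elif email in org:
            resolved[name] = org[email]["Id"]
        elif normalize(email) in by_lower:
            acct = by_lower[normalize(email)]
            resolved[name] = acct["Id"]
            case_mismatch.append((name, email, acct["Email"]))
        else:
            missing.append(name)
    return {"resolved": resolved, "missing": missing, "case_mismatch": case_mismatch}


def render(report: dict) -> list:
    """Human-readable findings, phrased like the accounts-config error in the pipeline log."""
    lines = [f"Account ID not found for {n}. Validate that the email in accounts-config.yaml "
             f"matches an account email shown in AWS Organizations." for n in report["missing"]]
    lines += [f"Email for {n} differs only by case: config has {c}, Organizations has {o}."
              for n, c, o in report["case_mismatch"]]
    return lines


if __name__ == "__main__":
    for line in render(validate(ACCOUNTS_CONFIG, ORG_ACCOUNTS_JSON)):
        print(line)
```

To use it against a real environment, replace the two constants with the contents of your accounts-config.yaml and the saved output of `aws organizations list-accounts --output json` run from the management account; any account listed under "missing" is one the Prepare stage will also fail to resolve.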

sathyashop commented Nov 17, 2024 via email

richardkeit (Contributor) commented

@sathyashop - then the first message printed by the validator indicates what's wrong.
Please update your global-config.yaml to something like the below (with values under landingZone uncommented):

```yaml
controlTower:
  enable: true
  # New AWS Management Account
  # Uncomment if no OUs, Identity Centre, Accounts are created
  # See documentation/control-tower.md for further reading
  # landingZone:
  #   version: '3.3'
  #   logging:
  #     loggingBucketRetentionDays: 365
  #     accessLoggingBucketRetentionDays: 3650
  #     organizationTrail: true
  #   security:
  #     enableIdentityCenterAccess: true
  # controls: []
  ##
```

In the event that it resolves the issue for you, please mark as closed with that acknowledgement.
Thanks

sathyashop (Author) commented

Unfortunately, it does not work. Same error.

sathyashop (Author) commented

I did some debugging, and it looks like that specific code expects the account with name "LogArchive" to be pre-existing (and already created) in the AWS organization.

In my case, I didn't have it, and here it is throwing this error.

I was under the assumption that LZA will automatically create all necessary accounts (LogArchive, Audit etc.) as part of this process? If yes, then why is it failing at the Prepare stage? Can someone please confirm my understanding?

Below is the call stack, just in case:

```text
2024-11-21 18:25:34.579 | error | accounts-config | Account ID not found for LogArchive. Validate that the emails in the parameter ManagementAccountEmail of the AWSAccelerator-InstallerStack and account configs (accounts-config.yaml) match the correct account emails shown in AWS Organizations.
2024-11-21 18:25:34.587 | error | runner | configuration validation failed.
Error: configuration validation failed.
    at AccountsConfig.getAccountId (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/config/dist/lib/accounts-config.js:297:11)
    at AccountsConfig.getLogArchiveAccountId (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/config/dist/lib/accounts-config.js:416:17)
    at ControlTowerLandingZone.getControlTowerLandingZoneConfig (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/lza-modules/lib/control-tower/index.ts:118:43)
    at ControlTowerLandingZone.manageModule (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/lza-modules/lib/control-tower/index.ts:196:43)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async ControlTowerLandingZone.handler (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/lza-modules/lib/control-tower/index.ts:266:12)
    at async main (/codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/lza-modules/bin/runner.ts:73:10)
    at async /codebuild/output/src1324/src/s3/00/source/packages/@aws-accelerator/lza-modules/bin/runner.ts:81:20 {
  level: 'error',
  mainLabel: 'accelerator',
  [Symbol(level)]: 'error'
```

richardkeit (Contributor) commented

My assumption here is that because the initial run of the pipeline did not have the Control Tower configuration set, that this has contributed to it.

With 1.9.2, I had a single Management Account (in an Organization) and it created everything including the mandatory accounts. I followed this documentation closely and it worked without an issue: https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#for-aws-control-tower-based-installation

Triple check that the parameters in the Installer CloudFormation stack are correct, run the installer pipeline and double check that the configuration in the repository is correct. If using S3 as the configuration location, it is very likely that the configuration has not been updated there.
