Prepare step fails with base configuration on new organization about landing-zone-accelerator-on-aws HOT 4 CLOSED

Hello @FlemmingBehrend,

error: undefined in the prepare stage generally points to issues fetching account IDs for your organization based on the email addresses entered in accounts-config.yaml. We are actively working to improve our error messaging here to make that clear. In the meantime, can you please verify the email addresses for your mandatory and workload accounts match exactly what is in AWS Organizations?

Note: email addresses for the mandatory accounts are pushed to the config file from the installer stack parameters, so you may update those there if any of the emails differ. For workload accounts, you may update the accounts-config.yaml directly.

Thanks, and please keep us updated!

from landing-zone-accelerator-on-aws.

Hi @awsclemj

It was as you said a typo in the account email for the management account. There are a couple of things that I was wondering about.

1. Why do we need to specify the email address for the management account?
   My assumption here is the ALZ is always installed in the management account or can it be deployed in another account. The account number could just be looked up.

2. If the email is wrong could you fail earlier?
   If the management account email is wrong could the solution fail in the AWSAccelerator-Installer pipeline instead of waiting until the prepare script in the AWSAccelerator-Pipeline

3. The aws-accelerator-config repo was not updated
   Running the AWSAccelerator-Installer again with the correct email in the stack parameters did not update the accounts-config.yaml, I had to do that manually afterwards before running the AWSAccelerator-Pipeline

Thanks for the help 👍

Looking forward to better error messages 😄

from landing-zone-accelerator-on-aws.

Hello @FlemmingBehrend Thank you for the valuable feedback.

1. Why do we need to specify the email address for the management account?

This is needed so that the aws-accelerator-config repository can populate the correct email addresses when generating the base configuration. It is designed to be compatible with partitions that may not have organizations support.

2. If the email is wrong could you fail earlier?

It is possible for us to fail sooner than the prepare stage. Our team will evaluate this and add it to our feature requests.

3. The aws-accelerator-config repo was not updated

This is the expected behavior of the LZA. As of today, we do not programmatically modify the aws-accelerator-config after initial installation.

from landing-zone-accelerator-on-aws.

is the management account = root account? it is very unclear what account is what?! In the code is says "root" in the CFT is says "management account" which is very inconsistent!

from landing-zone-accelerator-on-aws.