AWS Service Graph Connector looking for SSM when not configured on all environments

asanderfordRD
Tera Contributor

To provide more context: I have over 100 AWS accounts and the Assume Role for AWS SGC is only applied to 4 of them for testing. I can run the AWS SGC diagnostic tool and get 200 on everything with my 4 accounts that are set up.


My issue is that with the remaining accounts, I will get 403 on the IAM API (which is expected) but then it will return 200 on some of the SSM APIs. I have this working in a smaller environment and when the IAM role doesn't exist it just returns 403 and stops there, but with this instance it's not doing that. It seems as though this is causing SGC to check for the SSM documents, which aren't there because we don't want it run on those accounts.


My goal is to have AWS SGC running fully on only 4/100 accounts to test with before full deployment.


Any help would be much appreciated!

4 REPLIES

Aarti6
Mega Guru

Did you get a solution? I have a similar requirement @asanderfordRD

@Aarti6 I never got an OOB solution, but was able to modify the script include and flow action to get it to work. I'm still testing it though.

Edit the script include:

Below is an example of what I changed under the getMemberAccountsFromApi function. 

    try {
        var inputs = {};
        var outputs;                     // populated from the flow action result below
        var requestbody = {};            // original OOB request body, kept for reference
        var myObject = {};               // new request body sent to ListAccountsForParent
        requestbody['NextToken'] = 'AWS';
        myObject['NextToken'] = 'AWS';   // sentinel so the while loop runs at least once
        myObject['ParentId'] = 'ou-id';  // replace 'ou-id' with the ID of the OU whose accounts should be discovered
        // flowAction and managementAccountId are set earlier in the original function (not shown)
        if (!gs.nil(managementAccountId)) {
            flowAction = this.ORGANIZATION_LIST_ACCOUNTS_DYNAMIC;
            inputs['mgmtaccountid'] = managementAccountId;
        }
        var counter = 0;
        while (!gs.nil(myObject['NextToken'])) {
            if (myObject['NextToken'] === 'AWS') {
                delete myObject['NextToken'];   // first call carries no pagination token
            }
            inputs['myObject'] = JSON.stringify(myObject);

            try {
                var result = sn_fd.FlowAPI.getRunner().action(flowAction).inForeground().withInputs(inputs).run();
                outputs = result.getOutputs();
            } catch (ex) {
                gs.warn('Organizations-ListAccounts API call failed');
            }

            if (!gs.nil(outputs)) {
                var response = JSON.parse(outputs.targetobject);
                myObject['NextToken'] = response['NextToken'];   // absent on the last page, which ends the loop
                // ... remainder of the original loop body (account processing) unchanged ...
            }
        }
    } catch (e) {
        // catch added only to close this excerpt; the original function's own handler applies
        gs.warn('getMemberAccountsFromApi failed: ' + e);
    }

Edit the flow action:

Name: SG-AWS-Organizations-ListAccounts

  1. Change the input label and name to be the name of your new object
  2. Edit the query parameter value under "REST Step" to be ListAccountsForParent
  3. Change the header value of x-Amz-Target to AWSOrganizationsV20161128.ListAccountsForParent
  4. Change Request Body to the input variable data pill
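As an added, stand-alone illustration (not code from this thread or from the ServiceNow connector): the NextToken pagination loop that the modified getMemberAccountsFromApi relies on, run against a constructed stand-in for the ListAccountsForParent flow action. listAccountsForParent, fakeListAccountsForParent, SAMPLE_PAGES and the OU id 'ou-example' are all assumptions; it uses a do/while instead of the 'AWS' sentinel, and a failed call stops the loop the way the script include's catch does.

```javascript
// Constructed sample data: three result pages for one organizational unit,
// keyed by the NextToken that requests them. 'ou-example' is a placeholder OU id.
// Real Organizations ListAccountsForParent responses carry "Accounts" and "NextToken".
const SAMPLE_PAGES = {
  'ou-example': {
    first: { Accounts: [{ Id: '111111111111' }, { Id: '222222222222' }], NextToken: 'p2' },
    p2:    { Accounts: [{ Id: '333333333333' }], NextToken: 'p3' },
    p3:    { Accounts: [{ Id: '444444444444' }] }   // last page: no NextToken
  }
};

// Stand-in for the flow action's REST step: returns one page for the request body.
// An unknown OU throws, standing in for the 403 the thread describes.
function fakeListAccountsForParent(body) {
  const pages = SAMPLE_PAGES[body.ParentId];
  if (!pages) throw new Error('AccessDenied');
  return pages[body.NextToken || 'first'];
}

// Collects every account ID under parentId, following NextToken until it is absent.
// callApi(body) must return the parsed response object for one page.
function listAccountsForParent(callApi, parentId) {
  const body = { ParentId: parentId };   // same shape as myObject in the script include
  const ids = [];
  let pages = 0;
  do {
    let response;
    try {
      response = callApi(body);
    } catch (ex) {
      // Mirrors the script include: record the failure and stop, do not retry forever.
      return { ids: ids, pages: pages, error: String(ex.message || ex) };
    }
    pages += 1;
    (response.Accounts || []).forEach(a => ids.push(a.Id));
    if (response.NextToken) body.NextToken = response.NextToken;
    else delete body.NextToken;           // last page reached
  } while (body.NextToken);
  return { ids: ids, pages: pages, error: null };
}
```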

@asanderfordRD Can you please help me understand how to pass the selected account IDs?
Are you passing them through the line below? If yes, what is the format? Is it comma separated?

myObject['ParentId'] = 'ou-id';

I am new to this. Kindly help

Victor Peinado
Tera Guru

Any replies on this? It says 3 replies but I cannot see them.