in customizations/AccountFactory/EnrollAccount/enroll_account.py [0:0]
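def create_crossaccount_role(account_id, region, master_id, template_url=None):
    '''
    Create the cross-account execution role in the OU that contains
    ``account_id`` using the SERVICE_MANAGED, auto-deploying StackSet option.

    The StackSet is created once (an existing one is re-used) and a stack
    instance is then added for the account's parent OU.  The call blocks,
    polling every 30 seconds with no upper bound, until that StackSet
    operation reaches a terminal state.

    :param account_id: account being enrolled; its parent OU is the target.
    :param region: region the stack instance is deployed into.
    :param master_id: account ID passed as the ``AdministratorAccountId``
        template parameter (the account allowed to assume the role).
    :param template_url: optional HTTPS URL of the CloudFormation template.
        Defaults to a template hosted in a public, third-party S3 bucket
        that this code does not control.  Since the template is deployed
        with CAPABILITY_NAMED_IAM into every account in the OU, anyone who
        can write to that bucket can change the IAM resources created in
        all of them; production use should point this at an org-owned,
        preferably versioned/immutable, object.
    :returns: True only if the stack-instance operation SUCCEEDED; False
        if it FAILED or was STOPPED.
    :raises ClientError: for any StackSet creation error other than the
        StackSet already existing.
    '''
    ou_id = get_parent_for_account(account_id)
    # Default template lives in a public bucket that is NOT owned by this
    # code; see the docstring for why that matters with CAPABILITY_NAMED_IAM.
    if template_url is None:
        ss_bucket = 'marketplace-sa-resources.s3.amazonaws.com/ct-blogs-content'
        template_url = 'https://' + ss_bucket + '/AWSControlTowerExecution.yml'
    ss_name = 'MyCrossAccountRole-StackSet'
    # Auto-deploy to every account that is (or later lands) in the OU, and
    # keep the stacks -- i.e. the IAM role -- if an account leaves the OU.
    ss_deploy = {'Enabled': True, 'RetainStacksOnAccountRemoval': True}
    ss_param = [{'ParameterKey': 'AdministratorAccountId',
                 'ParameterValue': master_id}]
    # The template creates a named IAM role, so this capability is required.
    capabilities = ['CAPABILITY_NAMED_IAM']

    try:
        CFT.create_stack_set(StackSetName=ss_name,
                             Description='Cross account role creation for stacksets',
                             TemplateURL=template_url,
                             Capabilities=capabilities,
                             Parameters=ss_param,
                             PermissionModel='SERVICE_MANAGED',
                             AutoDeployment=ss_deploy)
    except ClientError as exe:
        error = exe.response.get('Error', {})
        # NOTE: an existing StackSet is re-used as-is -- its template and
        # AdministratorAccountId are whatever it was created with, not
        # necessarily the ``template_url``/``master_id`` passed here.
        if (error.get('Code') == 'NameAlreadyExistsException'
                or 'StackSet already exists' in str(error.get('Message', ''))):
            LOGGER.info('StackSet already exists, Adding stack instance')
        else:
            raise  # bare raise keeps the original traceback

    op_id = add_stack_instance(ss_name, region, ou_id)

    # Poll until the operation leaves the in-progress states.  The status
    # is checked before each sleep so we do not idle 30s after completion.
    in_progress = ('RUNNING', 'QUEUED', 'STOPPING')
    ss_status = check_ss_status(ss_name, op_id)
    while ss_status in in_progress:
        LOGGER.info('Creating cross-account role on %s, wait 30 sec: %s',
                    account_id, ss_status)
        sleep(30)
        ss_status = check_ss_status(ss_name, op_id)

    # Only SUCCEEDED means the role actually exists; a FAILED (or STOPPED)
    # operation must not be reported to the caller as success.
    if ss_status != 'SUCCEEDED':
        LOGGER.error('Cross-account role creation on %s ended with status %s',
                     account_id, ss_status)
    return ss_status == 'SUCCEEDED'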