Getting LimitExceeded error when adding new accounts to infrastructure-live repository
I'm looking for help to figure out what the best approach is to fix the following issue:

```
│ Error: putting IAM group policy _all-accounts: LimitExceeded: Maximum policy size of 5120 bytes exceeded for group _all-accounts
```

We hit this issue after adding multiple accounts to our repository and applying the `landingzone/account-baseline-security` module from `terraform-aws-service-catalog`.

So my questions are:

1. Is there a limit on the number of accounts that we can add to a given repository that we should be aware of?
2. Would it mean that we need to break the `_all-accounts` IAM group in two? Do we have a list of the necessary `aws_iam_group_policy` resources that we need in order to have a repo that was based off the `examples/for-production/infrastructure-live` folder? I know the `arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts` roles are used by the ECS deploy runners, but are any of the others from this [list](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/security/_global/account-baseline/cross_account_groups.yml) needed?

---

2023-03-30: [Tracked in ticket #110040](https://support.gruntwork.io/hc/requests/110040)
After some time debugging this, I think I have possibly found a way to solve the issue of having too many accounts in the same `infrastructure-live`.

The solution is based on the following assumption; if this is not true, please let me know.

- I'm assuming the `aws_iam_group` `_all-accounts` is informational only. I couldn't find anywhere in `ECS Deploy Runner` where that's used.

So to fix it, this is what was changed:

- Because we don't need the `_all-accounts` AWS IAM group, in our setup I defined the following variable in our `security/_global/account-baseline/terragrunt.hcl`: `should_create_iam_group_cross_account_access_all = false`
- With the previous variable defined, the LimitExceeded error should be fixed. The next problem I believe will happen is that I'll need to add all the different auto-deploy groups to the `ci-machine-user` under `security/_global/account-baseline/users.yml`, and I'll hit the limit on how many groups a user can be attached to. Because of that I'm creating a group called `_accounts.all-auto-deploy` and defining its `iam_role_arns` to cover all of the accounts using the `security/_global/account-baseline/cross_account_groups.yml` file (not sure if we will still have the LimitExceeded issue, but if so I can still break it into different groups). The `security/_global/account-baseline/cross_account_groups.yml` looks like this:

```
cross_account_groups:
  # NOTE: we have to comment out the directives so that the python based data
  # merger (see the `merge-data` hook under blueprints in this repository) can
  # parse this yaml file (we expect to apply the data merger to this module in
  # the future). This still works when feeding through templatefile, as it will
  # interleave blank comments with the list items, which yaml handles gracefully.
  - group_name: "_accounts.all-auto-deploy"
    iam_role_arns:
      #%{~ for name, id in account_ids }
      - "arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts"
      #%{ endfor ~}
  #%{~ for name, id in account_ids }
  - group_name: "_account.${name}-full-access"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-full-access-from-other-accounts"
  - group_name: "_account.${name}-read-only"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-read-only-access-from-other-accounts"
  - group_name: "_account.${name}-auto-deploy"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts"
  - group_name: "_account.${name}-dev"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-dev-access-from-other-accounts"
  - group_name: "_account.${name}-billing"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-billing-only-access-from-other-accounts"
  - group_name: "_account.${name}-support"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-support-access-from-other-accounts"
  #%{ endfor ~}
```

- and finally the `security/_global/account-baseline/users.yml` looks like:

```
ci-machine-user:
  create_access_keys: false
  create_login_profile: false
  groups:
    - _accounts.all-auto-deploy
```
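The question above asks whether there is an account limit to watch for, and the follow-up post works around the 5120-byte inline policy limit by dropping `_all-accounts` and creating a single `_accounts.all-auto-deploy` group, while noting that group may itself hit the limit later. The script below is an added example (not the poster's code and not part of `terraform-aws-service-catalog`) that lets you check that ahead of an apply: it assumes the cross-account group policy is an inline `sts:AssumeRole` policy listing one role ARN per account, measures its size the way IAM counts it (JSON with whitespace stripped), and, when a single group would exceed the limit, greedily splits the ARNs into as few groups as fit and renders them in the `cross_account_groups.yml` shape shown above. The role names come from the YAML on this page; the account IDs are constructed and not real.

```python
import json

# Limit quoted in the LimitExceeded error on this page (inline IAM group policy).
INLINE_GROUP_POLICY_LIMIT = 5120

# Cross-account role names taken from the cross_account_groups.yml shown above.
CROSS_ACCOUNT_ROLES = [
    "allow-full-access-from-other-accounts",
    "allow-read-only-access-from-other-accounts",
    "allow-auto-deploy-from-other-accounts",
    "allow-dev-access-from-other-accounts",
    "allow-billing-only-access-from-other-accounts",
    "allow-support-access-from-other-accounts",
]


def role_arns(account_ids, role_names):
    """One ARN per (account, role), in the order the templatefile loop would emit them."""
    return [f"arn:aws:iam::{acct}:role/{role}" for acct in account_ids for role in role_names]


def assume_role_policy(arns):
    """Policy shape assumed here for a cross-account group: allow sts:AssumeRole on the listed ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(arns)}
        ],
    }


def policy_size(policy):
    """Size as IAM counts it: the JSON document with whitespace removed."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_inline_limit(arns, limit=INLINE_GROUP_POLICY_LIMIT):
    return policy_size(assume_role_policy(arns)) <= limit


def split_into_groups(arns, limit=INLINE_GROUP_POLICY_LIMIT):
    """Greedily pack ARNs into consecutive chunks whose policies each stay within the limit."""
    groups, current = [], []
    for arn in arns:
        if fits_inline_limit(current + [arn], limit):
            current.append(arn)
        else:
            if not current:
                raise ValueError(f"a single ARN does not fit in {limit} bytes: {arn}")
            groups.append(current)
            current = [arn]
    if current:
        groups.append(current)
    return groups


def render_cross_account_groups(groups, prefix="_accounts.all-auto-deploy"):
    """Emit one group per chunk in the cross_account_groups.yml layout used on this page.
    With more than one chunk the group names get a numeric suffix (hypothetical naming)."""
    lines = ["cross_account_groups:"]
    for n, chunk in enumerate(groups, start=1):
        name = prefix if len(groups) == 1 else f"{prefix}-{n}"
        lines.append(f'  - group_name: "{name}"')
        lines.append("    iam_role_arns:")
        lines.extend(f'      - "{arn}"' for arn in chunk)
    return "\n".join(lines) + "\n"


def plan_for(account_ids, role_names=("allow-auto-deploy-from-other-accounts",)):
    """Groups needed so that every group's inline policy stays under the limit."""
    return split_into_groups(role_arns(account_ids, role_names))


if __name__ == "__main__":
    # Constructed account IDs (not real accounts): 40 twelve-digit IDs.
    accounts = [f"{100000000000 + i}" for i in range(40)]
    every_role = role_arns(accounts, CROSS_ACCOUNT_ROLES)
    print(f"all roles, all accounts: {len(every_role)} ARNs -> "
          f"{policy_size(assume_role_policy(every_role))} bytes, fits: {fits_inline_limit(every_role)}")
    auto_deploy = plan_for(accounts)
    print(f"auto-deploy role only: {len(auto_deploy)} group(s) needed")
    print(render_cross_account_groups(auto_deploy))
```

Run it with the account list from your `accounts.json` (or wherever your repo keeps it) before adding the next account: if `fits_inline_limit` turns false for the auto-deploy ARNs, the rendered output is the split you need, and `ci-machine-user` then has to list each generated group. Keeping the split deterministic (same order, same chunking) matters for least privilege: it keeps the auto-deploy role as the only role the CI user can assume, rather than widening the group to avoid the limit.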