Getting LimitExceeded error when adding new accounts to infrastructure-live repository

[gabrielanavarrorsid]

I’m looking for help to figure out what is the best approach to fix the following issue:

│ Error: putting IAM group policy _all-accounts: LimitExceeded: Maximum policy size of 5120 bytes exceeded for group _all-accounts

We hit this issue after adding multiple accounts to our repository and applying the module landingzone/account-baseline-security module from terraform-aws-service-catalog

So my questions are:

1. Is there a limit of accounts that we can add to a given repository that we should be aware of?
2. Would it mean that we need to break the _all-accounts IAM group in two? do we have a list of the necessary aws_iam_group_policy that we need to have in order to have a repo that was based off the examples/for-production/infrastructure-live folder? I know the arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts are used by the ECS deploy runners, but does any of the others from this list is needed?

---

Tracked in ticket #110040

[gabrielanavarrorsid]

After some time debugging this I think I possibly found a way to solve the issues of having too many accounts in the same infrastructure-live

The solution is based on the following assumption. if this is not true, please let me know.

• I'm assuming the aws_iam_group _all-accounts is informational only. I couldn't find anywhere in ECS Deploy Runner if that's used and couldn't find anything.

So to fix it, this is what was changed.

• Because we don't need _all-accounts AWS IAM group, in our setup I defined the following variable: should_create_iam_group_cross_account_access_all = false in our security/_global/account-baseline/terragrunt.hcl
• With the previous variable defined, the LimitExceeded error should be fixed, the next problem I believe it will happen is that I'll need to define all the different auto-deploy groups to the ci-machine-user under security/_global/account-baseline/users.yml and I'll hit the limit of how many groups it can be attached. Because of that I'm creating a group called _accounts.all-auto-deploy and defining the iam_role_arns to be for all of the accounts using the security/_global/account-baseline/cross_account_groups.yml file (not sure if we will still have the issue of LimitExceeded, but if so I can break into different groups still. the security/_global/account-baseline/cross_account_groups.yml looks like this:

cross_account_groups:
# NOTE: we have to comment out the directives so that the python based data
# merger (see the `merge-data` hook under blueprints in this repository) can
# parse this yaml file (we expect to apply the data merger to this module in
# the future). This still works when feeding through templatefile, as it will
# interleave blank comments with the list items, which yaml handles gracefully.
  - group_name: "_accounts.all-auto-deploy"
    iam_role_arns:
#%{~ for name, id in account_ids }
      - "arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts"
#%{ endfor ~}

#%{~ for name, id in account_ids }
  - group_name: "_account.${name}-full-access"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-full-access-from-other-accounts"
  - group_name: "_account.${name}-read-only"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-read-only-access-from-other-accounts"
  - group_name: "_account.${name}-auto-deploy"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts"
  - group_name: "_account.${name}-dev"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-dev-access-from-other-accounts"
  - group_name: "_account.${name}-billing"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-billing-only-access-from-other-accounts"
  - group_name: "_account.${name}-support"
    iam_role_arns:
      - "arn:aws:iam::${id}:role/allow-support-access-from-other-accounts"
#%{ endfor ~}

• and finally the security/_global/account-baseline/users.yml looks like:

ci-machine-user:
  create_access_keys: false
  create_login_profile: false
  groups:
  - _accounts.all-auto-deploy

[ellisonc]

Thanks for providing your solution! Your assumptions look correct to me. We'll be looking into this a bit further to improve our defaults and add documentation in the future.