Use !Sub in organizations file
Subject of the issue
I want to tighten some SCPs in my organization.yml. Unfortunately, as soon as I start using !Sub and parameters, it fails with an error that just says: MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type
Your environment
- version of org-formation (ofn --version): 1.0.11
- version of node (node --version): 20.9.0
- which OS/distro: Mac OS 14.1.1
Steps to reproduce
AWSTemplateFormatVersion: '2010-09-09-OC'

Organization:
  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Organisation
      AccountId: '11111111111'
      RootEmail: [email protected]
      Alias: my-organisation

  RestrictUnusedRegionsSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: RestrictUnusedRegions
      Description: Restrict Unused regions
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            NotAction:
              - 'cloudfront:*'
              - 'iam:*'
              - 'route53:*'
              - 'support:*'
              - 'budgets:*'
              - 'acm:*'
            Resource: "*"
            Condition:
              StringNotEquals:
                "aws:RequestedRegion":
                  - !Sub '${primaryRegion}'
Expected behaviour
It should replace the template string with the primary region as defined in organization-parameters.yml
Actual behaviour
MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type
I also tried to use a lot more in other SCPs, none of them worked. Here are a few examples:
- !Sub '${ManagementAccount.AccountId}'
- !Sub '${AWS::Region}'
- !Sub '${CurrentAccount.AccountId}'
What am I doing wrong, or how can I circumvent the issue if this is not supported? Are there any docs that clarify where I can use what and when?
Any help is greatly appreciated :)
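A pre-flight check of the kind a practitioner would run on an SCP before deploying it, added here as an example; it is not part of org-formation and not code from this issue. It resolves `${...}` placeholders from a parameter mapping (the `Sub` class is a constructed stand-in for what a YAML loader with a `!Sub` constructor would produce), then validates the rendered policy document against the SCP syntax rules AWS documents and flags any placeholder left unresolved. The sample policy is a copy of the SCP above; whether an unresolved placeholder is what triggers the reported error is an assumption, and the check only shows what to look for in the rendered document.

```python
import re
from typing import Any, Iterator


class Sub:
    """Stand-in for a value written with the !Sub tag (constructed for this example)."""

    def __init__(self, template: str) -> None:
        self.template = template


PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def render(node: Any, params: dict[str, str]) -> Any:
    """Resolve every Sub node from params; names missing from params stay as ${name}."""
    if isinstance(node, Sub):
        return PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), node.template)
    if isinstance(node, dict):
        return {key: render(value, params) for key, value in node.items()}
    if isinstance(node, list):
        return [render(value, params) for value in node]
    return node


def _strings(node: Any) -> Iterator[str]:
    """Yield every string in a rendered document, mapping keys included."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def validate_scp(doc: Any) -> list[str]:
    """Return the list of problems found; an empty list means the checks passed.

    Rules follow the AWS SCP syntax documentation: Version 2012-10-17, a non-empty
    Statement list, Effect Allow/Deny, Action or NotAction, Resource; Allow
    statements may only use Action with Resource "*" (no Condition, NotAction,
    NotResource). Any leftover ${...} placeholder is reported as well.
    """
    problems: list[str] = []
    if not isinstance(doc, dict):
        return ["policy document is not a mapping"]
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be exactly 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append("Statement must be a non-empty list")
        statements = []
    for index, statement in enumerate(statements):
        where = f"Statement[{index}]"
        if not isinstance(statement, dict):
            problems.append(f"{where}: not a mapping")
            continue
        effect = statement.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if ("Action" in statement) == ("NotAction" in statement):
            problems.append(f"{where}: exactly one of Action or NotAction is required")
        if "Resource" not in statement and "NotResource" not in statement:
            problems.append(f"{where}: Resource (or NotResource) is required")
        if effect == "Allow":
            for key in ("Condition", "NotAction", "NotResource"):
                if key in statement:
                    problems.append(f"{where}: {key} is not supported in an Allow statement")
            if statement.get("Resource") != "*":
                problems.append(f'{where}: Allow statements must use Resource "*"')
    for text in _strings(doc):
        if PLACEHOLDER.search(text):
            problems.append(f"unresolved placeholder left in {text!r}")
    return problems


# Constructed copy of the issue's SCP, with the !Sub value as a Sub node.
RESTRICT_UNUSED_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnsupportedRegions",
            "Effect": "Deny",
            "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*", "budgets:*", "acm:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": [Sub("${primaryRegion}")]}},
        }
    ],
}


def check_policy(policy: Any, params: dict[str, str]) -> tuple[dict, list[str]]:
    """Render the policy template with params and validate the result."""
    rendered = render(policy, params)
    return rendered, validate_scp(rendered)


if __name__ == "__main__":
    # With the parameter supplied the document passes; without it the placeholder is flagged.
    for params in ({"primaryRegion": "eu-west-1"}, {}):
        _, problems = check_policy(RESTRICT_UNUSED_REGIONS, params)
        print(params, "->", problems or "OK")
```

Running the check with the parameter mapping that the deployment actually uses, rather than with a hand-typed region, makes it a faithful dry run of the rendered document; the Allow-statement rules are included so the same function can be reused for allow-list SCPs, where AWS rejects Condition, NotAction and NotResource.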