- The solution uses a logging convention aligned to the following data structure for all the lambda based use case flow logs written to cloud watch log groups. Trace starts from a use case trigger where it generates the request ID and all the subsequent logs until the lifecycle of this request carry over this request ID
| Log Element | Description | Mandatory |
|---|---|---|
| logMode | Classifies mode the log message is written in, i.e. info, error, warn |
Yes |
| handler | Name of the lambda handler that generated the log | Yes |
| requestId | UUID based request ID to collate different log entries triggered from the same process |
No |
| status | Status of the current request i.e. one of InProgress, Completed, FailedWithError, FailedWithException, OnHold, Aborted |
Yes |
| statusMessage | Details of status to provide more context | No |
| relatedData | Solution entity that the log is being written to. For ex, this could be a permission set name, account assignment link |
No |
| hasRelatedRequests | Either true/false depending on whether this request triggered other requests |
No |
| sourceReqeustId | Holds the source request ID that triggered this request | No |
- The solution writes logs to the following cloud watch log groups in
targetaccount and region. Note that these log groups only get created after the relevant use case flow is executed. Replaceenvwith your environment name
| Cloudwatch log group | Related use case |
|---|---|
| /aws/lambda/env-linkApiHandler | Account assignment - API interface processing |
| /aws/lambda/env-linkCuHandler | Account assignment - S3 interface create/update processing |
| /aws/lambda/env-linkDelHandler | Account assignment - S3 interface delete processing |
| /aws/lambda/env-linkManagerHandler | Account assignment - provisioning/de-provisioning operations |
| /aws/lambda/env-linkTopicProcessor | Account assignment - provisioning/de-provisioning topic processor that handles resolution of ou_id, root, account_tag scopes into target accounts list |
| /aws/lambda/env-processTargetAccountSMListenerHandler | Account assignment - handles state machine outputs when the target accounts for ou_id, root, account_tag scopes are resolved |
| /aws/lambda/env-psApiHandler | Permission set - API interface processing |
| /aws/lambda/env-psCuHandler | Permission set - S3 interface create/update processing |
| /aws/lambda/env-psDelHandler | Permissoin set - S3 interface delete processing |
| /aws/lambda/env-permissionSetTopicProcessor | Permission set - create/update/delete topic processor |
| /aws/lambda/env-permissionSetSyncHandler | Permission set - synchronisation of updated permission set to already provisioned accounts |
| /aws/lambda/env-ssoUserHandler | Self sustain - SSO user creation/deletion events processing |
| /aws/lambda/env-ssoGroupHandler | Self sustain - SSO group creation/deletion events processing |
| /aws/lambda/env-orgEventsHandler | Self sustain - org changes events processing |
- The solution deploys pre-defined
Cloud watch insights queriesintargetaccount and region that allow you to access information around a use case flow easily. These queries are defined to handle most common queries. If these queries do not fit your needs, then you could tweak them to fit your requirements. Replaceenvwith your environment name.
| Cloudwatch Insights query name | Purpose |
|---|---|
| env-accountAssignmentAPIFlows-getRequestDetails | Get details of a specific request for account assignment flows via API interface |
| env-accountAssignmentAPIFlows-getRelatedRequestDetails | Get details of all related requests for account assignment flows via API interface |
| env-permissionSetAPIFlows-getRequestDetails | Get details of a specific request for permission set flows via API interface |
| env-permissionSetAPIFlows-getRelatedRequestDetails | Get details of all related requests for permission set flows via API interface |
| env-ssoGroupTriggerFlows-getRequestDetails | Get details of a specific request for SSO group creation/deletion events |
| env-ssoGroupTriggerFlows-getRelatedRequestDetails | Get details of all related requests for SSO group creation/deletion events |
| env-ssoUserTriggerFlows-getRequestDetails | Get details of a specific request for SSO user creation/deletion events |
| env-ssoUserTriggerFlows-getRelatedRequestDetails | Get details of all related requests for SSO user creation/deletion events |
| env-permissionSetSyncTriggerFlows-getRequestDetails | Get details of a specific request for permission set sync flows |
| env-permissionSetSyncTriggerFlows-getRelatedRequestDetails | Get details of all related requests for permission set sync flows |
| env-orgEventsTriggerFlows-getRequestDetails | Get details of a specific request for org events |
| env-orgEventsTriggerFlows-getRelatedRequestDetails | Get details of all related requests for org events |
- For
import current SSO configurationuse cases, the solution creates the cloudwatch insights queryenv-importCurrentSSOConfiguration-errorsin yourSSO serviceaccountSSO serviceregion to provide details of all the errors that the state machine ran into and suppressed when trying to import current SSO configuration into the solution - For
region switchuse cases, the solution creates the cloudwatch insights queryaws-sso-extensions-region-switch-discover-errorsin yourSSO serviceaccountSSOServiceAccountRegionto provide details of all the errors that the state machine ran into and suppressed when trying to discover your current SSO region configuration - For
region switchuse cases, the solution creates the cloudwatch insights queryaws-sso-extensions-region-switch-deploy-errorsin yourSSO serviceaccountSSOServiceTargetAccountRegionto provide details of all the errors that the state machine ran into and suppressed when trying to deploy the discovered SSO configuration into your new region - For
upgradetoV303use cases, the solution creates the cloudwatch insights queryupgradeV303-errorsin yourtargetaccount and region to provide details of all the errors that the state machine ran into and suppressed when trying to upgrade account assignments from old solution format to a format compatible with solution version 3.0.3 and above