Separate PCA instances in one AWS Account

[hyde-mattholgate]

Is it possible to deploy multiple instances of the PCA CloudFormation stack in one account? We are currently getting CloudFormation deploy errors when trying to deploy a second instance of the CloudFormation stack in an account. Both instances have Kendra enabled which might be causing the issue.

[MikeGrande]

I had asked the same thing and per a week ago was told(by AWS) because of conflicts on resources its one PCA deployment per account.

[chrislott]

Thanks both - we have put this on the roadmap for an upcoming release.

[hyde-mattholgate]

Thanks both for the replies.

Chris would it be possible to tell me the exact resources used in the CloudFormation stacks that have the conflicts? We are looking to see if we can get multiple instances working ourselves by amending the CloudFormation.

[chrislott]

It is all the ssm parameters found in the pca-ssm/cfn template. The issue is they have hardcoded names.

The way I plan on fixing this is by passing the name of the main stack to this nested stack, and prepending the stack name to the parameter names. This will guarantee a unique parameter store name.

I will also pass the main stack name to all the nested stacks and Lambda functions that read from those parameters, so they can find the correct parameter for their PCA application.

If you are able to get to it, we would love a pull request! 😀

[hyde-mattholgate]

Hi @chrislott I have submitted an initial PR to create a parameter for the main stack name and to preprend this stack name to the first resource in ssm.template

Please could you review and let me know if this is along the correct lines for what you meant and if so I can amend all the SSM parameters and look at passing the name to the nested stacks and Lambdas. This is one of my first times writing CloudFormation (more of a Terraform person ...) so my syntax might be slightly off, for example for the new resource name in the SSM template I was not sure about the quotation marks: Name: !Sub "'${MainStackName}'-BulkUploadBucket"

Also - do you know which lambdas will need the MainStackName parameter passing to them or do you know an easy way of finding out?

Thanks

[chrislott]

Hi @hyde-mattholgate ,

Happy new year! Just reviewed the PR, and this is exactly what I would do. The next step is to make sure all the Lambda functions also have the main stack name as an env variable, and that the code is modified to read the specific parameter for that stack. If you're able to add this to your PR, I will accept and merge it in. If not, no worries, as this is one of our priorities for an upcoming release.

Chris

[akashbhandari999]

Hi @chrislott
Is there any update on this?

[rstrahan]

Hi @akashbhandari999 - sorry for the delays.. @chrislott has left AWS
@kishd - can you pick up this thread? IMHO this is well worth fixing, since it's reasonable, and common, for people to attempt multiple PCA deployments in a single account add region.
I will close the related PR #216 for now since a) it has conflicts, and b) i feel it's a partial (non functioning) solution since it doesn;t include matching updates for the various Cfn templates that consume the hardcoded SSM parameter names as nested stack parameters. We need a new PR that addresses the whole solution holistically.