From baa19f8fc323799ae39e546152327a452ebdd24c Mon Sep 17 00:00:00 2001
From: Sanket Dharwadkar <sdharwad@amazon.com>
Date: Thu, 8 Apr 2021 18:06:45 -0400
Subject: [PATCH] fix: assume role on added member account (#434)

---
 CHANGELOG.md                                          | 5 +++++
 main/solution/backend/config/infra/cloudformation.yml | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2b44b4402..ebe60e9012 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@
 All notable changes to this project will be documented in this file.
 
 
+## [2.1.5] - 2021-04-08
+
+### Added
+- fix: assume role on added member account
+
 ## [2.1.4] - 2021-04-06
 
 ### Added
diff --git a/main/solution/backend/config/infra/cloudformation.yml b/main/solution/backend/config/infra/cloudformation.yml
index c9f4103a0f..089bd86884 100644
--- a/main/solution/backend/config/infra/cloudformation.yml
+++ b/main/solution/backend/config/infra/cloudformation.yml
@@ -426,8 +426,8 @@ Resources:
               - 'arn:aws:iam::*:role/SC-*'
               - 'arn:aws:iam::*:role/swb-*'
               - 'arn:aws:iam::*:role/analysis-*'
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-cross-account-role' # This is required since when users onboard the main account as a member account, the onboard CFN stack would also reside there
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-xacc-env-mgmt'
+              - !Sub 'arn:aws:iam::*:role/*-cross-account-role' # This is required since when users onboard the main account as a member account, the onboard CFN stack would also reside there
+              - !Sub 'arn:aws:iam::*:role/*-xacc-env-mgmt'
           - Effect: Allow
             Action:
               - logs:CreateLogGroup
@@ -582,8 +582,8 @@ Resources:
               - 'arn:aws:iam::*:role/SC-*'
               - 'arn:aws:iam::*:role/analysis-*'
               - 'arn:aws:iam::*:role/swb-*'
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-cross-account-role' # This is required since when users onboard the main account as a member account, the onboard CFN stack would also reside there
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-xacc-env-mgmt'
+              - !Sub 'arn:aws:iam::*:role/*-cross-account-role' # This is required since when users onboard the main account as a member account, the onboard CFN stack would also reside there
+              - !Sub 'arn:aws:iam::*:role/*-xacc-env-mgmt'
           - Effect: Allow
             Action:
               - logs:CreateLogGroup