The failure occurs when the Keycloak admin password starts with a dash (-), as in -+Kz872+bR5/QB7f0dFgv0o1YpH1//k-.
When this gets passed as --keycloak-admin-password -+Kz872+bR5/QB7f0dFgv0o1YpH1//k-, argparse interprets -+Kz872... as another flag/option rather than the value for --keycloak-admin-password, which is why you get:
configure_identity_center.py: error: argument --keycloak-admin-password: expected one argument
This failed on all 5 attempts, but the script continued anyway (the IDC/SCIM integration was never configured). Then later:
- The SSM document signaled FAILURE to CloudFormation because 3 ArgoCD apps couldn't reach healthy state (backstage-peeks-hub, keycloak-peeks-hub, spark-operator-peeks-hub)
- CloudFormation received the FAILURE signal and initiated stack deletion
- The delete builds then failed (timeout on ArgoCD app deletion, then data.aws_lb.ingress_nginx not found in terraform destroy)
Root Cause Chain
- Keycloak admin password starts with - → configure_identity_center.py fails to parse args (all 5 attempts)
- IDC/SCIM integration never configured → but script continues
- spark-operator CRD annotation size issue → app stuck in OutOfSync/Failed
- SSM document signals FAILURE to CloudFormation
- CloudFormation initiates stack deletion → delete builds fail → orphaned resources
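A minimal reproduction of the first link in the chain and two ways to avoid it, as an added example that is not the project's code: the parser is a hypothetical stand-in for the one in configure_identity_center.py, the KEYCLOAK_ADMIN_PASSWORD variable name is an assumption, and the password is a constructed sample.

```python
import argparse
import os

# Constructed sample with a leading dash, shaped like the value in the report.
SAMPLE_PASSWORD = "-+Constructed/Pass+w0rd-"


def build_parser(env):
    # Hypothetical stand-in for the real script's parser.
    parser = argparse.ArgumentParser(prog="configure_identity_center.py")
    # Assumed fallback: take the secret from the environment so it never
    # has to be parsed from (or exposed on) the command line.
    parser.add_argument("--keycloak-admin-password",
                        default=env.get("KEYCLOAK_ADMIN_PASSWORD"))
    return parser


def parse(argv, env=os.environ):
    """Return the parsed password, or None when argparse rejects argv."""
    try:
        return build_parser(env).parse_args(argv).keycloak_admin_password
    except SystemExit:
        # argparse prints the usage error and calls sys.exit(2).
        return None


def safe_argv(password):
    # The '--option=value' form binds the value to the option explicitly,
    # so a leading '-' in the value is not mistaken for another flag.
    return ["--keycloak-admin-password=" + password]


if __name__ == "__main__":
    # Space-separated form: "expected one argument", result is None.
    print("space form :", parse(["--keycloak-admin-password", SAMPLE_PASSWORD]))
    # '=' form: the value is accepted unchanged.
    print("equals form:", parse(safe_argv(SAMPLE_PASSWORD)))
    # Environment form: nothing secret on the command line at all.
    print("env form   :", parse([], {"KEYCLOAK_ADMIN_PASSWORD": SAMPLE_PASSWORD}))
```

A caller that retries this script should treat argparse's exit status 2 as a permanent usage error and stop, since repeating the same argv cannot succeed.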