aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Can not add core Control Tower account to AFT #119

Closed number21 closed 2 years ago

number21 commented 2 years ago

Terraform Version & Provider Versions: Terraform v1.1.7, AFT Version: 1.3.4

terraform version

Terraform v1.1.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v3.75.0
+ provider registry.terraform.io/hashicorp/local v2.2.2
+ provider registry.terraform.io/hashicorp/random v3.1.2
+ provider registry.terraform.io/hashicorp/time v0.7.2

terraform providers

Providers required by configuration:
.
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   ├── provider[registry.terraform.io/hashicorp/local]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_ssm_parameters
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    └── module.aft_iam_roles
        ├── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0, < 4.0.0
        ├── module.ct_management_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 2.7.0
        ├── module.log_archive_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 2.7.0
        ├── module.aft_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 2.7.0
        └── module.audit_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 2.7.0

Providers required by state:

    provider[registry.terraform.io/hashicorp/random]

    provider[registry.terraform.io/hashicorp/local]

    provider[registry.terraform.io/hashicorp/time]

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/archive]

Bug Description: Cannot add the core Control Tower accounts (Management, Log Archive, Audit) to AFT through the account request procedure.

To Reproduce: Steps to reproduce the behavior:

  1. Deploy Control Tower
  2. Deploy AFT
  3. Try an account request for one of the core Control Tower accounts.
  4. See that nothing happens
  5. Go to AWS Lambda - aft-account-request-action-trigger
  6. See in the logs that the request is going to create a new account rather than pick up the existing account.

Expected behavior: You have to be able to add the core Control Tower accounts to AFT; this gives you the possibility to customize the Management account for your needs. In previous versions this was working.

Related Logs:

{ "time_stamp": "2022-03-24 16:05:11,146", "log_level": "INFO", "log_message": "Did not find account with matching email in healthy status in Account Factory" }
{ "time_stamp": "2022-03-24 16:05:11,146", "log_level": "INFO", "log_message": "New account request received" }

Additional context: Entry point in the Lambda: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/2846260c41c62db89cd2c54ae34c9f393e96fb6e/src/aft_lambda/aft_account_request_framework/aft_account_request_action_trigger.py#L44

Function that checks whether the requested account exists: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/2846260c41c62db89cd2c54ae34c9f393e96fb6e/sources/aft-lambda-layer/aft_common/account_request_framework.py#L86

Function that filters the available accounts: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/2846260c41c62db89cd2c54ae34c9f393e96fb6e/sources/aft-lambda-layer/aft_common/account_request_framework.py#L44

opsalex17 commented 2 years ago

It must be a bug because it works perfectly with the AFT released in December (version 1.0.5) for the Management, Audit and Log Archive accounts. The account filtering logic seems to have changed, and as of now it relies on Service Catalog, which causes the issue because the core Control Tower accounts are outside Service Catalog. And the account request is simply going to enroll the account instead of putting it under AFT governance.

We were thinking about an AFT upgrade, but how can we leverage our existing code for Management account customization if the new AFT version can't put this account under AFT governance? Will the latest AFT version break customization of the Management, Audit, and Log Archive accounts? Perhaps there are some workarounds?
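Illustrative routing logic for what the issue body and the comment above describe: a lookup that only consults Account Factory's Service Catalog provisioned products finds nothing for the core accounts (and for vended accounts whose product is unhealthy) and falls through to the "new account" path. This is an added example written for this page, not the AFT project's code; the data classes, the sample accounts, the HEALTHY_STATUSES set and the CORE_ACCOUNT_IDS configuration are all assumptions constructed for the example (a real Lambda would pull the equivalent records from Service Catalog's search_provisioned_products and Organizations' list_accounts).

```python
"""Constructed example: why an account lookup that only consults Account Factory's
Service Catalog provisioned products misroutes a request for a Control Tower core
account. Not the AFT project's code; names and sample data are invented here.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: provisioned-product statuses treated as "healthy" for matching.
HEALTHY_STATUSES = frozenset({"AVAILABLE", "TAINTED"})


@dataclass(frozen=True)
class ProvisionedAccount:
    """One Account Factory provisioned product (what Service Catalog knows about)."""
    email: str
    account_id: str
    status: str


@dataclass(frozen=True)
class OrgAccount:
    """One entry from Organizations ListAccounts (what the organization knows about)."""
    email: str
    account_id: str
    status: str  # ACTIVE or SUSPENDED


# Constructed data: only accounts vended by Account Factory appear in Service Catalog ...
SERVICE_CATALOG_ACCOUNTS = (
    ProvisionedAccount("workload-a@example.com", "111111111111", "AVAILABLE"),
    ProvisionedAccount("workload-b@example.com", "222222222222", "ERROR"),
)

# ... while Organizations lists the three core accounts as well.
ORG_ACCOUNTS = (
    OrgAccount("ct-management@example.com", "999999999999", "ACTIVE"),
    OrgAccount("ct-log-archive@example.com", "888888888888", "ACTIVE"),
    OrgAccount("ct-audit@example.com", "777777777777", "ACTIVE"),
    OrgAccount("workload-a@example.com", "111111111111", "ACTIVE"),
    OrgAccount("workload-b@example.com", "222222222222", "ACTIVE"),
)

# Assumption: the operator supplies the core account IDs out of band (e.g. SSM parameters).
CORE_ACCOUNT_IDS = frozenset({"999999999999", "888888888888", "777777777777"})


def _normalise(email: str) -> str:
    """Match account emails case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def find_healthy_provisioned(
    email: str, provisioned: Iterable[ProvisionedAccount]
) -> Optional[ProvisionedAccount]:
    """Return the healthy Account Factory product with this email, if any."""
    wanted = _normalise(email)
    for product in provisioned:
        if _normalise(product.email) == wanted and product.status in HEALTHY_STATUSES:
            return product
    return None


def route_request_service_catalog_only(
    email: str, provisioned: Iterable[ProvisionedAccount]
) -> str:
    """Behaviour reported in the issue: anything not found is treated as a new account."""
    if find_healthy_provisioned(email, provisioned):
        return "update-existing"
    return "create-new"


def route_request_with_org_check(
    email: str,
    provisioned: Iterable[ProvisionedAccount],
    org_accounts: Iterable[OrgAccount],
    core_ids: frozenset,
) -> str:
    """Variant that consults Organizations before defaulting to account creation.

    An email the organization already knows is never turned into a create request;
    it is classified so the caller can decide what to do with it.
    """
    if find_healthy_provisioned(email, provisioned):
        return "update-existing"
    wanted = _normalise(email)
    for acct in org_accounts:
        if _normalise(acct.email) != wanted:
            continue
        if acct.account_id in core_ids:
            return "core-account"       # exists, but was never vended by Account Factory
        return "existing-unmanaged"     # exists in the org, but no healthy product for it
    return "create-new"
```

The only difference between the two functions is the default: in the first, "not found in Account Factory" and "does not exist" are the same branch, so a core account request silently becomes a create-account request; in the second, the caller learns that the account already exists and is a core account, and can refuse or handle it explicitly.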

adam-daily commented 2 years ago

Hey there, thanks for reaching out. Currently, we don't support the management of CT core accounts in AFT. When we include features in AFT, one important element of that is making sure we cover all aspects of the feature through internal testing, which also includes things like ensuring permission scope is appropriate per our security guidance, making sure there aren't unintended side effects, giving it a logical and friendly user interface, etc. Those steps help us stand behind the feature and make sure we're not putting you at risk or unintentionally breaking AFT when you leverage them.

While AFT may have been successfully able to act upon a CT core account in a previous release, we don't include it as part of the solution contract because we haven't yet done the due diligence to make sure the manner in which it acts is safe and scalable and that including one of those accounts satisfies all the assumptions that AFT has about the nature of the accounts it manages. That said, we're aware that this is a highly requested feature and we're currently investigating official support for it.

YermakovvD commented 2 years ago

Hi @adam-daily! Thanks for the very detailed explanation about further plans! We're also currently looking into the AFT product, and we think it's really powerful as it can help us solve a lot of account management issues. Unfortunately, just a couple of hours ago, we faced this issue too, and we noticed that AFT does not yet support "core" account management. This feature is crucial for us. We are among those looking forward to the start of its support, because it can be a determining factor in the decision to use/not use AFT to create and manage our accounts in Control Tower.

To better understand what we can expect from AFT, we have a few questions: 1) Could you shed some light on this and tell us how far along this feature is on the roadmap and when we can expect it to be released? 2) If the release is still not soon, what will happen if we use an older version where it is supported (based on the comments above)? How difficult will it be to migrate from version 1.0.5 to the newest? Is this migration even possible? (I'm sure it should be on the roadmap because the product is exciting, and I'm sure it's already used by many AWS customers.)

Looking forward to your replies, thanks!

AlbertasG commented 2 years ago

Does anyone have suggestions for how to manage core account guardrails in the meantime? Our main idea was to utilize the AFT Customization pipelines with API Helpers, as the Terraform providers are not yet available.

balltrev commented 2 years ago

We've just released 1.4.0; you can now specify your shared/management accounts in your account request repository, allowing you to manage your shared/management accounts with AFT.

number21 commented 2 years ago

Thank you!

devalibvr commented 1 year ago

@balltrev I'm trying to add the Control Tower management account to "aft-account-request" since I needed to provide alternate contact information. In this process, I already added all Control Tower accounts without any issue (including log-archive), but when I tried to add the CT management account, I received an error relating to the account:PutAlternateContact permission; it seems AFT cannot manage the CT management account. Also, the pipeline was not created and the aft-account-provisioning-framework step function failed because of the following error: An error occurred while executing the state 'run_create_pipeline?' (entered at the event id #34). Invalid path '$.Input.account_provisioning.run_create_pipeline': The choice state's condition path references an invalid value.

I'm sure that aft-alternate-contacts-add-lambda-role has * permission for PutAlternateContact. I asked AWS support and they said that it's not possible to add the CT management account into AFT, and now I found this :D I thought it might be worth asking here instead of support.