aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

AFT Management fails when running customization pipeline when repositories are named differently from defaults #159

Closed mbuotidem closed 2 years ago

mbuotidem commented 2 years ago

Bug Description This bug occurs after AFT was successfully deployed. In the process of vending an account, the account appears to have been successfully vended but the customization pipeline for the newly vended account fails because the role aft-codepipeline-customizations-role expects the customization repositories to end with the suffix aft-*.


The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository 
named aws-aft-account-global-customizations. Update the IAM role permissions, and then try again. 
Error: User: arn:aws:sts::AFT-MGMT-ACCOUNT-ID:assumed-role/aft-codepipeline-customizations-role/16527-RANDOM-ID 
is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:sa-east-1:AFT-MGMT-ACCOUNT-ID
:aws-aft-account-global-customizations because no identity-based policy allows the codecommit:GetBranch action

To Reproduce Steps to reproduce the behavior:

  1. Deploy AFT but set customized repository names for your account customizations that do not begin with aft
  2. Try to vend an account
  3. Account will be vended
  4. However, customization pipeline will fail with error above

Expected behavior The account customization pipeline should run without failing. AFT should handle different repository names gracefully or not offer the option to change the default repository names.

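The failure above is the classic shape of a resource-scoped identity policy meeting a resource it was never written for: the role's Allow statement matches only CodeCommit ARNs with a fixed name pattern, so a repository named outside that pattern gets an implicit deny, and the pipeline only finds out at run time. The script below is an added example, not code from the AFT project or from the issue's author; it shows the up-front check a platform team can run before deploying, by evaluating planned repository ARNs against the policy's resource patterns with IAM's wildcard rules (`*` and `?`, case-sensitive for resources, case-insensitive for action names). The policy document, account ID and repository names are constructed here to mirror the aft-* restriction described in the issue; it is not the real aft-codepipeline-customizations-role policy. Evaluation is simplified (explicit Deny beats Allow, otherwise any matching Allow grants; Condition, NotAction/NotResource, SCPs and resource-based policies are ignored).

```python
"""Pre-deployment check: will an identity-based policy allow the CodeCommit
actions a pipeline role needs on the repositories we plan to create?

Added example, not the AFT project's code. CONSTRUCTED_POLICY below is a
stand-in that mirrors the aft-* scoping described in the issue; the real
role policy may differ.
"""
import re
from typing import Dict, Iterable, List, Union

Patterns = Union[str, List[str]]


def iam_pattern_to_regex(pattern: str, ignore_case: bool = False) -> "re.Pattern[str]":
    """Translate an IAM wildcard pattern into an anchored regex.

    IAM semantics: '*' matches any sequence of characters, '?' matches exactly
    one character, everything else is literal. Action names are matched
    case-insensitively; ARNs (resources) are matched case-sensitively.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def _matches_any(value: str, patterns: Patterns, ignore_case: bool = False) -> bool:
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(iam_pattern_to_regex(p, ignore_case).match(value) for p in patterns)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation for one action/resource pair.

    An explicit Deny that matches wins immediately; otherwise the request is
    allowed only if some Allow statement matches both action and resource.
    Conditions, NotAction/NotResource, SCPs and resource policies are ignored.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt.get("Action", []), ignore_case=True):
            continue
        if not _matches_any(resource_arn, stmt.get("Resource", [])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def repo_arn(region: str, account_id: str, repo_name: str) -> str:
    """CodeCommit repository ARN, same layout as the ARN in the error message."""
    return f"arn:aws:codecommit:{region}:{account_id}:{repo_name}"


def check_repositories(
    policy: dict,
    region: str,
    account_id: str,
    repo_names: Iterable[str],
    actions: Iterable[str] = ("codecommit:GetBranch",),
) -> Dict[str, List[str]]:
    """Return {repo_name: [actions that would be denied]}; an empty list means OK."""
    actions = list(actions)
    report: Dict[str, List[str]] = {}
    for name in repo_names:
        arn = repo_arn(region, account_id, name)
        report[name] = [a for a in actions if not is_allowed(policy, a, arn)]
    return report


# Constructed stand-in for a role policy scoped to aft-* repositories.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GitPull"],
            "Resource": "arn:aws:codecommit:*:*:aft-*",
        }
    ],
}

if __name__ == "__main__":
    # Constructed account ID and repository names; "aws-aft-account-..." is the
    # shape of name that fails in the issue, "aft-..." is the shape that works.
    planned = ["aft-global-customizations", "aws-aft-account-global-customizations"]
    for repo, denied in check_repositories(CONSTRUCTED_POLICY, "sa-east-1", "123456789012", planned).items():
        status = "OK" if not denied else "DENIED: " + ", ".join(denied)
        print(f"{repo}: {status}")
```

Run this against the real role policy (fetched with `aws iam get-role-policy` or `aws iam get-policy-version`) and the repository names from your Terraform variables; any non-empty list is a failure the pipeline would otherwise surface only after the account has already been vended. The same matcher also catches the reverse mistake, a Deny statement whose pattern is broader than intended, which is why explicit Deny is evaluated before any Allow.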

adam-daily commented 2 years ago

Hey Isaac, thanks for bringing this to our attention, I imagine it's frustrating to get that far into deployment and have this fail. Looks like the input validation for that prefix got missed. Just to make sure I understand though, is using the aft- prefix a blocker for your use case, or is it just the inconvenience of finding out something's wrong quite late? Either way, I've taken an item into our backlog to add input validation so at least this gets checked up-front.

mbuotidem commented 2 years ago

No not a blocker for me, just frustrating as you mentioned so I'm hoping to spare some other hapless chap by getting it fixed.

balltrev commented 2 years ago

@mbuotidem AFT 1.5.0 removes this aft-* prefix requirement, thanks for the call out here!