aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
643 stars 445 forks

Field ‘ManagedOrganizationalUnit’ inconsistency when importing a “shared” account in a nested OU #206

Open brhankel opened 2 years ago

brhankel commented 2 years ago

AFT Version: 1.5.0

Terraform Version & Provider Versions

Outputs of terraform version and terraform providers from within the AFT environment:

terraform version

Terraform v1.2.3
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.18.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.3.1
+ provider registry.terraform.io/hashicorp/time v0.7.2

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_ssm_parameters
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    └── module.aft_account_provisioning_framework
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Providers required by state:

    provider[registry.terraform.io/hashicorp/archive]

    provider[registry.terraform.io/hashicorp/random]

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/local]

    provider[registry.terraform.io/hashicorp/time]

Bug Description

Account Factory product requires the ManagedOrganizationalUnit field to be in the format of <ou_name> (<ou_id>) for nested OUs. Customers can now import existing Audit and Logging accounts when deploying Control Tower, and in some cases these could be in a nested OU. When importing these into AFT and using the proper nested OU format, an error will occur.

To Reproduce

Steps to reproduce the behavior:

  1. Have existing Logging and Audit accounts in a nested OU
  2. Deploy Control Tower and reference the existing Audit and Logging accounts
  3. Import these accounts into AFT using the proper format which is <ou_name> (<ou_id>)
  4. See error

Expected behavior

AFT should recognize this as a "shared" account, matching the OU in the format <ou_name> (<ou_id>), and not try to vend the account but go directly to the provisioning framework.

Related Logs

"Invalid Request - AccountEmail already exists in Organization: "

Additional context

Setting ManagedOrganizationalUnit to the name only allows the import of the account to occur.
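The report above describes a matching problem: a request whose ManagedOrganizationalUnit is written in the nested form "<ou_name> (<ou_id>)" is not recognized as one of the shared accounts, so the request falls through to account vending and fails because the e-mail already exists in the Organization. The following Python is an added example, not code from the issue author or from the AFT project: it parses both accepted forms of the field, compares the OU name (and the OU ID when one is given) against a record of the shared accounts, and contrasts that with a naive exact-string comparison that reproduces the symptom. The OU ID pattern, the SHARED_ACCOUNTS table, the e-mail addresses and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Nested-OU reference format described in the issue: "<ou_name> (<ou_id>)".
# Assumption: OU IDs have the AWS Organizations shape
# "ou-" + 4..32 alphanumerics + "-" + 8..32 alphanumerics.
_OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
_NESTED_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<id>ou-[0-9a-z-]+)\)$")


@dataclass(frozen=True)
class OuRef:
    name: str
    ou_id: Optional[str]  # None when the request used the name-only form


def parse_managed_ou(value: str) -> OuRef:
    """Accept both 'Name' (top-level OU) and 'Name (ou-xxxx-xxxxxxxx)' (nested OU)."""
    value = value.strip()
    if not value:
        raise ValueError("ManagedOrganizationalUnit must not be empty")
    m = _NESTED_RE.match(value)
    if m is None:
        # Name-only form. A bare OU ID is rejected so a name and an ID never get mixed up.
        if _OU_ID_RE.match(value):
            raise ValueError("ManagedOrganizationalUnit needs the OU name, not only its ID")
        return OuRef(name=value, ou_id=None)
    ou_id = m.group("id")
    if not _OU_ID_RE.match(ou_id):
        raise ValueError(f"malformed OU ID in ManagedOrganizationalUnit: {ou_id!r}")
    return OuRef(name=m.group("name").strip(), ou_id=ou_id)


# Constructed sample (hypothetical values): the shared accounts Control Tower was
# deployed with, keyed by account e-mail, together with the OU they already live in.
SHARED_ACCOUNTS = {
    "aws-audit@example.com": {"ou_name": "Security", "ou_id": "ou-abcd-11111111"},
    "aws-logs@example.com": {"ou_name": "Security", "ou_id": "ou-abcd-11111111"},
}


def naive_is_shared(email: str, managed_ou: str, shared=SHARED_ACCOUNTS) -> bool:
    """Exact-string comparison of the raw field against the OU name.

    This reproduces the symptom in the report: "Security (ou-abcd-11111111)" never
    equals "Security", so a nested-OU request is treated as a brand-new account.
    """
    rec = shared.get(email.lower())
    return rec is not None and managed_ou == rec["ou_name"]


def is_shared_account(email: str, managed_ou: str, shared=SHARED_ACCOUNTS) -> bool:
    """Shared-account check that parses the field and compares name and, if given, ID."""
    rec = shared.get(email.lower())
    if rec is None:
        return False
    ref = parse_managed_ou(managed_ou)
    if ref.name != rec["ou_name"]:
        return False
    # Name-only form matches on name; nested form must also agree on the OU ID,
    # so a request pointing at a different OU of the same name is not silently accepted.
    return ref.ou_id is None or ref.ou_id == rec["ou_id"]


def route_request(email: str, managed_ou: str, shared=SHARED_ACCOUNTS) -> str:
    """Decide the path for a request: skip vending for shared accounts."""
    if is_shared_account(email, managed_ou, shared):
        return "provisioning-framework"
    return "vend-account"


if __name__ == "__main__":
    for ou in ("Security", "Security (ou-abcd-11111111)"):
        print(ou, "->", "naive:", naive_is_shared("aws-audit@example.com", ou),
              "parsed:", route_request("aws-audit@example.com", ou))
```

Run stand-alone, the script shows the two forms side by side: the naive comparison only recognizes the shared account when the name-only form is used, which is exactly the workaround noted in the report, while the parsing check accepts either form and still rejects a nested reference whose OU ID does not match the recorded one.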

balltrev commented 2 years ago

Thanks for bringing this up @brhankel, we've gone ahead and created a story to address this bug in our backlog.