aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
629 stars 417 forks

AFT does not support changing the secondary region #218

Open fjromerom opened 2 years ago

fjromerom commented 2 years ago

AFT Version: 1.6.2

Terraform Version & Provider Versions

terraform version

Terraform v1.2.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.17.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.2.0
+ provider registry.terraform.io/hashicorp/time v0.7.2

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/random]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    └── module.aft_feature_options
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Providers required by state:
    provider[registry.terraform.io/hashicorp/archive]
    provider[registry.terraform.io/hashicorp/random]
    provider[registry.terraform.io/hashicorp/aws]
    provider[registry.terraform.io/hashicorp/local]
    provider[registry.terraform.io/hashicorp/time]

Bug Description

We have made the decision to change the secondary region of AFT and I receive the following error:

│ Error: error reading S3 Bucket (aft-backend-XXXXXXXX-secondary-region): BucketRegionError: incorrect region, the bucket is not in 'eu-central-1' region at endpoint ''
│       status code: 301, request id: , host id: 
│ 
│   with module.aft.module.aft_backend.aws_s3_bucket.secondary-backend-bucket,
│   on .terraform/modules/aft/modules/aft-backend/main.tf line 80, in resource "aws_s3_bucket" "secondary-backend-bucket":
│   80: resource "aws_s3_bucket" "secondary-backend-bucket" {

It seems the module is passing the region via the provider, and it's unable to find the current S3 bucket in the secondary region.

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/d7699b113f29bd5d2ca8986f8430dabc2a003845/modules/aft-backend/main.tf#L80

This behavior differs from how Terraform usually manages providers, which provides more flexibility.

What is the process to make this change in a safe manner?

To Reproduce

Steps to reproduce the behavior:

  1. Deploy AFT
  2. Change the tf_backend_secondary_region parameter to a different region

Expected behavior

The aft-backend module should support a change in the region. I'm aware I'll need to manually delete all the objects in the S3 bucket, but the module should recreate the resources in the new region afterwards.

Thanks, Francisco

snebhu3 commented 2 years ago

@fjromerom currently AFT does not support change of secondary region after AFT has been deployed. I have gone ahead and created a backlog to potentially support this in future.

As a workaround you could try to manually delete the S3 bucket for the secondary region and wait at least an hour (as AFT will be re-using the same name for bucket creation) before you run the terraform apply with the secondary region change. Please note that we do not test this use case; we would recommend testing in your non-prod / test environment before trying in production.
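
The bug report above (a BucketRegionError because the module looks for the fixed-name bucket in the new region) and the workaround in this comment (empty and delete the old bucket, wait for the name to be reusable, then apply) can be scripted so the region check happens before anything is deleted. The following is an added example written for this thread, not code from the AFT repository or from either commenter. It assumes AWS CLI v2 with credentials for the AFT management account, that the secondary backend bucket is versioned (so every object version and delete marker must go before `delete-bucket` succeeds), and that `tf_backend_secondary_region` has already been changed in your AFT deployment configuration; the bucket name and the backup directory are placeholders. Only the region-parsing and planning helpers are pure; the rest calls AWS.

```shell
#!/bin/sh
# Added example for issue #218 (not part of the aws-ia AFT module).
# Usage: ./migrate-secondary-backend.sh <bucket-name> <desired-region>
set -eu

# get-bucket-location quirks: us-east-1 buckets report LocationConstraint
# null, and old eu-west-1 buckets can report the legacy value "EU".
normalize_bucket_region() {
  case "$1" in
    ""|null|None) echo "us-east-1" ;;
    EU)           echo "eu-west-1" ;;
    *)            echo "$1" ;;
  esac
}

# Parse the JSON printed by `aws s3api get-bucket-location` without jq,
# so this also works on a minimal CI image.
bucket_region_from_json() {
  json=$(printf '%s' "$1" | tr -d '\n')
  if ! printf '%s' "$json" | grep -q '"LocationConstraint"'; then
    echo "unexpected get-bucket-location output: $json" >&2
    return 1
  fi
  if printf '%s' "$json" | grep -q '"LocationConstraint"[[:space:]]*:[[:space:]]*null'; then
    value=""
  else
    value=$(printf '%s' "$json" | sed -n 's/.*"LocationConstraint"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  normalize_bucket_region "$value"
}

# A bucket cannot be moved between regions and AFT fixes the name, so a
# region change means delete-and-recreate; anything else is a no-op.
migration_plan() {
  if [ "$1" = "$2" ]; then echo "noop"; else echo "recreate"; fi
}

# Delete every object version and delete marker, 1000 per request (the
# delete-objects limit). --region must be the bucket's real region or S3
# answers with the same 301 redirect seen in the issue.
empty_versioned_bucket() {
  bucket="$1"; region="$2"
  for field in Versions DeleteMarkers; do
    while :; do
      payload=$(aws s3api list-object-versions --bucket "$bucket" --region "$region" \
        --max-keys 1000 --output json \
        --query "{Objects: ${field}[].{Key: Key, VersionId: VersionId}}")
      if printf '%s' "$payload" | grep -Eq '"Objects": (null|\[\])'; then break; fi
      aws s3api delete-objects --bucket "$bucket" --region "$region" \
        --delete "$payload" >/dev/null
    done
  done
}

main() {
  bucket="$1"; desired="$2"
  current=$(bucket_region_from_json "$(aws s3api get-bucket-location --bucket "$bucket" --output json)")
  plan=$(migration_plan "$current" "$desired")
  echo "bucket $bucket is in $current, desired $desired: $plan"
  [ "$plan" = "recreate" ] || return 0

  # The bucket holds copies of Terraform state: keep a local snapshot first.
  aws s3 sync "s3://$bucket" "./backup-$bucket" --region "$current"
  empty_versioned_bucket "$bucket" "$current"
  aws s3api delete-bucket --bucket "$bucket" --region "$current"

  # A freshly deleted name is not immediately reusable even once head-bucket
  # returns 404; the maintainer's advice is to wait at least an hour.
  wait="${AFT_BUCKET_REUSE_WAIT:-3600}"
  echo "deleted $bucket; sleeping ${wait}s before terraform apply"
  sleep "$wait"
  terraform apply
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it from the directory that holds your AFT root module after updating `tf_backend_secondary_region`, and try it against a non-production AFT deployment first, as the maintainer recommends. Setting `AFT_BUCKET_REUSE_WAIT` lower is only useful for experimentation; if `terraform apply` still fails on bucket creation, the name has not been released yet and a later re-run of `terraform apply` is the fix, not a manual workaround.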

fjromerom commented 2 years ago

Deleting the S3 Bucket worked fine.

Thanks for your input!