aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Execute account customization pipeline automatically when the account_customizations_name field is changed #258

Open vinelias opened 1 year ago

vinelias commented 1 year ago

Terraform Version & Prov: 1.2.8

AFT Version: 1.6.4 (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Terraform Version & Provider Versions Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.2.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.33.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.8.0

Your version of Terraform is out of date! The latest version
is 1.3.1. You can update by downloading from https://www.terraform.io/downloads.html

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft_pipeline
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_service_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_exec_role
    │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    └── module.aft_ssm_parameters
        ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        └── provider[registry.terraform.io/hashicorp/random]

Bug Description When I change the account_customizations_name parameter in an account request file (.tf) in the aft-account-request repo, the customizations-pipeline for this account is not triggered.

To Reproduce Steps to reproduce the behavior:

  1. Go to an account request file (.tf) into aft-account-request repository
  2. Change the account_customizations_name to another customization in aft-account-customizations repository
  3. Commit and push
  4. See the ct-aft-account-request pipeline execution and then the aft-account-provisioning-framework step function execution
  5. At the end, the -customizations-pipeline pipeline will not be executed

Expected behavior What is occurring is the step function aft-account-provisioning-framework is being triggered which has a step to "rebuild" the pipeline but it does not execute the pipeline since no pipeline parameters have changed only the payload. I can force this to run with step function aft-invoke-customizations, but I think the account customizations pipeline should be automatically triggered in this case.

stumins commented 1 year ago

Hi @vinelias,

This is the expected behavior of AFT. To invoke customization runs against accounts, you should use the aft-invoke-customizations step function.

I've created a backlog item to explore adding a way to configure account pipelines to auto-invoke after a customization change.
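The workaround above (invoking aft-invoke-customizations yourself when account_customizations_name changes) can be scripted. This is an added example, not code from the AFT project: it diffs two revisions of the account request values, builds the Step Functions input in the `{"include": [{"type": "accounts", "target_value": [...]}]}` shape the AFT README documents for re-invoking customizations, and starts the execution through any client with a boto3-style `start_execution` method. The account IDs, names and ARN are constructed sample values.

```python
import json
import re

# AWS account IDs are exactly 12 digits; reject anything else before it reaches IAM/SFN.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def changed_customizations(before, after):
    """before/after map account_id -> account_customizations_name for two revisions
    of aft-account-request. Returns the sorted account IDs whose customization
    name changed or was newly set (removed accounts are not re-invoked)."""
    changed = []
    for acct, name in after.items():
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"invalid account id: {acct!r}")
        if before.get(acct) != name:
            changed.append(acct)
    return sorted(changed)


def build_invoke_input(account_ids):
    """Build the aft-invoke-customizations input (README format); None if nothing to do."""
    if not account_ids:
        return None
    return {"include": [{"type": "accounts", "target_value": list(account_ids)}]}


def reinvoke_customizations(sfn_client, state_machine_arn, before, after):
    """Start one aft-invoke-customizations execution covering every changed account.
    sfn_client only needs a boto3-compatible start_execution(); returns the executionArn
    or None when no account changed, so a no-op commit never starts a pipeline."""
    payload = build_invoke_input(changed_customizations(before, after))
    if payload is None:
        return None
    resp = sfn_client.start_execution(
        stateMachineArn=state_machine_arn, input=json.dumps(payload)
    )
    return resp["executionArn"]


if __name__ == "__main__":
    # Constructed sample: one account switched from "baseline" to "sandbox".
    class FakeSfn:  # stand-in for boto3.client("stepfunctions") when run offline
        def start_execution(self, **kw):
            print("would start", kw["stateMachineArn"], "with", kw["input"])
            return {"executionArn": "arn:constructed:execution"}

    before = {"123456789012": "baseline", "210987654321": "baseline"}
    after = {"123456789012": "sandbox", "210987654321": "baseline"}
    arn = "arn:aws:states:us-east-1:111111111111:stateMachine:aft-invoke-customizations"
    print(reinvoke_customizations(FakeSfn(), arn, before, after))
```

Run it from the AFT management account with `boto3.client("stepfunctions")` in place of `FakeSfn`; the caller needs only `states:StartExecution` on that one state machine.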

tb102122 commented 2 months ago

@stumins any update on this issue? I have noticed that the variable customizations_trigger_state_machine_arn is passed into the state but never used. I think the easy solution would be to add a state machine call after the step https://github.com/tb102122/terraform-aws-control_tower_account_factory/blob/dc3eb7ce8ceb6e71d935431b164805b9facf270d/modules/aft-account-provisioning-framework/states/aft_account_provisioning_framework.asl.json#L133. What do you think?

Where else is the state aft_invoke_customizations_sfn triggered? I can't find any reference in the documentation or code.

tb102122 commented 2 months ago

Where else is the state aft_invoke_customizations_sfn triggered? I can't find any reference in the documentation or code.

Sorry, forget the last part, I just found it: Re-invoke customizations.