aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Expand Jinja variables for Control Tower management account #321

Closed ryanash999 closed 1 year ago

ryanash999 commented 1 year ago

Describe the outcome you'd like

It is often useful within global or account customizations to interact with the Control Tower management account. To create a provider within the existing aft-providers.jinja we need the CT management account id to be available. It is already set in SSM, it just needs to be pulled and passed into Jinja.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

I've run into this situation with multiple AFT implementations when trying to interact with CT mgmt account as part of a customization.

Additional context

Update these two files:

- aft-account-customizations-terraform.yml
- aft-global-customizations-terraform.yml

Example to insert:

```yaml
- CT_MGMT_ACCOUNT=$(aws ssm get-parameter --name "/aft/account/ct-management/account-id" --query "Parameter.Value" --output text)
```

Ensure it is passed into Jinja:

```shell
for f in *.jinja; do
  jinja2 "$f" \
    -D timestamp="$TIMESTAMP" \
    -D tf_distribution_type="$TF_DISTRIBUTION" \
    -D provider_region="$CT_MGMT_REGION" \
    -D ct_management_account="$CT_MGMT_ACCOUNT" \
    -D region="$TF_BACKEND_REGION" \
    -D aft_admin_role_arn="$AFT_EXEC_ROLE_ARN" \
    -D target_admin_role_arn="$VENDED_EXEC_ROLE_ARN" \
    -D bucket="$TF_S3_BUCKET" \
    -D key="$TF_S3_KEY" \
    -D dynamodb_table="$TF_DDB_TABLE" \
    -D kms_key_id="$TF_KMS_KEY_ID" \
    >> "./$(basename "$f" .jinja).tf"
done
```
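An added example (not the project's own buildspec code) that wraps the steps above and adds the check a practitioner would want: the id pulled from SSM is validated as a 12-digit account id before it is handed to jinja2, so a failed or empty lookup fails the build instead of rendering a provider with a blank account id. The helper names and the `--run` flag are assumptions.

```shell
# Added example, not code from the AFT project: fetch the Control Tower management
# account id from the SSM parameter named in the issue and validate it before it is
# rendered into any provider template. An empty or malformed value (for example from
# a failed `aws ssm get-parameter` call) must fail the build rather than render a
# provider that points at no account or the wrong one.
set -eu

# Returns 0 when the value is a well-formed AWS account id (exactly 12 digits).
is_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Reads the id from SSM; AFT stores it at /aft/account/ct-management/account-id.
fetch_ct_mgmt_account() {
  aws ssm get-parameter --name "/aft/account/ct-management/account-id" \
    --query "Parameter.Value" --output text
}

# Builds the extra `-D` argument for the jinja2 CLI call used in the buildspec.
# Prints it on one line; the caller word-splits it (the value contains no spaces).
jinja_args_for() {
  is_account_id "$1" || {
    echo "refusing to render templates: bad CT management account id '$1'" >&2
    return 1
  }
  printf -- '-D ct_management_account=%s\n' "$1"
}

# Renders every *.jinja in the current directory into a matching .tf file.
# The other -D variables from the AFT buildspec would be added on the jinja2 line.
render_templates() {
  extra_args=$(jinja_args_for "$1") || return 1
  for f in *.jinja; do
    [ -e "$f" ] || continue   # no templates present: nothing to render
    # shellcheck disable=SC2086  (intentional word splitting of $extra_args)
    jinja2 "$f" $extra_args >> "./$(basename "$f" .jinja).tf"
  done
}

# Stand-alone use inside the buildspec: pass --run to fetch from SSM and render.
if [ "${1:-}" = "--run" ]; then
  render_templates "$(fetch_ct_mgmt_account)"
fi
```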

Flydiverny commented 1 year ago

As a workaround you could use something similar to https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/128#issuecomment-1452293747 to inject additional variables into the jinja templates using pre-api-helpers :)

hsdp-smulford commented 1 year ago

There's already a profile in the aws credentials file for the management account, as seen here: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/624c0ccf7a777b18f6533de1c0462f5dbe558381/modules/aft-customizations/buildspecs/aft-create-pipeline.yml#L70

so just create a simple provider and you'll be able to access the mgmt account:

```hcl
provider "aws" {
  alias   = "management_profile"
  profile = "aft-management-admin"
}
```

ryanash999 commented 1 year ago

Thanks - never knew those profiles were available. Great solution.