aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

aft-account-request-action-trigger should check for tainted SC provisioned product #331

Closed wellsiau-aws closed 1 year ago

wellsiau-aws commented 1 year ago

Terraform Version & Prov: n/a

AFT Version: 1.6.2

Bug Description: When trying to import an existing AWS account into AFT, one might stumble upon an issue where the relevant AWS Service Catalog (SC) provisioned product (AWS Control Tower Account Factory product) for the particular account was tainted.

While the reason that the SC provisioned product for the account factory was tainted is beyond the scope of AFT's responsibility, the error message provided by AFT is not accurate.

Specifically, aft-account-request-processor reported that the email address is already in use, hinting that AFT is trying to create a new account instead of importing the existing account.

{
    "time_stamp": "2023-03-22 00:54:49,426",
    "log_level": "ERROR",
    "log_message": "Account Email: REDACTED already used in Organizations"
}

The actual issue happened upstream in aft-account-request-action-trigger when it tries to check for an existing provisioned product. The function provisioned_product_exists only checks for healthy provisioned products. The lambda log provides INFO level messages such as:

{
    "time_stamp": "2023-03-22 00:50:18,102",
    "log_level": "INFO",
    "log_message": "Did not find account with matching email in healthy status in Account Factory"
}

This small hint can easily be missed during troubleshooting and should be refined by throwing an error when the same email address is found on an unhealthy provisioned product.

To Reproduce: Steps to reproduce the behavior:

  1. Find an existing CT managed account where the provisioned product in Service Catalog is unhealthy
  2. Import the account to AFT
  3. Inspect both aft-account-request-action-trigger and aft-account-request-processor

Expected behavior: I believe AFT should prevent any attempt to import an account if the underlying SC provisioned product is unhealthy. However, AFT should provide a better error message to assist the user in identifying the problem.

AFT should also check for unhealthy provisioned products and provide a warning if the same email address is currently in use.

Related Logs: See above

Additional context: n/a

wellsiau-aws commented 1 year ago

I think version 1.7.x or higher solved this problem. I failed to notice that aft_sc_product_allowed_status includes both "AVAILABLE" and "TAINTED" products.

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/1.9.2/sources/aft-lambda-layer/aft_common/account_request_framework.py#L62-L67
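The two posts above describe the same lookup from both sides: the original report (an existence check that only accepted healthy products, so a tainted product fell through to the create-account path and surfaced as an "email already used" error) and the resolution (an allowed-status set that includes both AVAILABLE and TAINTED). The following is an added illustration of that logic, not AFT's own code: the product records are a simplified, constructed stand-in for what a Service Catalog lookup would return (the real module queries the Service Catalog API, which is not reproduced here), and the record fields, function names and the "create_new / import_existing / tainted_existing" outcomes are this example's own assumptions.

```python
"""Illustrative existence check for a Control Tower account-factory
provisioned product, keyed by account email and filtered by status.

Added example, not AFT's code. The ProvisionedProduct shape and the
SAMPLE_PRODUCTS list are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Service Catalog provisioned-product status values (AWS documented set).
# A "healthy-only" check, as in the original report, accepts just AVAILABLE.
HEALTHY_STATUSES: FrozenSet[str] = frozenset({"AVAILABLE"})
# AFT 1.7.x+ treats AVAILABLE and TAINTED as "already provisioned"
# (aft_sc_product_allowed_status); this set mirrors that choice.
ALLOWED_STATUSES: FrozenSet[str] = frozenset({"AVAILABLE", "TAINTED"})


@dataclass(frozen=True)
class ProvisionedProduct:
    name: str           # assumed: provisioned product name
    status: str         # AVAILABLE | UNDER_CHANGE | TAINTED | ERROR | PLAN_IN_PROGRESS
    account_email: str  # assumed: value of the AccountEmail provisioning parameter


class TaintedProvisionedProductError(Exception):
    """Raised when the only match for an email is an unhealthy product."""


def find_by_email(products: Iterable[ProvisionedProduct], email: str,
                  allowed_statuses: FrozenSet[str]) -> Optional[ProvisionedProduct]:
    """First product whose email matches (case-insensitive, trimmed) and
    whose status is in allowed_statuses; None if nothing qualifies."""
    wanted = email.strip().lower()
    for product in products:
        if (product.account_email.strip().lower() == wanted
                and product.status in allowed_statuses):
            return product
    return None


def provisioned_product_exists(products: Iterable[ProvisionedProduct], email: str) -> bool:
    """Existence check in the 1.7.x+ spirit: a TAINTED product still counts,
    so the request is routed to the import path instead of create-account
    (which would only fail later with 'email already used in Organizations')."""
    return find_by_email(products, email, ALLOWED_STATUSES) is not None


def classify_import(products: Iterable[ProvisionedProduct], email: str) -> str:
    """Decide how an account request for `email` should be handled.

    "import_existing"  - a healthy product exists for this email
    "tainted_existing" - only an unhealthy (TAINTED) product exists
    "create_new"       - no product in the allowed statuses matches
    """
    products = list(products)
    if find_by_email(products, email, HEALTHY_STATUSES):
        return "import_existing"
    if find_by_email(products, email, ALLOWED_STATUSES):
        return "tainted_existing"
    return "create_new"


def assert_importable(products: Iterable[ProvisionedProduct], email: str) -> str:
    """The clearer failure the report asks for: name the tainted product
    explicitly instead of letting the request fall through."""
    products = list(products)
    decision = classify_import(products, email)
    if decision == "tainted_existing":
        match = find_by_email(products, email, ALLOWED_STATUSES)
        raise TaintedProvisionedProductError(
            f"Provisioned product {match.name} for {email} is {match.status}; "
            "repair it in Service Catalog before importing the account")
    return decision


# Constructed sample data: one healthy product, one tainted, one in ERROR.
SAMPLE_PRODUCTS = [
    ProvisionedProduct("acct-healthy", "AVAILABLE", "ok@example.com"),
    ProvisionedProduct("acct-tainted", "TAINTED", "tainted@example.com"),
    ProvisionedProduct("acct-broken", "ERROR", "broken@example.com"),
]

if __name__ == "__main__":
    for addr in ("ok@example.com", "Tainted@Example.com", "new@example.com"):
        print(addr, "->", classify_import(SAMPLE_PRODUCTS, addr))
    try:
        assert_importable(SAMPLE_PRODUCTS, "tainted@example.com")
    except TaintedProvisionedProductError as exc:
        print("error:", exc)
```

Note the deliberate edge case in the sample data: a product in ERROR status is in neither set, so `classify_import` returns "create_new" for it, exactly the silent fall-through the issue describes; widening the allowed set (or raising on any non-allowed match) is a policy choice for the operator, not something this example decides.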

snebhu3 commented 1 year ago

Thank you for reaching out @wellsiau-aws. I will go ahead and close the issue.