Closed wellsiau-aws closed 1 year ago
I think ver 1.7.x or higher solved this problem. I failed to notice that aft_sc_product_allowed_status
includes "AVAILABLE" and "TAINTED" product.
Thank you for reaching out @wellsiau-aws . I will go ahead and close the issue.
Terraform Version & Prov: n/a
AFT Version: 1.6.2
Bug Description
When trying to import an existing AWS account into AFT, one might stumble upon an issue where the relevant AWS Service Catalog (SC) provisioned product (AWS Control Tower Account Factory product) for that particular account is tainted.
While the reason the SC provisioned product for the account factory was tainted is beyond the scope of AFT's responsibility, the error message provided by AFT is not accurate.
Specifically, aft-account-request-processor reported that the email address is already in use, hinting that AFT is trying to create a new account instead of importing the existing account. The actual issue happened upstream in aft-account-request-action-trigger when it tries to check for an existing provisioned product. The function provisioned_product_exists only checks for healthy provisioned products. The lambda log provides INFO level messages as such:
This small hint can be easily missed during troubleshooting and should be refined by throwing an error when the same email address is found on a batch of unhealthy provisioned products.
To Reproduce
Steps to reproduce the behavior:
aft-account-request-action-trigger and aft-account-request-processor
Expected behavior
I believe AFT should prevent any attempt to import an account if the underlying SC provisioned product is unhealthy. However, AFT should provide a better error message to assist the user in identifying the problem.
AFT should also check for unhealthy provisioned products and provide a warning if the same email address is currently in use.
Related Logs
See above
Additional context
n/a
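The status-filtering behaviour discussed in this issue, as an added illustration that is not AFT's own code: an existence check that only accepts healthy products misses a TAINTED product holding the same email, so the request falls through to account creation; widening the allowed statuses (as the closing comment says later versions do) and reporting unhealthy matches explicitly gives an accurate error instead. The record shape (`Name`, `Status`, `AccountEmail`) and the sample listing are constructed assumptions, not the real Service Catalog API response.

```python
# Added example, not AFT code. Records are a constructed simplification of a
# Service Catalog provisioned-product listing; AccountEmail is an assumed field.
AVAILABLE, TAINTED, ERROR = "AVAILABLE", "TAINTED", "ERROR"

# Only healthy products count as existing: the bug described in the issue.
ALLOWED_STATUS_BEFORE = {AVAILABLE}
# TAINTED also counts as existing (the aft_sc_product_allowed_status behaviour
# the closing comment attributes to AFT 1.7.x and later).
ALLOWED_STATUS_AFTER = {AVAILABLE, TAINTED}

# Constructed sample listing: one healthy, one tainted, one errored product.
SAMPLE_PRODUCTS = [
    {"Name": "account-alpha", "Status": AVAILABLE, "AccountEmail": "alpha@example.com"},
    {"Name": "account-beta", "Status": TAINTED, "AccountEmail": "beta@example.com"},
    {"Name": "account-gamma", "Status": ERROR, "AccountEmail": "gamma@example.com"},
]


def provisioned_product_exists(email, products, allowed_status):
    """True if a product with this email is in one of the allowed statuses."""
    return any(p["AccountEmail"] == email and p["Status"] in allowed_status
               for p in products)


def unhealthy_products_for(email, products, allowed_status):
    """Names of products holding this email whose status is NOT allowed."""
    return sorted(p["Name"] for p in products
                  if p["AccountEmail"] == email and p["Status"] not in allowed_status)


def classify_request(email, products, allowed_status):
    """Decide what an import/create request should do for this email.

    Returns "import" when a usable product exists, "reject" when the email is
    held only by an unhealthy product (the case the issue asks to surface with
    an accurate message), and "create" when no product uses the email.
    """
    if provisioned_product_exists(email, products, allowed_status):
        return "import"
    if unhealthy_products_for(email, products, allowed_status):
        return "reject"
    return "create"


if __name__ == "__main__":
    for status in (ALLOWED_STATUS_BEFORE, ALLOWED_STATUS_AFTER):
        for email in ("alpha@example.com", "beta@example.com", "gamma@example.com", "new@example.com"):
            print(sorted(status), email, classify_request(email, SAMPLE_PRODUCTS, status),
                  unhealthy_products_for(email, SAMPLE_PRODUCTS, status))
```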