aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

State machine "aft-invoke-customizations" fails with SUSPENDED accounts #336

Closed vaspoz closed 1 year ago

vaspoz commented 1 year ago

AFT Version: 1.9.2

Terraform Version & Provider Versions

Terraform v1.4.2
on windows_386
+ provider registry.terraform.io/hashicorp/aws v4.61.0

Bug Description

To Reproduce Steps to reproduce the behavior:

  1. Run the state machine with input:
     {
       "include": [
         {
           "type": "all"
         }
       ]
     }
  2. Make sure one of the aft accounts is suspended.
  3. Observe the State Machine fails in the first stage Identify Targets with error message:
     {
       "Error": "Exception",
       "Cause": "{\"errorMessage\": \"Account XXXXX@XXX.XX  not found in aft-request\", \"errorType\": \"Exception\", \"requestId\": \"232f6875-647e-4bca-aa85-4141d5b3139d\", \"stackTrace\": [\"  File \\\"/var/task/aft_customizations_identify_targets.py\\\", line 82, in lambda_handler\\n    account_request = get_account_request_record(\\n\", \"  File \\\"/opt/python/lib/python3.9/site-packages/aft_common/account_request_framework.py\\\", line 400, in get_account_request_record\\n    raise Exception(f\\\"Account {request_table_id}  not found in {table_name}\\\")\\n\"]}"
     }

Expected behavior SUSPENDED accounts should not be taken into the process.

Additional context As a part of the function get_all_aft_account_ids (in utils), the process scans all items from the aft-request-metadata table, where some items have status Suspended:

sources/aft-lambda-layer/aft_common/aft_utils.py
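To make the failure mode concrete, here is an added example (not AFT's own code) that models the Identify Targets step with in-memory stand-ins for the aft-request-metadata and aft-request tables; the item keys ("id", "account_id", "status"), the helper names and the sample records are assumptions, not AFT's real schema. With the strict lookup it reproduces the "not found in aft-request" exception; with status filtering it skips SUSPENDED accounts and any account lacking a request record instead of aborting the whole run.

```python
# Added example, not AFT's own code. Table layouts and item keys are
# assumptions modelled on the issue text, not AFT's real schema.
import logging
from typing import Dict, List, Tuple

log = logging.getLogger(__name__)

# Constructed sample scan of aft-request-metadata: one account is suspended.
AFT_REQUEST_METADATA = [
    {"id": "dev@example.com", "account_id": "111111111111", "status": "ACTIVE"},
    {"id": "old@example.com", "account_id": "222222222222", "status": "Suspended"},
    {"id": "qa@example.com", "account_id": "333333333333", "status": "ACTIVE"},
]
# Constructed aft-request table keyed by request id (the account email, as in
# the error text). The suspended account has no request record any more.
AFT_REQUEST = {
    "dev@example.com": {"control_tower_parameters": {"AccountEmail": "dev@example.com"}},
    "qa@example.com": {"control_tower_parameters": {"AccountEmail": "qa@example.com"}},
}


def get_account_request_record(request_table_id: str) -> Dict:
    """Strict lookup, mirroring the stack trace: raise when the record is absent."""
    record = AFT_REQUEST.get(request_table_id)
    if record is None:
        raise Exception(f"Account {request_table_id} not found in aft-request")
    return record


def identify_targets(metadata_items: List[Dict], skip_statuses=("SUSPENDED",),
                     strict: bool = False) -> Tuple[List[str], List[str]]:
    """Return (target account ids, skipped account ids).

    Accounts whose metadata status is in skip_statuses (compared
    case-insensitively) are dropped before the aft-request lookup. A missing
    request record is logged and skipped unless strict=True, which keeps the
    original abort-the-run behaviour from the report."""
    targets, skipped = [], []
    for item in metadata_items:
        if str(item.get("status", "")).upper() in skip_statuses:
            log.warning("skipping %s: status %s", item["account_id"], item["status"])
            skipped.append(item["account_id"])
            continue
        try:
            get_account_request_record(item["id"])
        except Exception as exc:
            if strict:
                raise
            log.warning("skipping %s: %s", item["account_id"], exc)
            skipped.append(item["account_id"])
            continue
        targets.append(item["account_id"])
    return targets, skipped
```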

hanafya commented 1 year ago

Hey @vaspoz!

Thank you for bringing this to our attention! I have cut a feature request in our backlog to address this item.

As a workaround you can remove this account from AFT using these steps, which will prevent it from being returned when identifying targets: https://docs.aws.amazon.com/controltower/latest/userguide/aft-remove-account.html

In addition, you can also exclude that account when passing the input to the aft-invoke-customizations AWS Step Function. Please see https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html#aft-re-invoke-customizations

vaspoz commented 1 year ago

OK, thanks, I'll check the workarounds.