Closed mrl045 closed 1 year ago
balltrev
commented
1 year ago Hey @mrl045, we're unable to reproduce this issue in our testing environments.
Can you confirm you've followed the post-deployment steps? If you have and are still experiencing issues, I recommend reaching out to AWS Premium Support to better deep dive your deployment to understand what may be causing the issue for you.
mrl045
commented
1 year ago Hi @balltrev, I've followed the post-deployment steps. The four repositories are created by the Terraform module.
module "control_tower_account_factory" {
source = "aws-ia/control_tower_account_factory/aws"
version = "1.10.3"
# Account Setup
aft_management_account_id = "x"
audit_account_id = "x"
log_archive_account_id = "x"
ct_management_account_id = "x"
ct_home_region = "eu-central-1"
tf_backend_secondary_region = "eu-west-1"
# Optional Parameters
terraform_distribution = "tfc"
vcs_provider = "codecommit"
terraform_org_name = "x"
terraform_token = "x"
# Optional Feature Flags
aft_feature_delete_default_vpcs_enabled = true
aft_feature_cloudtrail_data_events = true
aft_feature_enterprise_support = false
}
After the trigger on the account-request repository it triggers a build. This build always fails with this setup.
unless if I add the two build command in the buildpsec I've mentioned. Its in full detail below
# Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
version: 0.2
phases:
pre_build:
commands:
- DEFAULT_PATH=$(pwd)
- TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
- AWS_MODULE_SOURCE=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-url" --query "Parameter.Value" --output text)
- AWS_MODULE_GIT_REF=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-git-ref" --query "Parameter.Value" --output text)
- TF_VERSION=$(aws ssm get-parameter --name "/aft/config/terraform/version" --query "Parameter.Value" --output text)
- TF_DISTRIBUTION=$(aws ssm get-parameter --name "/aft/config/terraform/distribution" --query "Parameter.Value" --output text)
- CT_MGMT_REGION=$(aws ssm get-parameter --name "/aft/config/ct-management-region" --query "Parameter.Value" --output text)
- AFT_MGMT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
- AFT_EXEC_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/AWSAFTExecution
- AFT_ADMIN_ROLE_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-administrator-role-name | jq --raw-output ".Parameter.Value")
- AFT_ADMIN_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
- ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
- |
ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
if [[ $ssh_key_parameter != "None" ]]; then
ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
mkdir -p ~/.ssh
echo "Host *" >> ~/.ssh/config
echo "StrictHostKeyChecking no" >> ~/.ssh/config
echo "UserKnownHostsFile=/dev/null" >> ~/.ssh/config
echo "$ssh_key" > ~/.ssh/ssh_key
echo -e "\n\n" >> ~/.ssh/ssh_key
chmod 600 ~/.ssh/ssh_key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/ssh_key
fi
- git config --global credential.helper '!aws codecommit credential-helper $@'
- git config --global credential.UseHttpPath true
- git clone -b $AWS_MODULE_GIT_REF $AWS_MODULE_SOURCE aws-aft-core-framework
- python3 -m venv ./venv
- source ./venv/bin/activate
- pip install jinja2-cli==0.7.0 Jinja2==3.0.1 MarkupSafe==2.0.1 boto3==1.18.56 requests==2.26.0
- |
if [ $TF_DISTRIBUTION = "oss" ]; then
TF_BACKEND_REGION=$(aws ssm get-parameter --name "/aft/config/oss-backend/primary-region" --query "Parameter.Value" --output text)
TF_KMS_KEY_ID=$(aws ssm get-parameter --name "/aft/config/oss-backend/kms-key-id" --query "Parameter.Value" --output text)
TF_DDB_TABLE=$(aws ssm get-parameter --name "/aft/config/oss-backend/table-id" --query "Parameter.Value" --output text)
TF_S3_BUCKET=$(aws ssm get-parameter --name "/aft/config/oss-backend/bucket-id" --query "Parameter.Value" --output text)
TF_S3_KEY=account-request/terraform.tfstate
cd /tmp
echo "Installing Terraform"
curl -o terraform_${TF_VERSION}_linux_amd64.zip https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
unzip -o terraform_${TF_VERSION}_linux_amd64.zip && mv terraform /usr/bin
terraform --version
cd $DEFAULT_PATH/terraform
for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D tf_distribution_type=$TF_DISTRIBUTION -D provider_region=$CT_MGMT_REGION -D region=$TF_BACKEND_REGION -D bucket=$TF_S3_BUCKET -D key=$TF_S3_KEY -D dynamodb_table=$TF_DDB_TABLE -D kms_key_id=$TF_KMS_KEY_ID -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN >> ./$(basename $f .jinja).tf; done
for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
JSON=$(aws sts assume-role --role-arn ${AFT_ADMIN_ROLE_ARN} --role-session-name ${ROLE_SESSION_NAME})
#Make newly assumed role default session
export AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]")
export AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]")
export AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]")
terraform init -no-color
else
TF_ORG_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/org-name" --query "Parameter.Value" --output text)
TF_TOKEN=$(aws ssm get-parameter --name "/aft/config/terraform/token" --with-decryption --query "Parameter.Value" --output text)
TF_ENDPOINT=$(aws ssm get-parameter --name "/aft/config/terraform/api-endpoint" --query "Parameter.Value" --output text)
TF_WORKSPACE_NAME="ct-aft-account-request"
TF_CONFIG_PATH="./temp_configuration_file.tar.gz"
**mkdir -p $DEFAULT_PATH/terraform
mv *.tf *.jinja modules $DEFAULT_PATH/terraform**
cd $DEFAULT_PATH/terraform
for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D provider_region=$CT_MGMT_REGION -D tf_distribution_type=$TF_DISTRIBUTION -D terraform_org_name=$TF_ORG_NAME -D terraform_workspace_name=$TF_WORKSPACE_NAME -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN >> ./$(basename $f .jinja).tf; done
for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
cd $DEFAULT_PATH
tar --verbose -czf temp_configuration_file.tar.gz -C terraform --exclude .git --exclude venv .
python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py --operation "deploy" --organization_name $TF_ORG_NAME --workspace_name $TF_WORKSPACE_NAME --assume_role_arn $AFT_ADMIN_ROLE_ARN --assume_role_session_name $ROLE_SESSION_NAME --api_endpoint $TF_ENDPOINT --api_token $TF_TOKEN --terraform_version $TF_VERSION --config_file $TF_CONFIG_PATH
fi
build:
commands:
- |
if [ $TF_DISTRIBUTION = "oss" ]; then
terraform apply -no-color --auto-approve
fi
post_build:
commands:
- echo "Post-Build"
Terraform Cloud with 0.15.5
AFT Version: 1.10.3 with CodeDeploy VCS
tar: terraform: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
in file modules/aft-code-repositories/buildspecs/cf-aft-account-requests.yml
Should add the following build steps to make it work:
on line 68 mkdir -p $DEFAULT_PATH/terraform mv .tf .jinja modules $DEFAULT_PATH/terraform