aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Account tags are not updated properly when tag is removed #370

Closed kstadnik-aws closed 11 months ago

kstadnik-aws commented 1 year ago

AFT Version: 1.10.3

Terraform Version & Provider Versions

Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.4.6 
on linux_amd64

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft_pipeline
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    └── module.aft_account_provisioning_framework
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Bug Description

When performing an update to the account_tags property (aft-account-requests repository) by removing the tag from the dictionary, the tag is not removed as a result. All other updates, such as adding a tag or changing a value for an existing tag, are working properly. The reason is in the nature of the Organizations API call tag_resource that the Lambda function aft-account-provisioning-framework-tag-account performs. This call can only create a new tag or update an existing one, but not remove a tag you didn't provide.

To Reproduce

Steps to reproduce the behavior:

  1. Go to the aft-account-requests repository.
  2. Update account_tags property by adding one new tag, updating one of the existing tags, and removing one.
  3. Make a commit, wait for the AFT to perform an update.
  4. Go to the management account -> Organizations -> select the account for which you performed changes.
  5. Notice that one tag was updated, one tag was added, other tags are left unchanged, however one tag was not removed and it's still there.

Expected behavior

You should see that one tag was removed, one tag was updated, one tag was added, and other tags are left unchanged.

Additional context

A potential solution could be to find the difference between the tags you provided (the tags you want to see at the end) and the existing tags, find the ones that should be removed, and remove them by performing an untag-resource Organizations API call.
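The reconcile logic the report describes, written out as an added example; this is not AFT's own code and not the tag-account Lambda. It assumes a client exposing the boto3 Organizations methods `list_tags_for_resource`, `tag_resource` and `untag_resource` (which a real `boto3.client("organizations")` does); the `FakeOrganizationsClient` is a constructed in-memory stand-in so the example runs offline and shows the pagination and the removal step that `tag_resource` alone can never produce.

```python
"""Added example (not AFT's code): reconcile Organizations account tags so that
keys missing from the desired set are removed with untag_resource.

Assumes the client has the boto3 Organizations methods list_tags_for_resource,
tag_resource and untag_resource. FakeOrganizationsClient below is a constructed
in-memory stand-in used only so the example runs without AWS credentials.
"""
from typing import Dict, List, Tuple


def diff_tags(existing: Dict[str, str], desired: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (tags_to_set, keys_to_remove).

    tags_to_set: desired tags that are new or whose value changed (tag_resource).
    keys_to_remove: keys on the account but absent from desired (untag_resource);
    this second list is what the issue reports as never being applied.
    """
    to_set = {k: v for k, v in desired.items() if existing.get(k) != v}
    to_remove = sorted(k for k in existing if k not in desired)
    return to_set, to_remove


def list_account_tags(client, account_id: str) -> Dict[str, str]:
    """Fetch every tag on the account, following NextToken pagination."""
    tags: Dict[str, str] = {}
    kwargs = {"ResourceId": account_id}
    while True:
        resp = client.list_tags_for_resource(**kwargs)
        for t in resp.get("Tags", []):
            tags[t["Key"]] = t["Value"]
        token = resp.get("NextToken")
        if not token:
            return tags
        kwargs["NextToken"] = token


def reconcile_account_tags(client, account_id: str, desired: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Make the account's tags equal to `desired`: set changed/new keys, untag stale keys."""
    existing = list_account_tags(client, account_id)
    to_set, to_remove = diff_tags(existing, desired)
    if to_set:
        client.tag_resource(
            ResourceId=account_id,
            Tags=[{"Key": k, "Value": v} for k, v in to_set.items()],
        )
    if to_remove:
        # The step the report says is missing: drop keys no longer requested.
        client.untag_resource(ResourceId=account_id, TagKeys=to_remove)
    return to_set, to_remove


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client (2 tags per page)."""

    PAGE = 2

    def __init__(self, tags: Dict[str, str]):
        self.tags = dict(tags)
        self.calls: List[str] = []

    def list_tags_for_resource(self, ResourceId: str, NextToken: str = None) -> dict:
        start = int(NextToken) if NextToken else 0
        items = sorted(self.tags.items())
        page = items[start:start + self.PAGE]
        resp = {"Tags": [{"Key": k, "Value": v} for k, v in page]}
        if start + self.PAGE < len(items):
            resp["NextToken"] = str(start + self.PAGE)
        return resp

    def tag_resource(self, ResourceId: str, Tags: List[dict]) -> None:
        self.calls.append("tag_resource")
        for t in Tags:
            self.tags[t["Key"]] = t["Value"]

    def untag_resource(self, ResourceId: str, TagKeys: List[str]) -> None:
        self.calls.append("untag_resource")
        for k in TagKeys:
            self.tags.pop(k, None)


def demo() -> Dict[str, str]:
    """Constructed scenario from the report: one tag updated, one added, one removed."""
    client = FakeOrganizationsClient({"Owner": "alice", "Env": "dev", "CostCenter": "123"})
    desired = {"Owner": "bob", "Env": "dev", "Team": "sec"}  # CostCenter dropped
    reconcile_account_tags(client, "111122223333", desired)
    return client.tags


if __name__ == "__main__":
    print(demo())
```

`diff_tags` is deliberately pure so it can be unit-tested without AWS; the only side effects live in `reconcile_account_tags`, and the untag call is issued only when the diff is non-empty, so an unchanged request makes no write calls at all.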

pmmalinov01 commented 11 months ago

Duplication of https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/160, I hope the response will be different this time

snebhu3 commented 11 months ago

@kstadnik-aws thank you for reaching out. Please refer to #160 which is a duplicate of this issue.