aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Changing VCS repository locations results in failed CodePipeline runs #371

Closed rybons closed 11 months ago

rybons commented 1 year ago

AFT Version:

1.9.2

Terraform Version & Provider Versions (outputs of terraform version and terraform providers from within the AFT environment):

terraform version

0.15.5

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/time]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/local]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    └── module.aft_iam_roles
        ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.audit_service_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.ct_management_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.ct_management_service_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.log_archive_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.log_archive_service_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.aft_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        ├── module.aft_service_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        └── module.audit_exec_role
            └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Bug Description

I am trying to update the VCS details for my AFT deployment, as I have switched GitHub organizations from foo-org to bar-org, like so:

Before:

module "aft" {
  source  = "aws-ia/control_tower_account_factory/aws"
  version = "1.9.0"

  # VCS Vars
  vcs_provider                                  = "github"
  account_request_repo_name                     = "foo-org/aft-account-request"
  global_customizations_repo_name               = "foo-org/aft-global-customizations"
  account_customizations_repo_name              = "foo-org/aft-account-customizations"
  account_provisioning_customizations_repo_name = "foo-org/aft-account-provisioning-customizations"

  [...]
}

After:

module "aft" {
  source  = "aws-ia/control_tower_account_factory/aws"
  version = "1.9.0"

  # VCS Vars
  vcs_provider                                  = "github"
  account_request_repo_name                     = "bar-org/aft-account-request"
  global_customizations_repo_name               = "bar-org/aft-global-customizations"
  account_customizations_repo_name              = "bar-org/aft-account-customizations"
  account_provisioning_customizations_repo_name = "bar-org/aft-account-provisioning-customizations"

  [...]
}

After running a terraform apply with these updates, the following resources are changed (no create or destroy actions):

There is no issue with the terraform apply itself running. However, the CodePipelines are left non-functional because there is no AWS CodeStar connection pending confirmation for the new github VCS repositories (in the new org).

If I then attempt to execute the customizations pipeline (i.e. via the aft-invoke-customizations state machine), the source stage of the CodePipeline run fails with the error:

[GitHub] No Branch [main] found for FullRepositoryName [bar-org/aft-global-customizations]

I assume this is because there has not been a CodeStar connection established for the new org repositories.

To Reproduce Steps to reproduce the behavior:

  1. Update module VCS arguments as shown in bug description.
  2. Run terraform apply to update CodePipeline and SSM parameter resources.
  3. See that no new AWS CodeStar connections are pending confirmation.
  4. Attempts to run the AFT CodePipelines fail at the source step with "no branch found".

Expected behavior

I would expect that when changing VCS settings in the module, a new AWS CodeStar connection to the new org should be pending approval. This would be in line with the post-deployment steps in the AWS documentation.

Additional context

I would appreciate any suggestions for how to proceed here. My current idea is to run terraform state rm on any existing CodeStar connection resources for github, or to delete the existing connection in the AWS CodeStar console, as a means of forcing Terraform to re-create the CodeStar connection. Would you advise against this?

Also, could this type of change disrupt any other functionality that I'm not thinking of?

I understand that CodeStar requires manual intervention during the initial provisioning of the AFT module. So, perhaps the resolution to this issue may simply be documentation along the lines of:

If you need to update your VCS settings, here are the steps you should take and things you need to consider
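A check a practitioner would want to run before invoking the pipelines after a VCS change like the one above, as an added example that is not code from the issue or the AFT project: it flags source actions still pointing at the old org and connections that are missing or not yet confirmed. The pipeline names, the connection ARN and all inputs are constructed; the dict shapes are the ones boto3 returns from codepipeline get_pipeline and codestar-connections list_connections.

```python
# Added example (not code from the issue or the AFT project): audit CodePipeline source
# actions against the account's CodeStar connections. Input shapes follow boto3's
# codepipeline.get_pipeline()["pipeline"] and codestar-connections.list_connections()
# ["Connections"]; the API calls are omitted so it runs offline on constructed data.

def audit_pipeline_sources(pipelines, connections, expected_org):
    """One finding per inconsistency; [] means every source action points at
    expected_org through an existing, AVAILABLE connection."""
    status_by_arn = {c["ConnectionArn"]: c["ConnectionStatus"] for c in connections}
    findings = []
    for p in pipelines:
        for action in (a for s in p["stages"] for a in s["actions"]):
            if action["actionTypeId"].get("provider") != "CodeStarSourceConnection":
                continue  # only CodeStar-backed source actions are relevant here
            cfg = action["configuration"]
            repo, arn = cfg.get("FullRepositoryId", ""), cfg.get("ConnectionArn")
            if repo.split("/", 1)[0] != expected_org:
                findings.append(f"{p['name']}: repo {repo} is not under {expected_org}")
            if arn not in status_by_arn:
                findings.append(f"{p['name']}: connection {arn} does not exist")
            elif status_by_arn[arn] != "AVAILABLE":
                findings.append(f"{p['name']}: connection is {status_by_arn[arn]}; "
                                "confirm it in the Developer Tools console")
    # Caveat: an AVAILABLE connection authorized for the old org looks identical via the
    # API; the "No Branch [main] found" source-stage error is the only signal for that case.
    return findings

def source_action(repo, arn):
    """Constructed CodeStarSourceConnection action in the get_pipeline() shape."""
    return {"name": "Source", "actionTypeId": {"category": "Source", "owner": "AWS",
            "provider": "CodeStarSourceConnection", "version": "1"},
            "configuration": {"ConnectionArn": arn, "FullRepositoryId": repo,
                              "BranchName": "main"}}
ARN_OK = "arn:aws:codestar-connections:us-east-1:111122223333:connection/EXAMPLE-1"
SAMPLE_CONNECTIONS = [{"ConnectionName": "ct-aft-github-connection", "ConnectionArn": ARN_OK,
                       "ProviderType": "GitHub", "ConnectionStatus": "AVAILABLE"}]
# Constructed pipelines: one updated to bar-org, one still on foo-org, one whose
# connection ARN no longer exists (for instance after the connection was deleted).
SAMPLE_PIPELINES = [
    {"name": "global-customizations", "stages": [{"name": "Source", "actions": [
        source_action("bar-org/aft-global-customizations", ARN_OK)]}]},
    {"name": "account-request", "stages": [{"name": "Source", "actions": [
        source_action("foo-org/aft-account-request", ARN_OK)]}]},
    {"name": "account-customizations", "stages": [{"name": "Source", "actions": [
        source_action("bar-org/aft-account-customizations", ARN_OK + "-deleted")]}]},
]
if __name__ == "__main__":
    for finding in audit_pipeline_sources(SAMPLE_PIPELINES, SAMPLE_CONNECTIONS, "bar-org"):
        print(finding)
```

Running it against live data means replacing the two SAMPLE_ constants with the results of get_pipeline for each AFT pipeline and list_connections; a non-empty result is the reason to stop before triggering the state machine.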

snebhu3 commented 11 months ago

@rybons I would recommend reaching out to premium support as this may require a deeper dive into the account and environment.