aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Deployment to new regions like eu-south-2 fails due to Code* missing services #392

Closed jpamies closed 9 months ago

jpamies commented 9 months ago

AFT Version: 1.10.4

Terraform Version & Provider Versions

Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.5.7

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft_pipeline
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── provider[registry.terraform.io/hashicorp/random]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   ├── provider[registry.terraform.io/hashicorp/local]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/time]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    └── module.aft_code_repositories
        ├── provider[registry.terraform.io/hashicorp/local]
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0

Providers required by state:

    provider[registry.terraform.io/hashicorp/archive]

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/local]

    provider[registry.terraform.io/hashicorp/random]

    provider[registry.terraform.io/hashicorp/time]

Bug Description

Deployment fails due to the missing services in eu-south-2. Control Tower is supported, but CodePipeline and CodeCommit are not.

To Reproduce

Steps to reproduce the behavior:

  1. Add home region eu-south-2
  2. terraform init && terraform deploy
  3. See error

Expected behavior

A clear and concise description of what you expected to happen.

Capability to specify an AFT region to launch the AFT architecture and connect to CT in the home region. If not specified, home region == AFT region.

Additional context

This issue can happen in new Control Tower regions like Asia Pacific (Hyderabad), Europe (Spain and Zurich), and the Middle East (UAE). https://aws.amazon.com/about-aws/whats-new/2023/09/aws-control-tower-new-regions/

hanafya commented 9 months ago

Hey @jpamies!

AFT has hard requirements on both CodeCommit (if you're using that as source VCS) and CodePipeline. Unfortunately, AFT will not function without these dependencies. However, we will take a backlog item to review alternative options.