aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Function aft_delete_default_vpcs using incorrect session while deleting default VPCs #393

Closed vippr1237 closed 9 months ago

vippr1237 commented 9 months ago

AFT Version: 1.10.4 (Latest)

Terraform Version & Provider Versions (outputs of terraform version and terraform providers from within the AFT environment):

terraform version

Terraform v1.4.5
on darwin_arm64

Your version of Terraform is out of date! The latest version
is 1.5.7. You can update by downloading from https://www.terraform.io/downloads.html

terraform providers

Providers required by configuration:
.
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   └── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    └── module.aft_ssm_parameters
        ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
        └── provider[registry.terraform.io/hashicorp/random]

Providers required by state:

    provider[registry.terraform.io/hashicorp/aws]
    provider[registry.terraform.io/hashicorp/local]
    provider[registry.terraform.io/hashicorp/random]
    provider[registry.terraform.io/hashicorp/time]
    provider[registry.terraform.io/hashicorp/archive]

Bug Description: Function aft_delete_default_vpcs is using an incorrect session when deleting default VPCs, causing the lambda to delete the VPC in the AFT account instead of the VPC account.

To Reproduce (steps to reproduce the behavior):

  1. Deploy AFT to Control Tower
  2. Trigger creation of an account
  3. Observe the lambda log to see that it's deleting the AFT account VPC instead of the target account's

Expected behavior: The default VPC in all regions should be deleted in the target account, not the AFT account, when aft_feature_delete_default_vpcs_enabled is set to true.

Additional context: Currently I work around this by changing the session as below, in src/aft_lambda/aft_feature_options/aft_delete_default_vpc.py:

  # The original line built a session from the Lambda's own credentials, i.e. the AFT account:
  # session = boto3.session.Session(region_name=region)
  # Workaround: reuse the session that was already assumed into the target (vended) account
  client = target_account_session.client("ec2", region_name=region)
  vpc = get_default_vpc(client)
  if vpc is not None:
      resource: EC2ServiceResource = target_account_session.resource(
          "ec2", region_name=region
      )

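
The failure mode above, deleting in whichever account the session happens to belong to, is easy to rule out with an STS identity check before anything is deleted. The following is an added example, not AFT's own code: delete_default_vpcs takes an explicit session (in production an assumed-role boto3 session for the vended account, as target_account_session is in the snippet) plus the account id it is expected to belong to, and refuses to touch EC2 when STS disagrees; FakeSession is a constructed stand-in for boto3.session.Session so the check runs offline.

```python
class WrongAccountError(RuntimeError): """Credentials are not for the account we meant to clean."""

def default_vpc_id(ec2):
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])["Vpcs"]
    return vpcs[0]["VpcId"] if vpcs else None

def delete_default_vpc(ec2, vpc_id):
    # The VPC cannot go until its internet gateway and subnets are gone.
    for igw in ec2.describe_internet_gateways(
            Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["InternetGateways"]:
        ec2.detach_internet_gateway(InternetGatewayId=igw["InternetGatewayId"], VpcId=vpc_id)
        ec2.delete_internet_gateway(InternetGatewayId=igw["InternetGatewayId"])
    for sn in ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]:
        ec2.delete_subnet(SubnetId=sn["SubnetId"])
    ec2.delete_vpc(VpcId=vpc_id)

def delete_default_vpcs(target_session, expected_account, regions):
    """Delete default VPCs in each region, only after STS confirms whose session this is."""
    actual = target_session.client("sts").get_caller_identity()["Account"]
    if actual != expected_account:
        raise WrongAccountError(f"session is for {actual}, expected {expected_account}")
    deleted = []
    for region in regions:
        ec2 = target_session.client("ec2", region_name=region)  # never boto3.session.Session()
        vpc_id = default_vpc_id(ec2)
        if vpc_id:
            delete_default_vpc(ec2, vpc_id)
            deleted.append((region, vpc_id))
    return deleted

class FakeSession:
    """Constructed stand-in for boto3.session.Session so the guard runs offline."""
    def __init__(self, account, default_vpcs):
        self.account, self.vpcs, self.calls = account, default_vpcs, []
    def client(self, service, region_name=None):
        return self if service == "sts" else _FakeEC2(self, region_name)
    def get_caller_identity(self):
        return {"Account": self.account}
class _FakeEC2:
    def __init__(self, session, region):
        self.s, self.region = session, region
    def describe_vpcs(self, Filters):
        vpc = self.s.vpcs.get(self.region)
        return {"Vpcs": [{"VpcId": vpc}] if vpc else []}
    def describe_internet_gateways(self, Filters):
        return {"InternetGateways": [{"InternetGatewayId": "igw-constructed"}]}
    def describe_subnets(self, Filters):
        return {"Subnets": [{"SubnetId": "subnet-constructed"}]}
    def __getattr__(self, name):  # detach_*/delete_* calls are only recorded
        return lambda **kw: self.s.calls.append((self.region, name, kw))
```

With a real session, the same WrongAccountError is what you want to see in the Lambda log if the AFT account's credentials ever reach this code path again.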
hanafya commented 9 months ago

Hey @vippr1237!

This is a known issue that will not be fixed in the 1.x major version. Please see https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/200#issuecomment-1178227617 for more details. Sorry for this inconvenience.