aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

CodeBuild is invoked for every plan #427

Open jack-parsons-bjss opened 4 months ago

jack-parsons-bjss commented 4 months ago

Terraform Version & Prov: 1.7.0

AFT Version: 1.11.1 (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Terraform Version & Provider Versions

Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.7.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/archive v2.4.2
+ provider registry.terraform.io/hashicorp/aws v5.33.0
+ provider registry.terraform.io/hashicorp/external v2.3.2
+ provider registry.terraform.io/hashicorp/local v2.4.1
+ provider registry.terraform.io/hashicorp/random v3.6.0
+ provider registry.terraform.io/hashicorp/time v0.10.0
+ provider registry.terraform.io/scottwinkler/shell v1.7.10

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws] >= 5.30.0
├── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
├── provider[terraform.io/builtin/terraform]
├── module.ous
│   └── provider[registry.terraform.io/hashicorp/aws]
├── module.acct_log_archive
│   └── provider[registry.terraform.io/hashicorp/aws]
├── module.sso
│   └── provider[registry.terraform.io/hashicorp/aws]
├── module.acct_management
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── module.config_recorder_us_east_1
│       └── provider[registry.terraform.io/hashicorp/aws]
│   └── module.config_recorder_default_region
│       └── provider[registry.terraform.io/hashicorp/aws]
├── module.acct_aft_management
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── module.account_factory_for_terraform
│       ├── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│       ├── provider[registry.terraform.io/hashicorp/local]
│       ├── module.aft_ssm_parameters
│           ├── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           └── provider[registry.terraform.io/hashicorp/random]
│       ├── module.aft_iam_roles
│           ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│           ├── module.aft_service_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.audit_exec_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.audit_service_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.ct_management_exec_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.ct_management_service_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.log_archive_exec_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── module.log_archive_service_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           └── module.aft_exec_role
│               └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│       ├── module.aft_lambda_layer
│           ├── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           ├── provider[registry.terraform.io/hashicorp/random]
│           └── provider[registry.terraform.io/hashicorp/local]
│       ├── module.packaging
│           └── provider[registry.terraform.io/hashicorp/archive]
│       ├── module.aft_account_provisioning_framework
│           └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│       ├── module.aft_code_repositories
│           ├── provider[registry.terraform.io/hashicorp/local]
│           └── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│       ├── module.aft_feature_options
│           └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│       ├── module.aft_backend
│           └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│       ├── module.aft_customizations
│           ├── provider[registry.terraform.io/hashicorp/aws] >= 5.11.0, < 6.0.0
│           └── provider[registry.terraform.io/hashicorp/local]
│       └── module.aft_account_request_framework
│           ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
│           └── provider[registry.terraform.io/hashicorp/time]
│   └── module.service_quotas_aft
│       └── provider[registry.terraform.io/hashicorp/aws]
├── module.acct_shared
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── module.subdomain
│       └── provider[registry.terraform.io/hashicorp/aws]
│   └── module.tfr
│       ├── provider[registry.terraform.io/hashicorp/aws]
│       ├── provider[registry.terraform.io/hashicorp/random]
│       ├── module.kms_sns
│           └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.s3bucket_ui
│           └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_get_presigned_url
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_get_provider_versions
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.hookbuild_modules
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           └── module.lambdacron
│               ├── provider[registry.terraform.io/hashicorp/aws]
│               ├── provider[registry.terraform.io/hashicorp/archive]
│               ├── module.sns
│                   └── provider[registry.terraform.io/hashicorp/aws]
│               └── module.kms
│                   └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_async_cache
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_get_presigned_provider
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_get_provider
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.s3bucket_modules
│           └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.lambdacron_authoriser
│           ├── provider[registry.terraform.io/hashicorp/aws]
│           ├── provider[registry.terraform.io/hashicorp/archive]
│           ├── module.kms
│               └── provider[registry.terraform.io/hashicorp/aws]
│           └── module.sns
│               └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.kms_s3_cache
│           └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.kms_s3_modules
│           └── provider[registry.terraform.io/hashicorp/aws]
│       ├── module.kms_dynamodb
│           └── provider[registry.terraform.io/hashicorp/aws]
│       └── module.s3bucket_cache
│           └── provider[registry.terraform.io/hashicorp/aws]
├── module.controltower_region_deny_core_ous
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   └── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
├── module.acct_audit
│   ├── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   ├── module.security_hub_central_config
│       ├── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
│       └── provider[registry.terraform.io/hashicorp/aws]
│   ├── module.security_hub_central_config_association
│       ├── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
│       └── provider[registry.terraform.io/hashicorp/aws]
│   └── module.security_hub_central_config_policy_org_default
│       ├── provider[registry.terraform.io/hashicorp/aws]
│       └── provider[registry.terraform.io/scottwinkler/shell] ~> 1.7.10
├── module.acct_network
│   ├── provider[registry.terraform.io/hashicorp/aws]
│   └── module.r53
│       └── provider[registry.terraform.io/hashicorp/aws]
└── module.control_tower
    ├── provider[registry.terraform.io/hashicorp/aws]
    ├── provider[registry.terraform.io/scottwinkler/shell]
    ├── provider[registry.terraform.io/hashicorp/external]
    ├── module.lambdacron_register_ou
        ├── provider[registry.terraform.io/hashicorp/archive]
        ├── provider[registry.terraform.io/hashicorp/aws]
        ├── module.kms
            └── provider[registry.terraform.io/hashicorp/aws]
        └── module.sns
            └── provider[registry.terraform.io/hashicorp/aws]
    ├── module.sfn
        └── provider[registry.terraform.io/hashicorp/aws]
    └── module.kms_control_tower
        └── provider[registry.terraform.io/hashicorp/aws]

Providers required by state:

    provider[registry.terraform.io/hashicorp/time]

    provider[registry.terraform.io/scottwinkler/shell]

    provider[terraform.io/builtin/terraform]

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/local]

    provider[registry.terraform.io/hashicorp/archive]

    provider[registry.terraform.io/hashicorp/external]

    provider[registry.terraform.io/hashicorp/random]

Bug Description

Every time the AFT module is invoked, the CodeBuild job to build the Lambda layer is invoked. This is very frustrating and wasteful, as we don't need to build the layer every single time.

To Reproduce

Steps to reproduce the behavior: Plan Terraform with AFT in the configuration.

Expected behavior

CodeBuild should only be invoked when the layer will be changed.

Additional context

I have forked this repository and applied the required patch: https://github.com/jack-parsons-bjss/terraform-aws-control_tower_account_factory

I can see that you are not accepting contributions at this time, so I raised this issue instead. AFT is part of our Landing Zone deployment; while we are rapidly iterating, this is very frustrating for us.

snebhu3 commented 4 months ago

@jack-parsons-bjss thank you for reaching out. I have created an internal backlog to address this concern.