aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

New account not created under OU in control tower account (Step function not executed) #442

Closed ragerdevops closed 4 months ago

ragerdevops commented 4 months ago

Terraform Version & Provider Versions

AFT Version (from the AFT Management Account SSM parameter /aft/config/aft/version): 1.12.0

Output of terraform version:

Terraform v1.5.7
on darwin_arm64

Output of terraform providers:

aws

Bug Description

I am trying to use AFT to deploy accounts on AWS; in this case I am using the GitHub main.tf + tf_oss since I need to connect it to my GitHub account.

Deploying all resources works perfectly, but when I create a new account using the repository at https://github.com/hashicorp/learn-terraform-aft-account-request, the pipeline is launched, the object is created in DynamoDB, the message arrives at the SQS queue, but the step function is not executed, or at least I don't see any execution.

Obviously the account will not be displayed.

To Reproduce

Steps to reproduce the behavior:

  1. Generate control tower landing zone
  2. Generate new account for terraform management AFT
  3. Deploy code inside the terraform management AFT account
  4. Create connection between GitHub and account AWS and confirm
  5. Grant permissions to AFTExecutionRole in Service Catalog product
  6. Request new account

Expected behavior

Creating a new account

Related Logs

2024-03-02T00:52:14.365+01:00 Plan: 1 to add, 0 to change, 0 to destroy.
2024-03-02T00:52:14.365+01:00 module.sandbox.aws_dynamodb_table_item.account-request: Creating...
2024-03-02T00:52:14.365+01:00 module.sandbox.aws_dynamodb_table_item.account-request: Creation complete after 0s


ragerdevops commented 4 months ago

Solved!

In case this happens to someone else, I corrected the error by adding the name (ouID) indicated as follows:

ManagedOrganizationalUnit = "Sandbox (OU ID)"

On the other hand, the AFT account was not registered correctly in the OU due to an error. Once AFT gives an error, it is better to delete the Stack or the DynamoDB record so that it does not continue in a loop.
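A pre-flight check for the fix described above, written as an added example that is not part of the original thread or the AFT project: it validates the control_tower_parameters of an account request before it is committed, rejecting a bare OU name and accepting the "Name (OU ID)" form. The OU ID pattern follows the AWS Organizations documented format; the request dict and its values are constructed for the example.

```python
import re

# AWS Organizations OU IDs: "ou-" + 4..32 chars (root id) + "-" + 8..32 chars (documented format).
OU_ID_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
# The form that resolved the thread: "<OU name> (<OU ID>)", e.g. "Sandbox (ou-abcd-12345678)".
MANAGED_OU_RE = re.compile(r"^(?P<name>[^()]+?)\s+\((?P<ou_id>[^()]+)\)$")

# Keys the AFT account-request module's control_tower_parameters block expects.
REQUIRED_PARAMS = {
    "AccountEmail", "AccountName", "ManagedOrganizationalUnit",
    "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName",
}


def check_managed_ou(value: str) -> list[str]:
    """Return the problems with a ManagedOrganizationalUnit value (empty list if it looks right)."""
    m = MANAGED_OU_RE.match(value.strip())
    if not m:
        return [f"ManagedOrganizationalUnit {value!r}: expected '<OU name> (<OU ID>)'"]
    if not OU_ID_RE.match(m.group("ou_id")):
        return [f"ManagedOrganizationalUnit {value!r}: {m.group('ou_id')!r} is not a well-formed OU ID"]
    return []


def check_account_request(params: dict) -> list[str]:
    """Validate a control_tower_parameters dict; an empty result means the request can be committed."""
    problems = [f"missing parameter {k}" for k in sorted(REQUIRED_PARAMS - params.keys())]
    for key in ("AccountEmail", "SSOUserEmail"):
        if key in params and "@" not in params[key]:
            problems.append(f"{key} {params[key]!r} is not an e-mail address")
    if "ManagedOrganizationalUnit" in params:
        problems.extend(check_managed_ou(params["ManagedOrganizationalUnit"]))
    return problems


# Constructed sample request (the values are placeholders, not from a real environment).
SAMPLE_REQUEST = {
    "AccountEmail": "sandbox-account@example.com",
    "AccountName": "sandbox",
    "ManagedOrganizationalUnit": "Sandbox (ou-abcd-12345678)",
    "SSOUserEmail": "owner@example.com",
    "SSOUserFirstName": "Sandbox",
    "SSOUserLastName": "Owner",
}

if __name__ == "__main__":
    for problem in check_account_request(SAMPLE_REQUEST) or ["request looks well-formed"]:
        print(problem)
```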

shahbhavik01 commented 3 months ago

@ragerdevops Could really use your help if you're willing. I deployed AFT and also tried to create an account with a similar format to what you mentioned, but somehow the new account is not being vended. If I follow the diagram in the link here, I can see the Account Request Processor Lambda being triggered, but I don't see a product being vended in the Service Catalog. Do you usually see a new Service Catalog product provisioned when you create a new account?

https://docs.aws.amazon.com/controltower/latest/userguide/aft-architecture.html

ragerdevops commented 3 months ago

Hello @shahbhavik01, yes! I'm happy to help you! At least we can try :P

To give you more feedback, could you share what configuration you are doing with Terraform?

Paste your code for deploying AFT (the code that you're using inside Control Tower) and the code for account_request.tf.

Thx! :)

shahbhavik01 commented 3 months ago

Somehow I was able to figure it out. I had some conflicting TF names. Thank you for the offer of help.