AFT Version: 1.9.1
terraform version: 0.15.5
terraform providers: AWS
Description:-
We have deployed Control Tower and AFT for Terraform in a separate AFT account using Terraform, AFT version 1.9.1. After deploying AFT, the new account request is working fine; it runs the pipeline for creating the account whenever we add new account request Terraform code to our AFT account request repository.
But account customisation is not working, and we can't even see the state machine for account-provisioning-customization, nor is there a pipeline for account customisation for any of the accounts created.
When we try to run the aft-invoke-customization step function, we get the error below.
Note: The logs mention account creation, but the account already exists and we are making customisations through account-customization.
{
"Cause": "An error occurred while executing the state 'run_create_pipeline?' (entered at the event id #33). Invalid path '$.Input.account_provisioning.run_create_pipeline': The choice state's condition path references an invalid value.",
"Error": "States.Runtime",
"ExecutionArn": "arn:aws:states:us-east-2:<aft-account-id>:execution:aft-account-provisioning-framework:e5c48973-f6fa-4def-beaf-55ca11e33ba2",
"Input": "{"account_info":{"account":{"id":"<shared-account-id>","email":"shared_acct@email","name":"shared-account",
"joined_method":"CREATED","joined_date":"2023-03-09 07:51:44.747000+00:00","status":"ACTIVE","parent_id":"ou-38lh-9att8jja","parent_type":"ORGANIZATIONAL_UNIT",
"type":"account","vendor":"aws"}},"control_tower_event":{},"account_request":{"custom_fields":"{\"group\":\"prod\"}","change_management_parameters":
{"change_reason":"Create new ControlPlane account shared-account","change_requested_by":"shared_acct@email.com"},"id":"shared_acct@email.com","control_tower_parameters":
{"AccountEmail":"sharedservices-account@email","SSOUserFirstName":"-sharedservices-account","SSOUserLastName":"sharedservices-account"
,"ManagedOrganizationalUnit":"controlplane-ou","AccountName":"shared-account","SSOUserEmail":"shared_acct@email.com@email"},"account_tags":
{"Environment":"prod","Owner":"sharedservices-account sharedservices-account","Project":"xyz","Vended":"true","created_by":"
sharedservices-account@email"},"account_customizations_name":"shared-customizations"},"account_provisioning":{"run_create_pipeline":"true"},
"customization_request_id":"c0bb8f9a-9f82-4c30-a62c-96119a391b53"}",
"InputDetails": {
"Included": true
},
"Name": "e5c48973-f6fa-4def-beaf-55ca11e33ba2",
"StartDate": 1679307003825,
"StateMachineArn": "arn:aws:states:us-east-2:<aft-account-id>:stateMachine:aft-account-provisioning-framework",
"Status": "FAILED",
"StopDate": 1679307036829
}
To Reproduce:-
Steps to reproduce the behavior:
- Add Terraform code in the account-customization repository under the folder named after the account_customization_name value
- Run the Step Function with the input below
{
  "include": [
    {
      "type": "accounts",
      "target_value": [
        "<target account id>"
      ]
    }
  ]
}
Thanks for the info, the issue is resolved. Although the state tf files were already there in our aft-account-provisioning-customizations repository, as mentioned in https://github.com/aws-ia/terraform-aws-control_tower_account_factory/tree/main/sources/aft-customizations-repos/aft-account-provisioning-customizations/terraform, for some reason they were not picked up during AFT deployment. So we just had to make a dummy commit into the repository, and that triggered AFT to deploy the state machine from our aft-account-provisioning-customizations.
Though the current/actual issue is resolved, I still see a bug ... that AFT during deployment should take the repository content and deploy it; it should not explicitly wait for another commit into the repository to deploy the state machine if the files are already present.
Thanks again for the help
Regards