terraform-aws-control_tower_account_factory

Changing the name of an account does not update the aft-request-metadata table

Open fjromerom opened this issue 2 years ago • 2 comments

AFT Version: 1.3.4

Bug Description

The name and email of an account were changed in the account-request repository and updated in the aft-request DDB table. Later, I ran the aft-invoke-customizations state machine and it failed. Diving deeper into the logs, I identified that the issue was due to a discrepancy between the aft-request and aft-request-metadata tables. I updated the name and email in the aft-request-metadata table, re-ran the state machine, and it worked successfully.

To Reproduce

Steps to reproduce the behavior:

  1. Create an account
  2. Rename the email and name
  3. Run aft-invoke-customizations

Expected behavior

AFT should update the aft-request-metadata table to keep it consistent with the aft-request table. It would also be beneficial to remove the entry when an account is removed from the aft-request table, so you don't need to remove it manually.

Related Logs

{
    "time_stamp": "2022-04-20 09:09:54,510",
    "log_level": "ERROR",
    "log_message": {
        "FILE": "aft_customizations_invoke_account_provisioning_framework.py",
        "METHOD": "lambda_handler",
        "EXCEPTION": "'Item'"
    }
}
Traceback (most recent call last):
  File "/var/task/aft_customizations_invoke_account_provisioning_framework.py", line 41, in lambda_handler
    account_request_record = get_account_request_record(
  File "/opt/python/lib/python3.8/site-packages/aft_common/customizations.py", line 290, in get_account_request_record
    item: Dict[str, Any] = response["Item"]
KeyError: 'Item'

[ERROR] KeyError: 'Item'
Traceback (most recent call last):
  File "/var/task/aft_customizations_invoke_account_provisioning_framework.py", line 41, in lambda_handler
    account_request_record = get_account_request_record(
  File "/opt/python/lib/python3.8/site-packages/aft_common/customizations.py", line 290, in get_account_request_record
    item: Dict[str, Any] = response["Item"]

fjromerom, Apr 22 '22 14:04

Hey @fjromerom thanks for bringing this up! I've gone ahead and created a backlog to better handle this situation.

balltrev, Apr 25 '22 17:04

@fjromerom did your account get renamed in Control Tower and AWS Service Catalog? From this issue, it seems not to be possible: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/129

v-rosa, Jul 05 '22 18:07

Hi @fjromerom, following up on this item:

AFT does not support changing account names because the Account Factory Service Catalog product, which is the mechanism AFT uses to provision and update accounts, does not support updating this parameter.

If you want to change the name of an account, follow these instructions but note that the ProvisionedProduct will not reflect the change. As such, the control_tower_parameters.AccountName field provided in an AFT request must remain the old name of the account or AFT will reject the request as invalid.

stumins, Jan 10 '23 23:01
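
The failure mode reported in this thread, as an added example that is not part of the issue or of AFT's own code: a DynamoDB GetItem response carries no "Item" key when the lookup misses, so `response["Item"]` raises a bare `KeyError`. The sketch assumes that aft-request rows are keyed by an `id` holding the account email and that aft-request-metadata rows carry an `email` attribute; those attribute names, the helper names and the sample rows are assumptions constructed for illustration.

```python
from typing import Any, Dict, List


class RecordNotFound(LookupError):
    """Raised instead of a bare KeyError when GetItem matches nothing."""


def item_or_raise(response: Dict[str, Any], table: str, key: str) -> Dict[str, Any]:
    # A GetItem response has no "Item" key at all when the lookup misses,
    # which is what response["Item"] tripped over in the traceback above.
    item = response.get("Item")
    if item is None:
        raise RecordNotFound(f"no record with id {key!r} in {table}")
    return item


def find_drift(requests: List[Dict[str, Any]],
               metadata: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Compare rows from both tables and report emails present in only one."""
    request_ids = {row["id"] for row in requests}         # assumed key: email
    metadata_emails = {row["email"] for row in metadata}  # assumed attribute
    return {
        "stale_metadata": sorted(metadata_emails - request_ids),
        "missing_metadata": sorted(request_ids - metadata_emails),
    }


def fake_get_item(rows: List[Dict[str, Any]], key: str) -> Dict[str, Any]:
    """Offline stand-in for a boto3 Table.get_item call (hypothetical helper)."""
    for row in rows:
        if row["id"] == key:
            return {"Item": row, "ResponseMetadata": {}}
    return {"ResponseMetadata": {}}


# Constructed sample rows: one account renamed in aft-request only.
AFT_REQUEST = [{"id": "new-name@example.com", "account_name": "new-name"},
               {"id": "prod@example.com", "account_name": "prod"}]
AFT_REQUEST_METADATA = [
    {"id": "111111111111", "email": "old-name@example.com", "account_name": "old-name"},
    {"id": "222222222222", "email": "prod@example.com", "account_name": "prod"}]

if __name__ == "__main__":
    print(find_drift(AFT_REQUEST, AFT_REQUEST_METADATA))
    for meta in AFT_REQUEST_METADATA:
        try:
            item_or_raise(fake_get_item(AFT_REQUEST, meta["email"]), "aft-request", meta["email"])
        except RecordNotFound as exc:
            print("would have failed:", exc)
```
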