
Error : aft_customizations_invoke_account_provisioning_framework

Open Menahem1 opened this issue 2 years ago • 3 comments

AFT Version: 1.4.0

Bug Description

An error is generated when using the Step Functions state machine aft-invoke-customizations

To Reproduce

Steps to reproduce the behavior:

  1. Go to Step Functions aft-invoke-customizations
  2. Launch an execution to all accounts
{
  "include": [
    {
      "type": "all"
    }
  ]
}

After that you will get the following error

Related Logs

[ERROR] KeyError: 'Item'
Traceback (most recent call last):
  File "/var/task/aft_customizations_invoke_account_provisioning_framework.py", line 45, in lambda_handler
    account_request_record = get_account_request_record(
  File "/opt/python/lib/python3.8/site-packages/aft_common/customizations.py", line 290, in get_account_request_record
    item: Dict[str, Any] = response["Item"]

Menahem1, May 31 '22 15:05

This works for me in 1.4.0, FWIW.

michaelw, Jun 02 '22 03:06

Hi @Menahem1,

I was not able to reproduce this issue in v1.4.1 - below is the input/output from the "Identify Targets" stage when invoking the aft-invoke-customizations step function in one of my testing accounts:

Input:

{
  "include": [
    {
      "type": "all"
    }
  ]
}

Output:

{
  "include": [
    {
      "type": "all"
    }
  ],
  "targets": {
    "number_pending_accounts": 1,
    "pending_accounts": [
      "123456789012"
    ]
  }
}

Can you provide any additional details about this error?

stumins, Jun 03 '22 17:06

After further investigation I was able to reproduce this issue in another account.

The root cause stems from targeting accounts for customization (via all, OU, or directly) that have entries in the aft-request-metadata table but are not present within the most recent account request manifest. The underlying cause was reported in https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/141

We have a backlog item to fix this bug.

In the interim, workarounds are to manually delete records from the aft-request-metadata table that are no longer in your account request manifest, or to use more specific targeting syntax in the customizations step function input that only targets accounts that are present in your request manifest.

stumins, Jun 03 '22 18:06
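As an added illustration of the failure mode and the two workarounds above (example code written for this page, not part of AFT and not posted in the thread), the check below runs over constructed records modelled on the two tables the thread names: it finds metadata records whose account request is gone, tolerates the empty get_item response that produced the KeyError, and builds a narrowed step-function input. The attribute names `email` and `id`, and the `accounts`/`target_value` targeting form, are assumptions.

```python
from typing import Any, Dict, List, Optional

# Constructed sample data (assumed attribute names). aft-request-metadata is
# keyed by account email and carries the account id; aft-request holds one
# record per request still in the manifest, keyed by the same email.
SAMPLE_METADATA: List[Dict[str, Any]] = [
    {"email": "prod@example.com", "id": "111111111111"},
    {"email": "stale@example.com", "id": "222222222222"},  # request was deleted
]
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"id": "prod@example.com", "account_name": "prod"},
]


def fake_get_item(request_items: List[Dict[str, Any]], email: str) -> Dict[str, Any]:
    """Mimic DynamoDB get_item: the 'Item' key is absent when nothing matches."""
    for record in request_items:
        if record["id"] == email:
            return {"Item": record}
    return {}


def get_account_request_record(response: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Hardened form of the lookup in the traceback: a missing 'Item' yields
    None so the caller can skip and log the account instead of crashing."""
    return response.get("Item")


def find_orphaned_metadata(
    metadata_items: List[Dict[str, Any]], request_items: List[Dict[str, Any]]
) -> List[Dict[str, Any]]:
    """Metadata records with no matching request: the ones workaround 1 deletes."""
    known = {record["id"] for record in request_items}
    return [item for item in metadata_items if item["email"] not in known]


def safe_targets(
    metadata_items: List[Dict[str, Any]], request_items: List[Dict[str, Any]]
) -> Dict[str, Any]:
    """Workaround 2: an include list naming only accounts still in the manifest,
    so a run does not touch the stale records that would raise KeyError."""
    stale = {item["email"] for item in find_orphaned_metadata(metadata_items, request_items)}
    ids = sorted(item["id"] for item in metadata_items if item["email"] not in stale)
    return {"include": [{"type": "accounts", "target_value": ids}]}


if __name__ == "__main__":
    for item in find_orphaned_metadata(SAMPLE_METADATA, SAMPLE_REQUESTS):
        print(f"stale metadata record: {item['email']} ({item['id']})")
    print(safe_targets(SAMPLE_METADATA, SAMPLE_REQUESTS))
```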

Hi @Menahem1,

AFT 1.8.0 mitigates this issue by removing the metadata record when an account request is deleted.

However, please note that this only prevents this issue from newly occurring, but does not resolve failures caused by de-synchronized metadata records that already exist. To resolve issues with those accounts, the manual workaround above should be used.

Thanks again for the report!

stumins, Jan 18 '23 20:01