terraform-aws-control_tower_account_factory
One central log to determine what step AFT is on
Describe the outcome you'd like
When provisioning accounts, I would like one central place to look to determine where AFT is at in the provisioning process. Something like one CloudWatch Log Group that every step (Step Function, Lambda, CodePipeline, CodeBuild, etc.) writes to when it starts and finishes, in order to easily tell what step was the last to run. This should make it easier to debug when issues happen.
Is your feature request related to a problem you are currently experiencing? If so, please describe.
I have run into several different issues while using this solution and each one typically requires me to step through each part of the process and trace the status of the account provisioning or customization.
Thanks for the feature request @bmurphey. We're aware logging is a pain point with the current version of AFT, and that it can be a challenge to track down root cause for specific account request failures.
We've recently started emitting exceptions from the underlying Lambda Functions to an SNS topic named aft-failure-notifications in the AFT Management account. As we work to improve logging, this may help with troubleshooting for now.
Publishing failure messages to SNS is useful. I was hoping that the aft-notifications topic would also be getting useful messages, but hardly anything is currently being sent to it. Publishing status messages at each step would be great for monitoring (update ticketing system, Slack notifications, etc.).
Hi @bmurphey,
AFT 1.9.0 introduced "request tracing" - AFT execution logs now include a request ID that is unique for a given customization request. 1.9.0 also adds two CloudWatch Log Insight queries that can be used to create an aggregate view of execution logs across all components by providing the target account ID or a customization request ID. This allows for a centralized view of execution logs without the cost created by generating & storing duplicated logs.
As request tracing meets the spirit of this request, I'm going to close this issue as resolved.