terraform-aws-control_tower_account_factory
How to import existing accounts
Describe the outcome you'd like
Update the current documentation to include an example of how to import an existing account to AFT. This is for accounts that are created manually, outside of the organisation/control tower.
There are a number of issues that talk about this but the full process is unclear to me. Do we need to import that account to the organisation, and then create the account request (as per new account) but with details that match the current account? Do we need to register the account in CT?
Like Andy I have only just become aware of this functionality after having a read through the various issue tickets, so some documentation about this would be welcome.
@andy-townsend thank you for reaching out. I have created a backlog to address your documentation request.
For importing an existing account under AFT management, it needs to be:
- Part of the Organization
- Enrolled with Control Tower
Then you could create an AFT account request with appropriate information about this account.
@snebhu3 thanks for the update. To add to the request, can we also get the docs on how to import the existing CT accounts like Management/Audit/Security etc. into AFT please? I imagine the process is the same, but as they are already in the Org and enrolled with CT, it's just a case of creating the account-request?
@andy-townsend yes, you would need to create an account request to let AFT manage an existing account (part of the organization, and enrolled with CT) created outside of AFT; these could be the Audit / Log Archive / Management accounts too.
The "Note" under "Update an existing account" section does mention this.
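As an added example (not code from this thread or from the AFT project itself), here is what an account request for an existing, already-enrolled account looks like in the `aft-account-request` repository. The field names follow the public `aft-account-request` module; the account email, name, OU and SSO details are placeholders and must be replaced with the values the existing account already has in Control Tower, since a mismatch would make AFT treat the request as a new account rather than an import.

```hcl
# Constructed example: adopt an account that was created manually, added to
# the Organization and enrolled in Control Tower, into AFT management.
# Every value under control_tower_parameters must match the EXISTING account.
module "import_existing_shared_services" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    # Placeholder: the root email the account was created with.
    AccountEmail = "aws-shared-services@example.com"
    # Placeholder: the account name exactly as shown in Organizations.
    AccountName = "shared-services"
    # Placeholder: the OU the account is currently enrolled under in CT.
    ManagedOrganizationalUnit = "Infrastructure"
    # Placeholders: the SSO user already attached by Control Tower enrollment.
    SSOUserEmail     = "aws-shared-services@example.com"
    SSOUserFirstName = "Shared"
    SSOUserLastName  = "Services"
  }

  account_tags = {
    "owner"        = "platform-team"   # constructed tag values
    "aft-imported" = "true"
  }

  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "Bring pre-existing, CT-enrolled account under AFT management"
  }

  custom_fields = {
    environment = "shared"             # constructed; consumed by customizations
  }

  # Placeholder: a folder in aft-account-customizations to apply after import.
  account_customizations_name = "shared-services-customizations"
}
```

Commit this to the `aft-account-request` repository as you would for a new account; because the email and name already exist in Control Tower, AFT picks up the existing account instead of provisioning a fresh one, and the customizations pipeline then runs against it.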
I have a similar question, but I would like to import the AFT-Management account because I want to do some customization to that account.
@dignajar you don't need to import the management account. Follow this doc: https://controltower.aws-management.tools/automation/aft_setup/. Once bootstrap is done, you can simply push to the aft-account-provisioning-customizations repo and it auto updates the management account.
The workflow documented here seems to have been broken in 1.9.0.
When importing an account not provisioned by AFT, the account request trigger lambda now fails with "Unsupported account request" because the imported account does not match any of the if branches.
The documentation at https://docs.aws.amazon.com/controltower/latest/userguide/aft-update-account.html meets the original scope of this issue, so I'm going to close this issue as resolved.
Please track the bug report related to importing existing accounts in https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/319