terraform-aws-control_tower_account_factory
Pagination issue on Lambda aft-account-request-action-trigger
AFT Version: 1.6.3 and below
Issue:
When an account is modified by the user in aft-account-request repository, modification is interpreted as a request for creation because of a pagination bug in lambda aft-account-request-action-trigger.
This lambda first checks provisioned products in AWS Service Catalog to check if a product exists for the email provided. If it's the case it will send an UPDATE message to aft-queue, otherwise a CREATE message. When there are more than 100 provisioned products, the function may perform a pagination and it's where the bug may happen (cf. below), that will lead the function to send a CREATE message even if the provisioned product exists and is in valid state.
This is quite a serious bug that needs an urgent fix. We have been forced to fork the repository as a workaround.
Technical Detail:
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/sources/aft-lambda-layer/aft_common/account_request_framework.py#L89
The following line should be inserted: provisioned_products = response["ProvisionedProducts"]
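The failure mode described in the report, reproduced offline as an added example (not the AFT source and not code from the reporter). `FakeServiceCatalog`, the `email` field on each record, and the function names are hypothetical stand-ins; the data is constructed, 150 records served 100 per page.

```python
class FakeServiceCatalog:
    """Stand-in client: serves constructed records in pages of `page_size`."""
    def __init__(self, products, page_size=100):
        self._products, self._page_size = products, page_size

    def search_provisioned_products(self, PageToken=None):
        start = int(PageToken or 0)
        end = start + self._page_size
        response = {"ProvisionedProducts": self._products[start:end]}
        if end < len(self._products):
            response["NextPageToken"] = str(end)
        return response


def exists_buggy(client, email):
    """Fetches later pages but keeps scanning the first page's list."""
    response = client.search_provisioned_products()
    provisioned_products = response["ProvisionedProducts"]
    while True:
        if any(p["email"] == email for p in provisioned_products):
            return True
        if "NextPageToken" not in response:
            return False
        response = client.search_provisioned_products(PageToken=response["NextPageToken"])
        # Bug: provisioned_products still points at page 1 here.


def exists_fixed(client, email):
    """Same loop, with the list refreshed after every page fetch."""
    response = client.search_provisioned_products()
    provisioned_products = response["ProvisionedProducts"]
    while True:
        if any(p["email"] == email for p in provisioned_products):
            return True
        if "NextPageToken" not in response:
            return False
        response = client.search_provisioned_products(PageToken=response["NextPageToken"])
        provisioned_products = response["ProvisionedProducts"]  # line from the report


def action_for(exists):
    """Message type sent to the queue, per the report."""
    return "UPDATE" if exists else "CREATE"


# Constructed sample: acct120 lands on the second page.
PRODUCTS = [{"email": f"acct{i}@example.com"} for i in range(150)]
CLIENT = FakeServiceCatalog(PRODUCTS)
```

An account on the first page is classified correctly by both versions, which is why the defect only surfaces once the provisioned-product count passes one page.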
Thanks for bringing this to our attention @emmanueldiquas, I've gone ahead and made a backlog to address this feature request!
@emmanueldiquas We just released 1.6.4 which fixes this bug. Thanks for the report!
@stumins Many thanks!!! This one is also very blocking, when you have time :))) => https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/223