terraform-aws-control_tower_account_factory

Improve logging when AFT account request is not valid

Open Menahem1 opened this issue 1 year ago • 1 comments

AFT Version: 1.9.0

Bug Description How to find more detailed logs?

To Reproduce Steps to reproduce the behavior:

  1. Add an account not enrolled on CT on AFT
  2. Wait a few minutes...

Expected behavior More detailed errors/logs

Related Logs

[ERROR] RuntimeError: CT Request is not valid
Traceback (most recent call last):
  File "/var/task/aft_account_request_processor.py", line 118, in lambda_handler
    raise RuntimeError("CT Request is not valid")

Menahem1, Feb 27 '23 14:02

Hi @Menahem1,

AFT does not support ingesting existing accounts that have not been enrolled with Control Tower.

Specifically, that error gets thrown here when AFT receives an invalid account request. For this case, I suspect AFT did not find a CT Account Factory SC Product matching the account, and tried to create a new account - however, the request was considered invalid because the name or email was already in use in the organization.

You could find a message in the aft-account-request-action-trigger logs that would confirm if AFT considered this request to be for a new account.

I've also created a backlog to update the logging statements to be more clear here.

stumins, Feb 27 '23 22:02