
Tracking Account Creation & Customisation

Open aoriord2 opened this issue 1 year ago • 3 comments

This is not a bug or feature request, but rather a query about monitoring the framework.

Environment

Account Factory for Terraform 1.6.4

Query

I am looking to find a way to trace/track/monitor the requests that pass through AFT. Specifically, what I'd like to do is:

  1. Track an account request through the pipeline (Identify the account information and trace this as the account is provisioned and customised)
  2. Track account customisations (Identify the customisation and trace until completion)

The purpose of this is to find and monitor the progress of requests from an external self-service tool. I'm relatively new to AFT, but I believe there is a Request ID that is generated when a request is received.

  • Does this Request ID persist through the various parts of AFT (CodeBuild, CodePipeline, Lambdas etc.)?
  • Can a Request ID be mapped to the original request?

Ideally, the end scenario would be:

  1. Submit a request to AFT
  2. Retrieve an identifier from AFT related to the request
  3. Query AFT with the identifier to check provisioning, customisation or completion

If anyone has any suggestions regarding the best approach to this or experience with this scenario I would be most grateful.

Thanks for your time!

aoriord2 · Feb 13 '24 12:02

Hey @aoriord2!

For AFT account requests we create an Amazon DynamoDB table in the AFT management account, which stores account requests, audit history of account updates, account metadata, and AWS Control Tower lifecycle events.

For account customizations we support request tracing. Every time you submit an account customization request, AFT generates a unique tracing token that passes through an AFT customizations AWS Step Functions state machine, which logs the token as part of its execution. You can then use Amazon CloudWatch Logs Insights queries to search timestamp ranges and retrieve the request token. As a result, you can see the payloads that accompany the token, so you can trace your account customization request throughout the entire AFT workflow.

Here are example CloudWatch Logs Insights queries you could use to filter the CloudWatch Logs related to your customization request by target account or by customization request ID:

https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html#aft-customization-request

hanafya · Feb 22 '24 22:02

Also, please note that tracing is available only for the Lambda steps and not for CodeBuild and CodePipeline.

hanafya · Feb 22 '24 22:02
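The tracing approach described in the two comments above, as an added example that is not AFT's own code: it groups Step Functions log events by the customization request token, builds the matching Logs Insights query, and derives a per-request status, while skipping CodeBuild/CodePipeline lines that carry no token. The field names (`customization_request_id`, `account_id`, `step`, `status`), the step names and the sample log lines are constructed assumptions, not AFT's real log schema.

```python
import json
from collections import defaultdict

# Constructed sample events (not real AFT output), shaped like what the Lambda
# steps of the customizations state machine might log; three requests interleave.
SAMPLE_LOG_LINES = [
    '{"time":"2024-02-13T12:00:01Z","log_message":{"detail":{"customization_request_id":"req-aaaa","account_id":"111111111111","step":"identify-targets","status":"SUCCEEDED"}}}',
    '{"time":"2024-02-13T12:00:03Z","log_message":{"detail":{"customization_request_id":"req-bbbb","account_id":"222222222222","step":"identify-targets","status":"SUCCEEDED"}}}',
    '[Container] Running command terraform apply',  # CodeBuild output: no token, skipped
    '{"time":"2024-02-13T12:04:10Z","log_message":{"detail":{"customization_request_id":"req-aaaa","account_id":"111111111111","step":"invoke-customizations","status":"SUCCEEDED"}}}',
    '{"time":"2024-02-13T12:04:12Z","log_message":{"detail":{"customization_request_id":"req-bbbb","account_id":"222222222222","step":"invoke-customizations","status":"FAILED"}}}',
    '{"time":"2024-02-13T12:05:00Z","log_message":{"detail":{"customization_request_id":"req-cccc","account_id":"333333333333","step":"identify-targets","status":"SUCCEEDED"}}}',
    '{"time":"2024-02-13T12:09:00Z","log_message":{"detail":{"customization_request_id":"req-aaaa","account_id":"111111111111","step":"notify-success","status":"SUCCEEDED"}}}',
]
FINAL_STEP = "notify-success"  # assumed name of the terminal state machine step

def build_insights_query(request_id):
    """CloudWatch Logs Insights query for one request token (assumed field names)."""
    return (
        "fields @timestamp, log_message.detail.account_id, log_message.detail.step, log_message.detail.status\n"
        "| sort @timestamp asc\n"
        f'| filter log_message.detail.customization_request_id = "{request_id}"'
    )

def trace_requests(lines):
    """Group tracing events by request token, oldest first, ignoring untraced lines."""
    timelines = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
            detail = event["log_message"]["detail"]
        except (ValueError, KeyError, TypeError):
            continue  # CodeBuild/CodePipeline output carries no tracing token
        rid = detail.get("customization_request_id")
        if rid:
            timelines[rid].append({"time": event["time"], **detail})
    return {rid: sorted(ev, key=lambda e: e["time"]) for rid, ev in timelines.items()}

def request_status(events):
    """COMPLETED once the final step succeeded, FAILED on any failed step, else IN_PROGRESS."""
    if any(e["status"] == "FAILED" for e in events):
        return "FAILED"
    if any(e["step"] == FINAL_STEP and e["status"] == "SUCCEEDED" for e in events):
        return "COMPLETED"
    return "IN_PROGRESS"

if __name__ == "__main__":
    for rid, events in trace_requests(SAMPLE_LOG_LINES).items():
        steps = " -> ".join(f'{e["step"]}:{e["status"]}' for e in events)
        print(f"{rid} ({events[0]['account_id']}): {request_status(events)} [{steps}]")
```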

Thanks for the detailed information @hanafya, that helps a lot!

aoriord2 · Mar 05 '24 10:03