terraform-aws-control_tower_account_factory
terraform-aws-control_tower_account_factory copied to clipboard
aws-ia
Confusing variable names for AWSAFTExection
Terraform Version & Prov:
AFT Version: 1.12.2
Terraform Version & Provider Versions
Please provide the outputs of terraform version and terraform providers from within your AFT environment
terraform version
{Replace me}
terraform providers
{Replace me}
Bug Description
I think aft_admin_role_arn should be aft_exec_role_arn.
$ aws ssm get-parameters-by-path --path "/aft/resources/iam/" --query 'Parameters[*].Name.[@]' --output text
/aft/resources/iam/aft-administrator-role-name
/aft/resources/iam/aft-execution-role-name
/aft/resources/iam/aft-session-name
$ git grep --name-only "aft_admin_role_arn"
examples/multiple-account-customizations/account-customization-dev/terraform/backend.jinja
examples/multiple-account-customizations/account-customization-prod/terraform/backend.jinja
examples/multiple-regions-customization/multiple-regions/terraform/backend.jinja
modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml
modules/aft-code-repositories/buildspecs/ct-aft-account-request.yml
modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml
modules/aft-customizations/buildspecs/aft-global-customizations-terraform.yml
modules/aft-iam-roles/outputs.tf
sources/aft-customizations-repos/aft-account-customizations/ACCOUNT_TEMPLATE/terraform/backend.jinja
sources/aft-customizations-repos/aft-account-provisioning-customizations/terraform/aft-providers.jinja
sources/aft-customizations-repos/aft-account-provisioning-customizations/terraform/backend.jinja
sources/aft-customizations-repos/aft-account-request/terraform/aft-providers.jinja
sources/aft-customizations-repos/aft-account-request/terraform/backend.jinja
sources/aft-customizations-repos/aft-global-customizations/terraform/backend.jinja
To Reproduce Steps to reproduce the behavior:
- Go to '...'
- Click on '....'
- Scroll down to '....'
- See error
Expected behavior A clear and concise description of what you expected to happen.
Related Logs Provide any related logs or error messages to help explain your problem.
Additional context Add any other context about the problem here.
@hacker65536 thank you for reaching out. Please may you elaborate on why you would require this change of variable names? You could read more on AFT required roles here.
@snebhu3
Sorry I am not explaining it well. This is about buildspec.yaml and jinja template.
I think the variable name aft_admin_role_arn should be aft_exec_role_arn because the actual content of the variable name aft_admin_role_arn is arn:aws:iam::*:role/AWSAFTExecution.
e.g.
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/aee036db9d4926d60fd48a04fbc1d70917749456/modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml#L70
Thanks for reporting this @hacker65536 , I agree that the variable name can be confusing. aft_admin_role_arn is used in Jinja2 templates as well as TF outputs, so if we rename them, it will unfortunately break existing customer integrations. So, it's safest for us to keep this named as it is.
