Cannot get the name of the account being provisioned using the global-customizations pipeline

[nitrocode]

trafficstars

How do you get the name of the account for each global customization run ?

I see that the VENDED_ACCOUNT_ID env var is passed in, but is it possible to get the name of the account that was used within the account request?

The only way I can think of this is by creating a custom map of account ID to account name.

# VENDED_ACCOUNT_ID="1234567890"
# This map has to be manually maintained
accounts=(
    [1234567890]="sandbox"
)

VENDED_ACCOUNT_NAME=${accounts[$VENDED_ACCOUNT_ID]}

echo "VENDED_ACCOUNT_ID: $VENDED_ACCOUNT_ID"
echo "VENDED_ACCOUNT_NAME: $VENDED_ACCOUNT_NAME"

It doesn't seem like an account alias is created for each account either...

aws iam list-account-aliases --query 'AccountAliases[]' --output text

It would be nice if terraform or a lambda was used to create an alias when a new account is provisioned. That way we wouldn't have to maintain the above map.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias

resource "aws_iam_account_alias" "alias" {
  account_alias = "sandbox"
}

[nitrocode]

Hmmm. Another way to do this is to add a new item to custom_fields

locals {
  sandbox_account_name = "sandbox"
}

module "sandbox" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    # ...
    AccountName               = local.sandbox_account_name
    # ...
  }

  # ...

  custom_fields = {
    account_name = local.sandbox_account_name
  }

  account_customization_name = local.sandbox_account_name
}

Then the account will contain an SSM param of /aft/account-request/custom-fields/account_name which can then be retrieved in a script.

[nitrocode]

It would be nice to have a better way of doing this since we're providing the account name 3 times in the module arguments but for now this is no longer a blocker.

Let's keep this open for now. I'd love to see this automatically added as a new SSM parameter, preferably in some directory structure so we can grab a full account id to account name map using awscli.

[damovsky]

hi, you can get account name the same way as VENDED_ACCOUNT_ID

      - |
        ACCOUNT_NAME=$(aws dynamodb get-item --table-name aft-request-metadata --key "{\"id\": {\"S\": \"$VENDED_ACCOUNT_ID\"}}" --attributes-to-get "account_name" | jq --raw-output ".Item.account_name.S")
      - echo $ACCOUNT_NAME
     

[casimcdaniels]

@damovsky Do you have a full working example from a pre/post build script?

@nitrocode Did you ever find a better way to pass variables (like account name) to terraform?

As a bit of a rant, the lack of documentation or examples for how to do even basic things is a huge pain point for this workflow.