Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix reading existing organizations accounts #24899

Merged
merged 6 commits into from
May 20, 2022
Merged

Fix reading existing organizations accounts #24899

merged 6 commits into from
May 20, 2022

Conversation

linkvt
Copy link
Contributor

@linkvt linkvt commented May 20, 2022

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #24897

During every account read (also of existing accounts) the create account status is read here

s, err := findCreateAccountStatusByID(conn, d.Id())

which calls the following SDK function
output, err := conn.DescribeCreateAccountStatus(input)

As per the AWS docs, this DescribeCreateAccountStatus function can only be called with the ID of the account creation which looks like this ^car-[a-z0-9]{8,32}$.
For existing accounts d.Id() is the account id (12 digit number) which causes this function to fail with the following error

-----------------------------------------------------: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.246+0200 [DEBUG] provider.terraform-provider-aws_v4.15.0_x5: [aws-sdk-go] {"__type":"InvalidInputException","Message":"You provided a value that does not match the required pattern.","Reason":"INVALID_PATTERN:CREATE_ACCOUNT_REQUEST_ID"}: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.246+0200 [DEBUG] provider.terraform-provider-aws_v4.15.0_x5: [aws-sdk-go] DEBUG: Validate Response organizations/DescribeCreateAccountStatus failed, attempt 0/25, error InvalidInputException: You provided a value that does not match the required pattern.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "censored"
  },
  Message_: "You provided a value that does not match the required pattern.",
  Reason: "INVALID_PATTERN:CREATE_ACCOUNT_REQUEST_ID"
}: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.247+0200 [ERROR] vertex "censored" error: finding AWS Organizations Create Account Status (censored): InvalidInputException: You provided a value that does not match the required pattern.

Sorry I did not understand how to do the testing after reading the docs and also have no way of testing a govcloud account - Support is appreciated - or just go ahead and reuse this fix in a new PR.

TODOs

  • Changelog
  • Testing

@linkvt
Copy link
Contributor Author

linkvt commented May 20, 2022

Hi @YakDriver could you as the last contributor for the govcloud change maybe take a look at the bug this caused, I guess you are already way more into the code than me, Thanks!

@ewbankkit
Copy link
Contributor

It looks like this was caused by #24447.

@github-actions github-actions bot added service/organizations Issues and PRs that pertain to the organizations service. needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. labels May 20, 2022
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @linkvt 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@ewbankkit ewbankkit added bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels May 20, 2022
@ewbankkit
Copy link
Contributor

@linkvt Thanks for looking at this 👏 .
I don't think the original code was working in the new account creation case either as the ID passed here

s, err := findCreateAccountStatusByID(conn, d.Id()) 

is the account ID, not the CreateAccountRequestId.
We may need to do something with the ListCreateAccountStatus API to get that ID in resource Read.

@linkvt
Copy link
Contributor Author

linkvt commented May 20, 2022

@ewbankkit thanks for the hint, I now understood a bit more of the code and think, that this would rather belong in the resourceAccountCreate function, which already contains some code that waits for the account to be created.

I now read in the docs (~line 1769), that there are two accounts created for govcloud, one in govcloud and one in the commercial region for billing

// When you call the CreateGovCloudAccount action, you create two accounts:
// a standalone account in the Amazon Web Services GovCloud (US) Region and
// an associated account in the commercial Region for billing and support purposes.
// The account in the commercial Region is automatically a member of the organization
// whose credentials made the request. Both accounts are associated with the
// same email address.

I don't know how the AWS API behaves; does the CreateAccountStatus field contain both account ids or possibly also only one (e.g. if govcloud is created first and commercial takes a few seconds longer).

I have updated my PR to set the govcloud ID in the same location as the account ID was set, but unfortunately can't test it... I guess this issue needs someone with access to GovCloud to test everything.

@YakDriver
Copy link
Member

@linkvt Thank you for jumping right on this! I will help by taking a look at what you're working on. The priority now is to get this working for commercial accounts, regardless of the govcloud portion. In other words, we want this to not be a regression and then see if govcloud is behaving. I also cannot test on govcloud.

@YakDriver YakDriver self-assigned this May 20, 2022
@ewbankkit
Copy link
Contributor

@YakDriver I think I can test with a commercial account I have that is the main account of an organization (not able to test GovCloud though).

@linkvt linkvt marked this pull request as ready for review May 20, 2022 20:16
@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/S Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 20, 2022
@ewbankkit
Copy link
Contributor

% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/GovCloud PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/GovCloud'  -timeout 180m
=== RUN   TestAccOrganizations_serial
=== RUN   TestAccOrganizations_serial/Account
=== RUN   TestAccOrganizations_serial/Account/GovCloud
    acctest.go:1018: skipping test for aws/us-west-2: Error running apply: exit status 1
        
        Error: error creating AWS Organizations Account (tf_acctest_3683535191489411103): ConstraintViolationException: Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.
        {
          RespMetadata: {
            StatusCode: 400,
            RequestID: "dbeb1d92-5195-49b3-9d35-f94cd047bd04"
          },
          Message_: "Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.",
          Reason: "MASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED"
        }
        
          with aws_organizations_account.test,
          on terraform_plugin_test.tf line 2, in resource "aws_organizations_account" "test":
           2: resource "aws_organizations_account" "test" {
        
--- PASS: TestAccOrganizations_serial (8.08s)
    --- PASS: TestAccOrganizations_serial/Account (8.08s)
        --- SKIP: TestAccOrganizations_serial/Account/GovCloud (8.08s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/organizations	11.968s

@ewbankkit
Copy link
Contributor

% make providerlint
==> Checking source code with providerlint...

Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/CloseOnDeletion PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/CloseOnDeletion'  -timeout 180m
=== RUN   TestAccOrganizations_serial
=== RUN   TestAccOrganizations_serial/Account
=== RUN   TestAccOrganizations_serial/Account/CloseOnDeletion
    testing_new.go:87: Error running post-test destroy, there may be dangling resources: exit status 1
        
        Error: error deleting AWS Organizations Account (123456789012): ConstraintViolationException: You have exceeded close account quota for the past 30 days.
        {
          RespMetadata: {
            StatusCode: 400,
            RequestID: "c59e13ef-e478-4dbe-bb1e-9c2647ff293c"
          },
          Message_: "You have exceeded close account quota for the past 30 days.",
          Reason: "CLOSE_ACCOUNT_QUOTA_EXCEEDED"
        }
        
--- FAIL: TestAccOrganizations_serial (28.65s)
    --- FAIL: TestAccOrganizations_serial/Account (28.65s)
        --- FAIL: TestAccOrganizations_serial/Account/CloseOnDeletion (28.65s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/organizations	32.896s
FAIL
make: *** [testacc] Error 1

The failure is unrelated to this change - the account was successfully created and read.

@github-actions github-actions bot removed the size/S Managed by automation to categorize the size of a PR. label May 20, 2022
@github-actions github-actions bot added size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 20, 2022
@YakDriver YakDriver merged commit 35642e5 into hashicorp:main May 20, 2022
@github-actions github-actions bot added this to the v4.16.0 milestone May 20, 2022
@linkvt linkvt deleted the fix-reading-existing-aws-organizations-accounts branch May 20, 2022 21:24
@ewbankkit ewbankkit modified the milestones: v4.16.0, v4.15.1 May 20, 2022
@ewbankkit
Copy link
Contributor

@linkvt Thanks for the contribution 🎉 👏.

@ewbankkit
Copy link
Contributor

We have started the release for this fix now. Should be available in a couple of hours.

@github-actions
Copy link

This functionality has been released in v4.15.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 20, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/organizations Issues and PRs that pertain to the organizations service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws_organizations_account (v4.15.0): Create Account Status does not validate
3 participants