-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix reading existing organizations accounts #24899
Fix reading existing organizations accounts #24899
Conversation
Hi @YakDriver could you as the last contributor for the govcloud change maybe take a look at the bug this caused, I guess you are already way more into the code than me, Thanks! |
It looks like this was caused by #24447. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Welcome @linkvt 👋
It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.
Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.
Thanks again, and welcome to the community! 😃
@linkvt Thanks for looking at this 👏 . s, err := findCreateAccountStatusByID(conn, d.Id()) is the account ID, not the |
@ewbankkit thanks for the hint, I now understood a bit more of the code and think, that this would rather belong in the I now read in the docs (~line 1769), that there are two accounts created for govcloud, one in govcloud and one in the commercial region for billing
I don't know how the AWS API behaves; does the I have updated my PR to set the govcloud ID in the same location as the account ID was set, but unfortunately can't test it... I guess this issue needs someone with access to GovCloud to test everything. |
@linkvt Thank you for jumping right on this! I will help by taking a look at what you're working on. The priority now is to get this working for commercial accounts, regardless of the govcloud portion. In other words, we want this to not be a regression and then see if govcloud is behaving. I also cannot test on govcloud. |
@YakDriver I think I can test with a commercial account I have that is the main account of an organization (not able to test GovCloud though). |
% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/GovCloud PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/GovCloud' -timeout 180m
=== RUN TestAccOrganizations_serial
=== RUN TestAccOrganizations_serial/Account
=== RUN TestAccOrganizations_serial/Account/GovCloud
acctest.go:1018: skipping test for aws/us-west-2: Error running apply: exit status 1
Error: error creating AWS Organizations Account (tf_acctest_3683535191489411103): ConstraintViolationException: Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.
{
RespMetadata: {
StatusCode: 400,
RequestID: "dbeb1d92-5195-49b3-9d35-f94cd047bd04"
},
Message_: "Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.",
Reason: "MASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED"
}
with aws_organizations_account.test,
on terraform_plugin_test.tf line 2, in resource "aws_organizations_account" "test":
2: resource "aws_organizations_account" "test" {
--- PASS: TestAccOrganizations_serial (8.08s)
--- PASS: TestAccOrganizations_serial/Account (8.08s)
--- SKIP: TestAccOrganizations_serial/Account/GovCloud (8.08s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/organizations 11.968s |
% make providerlint
==> Checking source code with providerlint... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🚀.
% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/CloseOnDeletion PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/CloseOnDeletion' -timeout 180m
=== RUN TestAccOrganizations_serial
=== RUN TestAccOrganizations_serial/Account
=== RUN TestAccOrganizations_serial/Account/CloseOnDeletion
testing_new.go:87: Error running post-test destroy, there may be dangling resources: exit status 1
Error: error deleting AWS Organizations Account (123456789012): ConstraintViolationException: You have exceeded close account quota for the past 30 days.
{
RespMetadata: {
StatusCode: 400,
RequestID: "c59e13ef-e478-4dbe-bb1e-9c2647ff293c"
},
Message_: "You have exceeded close account quota for the past 30 days.",
Reason: "CLOSE_ACCOUNT_QUOTA_EXCEEDED"
}
--- FAIL: TestAccOrganizations_serial (28.65s)
--- FAIL: TestAccOrganizations_serial/Account (28.65s)
--- FAIL: TestAccOrganizations_serial/Account/CloseOnDeletion (28.65s)
FAIL
FAIL github.com/hashicorp/terraform-provider-aws/internal/service/organizations 32.896s
FAIL
make: *** [testacc] Error 1
The failure is unrelated to this change - the account was successfully created and read.
@linkvt Thanks for the contribution 🎉 👏. |
We have started the release for this fix now. Should be available in a couple of hours. |
This functionality has been released in v4.15.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Relates OR Closes #24897
During every account read (also of existing accounts) the create account status is read here
terraform-provider-aws/internal/service/organizations/account.go
Line 199 in 5b2d3d9
which calls the following SDK function
terraform-provider-aws/internal/service/organizations/account.go
Line 390 in 5b2d3d9
As per the AWS docs, this
DescribeCreateAccountStatus
function can only be called with the ID of the account creation which looks like this^car-[a-z0-9]{8,32}$
.For existing accounts
d.Id()
is the account id (12 digit number) which causes this function to fail with the following errorSorry I did not understand how to do the testing after reading the docs and also have no way of testing a govcloud account - Support is appreciated - or just go ahead and reuse this fix in a new PR.
TODOs