Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AFT installation fails in eu-south-1 (Milan) region #501

Open
stemons opened this issue Oct 7, 2024 · 0 comments
Open

AFT installation fails in eu-south-1 (Milan) region #501

stemons opened this issue Oct 7, 2024 · 0 comments
Labels
bug Something isn't working pending investigation Issue needs further investigation

Comments

@stemons
Copy link

stemons commented Oct 7, 2024

Terraform Version & Prov:

AFT Version:
(Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Terraform Version & Provider Versions
Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

1.13.1

terraform providers

1.9.0

Bug Description
We have a Control Tower installation in eu-south-1 region and we're trying to deploy AFT in the same region. During the terraform plan execution we're getting the following error:

│ Error: reading SSM Parameters by path (/aws/service/global-infrastructure/services/servicecatalog/regions): operation error SSM: GetParametersByPath, https response error StatusCode: 400, RequestID: a951c28c-e2cc-485f-8df7-15f37a44a770, api error AccessDeniedException: No access to "/aws/" namespace: aws/service/global-infrastructure is not a valid namespace │ │ with module.aft.data.aws_ssm_parameters_by_path.servicecatalog_regional_data[0], │ on .terraform/modules/aft/data.tf line 12, in data "aws_ssm_parameters_by_path" "servicecatalog_regional_data": │ 12: data "aws_ssm_parameters_by_path" "servicecatalog_regional_data" {

This data lookup can't be executed in Milan region since the global public parameters are not available in that region. However, there is no limitation in that region as per official Control Tower documentation (https://docs.aws.amazon.com/controltower/latest/userguide/limits.html). The expectation is to be able to install AFT also in Milan region as already done for version < 1.12.1.

To Reproduce
Install AFT with eu-south-1 as primary region

Expected behavior
I expect to complete the aft deployment in eu-south-1 region

Related Logs
│ Error: reading SSM Parameters by path (/aws/service/global-infrastructure/services/servicecatalog/regions): operation error SSM: GetParametersByPath, https response error StatusCode: 400, RequestID: a951c28c-e2cc-485f-8df7-15f37a44a770, api error AccessDeniedException: No access to "/aws/" namespace: aws/service/global-infrastructure is not a valid namespace

│ with module.aft.data.aws_ssm_parameters_by_path.servicecatalog_regional_data[0],
│ on .terraform/modules/aft/data.tf line 12, in data "aws_ssm_parameters_by_path" "servicecatalog_regional_data":
│ 12: data "aws_ssm_parameters_by_path" "servicecatalog_regional_data" {
@stemons stemons added bug Something isn't working pending investigation Issue needs further investigation labels Oct 7, 2024
pitfunie added a commit to pitfunie/-terraform-terraform-create-aws-control_tower_account_factory that referenced this issue Oct 14, 2024
@pitfunie
Update README.md
5c67eff 
 AFT installation fails in eu-south-1 (Milan) region aws-ia#501
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working pending investigation Issue needs further investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stemons