ADF account creation bug - account alias is always set to account name if value is left empty

[mdaehnert]

Description

When an account is added to git:aws-deployment-framework-bootstrap/adf-accounts/adf.yml without an account alias, the account name is used as alias. This leads to errors as account names (e.g.) can contain spaces, account aliases don't.

Info

• ADF version: 3.0.5
• Reproducible: Always

Observed Behavior

Error on creation of AWS account with ADF. (@see stacktrace below). Account name will be set to account alias.

Expected Behavior

Do not set AWS account alias if not explicity set, because:

• account alias has different pattern requirements (^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$) than account names ([\u0020-\u007E]+)
• account alias are world unique. Which means an account name like "app-test-1" can only be created once globally.

Steps to reproduce

1. Go into aws-deployment-framework-bootstrap CodeCommit repository
2. Add an account on adf-accounts/adf.yml with the following information (please leave account_alias out)

accounts:
  - account_full_name: Bug recreation with a space
    organizational_unit_path: /apps
    email: [email protected]
    allow_billing: False
    delete_default_vpc: False
    tags:
      - created_by: adf

3. Check aws-deployment-framework-base-templates CodeBuild project for the upcoming error. (+see stacktrace below)

Additional info

Places to look for the errornous behaviour:

• alias is set to account name value
• no check if Alias is set
• ADF will always try to set alias

Slightly related issue:

• ADF fails to update account alias with new account - comment mentions asks for better alias error if it is already existing

Stacktrace on error:

[Container] 2020/04/21 11:32:01 Running command python adf-build/provisioner/main.py
2020-04-21 11:32:01,362 | INFO | __main__ | Found 1 account(s) in configuration file(s). | (main.py:27)
2020-04-21 11:32:01,533 | INFO | __main__ | Creating new account Something with a space | (main.py:46)
2020-04-21 11:32:32,320 | INFO | __main__ | Ensuring account 123456789012 (alias Something-without-a-space) is in OU /apps | (main.py:56)
2020-04-21 11:32:32,871 | INFO | __main__ | Ensuring account alias for ^123456789012 of Something with a space | (main.py:82)
Traceback (most recent call last):
  File "adf-build/provisioner/main.py", line 100, in <module>
    main()
  File "adf-build/provisioner/main.py", line 37, in main
    create_or_update_account(organizations, account, adf_role_name, account_id)
  File "adf-build/provisioner/main.py", line 83, in create_or_update_account
    org_session.create_account_alias(account.alias, role)
  File "/codebuild/output/src864432504/src/adf-build/shared/python/organizations.py", line 326, in create_account_alias
    iam_client.create_account_alias(AccountAlias=account_alias)
  File "/root/.pyenv/versions/3.7.6/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/.pyenv/versions/3.7.6/lib/python3.7/site-packages/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the CreateAccountAlias operation: The specified value for accountAlias is invalid. It must contain only digits, lowercase letters, and hyphens (-), but cannot begin or end with a hyphen.

[Container] 2020/04/21 11:32:33 Command did not exit successfully python adf-build/provisioner/main.py exit status 1
[Container] 2020/04/21 11:32:33 Phase complete: BUILD State: FAILED
[Container] 2020/04/21 11:32:33 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: python adf-build/provisioner/main.py. Reason: exit status 1
[Container] 2020/04/21 11:32:33 Entering phase POST_BUILD
[Container] 2020/04/21 11:32:33 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2020/04/21 11:32:33 Phase context status code:  Message: 

[javydekoning]

Probably not the prettiest Regex, but we could sanitize it like this for example:

wordlist = [' This Should Not Be Allowed!', '-Neither would this!-','this-is-fine','But this isn\'t',' not allowed whitespace 	']
for a in wordlist: 
	re.sub('[^a-z0-9-]','', re.sub('\s','-', a.lower())).strip('-')

Output:

'this-should-not-be-allowed'
'neither-would-this'
'this-is-fine'
'but-this-isnt'
'not-allowed-whitespace'

[mdaehnert]

Good idea @javydekoning to fix the outcome, but the root cause is still unclear: Is it really neccessary to set alias if the account creator doesn't want to set it? Why do we actually set alias automatically?

[mdaehnert]

Almost forgot: It works, thanks a lot.