Release: 1.3.4

.github/ISSUE_TEMPLATE/bug_report_template.md

@@ -0,0 +1,42 @@
+---
+name: Bug/Issue
+about: Use this to report bugs with AFT.
+labels: bug, pending investigation
+---
+
+**Terraform Version & Prov:**
+
+**AFT Version:**
+(Can be found in the AFT Management Account in the SSM Parameter `/aft/config/aft/version`)
+
+**Terraform Version & Provider Versions**
+Please provide the outputs of `terraform version` and `terraform providers` from within your AFT environment
+
+`terraform version`
+```
+{Replace me}
+```
+
+`terraform providers`
+```
+{Replace me}
+```
+
+**Bug Description**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Related Logs**
+Provide any related logs or error messages to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request_template.md

@@ -0,0 +1,17 @@
+---
+name: Feature Request
+about: Suggest ideas or enhancements for AFT.
+labels: enhancement
+---
+
+**Describe the outcome you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Is your feature request related to a problem you are currently experiencing? If so, please describe.**
+
+A clear and concise description of what the problem is.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.

.github/pull_request_template.md

@@ -0,0 +1,7 @@
+# Contributing to the AWS Control Tower Account Factory for Terraform
+
+Thank you for your interest in contributing to the AWS Control Tower Account Factory for Terraform.
+
+At this time, we are not accepting contributions. If contributions are accepted in the future, the AWS Control Tower Account Factory for Terraform is released under the [Apache license](http://aws.amazon.com/apache2.0/) and any code submitted will be released under that license.
+
+If you have a feature request, please create an issue using the Feature Request template, thanks!

.gitignore

@@ -190,6 +190,7 @@ cython_debug/
 .tflint.hcl
 .terraform.lock.hcl
 backend.tf
+.terraform
 
 # Local .terraform directories
 **/.terraform/*

CODEOWNERS

@@ -1 +1 @@
-@balltrev @adam-daily @hanafya @tonynv @andrew-glenn
+@balltrev @adam-daily @hanafya @tonynv @andrew-glenn @stumins @snebhu3 @aws-ia/aws-ia-terraform-core

README.md

@@ -56,19 +56,18 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 
 
 <!-- BEGIN_TF_DOCS -->
-
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.1.0 |
 
 ## Modules
 
@@ -83,6 +82,7 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 | <a name="module_aft_iam_roles"></a> [aft\_iam\_roles](#module\_aft\_iam\_roles) | ./modules/aft-iam-roles | n/a |
 | <a name="module_aft_lambda_layer"></a> [aft\_lambda\_layer](#module\_aft\_lambda\_layer) | ./modules/aft-lambda-layer | n/a |
 | <a name="module_aft_ssm_parameters"></a> [aft\_ssm\_parameters](#module\_aft\_ssm\_parameters) | ./modules/aft-ssm-parameters | n/a |
+| <a name="module_packaging"></a> [packaging](#module\_packaging) | ./modules/aft-archives | n/a |
 
 ## Resources
 
@@ -104,19 +104,20 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 | <a name="input_aft_feature_delete_default_vpcs_enabled"></a> [aft\_feature\_delete\_default\_vpcs\_enabled](#input\_aft\_feature\_delete\_default\_vpcs\_enabled) | Feature flag toggling deletion of default VPCs on/off | `bool` | `false` | no |
 | <a name="input_aft_feature_enterprise_support"></a> [aft\_feature\_enterprise\_support](#input\_aft\_feature\_enterprise\_support) | Feature flag toggling Enterprise Support enrollment on/off | `bool` | `false` | no |
 | <a name="input_aft_framework_repo_git_ref"></a> [aft\_framework\_repo\_git\_ref](#input\_aft\_framework\_repo\_git\_ref) | Git branch from which the AFT framework should be sourced from | `string` | `"main"` | no |
-| <a name="input_aft_framework_repo_url"></a> [aft\_framework\_repo\_url](#input\_aft\_framework\_repo\_url) | Git repo URL where the AFT framework should be sourced from | `string` | `"git@github.com:aws-ia/terraform-aws-control_tower_account_factory.git"` | no |
+| <a name="input_aft_framework_repo_url"></a> [aft\_framework\_repo\_url](#input\_aft\_framework\_repo\_url) | Git repo URL where the AFT framework should be sourced from | `string` | `"https://github.com/aws-ia/terraform-aws-control_tower_account_factory.git"` | no |
 | <a name="input_aft_management_account_id"></a> [aft\_management\_account\_id](#input\_aft\_management\_account\_id) | AFT Management Account ID | `string` | n/a | yes |
 | <a name="input_aft_vpc_cidr"></a> [aft\_vpc\_cidr](#input\_aft\_vpc\_cidr) | CIDR Block to allocate to the AFT VPC | `string` | `"192.168.0.0/22"` | no |
+| <a name="input_aft_vpc_endpoints"></a> [aft\_vpc\_endpoints](#input\_aft\_vpc\_endpoints) | Flag turning VPC endpoints on/off for AFT VPC | `bool` | `true` | no |
 | <a name="input_aft_vpc_private_subnet_01_cidr"></a> [aft\_vpc\_private\_subnet\_01\_cidr](#input\_aft\_vpc\_private\_subnet\_01\_cidr) | CIDR Block to allocate to the Private Subnet 01 | `string` | `"192.168.0.0/24"` | no |
 | <a name="input_aft_vpc_private_subnet_02_cidr"></a> [aft\_vpc\_private\_subnet\_02\_cidr](#input\_aft\_vpc\_private\_subnet\_02\_cidr) | CIDR Block to allocate to the Private Subnet 02 | `string` | `"192.168.1.0/24"` | no |
 | <a name="input_aft_vpc_public_subnet_01_cidr"></a> [aft\_vpc\_public\_subnet\_01\_cidr](#input\_aft\_vpc\_public\_subnet\_01\_cidr) | CIDR Block to allocate to the Public Subnet 01 | `string` | `"192.168.2.0/25"` | no |
 | <a name="input_aft_vpc_public_subnet_02_cidr"></a> [aft\_vpc\_public\_subnet\_02\_cidr](#input\_aft\_vpc\_public\_subnet\_02\_cidr) | CIDR Block to allocate to the Public Subnet 02 | `string` | `"192.168.2.128/25"` | no |
-| <a name="input_aft_vpc_endpoints"></a> [aft\_vpc\_endpoints](#input\_aft\_vpc\_endpoints) | Flag turning VPC endpoints on/off for AFT VPC | `bool` | `true` | no |
 | <a name="input_audit_account_id"></a> [audit\_account\_id](#input\_audit\_account\_id) | Audit Account Id | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | Amount of days to keep CloudWatch Log Groups for Lambda functions. 0 = Never Expire | `string` | `"0"` | no |
 | <a name="input_ct_home_region"></a> [ct\_home\_region](#input\_ct\_home\_region) | The region from which this module will be executed. This MUST be the same region as Control Tower is deployed. | `string` | n/a | yes |
 | <a name="input_ct_management_account_id"></a> [ct\_management\_account\_id](#input\_ct\_management\_account\_id) | Control Tower Management Account Id | `string` | n/a | yes |
 | <a name="input_github_enterprise_url"></a> [github\_enterprise\_url](#input\_github\_enterprise\_url) | GitHub enterprise URL, if GitHub Enterprise is being used | `string` | `"null"` | no |
+| <a name="input_global_codebuild_timeout"></a> [global\_codebuild\_timeout](#input\_global\_codebuild\_timeout) | Codebuild build timeout | `number` | `60` | no |
 | <a name="input_global_customizations_repo_branch"></a> [global\_customizations\_repo\_branch](#input\_global\_customizations\_repo\_branch) | Branch to source global customizations repo from | `string` | `"main"` | no |
 | <a name="input_global_customizations_repo_name"></a> [global\_customizations\_repo\_name](#input\_global\_customizations\_repo\_name) | Repository name for the global customization files. For non-CodeCommit repos, name should be in the format of Org/Repo | `string` | `"aft-global-customizations"` | no |
 | <a name="input_log_archive_account_id"></a> [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | Log Archive Account Id | `string` | n/a | yes |

VERSION

@@ -1 +1 @@
-1.3.3
+1.3.4

main.tf

@@ -84,6 +84,7 @@ module "aft_code_repositories" {
   account_customizations_repo_branch              = var.account_customizations_repo_branch
   global_customizations_repo_branch               = var.global_customizations_repo_branch
   log_group_retention                             = var.cloudwatch_log_group_retention
+  global_codebuild_timeout                        = var.global_codebuild_timeout
 }
 
 module "aft_customizations" {
@@ -117,6 +118,7 @@ module "aft_customizations" {
   maximum_concurrent_customizations                 = var.maximum_concurrent_customizations
   customizations_archive_path                       = module.packaging.customizations_archive_path
   customizations_archive_hash                       = module.packaging.customizations_archive_hash
+  global_codebuild_timeout                          = var.global_codebuild_timeout
 }
 
 module "aft_feature_options" {

modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml

@@ -19,7 +19,7 @@ phases:
       - AFT_ADMIN_ROLE_ARN=arn:aws:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-code-repositories/buildspecs/ct-aft-account-request.yml

@@ -19,7 +19,7 @@ phases:
       - AFT_ADMIN_ROLE_ARN=arn:aws:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-code-repositories/codebuild.tf

@@ -12,7 +12,7 @@ resource "aws_codebuild_project" "account_request" {
   depends_on     = [aws_cloudwatch_log_group.account_request]
   name           = "ct-aft-account-request"
   description    = "Job to apply Terraform for Account Requests"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.account_request_codebuild_role.arn
   encryption_key = var.aft_key_arn
 
@@ -55,7 +55,7 @@ resource "aws_codebuild_project" "account_provisioning_customizations_pipeline"
   depends_on     = [aws_cloudwatch_log_group.account_request]
   name           = "ct-aft-account-provisioning-customizations"
   description    = "Deploys the Account Provisioning Customizations terraform project"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.account_provisioning_customizations_codebuild_role.arn
   encryption_key = var.aft_key_arn
 

modules/aft-code-repositories/variables.tf

@@ -88,3 +88,7 @@ variable "account_provisioning_customizations_repo_name" {
 variable "account_provisioning_customizations_repo_branch" {
   type = string
 }
+
+variable "global_codebuild_timeout" {
+  type = number
+}

modules/aft-customizations/buildspecs/aft-account-customizations-api-helpers.yml

@@ -13,7 +13,7 @@ phases:
         CUSTOMIZATION=$(aws dynamodb get-item --table-name aft-request-metadata --key "{\"id\": {\"S\": \"$VENDED_ACCOUNT_ID\"}}" --attributes-to-get "account_customizations_name" | jq --raw-output ".Item.account_customizations_name.S")
       - echo $CUSTOMIZATION
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml

@@ -20,7 +20,7 @@ phases:
       - AFT_ADMIN_ROLE_ARN=arn:aws:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-customizations/buildspecs/aft-create-pipeline.yml

@@ -10,7 +10,7 @@ phases:
       - AWS_MODULE_SOURCE=$(aws ssm get-parameter --name $SSM_AWS_MODULE_SOURCE --query "Parameter.Value" --output text)
       - AWS_MODULE_GIT_REF=$(aws ssm get-parameter --name $SSM_AWS_MODULE_GIT_REF --query "Parameter.Value" --output text)
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-customizations/buildspecs/aft-global-customizations-api-helpers.yml

@@ -10,7 +10,7 @@ phases:
       - AWS_MODULE_SOURCE=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-url" --query "Parameter.Value" --output text)
       - AWS_MODULE_GIT_REF=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-git-ref" --query "Parameter.Value" --output text)
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-customizations/buildspecs/aft-global-customizations-terraform.yml

@@ -20,7 +20,7 @@ phases:
       - AFT_ADMIN_ROLE_ARN=arn:aws:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
       - ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh

modules/aft-customizations/codebuild.tf

@@ -9,7 +9,7 @@ resource "aws_codebuild_project" "aft_global_customizations_terraform" {
   depends_on     = [aws_cloudwatch_log_group.aft_global_customizations_terraform]
   name           = "aft-global-customizations-terraform"
   description    = "Job to apply Terraform provided by the customer global customizations repo"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.aft_codebuild_customizations_role.arn
   encryption_key = var.aft_kms_key_arn
 
@@ -61,7 +61,7 @@ resource "aws_codebuild_project" "aft_account_customizations_terraform" {
   depends_on     = [aws_cloudwatch_log_group.aft_account_customizations_terraform]
   name           = "aft-account-customizations-terraform"
   description    = "Job to apply Terraform provided by the customer account customizations repo"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.aft_codebuild_customizations_role.arn
   encryption_key = var.aft_kms_key_arn
 
@@ -113,7 +113,7 @@ resource "aws_codebuild_project" "aft_global_customizations_api_helpers" {
   depends_on     = [aws_cloudwatch_log_group.aft_global_customizations_api_helpers]
   name           = "aft-global-customizations-api-helpers"
   description    = "Job to run API helpers provided by the customer AFT Global Module"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.aft_codebuild_customizations_role.arn
   encryption_key = var.aft_kms_key_arn
 
@@ -165,7 +165,7 @@ resource "aws_codebuild_project" "aft_account_customizations_api_helpers" {
   depends_on     = [aws_cloudwatch_log_group.aft_account_customizations_api_helpers]
   name           = "aft-account-customizations-api-helpers"
   description    = "Job to run API helpers provided by the customer AFT Account Module"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.aft_codebuild_customizations_role.arn
   encryption_key = var.aft_kms_key_arn
 
@@ -218,7 +218,7 @@ resource "aws_codebuild_project" "aft_create_pipeline" {
   depends_on     = [aws_cloudwatch_log_group.aft_create_pipeline]
   name           = "aft-create-pipeline"
   description    = "Job to run Terraform required to create account specific customizations pipeline"
-  build_timeout  = "60"
+  build_timeout  = tostring(var.global_codebuild_timeout)
   service_role   = aws_iam_role.aft_codebuild_customizations_role.arn
   encryption_key = var.aft_kms_key_arn
 

modules/aft-customizations/variables.tf

@@ -115,3 +115,7 @@ variable "customizations_archive_path" {
 variable "customizations_archive_hash" {
   type = string
 }
+
+variable "global_codebuild_timeout" {
+  type = number
+}

modules/aft-lambda-layer/buildspecs/aft-lambda-layer.yml

@@ -14,7 +14,7 @@ phases:
       # URL Without Access ID
       - URL=$(echo "$AWS_MODULE_SOURCE" | awk '{split($0,a,"@"); print a[2]}')
       - |
-        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption || echo "None")
+        ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
         if [[ $ssh_key_parameter != "None" ]]; then
           ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
           mkdir -p ~/.ssh