Releases: aws-ia/terraform-aws-control_tower_account_factory

1.10.3

26 Apr 09:01
  • Bugfix: Fix issue where S3 server access logs were failing to be delivered.
    • An issue was present wherein access logs for the S3 objects in the aws-aft-logs-<log-archive-account-id>-<home-region> bucket were no longer being delivered to the aws-aft-s3-access-logs-<log-archive-account-id>-<home-region> bucket. This change fixes that issue.

1.10.2

26 Apr 06:21
  • Bugfix: Fix issue with DynamoDB replica creation preventing AFT deployment
    • Conflicting replica definitions in the aft-backend- DynamoDB table caused a creation collision in some cases. This change introduces a pattern that is robust to this problem.

Please note that in some situations the replicas do not exist after the initial terraform apply. If replicas for the aft-backend-<AFT-MGMT-ACCOUNT-ID> DynamoDB table are not present after an initial apply, rerun terraform apply.

1.10.1

24 Apr 17:55
  • Bugfix: Resolve an issue with 1.10.0 where AFT backend DynamoDB table replica would show a perpetual change of state and get re-created on every alternate run of Terraform apply
  • Bugfix: Resolve an issue where no target accounts were identified when targeting a nested OU which shared the same OU name as another nested OU under a different parent OU

1.10.0

19 Apr 01:47
  • AFT is now supported in us-west-1 and the opt-in regions: me-south-1, af-south-1, eu-south-1, and ap-east-1.
    • Some required VPC endpoints are not currently available in me-south-1. When deploying AFT to me-south-1, you must set the aft_vpc_endpoints parameter to false.
  • AFT now supports single-region deployments without a secondary-region backup by omitting the secondary_region parameter.
    • Note that me-south-1, af-south-1, and ap-east-1 do not currently support DynamoDB table replicas; when deploying AFT with one of these regions as the primary region, the secondary_region parameter must be omitted.
  • Amazon S3 now automatically enables S3 Block Public Access and disables the use of access control lists for all newly created buckets. Due to this change, the ACLs applied to AFT buckets have been removed.
  • The minimum version for the hashicorp/aws provider has been updated to 4.27.0.

1.9.2

22 Mar 19:05
  • Update CodeBuild projects to use the aws/codebuild/amazonlinux2-x86_64-standard:4.0 image due to the deprecation of the aws/codebuild/amazonlinux2-x86_64-standard:3.0 image on April 30th 2023.
  • Upgrade Python version to 3.9 in all AFT components as the new amazonlinux2-x86_64-standard:4.0 container image does not distribute Python 3.8.

1.9.1

01 Mar 23:57
  • Bugfix: Resolve an issue introduced in 1.9.0 where AFT fails to import existing Control Tower-enrolled accounts.
  • Bugfix: Resolve an issue where AFT crashed if any customization pipeline had not been executed for more than 12 months.

1.9.0

16 Feb 20:10
  • Customization request tracing - AFT now includes both the target account ID and a unique request ID in logs emitted during Lambda-based account customization workflows. AFT also provisions 2 new CloudWatch Log Insights queries that can be used to find logs related to a customization request by the account ID or the customization request ID. These queries reduce troubleshooting effort by making it easier to identify where a failure is occurring.
  • Concurrent account provisioning - AFT now supports provisioning new AWS accounts concurrently. The maximum concurrency is configurable via the new concurrent_account_factory_actions parameter (default: 5, the default limit for AWS Control Tower Account Factory concurrent provisioning).
  • Remove unneeded Lambda Layer dependencies, reducing build processing time by ~20%.
  • Bugfix: AFT now ignores unsupported Control Tower events instead of sending failure notifications to the SNS topic.
  • Bugfix: Resolve an issue where the “aft-customizations-get-pipeline-executions” Lambda function did not have permissions to emit exceptions to the failure SNS topic.

1.8.0

18 Jan 20:20
  • Add resource cleanup behavior - AFT now deletes the customization pipeline and metadata record for an account when its request file is removed from the account request repo.
  • Use consistent S3 Block Public Access settings for AFT buckets.
  • Bugfix: Targeting suspended or non-existent accounts with the aft-invoke-customizations step function no longer causes the customization workflow to fail. These accounts now generate a warning in the logs but are otherwise ignored.
  • Bugfix: The account provisioning workflow no longer fails when any Account Factory provisioned product is in a Tainted state without a prior successful event.
  • Bugfix: Mitigate an issue that causes the account customization workflow to fail when an account record is present in the metadata table but has been removed from the account request table.
    • The new cleanup behavior prevents this issue from newly occurring, but does not resolve failures caused by de-synchronized metadata records that already exist.
  • Bugfix: Fix case-sensitive email comparisons throughout AFT.
  • Bugfix: Resolve authorization errors that appeared in AFT logs without affecting functionality.

1.7.0

13 Dec 18:08
  • Optimize the aft-account-provisioning-framework to address network throttling errors that occurred during concurrent executions, typically caused by targeting a large number of accounts using the aft-invoke-customizations step function interface.
    • Note that this change removes the aft-account-provisioning-framework-validate-request and aft-account-provisioning-framework-get-account-info step function stages and related resources.
  • Use the -no-color flag when calling Terraform actions to avoid creating shell color-code artifacts in AFT log groups.

1.6.7

19 Oct 18:10