Releases: aws-ia/terraform-aws-control_tower_account_factory
1.13.2
1.13.1
1.13.0
- Add support for AWS Regions: Asia Pacific (Hyderabad, Jakarta, and Osaka), Israel (Tel Aviv), Middle East (UAE), and AWS GovCloud (US-East) Region. Customers with these Regions as their AWS Control Tower home Region can now deploy account customizations using the AFT framework.
- Upgrade the default version of Terraform used to deploy user-defined Terraform modules to 1.6.0
- Upgrade botocore to version 1.31.17 and boto3 to version 1.28.17
- Add access logging for AFT backend primary S3 bucket
1.12.2
1.12.1
- AFT deployment will be unsuccessful if AWS Control Tower is set up in a home Region where AFT dependencies are not available.
- Upgrade the minimum supported version of Terraform to 1.2.0.
  - Note: This change does not affect the deployment configuration of user-defined Terraform modules on existing AFT deployments.
1.12.0
- AFT can now be deployed without the use of a VPC and related private networking resources (NAT Gateways, VPC endpoints) by setting the aft_enable_vpc parameter to false. This configuration allows customers to further customize their AFT deployment. aft_enable_vpc = true by default.
  - NOTE: When enabling VPC by toggling aft_enable_vpc from false to true, you may need to run terraform apply twice in succession. This is a known public issue with the Terraform AWS Provider.
- An expiration or retention period can now be set for the following AFT resources:
  - AWS Backup recovery point retention period through the backup_recovery_point_retention parameter. backup_recovery_point_retention = None by default. (#295)
  - Log archive S3 bucket objects expiration through the log_archive_bucket_object_expiration_days parameter. log_archive_bucket_object_expiration_days = 365 days by default. (#405)
- Upgrade the Python requests library version in aft-lambda-layer.
- Ensure the AFT VPC default Security Group has no inbound/outbound rules, complying with AWS Foundational Security Best Practices. (#275)
- Bug Fix: Add missing retention period for CloudWatch Log Groups associated with the Lambda and CodeBuild. (#290)
- Bug Fix: Fix invalid resource type for action in IAM policy. (#408)
1.11.1
1.11.0
- Bugfix: Fix issue where AFT would crash if an account customization pipeline had not been executed for more than 12 months.
- Enable customizing the concurrency of the Account Provisioning step function when invoked as part of the aft-invoke-customizations step function. Previously this value was set to 25; now, the Account Provisioning concurrency is controlled by the same concurrency parameter as the account customization pipelines, maximum_concurrent_customizations. As part of this change, the concurrency of the Account Provisioning step function will change from 25 to the current value of maximum_concurrent_customizations (if unspecified, the default value is 5).
  For more details see:
  https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html#aft-re-invoke-customizations
  https://github.com/aws-ia/terraform-aws-control_tower_account_factory#input_maximum_concurrent_customizations
- Upgrade the minimum version of Terraform to 1.0.0 and the minimum version of the AWS Provider to 5.11 for both the resources AFT requires to deploy and function, and AFT Feature Options. Note that this change does not affect the deployment configuration of user-defined Terraform modules.
- Upgrade the default version of Terraform used to deploy user-defined Terraform modules to 1.5.7. This value can be configured using the terraform_version parameter when deploying AFT.
  Due to the substantial set of changes between the previous default version of 0.15.1 and the new default version of 1.5.7, you are encouraged to test your modules with 1.5.7 or otherwise set this parameter to your desired Terraform version.
  For more details, see: https://github.com/aws-ia/terraform-aws-control_tower_account_factory#input_terraform_version
- Upgrade AFT CodeBuild job images to aws/codebuild/amazonlinux2-x86_64-standard:5.0
- Upgrade AFT Python version to 3.11. This affects both Lambda function runtimes as well as the version of Python available in the AFT CodeBuild jobs.
1.10.4
- Address throttling errors by increasing retry count for high-volume API calls. Additionally, fully re-try throttled requests (after all retries) for high-volume idempotent APIs called in shared accounts (CT Management, AFT Management)
- Mitigate IAM errors caused by eventual consistency by adding 65s sleep after provisioning IAM roles
- Update AWS provider constraints to >= 4.27.0, < 5.0.0
1.10.3
- Bugfix: Fix issue where S3 server access logs were failing to be delivered.
  - An issue was present wherein access logs for the S3 objects in the aws-aft-logs-<log-archive-account-id>-<home-region> bucket were no longer being delivered to the aws-aft-s3-access-logs-<log-archive-account-id>-<home-region> bucket. This change fixes that issue.