Skip to content

Releases: aws-ia/terraform-aws-control_tower_account_factory

1.13.2

23 Oct 17:22
Compare
Choose a tag to compare
  • Add support for GitLab and GitLab self-managed as version control systems (VCS) alternatives for AFT (#102). Learn more on how to set up AFT using GitLab here.

1.13.1

07 Aug 19:53
Compare
Choose a tag to compare
  • Upgrade setuptools to version >=70.0.0 and requests to version 2.32.2
  • Update log messages for enhanced logging security

1.13.0

18 Jul 17:13
Compare
Choose a tag to compare
  • Add support for AWS Regions: Asia Pacific (Hyderabad, Jakarta, and Osaka), Israel (Tel Aviv), Middle East (UAE), and AWS GovCloud (US-East) Region. Customers with these Regions as their AWS Control Tower home Region can now deploy account customizations using the AFT framework.
  • Upgrade the default version of Terraform used to deploy user-defined Terraform modules to 1.6.0
  • Upgrade botocore to version 1.31.17 and boto3 to version 1.28.17
  • Add access logging for AFT backend primary S3 bucket

1.12.2

23 Apr 23:13
Compare
Choose a tag to compare
  • Mitigate IAM errors caused by eventual consistency during initial AFT deployment by adding a delay between provisioning IAM roles and AWS CodeBuild projects.

1.12.1

16 Apr 23:00
Compare
Choose a tag to compare
  • AFT deployment will be unsuccessful if AWS Control Tower is set up in a home Region where AFT dependencies are not available.
  • Upgrade the minimum supported version of Terraform to 1.2.0.
    • Note: This change does not affect the deployment configuration of user-defined Terraform modules on existing AFT deployments.

1.12.0

12 Feb 17:48
Compare
Choose a tag to compare
  • AFT can now be deployed without the use of a VPC and related private networking resources (NAT Gateways, VPC endpoints) by setting the aft_enable_vpc parameter to false. This configuration allows customers to further customize their AFT deployment. aft_enable_vpc = true by default.

    • NOTE: When enabling VPC by toggling aft_enable_vpc from false to true, you may need to run terraform apply twice in succession. This is a known public issue with the Terraform AWS Provider.
  • An expiration or retention period can now be set for the following AFT resources -

    • AWS Backup recovery point retention period through the backup_recovery_point_retention parameter. backup_recovery_point_retention = None by default. (#295)
    • Log archive S3 bucket objects expiration through the log_archive_bucket_object_expiration_days parameter. log_archive_bucket_object_expiration_days = 365 days by default. (#405)
  • Upgrade the Python requests library version in aft-lambda-layer.

  • Ensure the AFT VPC default Security Group has no inbound/outbound rules, complying with AWS Foundational Security Best Practices. (#275)

  • Bug Fix: Add missing retention period for CloudWatch Log Groups associated with the Lambda and CodeBuild. (#290)

  • Bug Fix: Fix invalid resource type for action in IAM policy. (#408)

1.11.1

22 Nov 01:09
Compare
Choose a tag to compare
  • Bugfix: Replace use of the deprecated template_file resource with the preferred templatefile function. Fixes a bug introduced in AFT 1.11.0 that could cause failure to deploy or update AFT on some newer computer architectures.

1.11.0

20 Nov 22:09
Compare
Choose a tag to compare
  • Bugfix: Fix issue where AFT would crash if an account customization pipeline had not been executed for more than 12 months.

  • Enable customizing the concurrency of the Account Provisioning step function when invoked as part of the aft-invoke-customizations step function. Previously this value was set to 25; now, the Account Provisioning concurrency is controlled by the same concurrency parameter as the account customization pipelines, maximum_concurrent_customizations. As part of this change, the concurrency of the Account Provisioning step function will change from 25 to the current value of maximum_concurrent_customizations (if unspecified, the default value is 5).

    For more details see:
    https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html#aft-re-invoke-customizations
    https://github.com/aws-ia/terraform-aws-control_tower_account_factory#input_maximum_concurrent_customizations

  • Upgrade the minimum version of Terraform to 1.0.0 and the minimum version of the AWS Provider to 5.11 for both the resources AFT requires to deploy and function, and AFT Feature Options. Note that this change does not affect the deployment configuration of user-defined Terraform modules.

  • Upgrade the default version of Terraform used to deploy user-defined Terraform modules to 1.5.7. This value can be configured using the terraform_version parameter when deploying AFT.

    Due to the substantial set of changes between the previous default version of 0.15.1 and the new default version of 1.5.7, you are encouraged to test your modules with 1.5.7 or otherwise set this parameter to your desired Terraform version.

    For more details, see: https://github.com/aws-ia/terraform-aws-control_tower_account_factory#input_terraform_version

  • Upgrade AFT CodeBuild job images to aws/codebuild/amazonlinux2-x86_64-standard:5.0

  • Upgrade AFT Python version to 3.11. This affects both Lambda function runtimes as well as the version of Python available in the AFT CodeBuild jobs.

1.10.4

10 Aug 23:03
Compare
Choose a tag to compare
  • Address throttling errors by increasing retry count for high-volume API calls. Additionally, fully re-try throttled requests (after all retries) for high-volume idempotent APIs called in shared accounts (CT Management, AFT Management)
  • Mitigate IAM errors caused by eventual consistency by adding 65s sleep after provisioning IAM roles
  • Update AWS provider constraints to >= 4.27.0, < 5.0.0

1.10.3

26 Apr 09:01
Compare
Choose a tag to compare
  • Bugfix: Fix issue where S3 server access logs were failing to be delivered.
    • An issue was present wherein access logs for the S3 objects in the aws-aft-logs-<log-archive-account-id>-<home-region> bucket were no longer being delivered to the aws-aft-s3-access-logs-<log-archive-account-id>-<home-region> bucket. This change fixes that issue.