1.4.1

• Update minimum required hashicorp/aws provider for AFT deployment to version >= 4.9.0.
  • This applies to only AFT deployment and does not apply to account/global customization runtime
• Bug Fix: AFT now uses AWSAFTService role instead of using the AWSAFTExecution role to perform operations in the Control Tower management account
• Define required_providers for AWSAFTService role. This resolves the warning Warning: Reference to undefined provider

1.4.0

• Includes support for customizing Control Tower Shared Accounts (Log Archive, Audit), and the Organization Management Account.
• AFT now uses an AWSAFTService role to deploy AFT resources, which is deployed in all managed accounts. The existing AWSAFTExecution role is now used for deploying customizations only. You can use IAM permissions boundaries to limit the permissions of the AWSAFTExecution role to match the permission requirements of your customizations, and limit their access to managed accounts.

1.3.7

• Resolves AuthorizationErrors caused by SNS publishing features added in 1.3.6

1.3.6

• Improve clarity of Lambda errors and publish them to the SNS topic aft-failure-notifications
• Fix bug where AFT components used the latest version of AFT regardless of the deployed version
• Fix bug that caused throttling on DescribeOrganizationalUnit API calls for some customers when gathering account info
• Fix malformed IAM policy related to DynamoDB

1.3.5

• Hotfix: Jinja2 and jinja2-cli versions pinned due to breaking changes

1.3.4

• Remove case sensitivity in the AccountEmail parameter for account requests
• Add support for AccountName parameters with spaces in them
• Add support for custom CodeBuild timeouts via global_codebuild_timeout input
• Fix bug where Service Catalog errors blocked AFT account request updates

1.3.3

• Updated account request processor to use account emails as unique identifiers to better support externally provisioned accounts
• Increased memory size of Lambda Functions to 1024MB
• Add example for:
  • Deploying customizations to multiple accounts
  • Deploying customizations to multiple regions
• Add delay after creating AWSAFTExecution Role to mitigate errors caused by propagation delays

1.3.2

• Fix bug preventing Lambda layer builds. Terraform output "lambda_layer_build_status" now refers to "Status" key instead of "BuildStatus"

1.3.1

• Update maximum supported version of HashiCorp AWS provider
• Fix bug related to ingesting pre-existing Control Tower accounts
• Set limit of 1 retry on aft-account-request-action-trigger Lambda function
• Default to empty map for account tags
• Log the correct target account ID during customization pipeline errors
• Add license headers in source code
• Reduce Lambda layer build time

1.3.0

• Refactor of Python source code
• Lambda Handlers now located in /src instead of within terraform modules