Release: 1.9.0

Author: AWS

README.md

@@ -120,6 +120,7 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | <a name="input_aft_vpc_public_subnet_02_cidr"></a> [aft\_vpc\_public\_subnet\_02\_cidr](#input\_aft\_vpc\_public\_subnet\_02\_cidr) | CIDR Block to allocate to the Public Subnet 02 | `string` | `"192.168.2.128/25"` | no |
 | <a name="input_audit_account_id"></a> [audit\_account\_id](#input\_audit\_account\_id) | Audit Account Id | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | Amount of days to keep CloudWatch Log Groups for Lambda functions. 0 = Never Expire | `string` | `"0"` | no |
+| <a name="input_concurrent_account_factory_actions"></a> [concurrent\_account\_factory\_actions](#input\_concurrent\_account\_factory\_actions) | Maximum number of accounts that can be provisioned in parallel. | `number` | `5` | no |
 | <a name="input_ct_home_region"></a> [ct\_home\_region](#input\_ct\_home\_region) | The region from which this module will be executed. This MUST be the same region as Control Tower is deployed. | `string` | n/a | yes |
 | <a name="input_ct_management_account_id"></a> [ct\_management\_account\_id](#input\_ct\_management\_account\_id) | Control Tower Management Account Id | `string` | n/a | yes |
 | <a name="input_github_enterprise_url"></a> [github\_enterprise\_url](#input\_github\_enterprise\_url) | GitHub enterprise URL, if GitHub Enterprise is being used | `string` | `"null"` | no |

VERSION

@@ -1 +1 @@
-1.8.0
+1.9.0

locals.tf

@@ -18,6 +18,13 @@ locals {
   lambda_layer_codebuild_delay                     = "420s"
   lambda_layer_python_version                      = "3.8"
   lambda_layer_name                                = "aft-common"
+  create_role_lambda_function_name                 = "aft-account-provisioning-framework-create-aft-execution-role"
+  tag_account_lambda_function_name                 = "aft-account-provisioning-framework-tag-account"
+  persist_metadata_lambda_function_name            = "aft-account-provisioning-framework-persist-metadata"
+  account_metadata_ssm_lambda_function_name        = "aft-account-provisioning-framework-account-metadata-ssm"
+  delete_default_vpc_lambda_function_name          = "aft-delete-default-vpc"
+  enroll_support_lambda_function_name              = "aft-enroll-support"
+  enable_cloudtrail_lambda_function_name           = "aft-enable-cloudtrail"
   ssm_paths = {
     aft_tf_aws_customizations_module_url_ssm_path     = "/aft/config/aft-pipeline-code-source/repo-url"
     aft_tf_aws_customizations_module_git_ref_ssm_path = "/aft/config/aft-pipeline-code-source/repo-git-ref"

main.tf

@@ -23,6 +23,14 @@ module "aft_account_provisioning_framework" {
   cloudwatch_log_group_retention                   = var.cloudwatch_log_group_retention
   provisioning_framework_archive_path              = module.packaging.provisioning_framework_archive_path
   provisioning_framework_archive_hash              = module.packaging.provisioning_framework_archive_hash
+  create_role_lambda_function_name                 = local.create_role_lambda_function_name
+  tag_account_lambda_function_name                 = local.tag_account_lambda_function_name
+  persist_metadata_lambda_function_name            = local.persist_metadata_lambda_function_name
+  account_metadata_ssm_lambda_function_name        = local.account_metadata_ssm_lambda_function_name
+  delete_default_vpc_lambda_function_name          = local.delete_default_vpc_lambda_function_name
+  enroll_support_lambda_function_name              = local.enroll_support_lambda_function_name
+  enable_cloudtrail_lambda_function_name           = local.enable_cloudtrail_lambda_function_name
+
 }
 
 module "aft_account_request_framework" {
@@ -41,6 +49,7 @@ module "aft_account_request_framework" {
   aft_vpc_public_subnet_01_cidr               = var.aft_vpc_public_subnet_01_cidr
   aft_vpc_public_subnet_02_cidr               = var.aft_vpc_public_subnet_02_cidr
   aft_vpc_endpoints                           = var.aft_vpc_endpoints
+  concurrent_account_factory_actions          = var.concurrent_account_factory_actions
   request_framework_archive_path              = module.packaging.request_framework_archive_path
   request_framework_archive_hash              = module.packaging.request_framework_archive_hash
 }
@@ -143,6 +152,9 @@ module "aft_feature_options" {
   cloudwatch_log_group_retention            = var.cloudwatch_log_group_retention
   feature_options_archive_path              = module.packaging.feature_options_archive_path
   feature_options_archive_hash              = module.packaging.feature_options_archive_hash
+  delete_default_vpc_lambda_function_name   = local.delete_default_vpc_lambda_function_name
+  enroll_support_lambda_function_name       = local.enroll_support_lambda_function_name
+  enable_cloudtrail_lambda_function_name    = local.enable_cloudtrail_lambda_function_name
 }
 
 module "aft_iam_roles" {

modules/aft-account-provisioning-framework/cloudwatch.tf

@@ -0,0 +1,42 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+resource "aws_cloudwatch_query_definition" "customization_request_query" {
+  name = "Account Factory for Terraform/Customization Logs by Customization Request ID"
+
+  log_group_names = [
+    "/aws/lambda/${var.create_role_lambda_function_name}",
+    "/aws/lambda/${var.persist_metadata_lambda_function_name}",
+    "/aws/lambda/${var.tag_account_lambda_function_name}",
+    "/aws/lambda/${var.account_metadata_ssm_lambda_function_name}",
+    "/aws/lambda/${var.delete_default_vpc_lambda_function_name}",
+    "/aws/lambda/${var.enroll_support_lambda_function_name}",
+    "/aws/lambda/${var.enable_cloudtrail_lambda_function_name}",
+  ]
+
+  query_string = <<EOF
+fields @timestamp, log_message.account_id as target_account_id, log_message.customization_request_id as customization_request_id, log_message.detail as detail, @logStream
+| sort @timestamp desc
+| filter log_message.customization_request_id == "INSERT-CUSTOMIZATION-REQUEST-ID-HERE"
+EOF
+}
+
+resource "aws_cloudwatch_query_definition" "account_id_query" {
+  name = "Account Factory for Terraform/Customization Logs by Account ID"
+
+  log_group_names = [
+    "/aws/lambda/${var.create_role_lambda_function_name}",
+    "/aws/lambda/${var.persist_metadata_lambda_function_name}",
+    "/aws/lambda/${var.tag_account_lambda_function_name}",
+    "/aws/lambda/${var.account_metadata_ssm_lambda_function_name}",
+    "/aws/lambda/${var.delete_default_vpc_lambda_function_name}",
+    "/aws/lambda/${var.enroll_support_lambda_function_name}",
+    "/aws/lambda/${var.enable_cloudtrail_lambda_function_name}",
+  ]
+
+  query_string = <<EOF
+fields @timestamp, log_message.account_id as target_account_id, log_message.customization_request_id as customization_request_id, log_message.detail as detail, @logStream
+| sort @timestamp desc
+| filter log_message.account_id == "INSERT-ACCOUNT-ID-HERE" and @message like /customization_request_id/
+EOF
+}

modules/aft-account-provisioning-framework/lambda.tf

@@ -6,7 +6,7 @@
 #tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "create_role" {
   filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-create-aft-execution-role"
+  function_name    = var.create_role_lambda_function_name
   description      = "AFT account provisioning framework - create_role"
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role.arn
   handler          = "aft_account_provisioning_framework_create_role.lambda_handler"
@@ -33,7 +33,7 @@ resource "aws_cloudwatch_log_group" "create_role" {
 #tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "tag_account" {
   filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-tag-account"
+  function_name    = var.tag_account_lambda_function_name
   description      = "AFT account provisioning framework - tag_account"
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account.arn
   handler          = "aft_account_provisioning_framework_tag_account.lambda_handler"
@@ -59,7 +59,7 @@ resource "aws_cloudwatch_log_group" "tag_account" {
 #tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "persist_metadata" {
   filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-persist-metadata"
+  function_name    = var.persist_metadata_lambda_function_name
   description      = "AFT account provisioning framework - persist_metadata"
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn
   handler          = "aft_account_provisioning_framework_persist_metadata.lambda_handler"
@@ -87,7 +87,7 @@ resource "aws_cloudwatch_log_group" "persist_metadata" {
 #tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "account_metadata_ssm" {
   filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-account-metadata-ssm"
+  function_name    = var.account_metadata_ssm_lambda_function_name
   description      = "AFT account provisioning framework - account_metadata_ssm"
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn
   handler          = "aft_account_provisioning_framework_account_metadata_ssm.lambda_handler"

modules/aft-account-provisioning-framework/variables.tf

@@ -52,3 +52,31 @@ variable "provisioning_framework_archive_path" {
 variable "provisioning_framework_archive_hash" {
   type = string
 }
+
+variable "create_role_lambda_function_name" {
+  type = string
+}
+
+variable "tag_account_lambda_function_name" {
+  type = string
+}
+
+variable "persist_metadata_lambda_function_name" {
+  type = string
+}
+
+variable "account_metadata_ssm_lambda_function_name" {
+  type = string
+}
+
+variable "delete_default_vpc_lambda_function_name" {
+  type = string
+}
+
+variable "enroll_support_lambda_function_name" {
+  type = string
+}
+
+variable "enable_cloudtrail_lambda_function_name" {
+  type = string
+}

modules/aft-account-request-framework/eventbridge.tf

@@ -22,7 +22,7 @@ resource "aws_cloudwatch_event_rule" "aft_control_tower_events" {
   "source": ["aws.controltower"],
   "detail-type": ["AWS Service Event via CloudTrail"],
   "detail": {
-    "eventName": ["SetupLandingZone", "UpdateLandingZone", "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit", "EnableGuardrail", "DisableGuardrail", "CreateManagedAccount", "UpdateManagedAccount"]
+    "eventName": ["CreateManagedAccount", "UpdateManagedAccount"]
   }
 }
 EOF

modules/aft-account-request-framework/iam/role-policies/lambda-account-request-action-trigger.tpl

@@ -68,6 +68,15 @@
                 "arn:${data_aws_partition_current_partition}:kms:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:alias/aws/sns"
             ]
         },
+		{
+			"Effect": "Allow",
+			"Action": [
+				"states:StartExecution"
+			],
+			"Resource": [
+				"arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:stateMachine:aft-account-provisioning-framework"
+			]
+		},
         {
             "Effect" : "Allow",
             "Action" : [

modules/aft-account-request-framework/lambda.tf

@@ -137,6 +137,12 @@ resource "aws_lambda_function" "aft_account_request_processor" {
   timeout          = "300"
   layers           = [var.aft_common_layer_arn]
 
+  environment {
+    variables = {
+      AFT_PROVISIONING_CONCURRENCY = var.concurrent_account_factory_actions
+    }
+  }
+
   vpc_config {
     subnet_ids         = tolist([aws_subnet.aft_vpc_private_subnet_01.id, aws_subnet.aft_vpc_private_subnet_02.id])
     security_group_ids = tolist([aws_security_group.aft_vpc_default_sg.id])