support for ControlTower account creation
OlafConijn opened this issue · 0 comments
Currently the organization.yml supports creation of AWS Accounts using the Organizations Service.
This issue proposes to add support for Control Tower accounts. Control Tower accounts get created by "AWS Control Tower Account Factory" in Service Catalog. Some of the attributes that can be specified in the organization.yml will be directly used as parameters to the Service Catalog product. Others may be used post-creation time, to set up things like the IAM Alias.
```yaml
SharedUsersAccount:
  Type: OC::ControlTower::Account
  Properties:
    AccountName: My Account                                 # passed directly into the SC product
    RootEmail: email@domain.com                             # passed directly into the SC product
    SSOUserFirstName: "Fred"                                # passed directly into the SC product
    SSOUserLastName: "Flintstone"                           # passed directly into the SC product
    SSOUserEmail: "fred@flintstone.com"                     # passed directly into the SC product
    ManagedOrganizationalUnit: "Dev (ou-abc-12def34ghi)"    # passed directly into the SC product
    Alias: my-account                                       # used post-creation to set up IAM alias
    PasswordPolicy: !Ref PasswordPolicy                     # used post-creation to set up Pwd policies
    Tags:                                                   # used post-creation to set account tags
      budget-alarm-threshold: '100'
```
When a new account gets added to the model, the account gets created in Service Catalog:
- if the account already exists in SC/CT it will be a no-op
- if the account already exists as a regular account, this will be an error (todo: import account?)

When a new account gets updated: the provisioned product gets updated.
When a new account gets removed: the provisioned product gets terminated.
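The lifecycle rules above, as an added illustration that is not org-formation's code: one function splits the properties into Service Catalog parameters versus post-creation settings, another turns an add/update/remove of the model entry into the planned action (provision, no-op, update, terminate, error). The type names, the `State` shape and the use of `RootEmail` as the key for matching existing accounts are assumptions made for this example.

```typescript
// Added example, not org-formation's code: planning logic for the proposed
// OC::ControlTower::Account resource. Type names, the State shape and the use of
// RootEmail as the matching key are assumptions made for this illustration.
type CtAccountProps = {
  AccountName: string; RootEmail: string; SSOUserFirstName: string;
  SSOUserLastName: string; SSOUserEmail: string; ManagedOrganizationalUnit: string;
  Alias?: string; PasswordPolicy?: unknown; Tags?: Record<string, string>;
};
// Properties handed straight to the Account Factory product as parameters;
// everything else is applied after the account exists (alias, password policy, tags).
const SC_PARAMETER_KEYS: string[] = ['AccountName', 'RootEmail', 'SSOUserFirstName',
  'SSOUserLastName', 'SSOUserEmail', 'ManagedOrganizationalUnit'];

function splitProps(props: CtAccountProps) {
  const scParameters: Record<string, string> = {};
  const postCreation: Record<string, unknown> = {};
  for (const key of Object.keys(props) as (keyof CtAccountProps)[]) {
    if (SC_PARAMETER_KEYS.indexOf(key) >= 0) scParameters[key] = String(props[key]);
    else postCreation[key] = props[key];
  }
  return { scParameters, postCreation };
}

// Assumed view of current state: Account Factory provisioned products keyed by
// root e-mail, plus root e-mails of accounts created directly via Organizations.
type State = { provisionedProducts: Record<string, string>; regularAccounts: string[] };
type Plan = { action: 'provision' | 'no-op' | 'update' | 'terminate' | 'error'; productId?: string; reason?: string };

function plan(change: 'added' | 'updated' | 'removed', props: CtAccountProps, state: State): Plan {
  const productId = state.provisionedProducts[props.RootEmail];
  if (change === 'added') {
    if (productId) return { action: 'no-op', productId };            // already exists in SC/CT
    if (state.regularAccounts.indexOf(props.RootEmail) >= 0)         // exists as a regular account
      return { action: 'error', reason: 'exists as a regular Organizations account; import not supported' };
    return { action: 'provision' };
  }
  if (change === 'updated') {
    // Assumption: an update without a provisioned product cannot be applied.
    return productId ? { action: 'update', productId } : { action: 'error', reason: 'no provisioned product' };
  }
  // removed: terminate the provisioned product (assumption: nothing to do if it is already gone)
  return productId ? { action: 'terminate', productId } : { action: 'no-op' };
}

// Constructed sample, taken from the snippet in the issue.
const SAMPLE_ACCOUNT: CtAccountProps = {
  AccountName: 'My Account', RootEmail: 'email@domain.com', SSOUserFirstName: 'Fred',
  SSOUserLastName: 'Flintstone', SSOUserEmail: 'fred@flintstone.com',
  ManagedOrganizationalUnit: 'Dev (ou-abc-12def34ghi)', Alias: 'my-account',
  Tags: { 'budget-alarm-threshold': '100' },
};
const EMPTY_STATE: State = { provisionedProducts: {}, regularAccounts: [] };
```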