Open ivansamartino opened 1 year ago
Hey @ivansamartino, thank you for the feature request! I've gone ahead and created a backlog with the team to discuss this enhancement.
It would be really great if AFT could register the OU as well. Many times account requests through AFT failed because we forgot to get the OU registered.
Is there an update on this? I came across this and am having a hard time figuring out whether to create the OUs manually or if this module is capable of creating additional OUs such as the examples described in AWS whitepapers. Refer to this link for more information.
Also @ivansamartino did you find a way to automate the OU creation in your account creation workflow as a workaround?
@dgokcin we are facing the same issue and found a workaround suggested in #78
Basically, you import your Control Tower account into AFT, and then manage OUs and SCPs via regular TF under aft-account-customizations/ct/terraform.
But such an approach leaves something to be desired. We have to create OUs in one repo (aft-account-customizations) and account requests in another (aft-account-requests).
Unfortunately, I don't see the AWS team taking any feedback from users over here.
P.S. OUs created in such a way aren't registered in Control Tower; apparently the Organizations API isn't aligned with Control Tower. It makes such an approach useless.
@temporary-github-user I tried your suggested approach and found myself in a chicken-and-egg situation. Imagine I only want to apply an SCP to a single account that is a child account in an OU. I have to create the SCP in the imported ct account, where I need to know the account ID. But I do not know the account ID, since the account will be created after the aft-account-request flow is completed. In the last couple of months, have you found yourself in the same position as me, or have you been able to apply SCPs in a more advanced way?
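The following is an added Terraform example, not code from this thread or from the AFT project, illustrating the workaround described above (OUs and SCPs managed from the imported Control Tower account under aft-account-customizations/ct/terraform) together with one way to avoid hard-coding the account ID for a single-account SCP: the ID is resolved at apply time from the `aws_organizations_organization` data source by the account name used in the request. The OU names, the nesting, the variable and the account name are constructed placeholders. It assumes this code runs in the management account and that the ct customization is applied only after the target account request has completed, since the name lookup yields nothing before the account exists. As noted earlier in the thread, OUs created this way through the Organizations API are not registered in Control Tower, so that step still has to happen separately.

```hcl
# Added example (not from the thread or the AFT project). Assumed to live under
# aft-account-customizations/ct/terraform in the imported Control Tower account.
# All names below are constructed placeholders.

variable "workload_account_name" {
  description = "Account name as given in aft-account-requests (placeholder)"
  type        = string
  default     = "example-workload-account"
}

# Organization metadata: roots and the member account list (management account only).
data "aws_organizations_organization" "this" {}

# Nested OU structure: Workloads -> Prod, under the organization root.
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

resource "aws_organizations_organizational_unit" "prod" {
  name      = "Prod"
  parent_id = aws_organizations_organizational_unit.workloads.id
}

# Resolve the target account ID by name at apply time instead of hard-coding it.
# The list is empty until the requested account actually exists, so apply this
# customization after the account request has completed.
locals {
  target_account_ids = [
    for a in data.aws_organizations_organization.this.accounts : a.id
    if a.name == var.workload_account_name
  ]
}

# Guardrail SCP: prevent a member account from leaving the organization.
resource "aws_organizations_policy" "deny_leave_org" {
  name = "deny-leave-organization"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyLeaveOrganization"
      Effect   = "Deny"
      Action   = "organizations:LeaveOrganization"
      Resource = "*"
    }]
  })
}

# Attach the SCP directly to the single resolved account (zero attachments
# if the account is not found yet, rather than a failed apply).
resource "aws_organizations_policy_attachment" "deny_leave_org_account" {
  count     = length(local.target_account_ids)
  policy_id = aws_organizations_policy.deny_leave_org.id
  target_id = local.target_account_ids[count.index]
}

output "resolved_target_account_ids" {
  value = local.target_account_ids
}
```

Because the attachment count is derived from a data source read at plan time, a second apply after the account has been created picks it up without any manual edit; the output makes it visible in the pipeline log whether the lookup matched anything.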
This is more complex than it might seem. Creating an OU is simple, but there's no point in implementing this unless they can be nested, which introduces the problem of how to specify the nesting structure. Either that, or created OUs would always be top-level, which is useless and promotes bad OU structure.
It would simplify account structure definition if the framework allowed creating an OU, if it does not exist, during the account request process.