aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
604 stars 386 forks

SSO Optional #377

Open Menahem1 opened 11 months ago

Menahem1 commented 11 months ago

Hello,

Since this update of Control Tower, it's no longer mandatory to assign an SSO user to a new account.

Is it possible to make that parameter 'optional'? https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/sources/aft-customizations-repos/aft-account-request/examples/account-request.tf#L14

Thanks

adam-daily commented 11 months ago

Hey Ménahem, thanks for the reach out. We have a backlog to address this. To give a little context, I know that people have had luck updating that definition you linked in their repository and effectively enabled what you're describing that way. That said, we'd prefer not to solve the problem for all customers that way and instead explore ways that don't require everyone to go and update their repositories manually, potentially moving that definition out of the repo so that people get updates to the account request interface when they update AFT without needing to touch their repos.

TL;DR: Some people have made the update you're talking about directly on their repos and this worked fine for them, but YMMV. In the meantime, we're investigating methods of updating this in a way that people don't need to make repo updates.

kstadnik-aws commented 9 months ago

Hello @adam-daily,

Can you please clarify what you meant by "Some people have made the update you're talking about directly on their repos and this worked fine for them"? What update did you mean here? Did you mean that people updated the "aft-requests" repository so that passing SSO user properties in control_tower_parameters became optional?

The thing is that even if we can make the parameters optional, since we can perform changes in our AFT repositories, when AFT tries to provision an account by performing the Service Catalog API call (provision_product), the call will fail because we cannot provision products without providing the SSO properties. This is because of the AWS Control Tower Account Factory product template (which we don't control) that is used to provision an account, and the parameters of this template are not optional.

@Menahem1, in the end, what approach did you take so that CT doesn't link an SSO user with an account and passing the SSO properties is optional?

duffenterprises commented 5 months ago

@adam-daily I've adopted AFT for my organization, and have opened a ticket in enterprise support for this exact issue. The current state is problematic: