Open Menahem1 opened 11 months ago
Hey Ménahem, thanks for the reach out. We have a backlog to address this. To give a little context, I know that people have had luck updating that definition you linked in their repository and effectively enabled what you're describing that way. That said, we'd prefer not to solve the problem for all customers that way and instead explore ways that don't require everyone to go and update their repositories manually, potentially moving that definition out of the repo so that people get updates to the account request interface when they update AFT without needing to touch their repos.
TL;DR: Some people have made the update you're talking about directly on their repos and this worked fine for them, but YMMV. In the meantime, we're investigating methods of updating this in a way that people don't need to make repo updates.
Hello @adam-daily,
Can you please clarify what you meant by "Some people have made the update you're talking about directly on their repos and this worked fine for them"? What update did you mean here? Did you mean that people updated the "aft-requests" repository so that passing SSO user properties in control_tower_parameters became optional?
The thing is that even if we can make the parameters optional, since we can make changes in our AFT repositories, when AFT tries to provision an account by performing the service_catalog API call (provision_product), the call will fail because we cannot provision products without providing SSO properties. This is because of the AWS Control Tower Account Factory product template (which we don't control) that is used to provision an account, and the parameters of this template are not optional.
@Menahem1 in the end, what approach did you take so that CT doesn't link an SSO user with an account and passing SSO properties is optional?
@adam-daily I've adopted AFT for my organization, and have opened a ticket in enterprise support for this exact issue. The current state is problematic:
Hello,
Since this update of Control Tower, it's not mandatory to assign an SSO user in a new account.
Is it possible to add that parameter as 'optional' https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/sources/aft-customizations-repos/aft-account-request/examples/account-request.tf#L14 ?
Thanks