aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Best way to apply specific SCP to an account during provisioning #418

Closed mlnrt closed 5 months ago

mlnrt commented 5 months ago

Describe the outcome you'd like
We have a use case for a customer where, on top of SCPs applied to OUs, they need in some cases to apply additional SCPs directly on the account. We are trying to find the best way to apply such specific SCP when creating/modifying an account.

A clear and concise description of what you want to happen.
In the aft-account-request repository, when creating/modifying the Terraform code of an account in the account-request.tf file, if we set a parameter (e.g. an additional_scp custom field) to the name of an SCP, that SCP will be directly attached to the account:

module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "sandbox01@example.com"
    AccountName               = "sandbox-account-01"
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail              = "sandbox01@example.com"
    SSOUserFirstName          = "FirstName"
    SSOUserLastName           = "LastName"
  }

  ...

  custom_fields = {
    additional_scp = "specific_scp"
  }

  account_customizations_name = "sandbox-customizations"
}

Is your feature request related to a problem you are currently experiencing? If so, please describe.
This is not related to a problem but to a customer need to sometimes apply specific SCPs directly to accounts.

Additional context
Is the best way to do this to create our own customization in the aft-account-provisioning-customization? This feels like a pretty common need, but I couldn't find any built-in way to do something like that directly in Control Tower or the AFT framework.

Thank you in advance

snebhu3 commented 5 months ago

@mlnrt thank you for reaching out. Currently, you could create your own account-specific customization using Terraform modules to apply SCPs to the respective accounts. I have created an internal backlog item to explore a built-in way to attach additional SCPs to accounts via AFT.

mlnrt commented 5 months ago

@snebhu3 Thank you for the reply. This is what I thought.
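The customization-module approach suggested in the reply above, written out as an added example that is not from the AFT project or from either commenter: a Terraform account customization that reads the additional_scp custom field AFT writes into the vended account's SSM Parameter Store and attaches the SCP of that name to the account. The scp_attach_role_arn variable, the management provider alias and the requirement that a role in the management account may attach policies are assumptions; the SSM path follows AFT's custom_fields convention.

```hcl
# Added example, not AFT project code. Runs as an AFT account customization:
# the default provider is the vended account.
variable "scp_attach_role_arn" {
  type = string # placeholder: role in the management account that may attach SCPs (assumption)
}

# AFT copies each custom_fields entry into the vended account's SSM Parameter
# Store under /aft/account-request/custom-fields/<key>.
data "aws_ssm_parameter" "additional_scp" {
  name = "/aft/account-request/custom-fields/additional_scp"
}
data "aws_caller_identity" "vended" {}

# SCP attachment is an Organizations API call, which only the management
# account can make; the vended account's AFT execution role cannot.
provider "aws" {
  alias = "management"
  assume_role {
    role_arn = var.scp_attach_role_arn
  }
}

data "aws_organizations_policies" "scps" {
  provider = aws.management
  filter   = "SERVICE_CONTROL_POLICY"
}

data "aws_organizations_policy" "scp" {
  provider  = aws.management
  for_each  = toset(data.aws_organizations_policies.scps.ids)
  policy_id = each.value
}

locals {
  wanted_scp_name = nonsensitive(data.aws_ssm_parameter.additional_scp.value) # an SCP name, not a secret
  matching_scp_ids = [
    for id, p in data.aws_organizations_policy.scp : id if p.name == local.wanted_scp_name
  ]
}

resource "aws_organizations_policy_attachment" "additional_scp" {
  provider  = aws.management
  policy_id = one(local.matching_scp_ids)
  target_id = data.aws_caller_identity.vended.account_id
  lifecycle {
    precondition {
      condition     = length(local.matching_scp_ids) == 1
      error_message = "Expected exactly one SCP named '${local.wanted_scp_name}'; refusing to guess."
    }
  }
}
```

The precondition makes the plan fail, rather than silently attach nothing or the wrong policy, when the named SCP is missing or the name is ambiguous; the attachment is left in Terraform state, so clearing the custom field later detaches it on the next customization run.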