aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Give Customizations Codebuild Jobs Access to Customer Defined ASM Secrets #455

Open addefisher opened 2 months ago

addefisher commented 2 months ago

Describe the outcome you'd like

I would like the terraform-aws-control_tower_account_factory module to expose a variable called `var.customization_codebuild_secrets`

This would allow AFT customers to leverage AFT to deploy non-AWS resources as customizations (for example, an Okta group per AFT managed account).

Is your feature request related to a problem you are currently experiencing? If so, please describe.

Yes, we would like to use AFT to deploy non-AWS resources as customizations, but we do not have a clean way to provide credentials for non-AWS Terraform providers to the customization CodeBuild projects.

Additional context

snebhu3 commented 1 week ago

@addefisher thank you for reaching out. Please may you elaborate on the ask with examples and snippets to ensure we understand the requirement better? Please may you also expand on whether you have already explored achieving the goal with existing capabilities (pre-/post-API helpers, etc.) and what the challenges were there?