Proactive control

[Galvin-wjw]

For the proactive control, CT.CLOUDFORMATION.PR.1 is the prerequisite.

But when I config tfvars like the below:

 {
    control_names = [
      "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED",
      "VQJENYWQLIKN", // prerequisite control CT.CLOUDFORMATION.PR.1
      "LZMEYSKSQSYC" //"CT.EC2.PR.3"Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443
    ],
    organizational_unit_ids = ["ou-XXX"],

Terraform apply also returns

ValidationException: AWS Control Tower cannot enable the control CT.EC2.PR.3 on ou-xXX, because the prerequisite control CT.CLOUDFORMATION.PR.1 is not enabled for this OU.

I need to apply again to compete the configuration, Is it possible to add some process to handle this situation？

Maybe add prerequisite before the guardrails creation.

 resource "aws_controltower_control" "guardrails"

[ikerei]

Hi @Galvin-wjw thank you for raising the ticket. Currently this option is not supported, for the use of proactive controls it is required to apply the implementation of the CT.CLOUDFORMATION.PR.1 prerequisite before deploying the CTC module. This can be done in several ways for example using the Console or the API with the CTC tool deployed in a previous step of the CI/CD pipeline. We are working on the new feature to add this optional prerequisite in the module’s configuration. Additional information on this prerequisite is in the AWS documentation https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html.