The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Describe the bug
If an AWS account is enrolled in Control Tower but does not have an entry in the AWSControlTowerBP-Baseline-CONFIG stackset (enrolled with existing Config resources), and you try to use the Account ID in the manifest file, it won't deploy a stack instance. And if one exists, it will remove it.
To Reproduce
Have an existing AWS Account in an Org but not enrolled in Control Tower
Make a support request to whitelist the Account so we can keep existing AWS Config resources
Enroll the account in Control Tower.
Try and deploy a customization using Account ID
Expected behavior
When creating resources in the manifest file and using a specified individual account list, the accounts that don't appear in the StackSet AWSControlTowerBP-BASELINE-CONFIG get removed from the list.
Please complete the following information about the solution:
[ 2.2.0 ] Version: [e.g. v1.0.0]
To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0089) - customizations-for-aws-control-tower Solution. Version: v1.0.0". You can also find the version from releases
[ us-east-1 ] Region: [e.g. us-east-1]
[ No ] Was the solution modified from the version published on this repository?
[ ] If the answer to the previous question was yes, are the changes available on GitHub?
[ yes ] Have you checked your service quotas for the services this solution uses?
[ no ] Were there any errors in the CloudWatch Logs?
Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).
Additional context
Control Tower provides a new way of enrolling accounts when they already have AWS Config resources. This involves creating a support request to "whitelist" accounts so they can be enrolled successfully.
This seems to cause the result that the Account ID of the enrolled account does not get added to the Control Tower StackSet "AWSControlTowerBP-BASELINE-CONFIG". CfCT seems to use this StackSet as validation for the Account list.
When creating resources in the manifest file and using a specified individual account list, the accounts that don't appear in the above StackSet get removed from the list. If the stackset has an instance relating to that account, it gets deleted.
The stackset may already exist, as we (ProServe) have migration patterns moving from the AWS Landing Zone or other scenarios where we may migrate stacks between Landing Zone and Customizations StackSets.
Also with that new Config "whitelist" process this may create issues for other customers.
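A pre-flight check for the behaviour this report describes, added here as an example (it is not code from the CfCT project or from the reporter): given the stack instances of the AWSControlTowerBP-BASELINE-CONFIG stack set and a parsed CfCT manifest, it lists the manifest accounts that have no instance in that stack set and would therefore be dropped from the deployment (and have any existing instance deleted) before anything is run. The ListStackInstances pages and the manifest are constructed sample data shaped like the CloudFormation API response and the manifest format version 2021-03-15; in a real pipeline the pages would come from the `list_stack_instances` paginator and the manifest from the repository's manifest.yaml. That CfCT validates against this particular stack set is the reporter's observation, and the check assumes it.

```python
"""Pre-flight check: which accounts in a CfCT manifest lack a stack instance in
the Control Tower baseline CONFIG stack set and would silently be dropped.
Added example; not part of the CfCT solution."""

BASELINE_CONFIG_STACKSET = "AWSControlTowerBP-BASELINE-CONFIG"

# Constructed pages shaped like CloudFormation ListStackInstances responses
# (each page has "Summaries" and, except the last, a "NextToken").
# A real run would obtain these with
#   boto3.client("cloudformation").get_paginator("list_stack_instances")
#        .paginate(StackSetName=BASELINE_CONFIG_STACKSET)
SAMPLE_PAGES = [
    {
        "Summaries": [
            {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
            {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT"},
        ],
        "NextToken": "constructed-token-page-2",
    },
    {
        "Summaries": [
            {"Account": "222222222222", "Region": "eu-west-1", "Status": "CURRENT"},
        ]
    },
]

# Constructed manifest, shaped like a CfCT manifest (version 2021-03-15) after
# YAML parsing. Account 333333333333 stands for an account enrolled via the
# "whitelist" route that never received a baseline CONFIG stack instance.
SAMPLE_MANIFEST = {
    "region": "us-east-1",
    "version": "2021-03-15",
    "resources": [
        {
            "name": "security-baseline",
            "resource_file": "templates/security-baseline.template",
            "deploy_method": "stack_set",
            "deployment_targets": {"accounts": ["111111111111", 333333333333]},
            "regions": ["us-east-1"],
        },
        {
            "name": "ou-wide-baseline",
            "resource_file": "templates/ou-wide.template",
            "deploy_method": "stack_set",
            "deployment_targets": {"organizational_units": ["Sandbox"]},
            "regions": ["us-east-1"],
        },
    ],
}


def normalise_account(account):
    """YAML parses unquoted account IDs as integers, which loses leading zeros;
    render every ID as a 12-digit string so comparisons are exact."""
    return str(account).zfill(12)


def baseline_accounts(pages):
    """Collect every account that has at least one instance (any region) in
    the baseline stack set, walking all paginated response pages."""
    accounts = set()
    for page in pages:
        for summary in page.get("Summaries", []):
            accounts.add(normalise_account(summary["Account"]))
    return accounts


def accounts_missing_baseline(manifest, baseline):
    """Return {resource name: [account IDs]} for accounts listed explicitly
    under deployment_targets.accounts that are absent from the baseline set.
    Resources targeted only by organizational_units are not affected and are
    skipped."""
    missing = {}
    for resource in manifest.get("resources", []):
        targets = resource.get("deployment_targets") or {}
        wanted = [normalise_account(a) for a in (targets.get("accounts") or [])]
        dropped = [a for a in wanted if a not in baseline]
        if dropped:
            missing[resource["name"]] = dropped
    return missing


def preflight(manifest, pages):
    """Combine the two steps; an empty result means every explicitly listed
    account has a baseline instance and nothing will be dropped."""
    return accounts_missing_baseline(manifest, baseline_accounts(pages))


if __name__ == "__main__":
    report = preflight(SAMPLE_MANIFEST, SAMPLE_PAGES)
    if not report:
        print("OK: all manifest accounts have a %s instance" % BASELINE_CONFIG_STACKSET)
    for name, accounts in report.items():
        print("WARNING: resource %r: no %s instance for %s; CfCT would drop them"
              % (name, BASELINE_CONFIG_STACKSET, ", ".join(accounts)))
```

Running the check before each CfCT pipeline run (for example as a CodeBuild step or a pre-commit hook on manifest.yaml) turns the silent removal into an explicit failure that can be investigated with the enrolment support case rather than discovered after a stack instance has been deleted.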