aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

It is desirable that not only createManagedAccount, but also the CFCT pipeline starts even when a moveAccount action occurs #173

Closed sudakos closed 7 months ago

sudakos commented 9 months ago

If the OU is moved due to re-registration of the AWS account, the managed functionality of Control Tower will be updated, but the CFCT template will not be re-applied. I want you to make sure that there is no inconsistency between services in behavior with respect to manual workloads when linking services. So, if an AWS account has moved an OU, I think it is a desirable specification that both Control Tower controls and CFCT templates are applied with the policies applied to the relevant OU.

stumins commented 9 months ago

Hi @sudakos,

Thanks for submitting this feature request. I've created a backlog item to update the LifecyleEvent EventBridge rule to trigger the CFCT customization pipeline when the Landing Zone emits UpdateManagedAccount events in addition to CreateManagedAccount events.

sudakos commented 8 months ago

Thank you so much for your consideration!

stumins commented 7 months ago

Hi @sudakos,

We just released CFCT v2.7.0 which adds this behavior - the CFCT pipeline is now also triggered by UpdateManagedAccount events.

sudakos commented 7 months ago

Thank you! I believe that many users will be happy.
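
The rule change discussed in this thread, as an added example (not code from the CFCT repository or from either commenter): a small matcher for a subset of EventBridge pattern syntax, run over constructed Control Tower lifecycle events, showing that a create-only pattern misses an OU move while a widened pattern catches it. The patterns, the `matches` helper and the sample events are assumptions written for illustration; the event field names follow the Control Tower lifecycle event format.

```python
# Added example: EventBridge-style matching (exact values, nesting, $or only).
BASE = {"source": ["aws.controltower"],
        "detail-type": ["AWS Service Event via CloudTrail"]}

def clause(event_name, status_key):
    """Match one lifecycle event name, and only when it SUCCEEDED."""
    return {"eventName": [event_name],
            "serviceEventDetails": {status_key: {"state": ["SUCCEEDED"]}}}

# Assumed pattern: reacts to account creation only (the gap the issue describes).
CREATE_ONLY = {**BASE, "detail": clause("CreateManagedAccount",
                                        "createManagedAccountStatus")}

# Assumed widened pattern: also reacts to re-registration / OU moves.
CREATE_OR_UPDATE = {**BASE, "detail": {"$or": [
    clause("CreateManagedAccount", "createManagedAccountStatus"),
    clause("UpdateManagedAccount", "updateManagedAccountStatus")]}}

def matches(pattern, event):
    """Return True if every key in the pattern is satisfied by the event."""
    if not isinstance(event, dict):
        return False  # pattern expects an object that the event lacks
    for key, expected in pattern.items():
        if key == "$or":
            if not any(matches(alt, event) for alt in expected):
                return False
        elif isinstance(expected, dict):
            if not matches(expected, event.get(key)):
                return False
        elif event.get(key) not in expected:  # list of allowed exact values
            return False
    return True

def sample(event_name, status_key, state, ou_name):
    """Constructed event; account id, account name and OU name are placeholders."""
    return {"source": "aws.controltower",
            "detail-type": "AWS Service Event via CloudTrail",
            "detail": {"eventName": event_name, "serviceEventDetails": {status_key: {
                "state": state,
                "account": {"accountId": "111111111111", "accountName": "example"},
                "organizationalUnit": {"organizationalUnitName": ou_name}}}}}

SAMPLES = {
    "created": sample("CreateManagedAccount", "createManagedAccountStatus", "SUCCEEDED", "Sandbox"),
    "moved": sample("UpdateManagedAccount", "updateManagedAccountStatus", "SUCCEEDED", "Prod"),
    "failed_move": sample("UpdateManagedAccount", "updateManagedAccountStatus", "FAILED", "Prod"),
}

def pipeline_triggers(pattern):
    """Names of the sample events that would start the pipeline under this pattern."""
    return [name for name, event in SAMPLES.items() if matches(pattern, event)]
```

With the create-only pattern an account moved into a new OU keeps the customizations of its old OU until something else starts the pipeline, which is the drift between Control Tower controls and CFCT templates that the issue reports.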