aws-solutions / workload-discovery-on-aws

Workload Discovery on AWS is a solution to visualize AWS Cloud workloads. With it you can build, customize, and share architecture diagrams of your workloads based on live data from AWS. The solution maintains an inventory of the AWS resources across your accounts and regions, mapping their relationships and displaying them in the user interface.
https://aws.amazon.com/solutions/implementations/workload-discovery-on-aws/
Apache License 2.0
718 stars 85 forks

SCP errors in discovery process when deployed in an AWS Organization managed by Control Tower #544

Closed svozza closed 1 week ago

svozza commented 1 week ago

When using Control Tower in an AWS Organization the discovery process can't write to the addAccounts GQL mutation. This is because the mutation makes an unnecessary call to the putConfigAggregator API, an API that is disallowed by the SCP guardrails that Control Tower adds to all accounts in an org.

The call is unnecessary because in AWS_ORGANIZATION mode, the Config aggregator is managed by the organization not Workload Discovery, so there is no need to manually update the aggregator using putConfigAggregator.
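The guard the comment above describes, as an added example that is not the project's code: a hypothetical `addAccounts` resolver that only updates the Config aggregator when the solution owns it. The real Config API operation is `PutConfigurationAggregator`; the stand-in client below mimics the `AccessDeniedException` an SCP explicit deny produces instead of calling AWS. The mode name `SELF_MANAGED` for the non-organization mode, the resolver's signature and the sample accounts are assumptions.

```javascript
// Added example, not the project's code. Shows why the aggregator update must
// be skipped in AWS_ORGANIZATION mode when an SCP denies PutConfigurationAggregator.

// Constructed stand-in for the Config Service client. When denyByScp is set it
// reproduces the error an SCP explicit deny returns for the real API call.
class FakeConfigClient {
  constructor({ denyByScp }) {
    this.denyByScp = denyByScp;
    this.calls = [];
  }
  async putConfigurationAggregator(params) {
    this.calls.push(params);
    if (this.denyByScp) {
      const err = new Error('not authorized to perform: config:PutConfigurationAggregator with an explicit deny in a service control policy');
      err.name = 'AccessDeniedException';
      throw err;
    }
    return {};
  }
}

// In-memory stand-in for the account inventory the mutation writes to.
function createInventory() {
  const accounts = new Map();
  return { accounts, add(account) { accounts.set(account.accountId, account); } };
}

// Hypothetical addAccounts resolver (assumed shape). In SELF_MANAGED mode
// (assumed name) the solution owns the aggregator, so new accounts are added to
// its AccountAggregationSources. In AWS_ORGANIZATION mode the organization owns
// the aggregator, so the privileged call is not made at all.
async function addAccounts({ mode, aggregatorName, accounts, configClient, inventory }) {
  for (const account of accounts) inventory.add(account);

  if (mode === 'AWS_ORGANIZATION') {
    return { added: accounts.length, aggregatorUpdated: false };
  }

  const allAccountIds = [...inventory.accounts.keys()];
  const regions = [...new Set(accounts.flatMap((a) => a.regions))];
  await configClient.putConfigurationAggregator({
    ConfigurationAggregatorName: aggregatorName,
    AccountAggregationSources: [{ AccountIds: allAccountIds, AwsRegions: regions }],
  });
  return { added: accounts.length, aggregatorUpdated: true };
}

// Pre-fix behaviour for comparison: updates the aggregator regardless of mode.
async function addAccountsUnconditional(args) {
  return addAccounts({ ...args, mode: 'SELF_MANAGED' });
}

// Constructed sample input (fake account ids).
const sampleAccounts = [
  { accountId: '111111111111', name: 'workloads-prod', regions: ['eu-west-1'] },
  { accountId: '222222222222', name: 'workloads-dev', regions: ['eu-west-1', 'us-east-1'] },
];

// Reproduce the issue, then the fix, against a client that mimics the SCP denial.
async function demo() {
  const scpClient = new FakeConfigClient({ denyByScp: true });
  let failure = null;
  try {
    await addAccountsUnconditional({
      aggregatorName: 'wd-aggregator', accounts: sampleAccounts,
      configClient: scpClient, inventory: createInventory(),
    });
  } catch (err) {
    failure = err.name; // 'AccessDeniedException' from the SCP
  }
  const fixed = await addAccounts({
    mode: 'AWS_ORGANIZATION', aggregatorName: 'wd-aggregator', accounts: sampleAccounts,
    configClient: scpClient, inventory: createInventory(),
  });
  return { failure, fixed, aggregatorCalls: scpClient.calls.length };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The defensive point is that the organization-managed path never needs `config:PutConfigurationAggregator`, so the resolver should not depend on a permission that guardrails are entitled to deny; the mode check also keeps the solution's own IAM footprint minimal in that deployment.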

svozza commented 1 week ago

Fixed in v2.1.14