Enable more ControlTower Controls (eg `CT.MULTISERVICE.PV.1`)

[richardkeit]

Is your feature request related to a problem? Please describe. Control Tower enables Deny access to AWS based on the requested AWS Region, here I can limit to all required regions. Furthermore, if an organisation unit is only meant to have access to a subset of the landing zone's allowed regions, Control tower allows applying Deny access to AWS based on the requested AWS Region for an organizational unit.

Rather than having the ability to control this control within GlobalConfig / ControlTowerConfig / ControlTowerControlConfig / Control Tower Controls, we have to find another mechanism to do so (which is unintuitive base on most users navigating to controlTowerControls)

Describe the feature you'd like We want the ability to apply more controls via the controlTowerControls attribute. This would need to support parameters, for specific example see the linked control:

AllowedRegions: Specifies the Regions selected, in which the OU is allowed to operate. This parameter is mandatory. ExemptedPrincipalARNs: Specifies the IAM principals that are exempt from this control, so that they are allowed to operate certain AWS services globally. ExemptedActions: Specifies actions that are exempt from this control, so that the actions are allowed.

[erwaxler]

@richardkeit Thanks for creating this, as you identified we currently exclusively support deploying Control Tower controls with predictable identifiers. I've created an issue to track the work to add support for all Control Tower controls to our team's backlog, I will update this ticket accordingly. Thank you again for your interest in the LZA!