All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Add support for Resource Control Policies (RCPs). RCPs help you ensure that resources in your accounts stay within your organization's access control guidelines.
- To set up a configuration package for Resource Control Policies, see the CfCT customization guide.
- Add support for GitHub as a version control system (VCS) alternative for CfCT. (#21)
- Learn more on how to set up CfCT using GitHub in the Set up GitHub as the configuration source section of the user guide.
- Add guidance on CodeCommit availability to new customers.
- Add support for AWS Regions: Asia Pacific (Hyderabad, Jakarta, and Osaka), Israel (Tel Aviv), Middle East (UAE), and AWS GovCloud (US-East). Customers with these Regions as their AWS Control Tower home Region can now deploy account customizations using the CfCT framework.
- Enable lifecycle configuration, enable access logging and add versioning on S3 buckets
- Enhance security and robustness through improved handling of file paths and highly compressed data
- Upgrade botocore to version 1.31.17 and boto3 to version 1.28.17
- Update dependencies & runtimes (#186, #193)
- Building the solution from source now requires Python 3.11 or higher
- Update Python Lambda runtimes to 3.11
- Update Ruby version to 3.3
- Update CodeBuild container image to `aws/codebuild/standard:7.0`
- Pinned version for `PyYAML` to 5.3.1 due to yaml/pyyaml#724 (#183, #184)
- Pinned version for `moto` to 4.2.14.
- Add `UpdateReplacePolicy` and `DeletionPolicy` to lifecycle event queue and DLQ to improve deployment safety.
- Resolve `ConcurrentModificationException` errors that occur during parallel SCP deployments due to a race condition when enabling SCPs #175
- Improve performance when querying for StackSet instance account IDs in large organizations #174
- The CFCT pipeline now triggers on `UpdateManagedAccount` Control Tower lifecycle events, in addition to `CreateManagedAccount` events #173
- Honor the `CodeCommitBranchName` stack parameter on the CFCT repo's initial commit. The example code is now committed to your chosen branch instead of `main` #117
- Enable the use of privately registered CloudFormation resources in customization templates (for example, the `AWSUtility::CloudFormation::CommandRunner` resource type) #76
- CFCT now ignores non-existent OU targets when deploying SCPs, aligning with how non-existent OUs are treated when deploying StackSets #126
- Now supported in the following regions: me-south-1, af-south-1, eu-south-1, ap-east-1, us-west-1.
- Manifest now allows the use of S3 global URLs to download template files and uses regional URLs as a fallback mechanism.
- Event-based triggers for CodePipeline deployments are now supported.
- Bugfix: Add S3 bucket policy necessary for new CfCT deployments
- Fix bug where adding a resource to the middle of the manifest file caused CFCT to submit step function executions for all remaining manifest resources even if those resources had no changes
- Drop polling wait time for step function execution status from 30s to 15s
- Add support for AWS GovCloud
- Please note: using CFCT in AWS GovCloud requires the Control Tower home region to be AWS GovCloud West (us-gov-west-1)
- Support for opt-in deletion of Stack Set resources. This functionality is only supported when using the manifest v2 schema. Opting in to the new functionality reduces the overhead of manually deleting resources provisioned by CfCT.
- In the manifest v2 schema, the `enable_stack_set_deletion` flag is set to `false` by default. In this configuration, when a resource is removed from the Customizations for Control Tower manifest, no actions will be taken against the removed StackSet.
- Once opted into `enable_stack_set_deletion` by setting its value to `true` in the manifest, removing a resource in its entirety from the manifest will delete the StackSet and all owned resources. See https://docs.aws.amazon.com/controltower/latest/userguide/cfct-delete-stack.html
- Note: With `enable_stack_set_deletion` set to `true`, on the next invocation of CfCT, ALL resources not declared in the manifest that start with the prefix `CustomControlTower-` and have the associated tag `"Key": "AWS_Solutions", "Value": "CustomControlTowerStackSet"` will be deleted.
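As an added illustration (not CfCT's own code), the following Python preflight check applies the deletion rule above to a constructed StackSet inventory so you can see what an opt-in would remove before setting the flag. It assumes that a manifest resource named X corresponds to a StackSet named `CustomControlTower-X`; the manifest and inventory are constructed samples, not real account data.

```python
"""Predict which StackSets CfCT's enable_stack_set_deletion would remove.

Added example, not part of the CfCT project. Rule from the changelog: a StackSet
is deleted when it is not declared in the manifest, its name starts with
'CustomControlTower-' and it carries the tag AWS_Solutions=CustomControlTowerStackSet.
"""

PREFIX = "CustomControlTower-"
MARKER_TAG = {"Key": "AWS_Solutions", "Value": "CustomControlTowerStackSet"}

# Constructed v2 manifest (already parsed from YAML), opted in to deletion.
MANIFEST = {
    "version": "2021-03-15",
    "enable_stack_set_deletion": True,
    "resources": [
        {"name": "vpc-baseline", "deploy_method": "stack_set"},
        {"name": "deny-root", "deploy_method": "scp"},  # SCPs are not StackSets
    ],
}

# Constructed inventory, shaped like DescribeStackSet output (name + tags only).
STACK_SETS = [
    {"StackSetName": "CustomControlTower-vpc-baseline", "Tags": [MARKER_TAG]},
    {"StackSetName": "CustomControlTower-old-logging", "Tags": [MARKER_TAG]},
    {"StackSetName": "CustomControlTower-handmade", "Tags": []},       # no marker tag
    {"StackSetName": "OtherTeam-guardrails", "Tags": [MARKER_TAG]},    # wrong prefix
]


def is_cfct_managed(stack_set):
    """True only when BOTH the name prefix and the marker tag match."""
    return stack_set["StackSetName"].startswith(PREFIX) and MARKER_TAG in stack_set.get("Tags", [])


def declared_stack_set_names(manifest):
    """Assumed mapping: manifest resource 'X' -> StackSet 'CustomControlTower-X'."""
    return {PREFIX + r["name"] for r in manifest.get("resources", [])
            if r.get("deploy_method") == "stack_set"}


def predict_deletions(manifest, stack_sets):
    """Return the sorted StackSet names the next CfCT run would delete."""
    if not manifest.get("enable_stack_set_deletion", False):
        return []  # flag defaults to false: nothing is touched
    declared = declared_stack_set_names(manifest)
    return sorted(s["StackSetName"] for s in stack_sets
                  if is_cfct_managed(s) and s["StackSetName"] not in declared)


if __name__ == "__main__":
    for name in predict_deletions(MANIFEST, STACK_SETS):
        print("would be deleted:", name)
```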
- Bug Fix: Resolves a bug with CFCT versions >= 2.0.0 where using a v1 manifest format and defining a resource block without a parameter_file attribute (which is optional in v1 manifests) causes the CFCT pipeline to fail.
- Add support for CfCT pipeline to fail if any stack instances within a stack set deployment have failed
- New template parameter `EnforceSuccessfulStackInstances` can be set to True to achieve this behaviour
- Previously, when customers set high fault tolerance values to get concurrent stack instance deployments, the CfCT pipeline would succeed even when stack instances failed, which caused cascading failures for customer workflow dependencies
- Bug-Fix: Add non-interactive flag to dpkg-reconfigure to support non-US-ASCII characters in template #121
- Reduce CodeBuild runtime by removing unnecessary apt-get upgrade and apt-mark hold commands
- Update CodeBuild container image to aws/codebuild/standard:5.0. This should reduce CodeBuild queued and provisioning stage wait times.
- Fix bug related to Service Control Policy (SCP) deployment in organizations with >100 SCPs
- Pinned version for MarkupSafe dependency to 2.0.1 due to pallets/jinja#1585
- Pinned version of Amazon Corretto to java-1.8.0-amazon-corretto-jdk due to #102
- Moved python code into its own package
- Building the solution from source now requires Python 3.6 or higher
- Customers should now download the Customizations for AWS Control Tower CloudFormation Template from GitHub instead of S3
- Added support for organization Root as an OU for manifest schema version "2021-03-15". #8
- Added support for nested OU for manifest schema version "2021-03-15". #19
- Added support for CAPABILITY_AUTO_EXPAND for SAM. #78
- Fixed the issue that SSM parameter names were not output to logs for troubleshooting. #68
- Fixed the issue that resources starting with "S3" were incorrectly parsed as empty buckets. #65
- Fixed the issue that customization example folder was missing from the github repository. #71
- Added option to enable concurrency to deploy StackSets operations in regions in parallel.
- Added support for UTF-8 encoded CloudFormation templates. #55
- Support list of SSM Parameter Store keys as CloudFormation parameter value. #43
- Use environment variable for Update StackSet API #50
- Handle account names with overlapping string #45
- Handle SCP policy tag name with whitespace.
- Update parsing logic to learn manifest version in the manifest.
- Support for new simplified manifest schema (version "2021-03-15"). This does not impact existing customers using manifest version "2020-01-01".
- Optimization to skip update Stack Set workflow when only new accounts are added to the Stack Set.
- Ability to create only Stack Sets if the account list is empty. This allows users to configure Stack Set resources with empty Organizational Units. Ref: GitHub Issue 42
- Pinned versions for all the third-party packages.
- Update cfn-nag package to v0.7.2 to utilize new rules. This may result in new failures and warnings in the build stage. However, it will help you identify new issues.
- Update default branch name to 'main'.
- Add support for https path for the resource file in the manifest.
- Fix the issue related to incompatibility between latest version of BotoCore and AWS CLI. Ref: Boto3 Issue #2596
- Feature to select AWS CodePipeline source (AWS CodeCommit repository or Amazon S3 bucket).
- Feature to switch between the two CodePipeline sources.
- Feature to use an existing AWS CodeCommit repository.
- Uses Virtual Hosted-Style URLs (path-style URLs will be deprecated in Sept 2020).
- Uses regional endpoint for S3 APIs.
- Increases the stack set operation fault tolerance from 0 to 10 percent to allow parallel stack instance deployments.
- Updates the AWS CodeBuild image to the latest available version (aws/codebuild/standard:4.0).
- Optimizes the CloudFormation resource stage to trigger step function execution only if there is difference between the configuration and deployed stack sets.
- Fixes the issue in the build stage of the CodePipeline by updating manifest version to match the manifest schema.
- Fixes the issue for comparing deployed stack set templates and parameters #4
- Fixes the issue for updating the variables in the files using Jinja #17
- Fixed Stack Instance Deletion Issue: In case there are existing stack instances but none of those instances belongs to the accounts specified in the user manifest file as the input for the StackSet state machine, the deletion of the existing stack instances would fail. This issue is not applicable if at least one account in the input account list has an existing stack instance.
- Code Optimization for Best Practice
- Initial public release