Release: 1.5.2

Author: AWS

README.md

@@ -60,14 +60,15 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1, < 2.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0, < 5.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_local"></a> [local](#provider\_local) | 2.1.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0, < 5.0.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
 
 ## Modules
 
@@ -88,6 +89,7 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 
 | Name | Type |
 |------|------|
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [local_file.version](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
 
 ## Inputs
@@ -103,7 +105,7 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 | <a name="input_aft_feature_cloudtrail_data_events"></a> [aft\_feature\_cloudtrail\_data\_events](#input\_aft\_feature\_cloudtrail\_data\_events) | Feature flag toggling CloudTrail data events on/off | `bool` | `false` | no |
 | <a name="input_aft_feature_delete_default_vpcs_enabled"></a> [aft\_feature\_delete\_default\_vpcs\_enabled](#input\_aft\_feature\_delete\_default\_vpcs\_enabled) | Feature flag toggling deletion of default VPCs on/off | `bool` | `false` | no |
 | <a name="input_aft_feature_enterprise_support"></a> [aft\_feature\_enterprise\_support](#input\_aft\_feature\_enterprise\_support) | Feature flag toggling Enterprise Support enrollment on/off | `bool` | `false` | no |
-| <a name="input_aft_framework_repo_git_ref"></a> [aft\_framework\_repo\_git\_ref](#input\_aft\_framework\_repo\_git\_ref) | Git branch from which the AFT framework should be sourced from | `string` | `"main"` | no |
+| <a name="input_aft_framework_repo_git_ref"></a> [aft\_framework\_repo\_git\_ref](#input\_aft\_framework\_repo\_git\_ref) | Git branch from which the AFT framework should be sourced from | `string` | `null` | no |
 | <a name="input_aft_framework_repo_url"></a> [aft\_framework\_repo\_url](#input\_aft\_framework\_repo\_url) | Git repo URL where the AFT framework should be sourced from | `string` | `"https://github.com/aws-ia/terraform-aws-control_tower_account_factory.git"` | no |
 | <a name="input_aft_management_account_id"></a> [aft\_management\_account\_id](#input\_aft\_management\_account\_id) | AFT Management Account ID | `string` | n/a | yes |
 | <a name="input_aft_vpc_cidr"></a> [aft\_vpc\_cidr](#input\_aft\_vpc\_cidr) | CIDR Block to allocate to the AFT VPC | `string` | `"192.168.0.0/22"` | no |

VERSION

@@ -1 +1 @@
-1.5.1
+1.5.2

data.tf

@@ -4,3 +4,5 @@
 data "local_file" "version" {
   filename = "${path.module}/VERSION"
 }
+
+data "aws_partition" "current" {}

modules/aft-account-provisioning-framework/data.tf

@@ -1,6 +1,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
+data "aws_partition" "current" {}
 data "aws_region" "aft_management" {}
 data "aws_caller_identity" "aft_management" {}
 data "aws_iam_policy" "AWSLambdaBasicExecutionRole" {

modules/aft-account-provisioning-framework/iam.tf

@@ -19,6 +19,7 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_va
   name = "aft-lambda-invoke-aft-account-provisioning-framework-validate-request-policy"
   role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.id
   policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
     aft_sns_topic_arn                                  = var.aft_sns_topic_arn
@@ -43,6 +44,7 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_ge
   name = "aft-lambda-invoke-aft-account-provisioning-framework-get-account-info-policy"
   role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.id
   policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
     aft_sns_topic_arn                                  = var.aft_sns_topic_arn
@@ -67,6 +69,7 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_cr
   name = "aft-lambda-invoke-aft_account_provisioning_framework-create-role-policy"
   role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role.id
   policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
     aft_sns_topic_arn                                  = var.aft_sns_topic_arn
@@ -91,6 +94,7 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_ta
   name = "aft-lambda-invoke-aft-account-provisioning-framework-tag-account-policy"
   role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account.id
   policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
     aft_sns_topic_arn                                  = var.aft_sns_topic_arn
@@ -115,6 +119,7 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_pe
   name = "aft-lambda-invoke-aft-account-provisioning-framework-persist-metadata-policy"
   role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.id
   policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
     aft_sns_topic_arn                                  = var.aft_sns_topic_arn
@@ -135,6 +140,7 @@ resource "aws_iam_role_policy" "aft_states" {
   role = aws_iam_role.aft_states.id
 
   policy = templatefile("${path.module}/iam/role-policies/iam-aft-states.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
     data_aws_region_aft-management_name                = data.aws_region.aft_management.name
     data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
   })

modules/aft-account-provisioning-framework/iam/role-policies/iam-aft-states.tpl

@@ -11,15 +11,15 @@
         {
             "Effect": "Allow",
             "Action": "states:StartExecution",
-            "Resource": "arn:aws:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:stateMachine:aft-*"
+            "Resource": "arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:stateMachine:aft-*"
         },
         {
             "Effect": "Allow",
             "Action": [
                 "lambda:InvokeFunction"
             ],
             "Resource": [
-                "arn:aws:lambda:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:function:aft-*"
+                "arn:${data_aws_partition_current_partition}:lambda:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:function:aft-*"
             ]
         },
         {
@@ -28,7 +28,7 @@
                 "sns:Publish"
             ],
             "Resource": [
-                "arn:aws:sns:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:aft-*"
+                "arn:${data_aws_partition_current_partition}:sns:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:aft-*"
             ]
         },
         {
@@ -39,7 +39,7 @@
                 "codebuild:BatchGetBuilds"
             ],
             "Resource": [
-                "arn:aws:codebuild:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:project/aft-*"
+                "arn:${data_aws_partition_current_partition}:codebuild:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:project/aft-*"
             ]
         },
         {
@@ -50,7 +50,7 @@
                 "events:DescribeRule"
             ],
             "Resource": [
-                "arn:aws:events:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"
+                "arn:${data_aws_partition_current_partition}:events:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"
             ]
         }
     ]

modules/aft-account-provisioning-framework/iam/role-policies/lambda-aft-account-provisioning-framework.tpl

@@ -13,14 +13,14 @@
         "dynamodb:Scan"
       ],
         "Resource" : [
-          "arn:aws:dynamodb:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:table/aft*"
+          "arn:${data_aws_partition_current_partition}:dynamodb:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:table/aft*"
         ]
       },
       {
         "Effect" : "Allow",
         "Action" : "ssm:GetParameter",
         "Resource" : [
-          "arn:aws:ssm:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:parameter/aft/*"
+          "arn:${data_aws_partition_current_partition}:ssm:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:parameter/aft/*"
         ]
       },
       {
@@ -29,7 +29,7 @@
           "sts:AssumeRole"
         ],
         "Resource" : [
-          "arn:aws:iam::${data_aws_caller_identity_aft-management_account_id}:role/AWSAFTAdmin"
+          "arn:${data_aws_partition_current_partition}:iam::${data_aws_caller_identity_aft-management_account_id}:role/AWSAFTAdmin"
         ]
       },
       {
@@ -56,7 +56,7 @@
       ],
       "Resource" : [
         "${aws_kms_key_aft_arn}",
-        "arn:aws:kms:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:alias/aws/sns"
+        "arn:${data_aws_partition_current_partition}:kms:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:alias/aws/sns"
       ]
       }
     ]

modules/aft-account-provisioning-framework/states.tf

@@ -4,6 +4,7 @@
 locals {
   state_machine_source = "${path.module}/states/aft_account_provisioning_framework.asl.json"
   replacements_map = {
+    current_partition                                                 = data.aws_partition.current.partition
     validate_request_function_name                                    = aws_lambda_function.validate_request.function_name
     get_account_info_function_name                                    = aws_lambda_function.get_account_info.function_name
     create_role_function_name                                         = aws_lambda_function.create_role.function_name
@@ -12,9 +13,9 @@ locals {
     account_metadata_ssm_function_name                                = aws_lambda_function.account_metadata_ssm.function_name
     aft_notification_arn                                              = var.aft_sns_topic_arn
     aft_failure_notification_arn                                      = var.aft_failure_sns_topic_arn
-    aft_account_provisioning_customizations_state_machine_arn         = "arn:aws:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.aft_account_provisioning_customizations_sfn_name}"
-    customizations_trigger_state_machine_arn                          = "arn:aws:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.trigger_customizations_sfn_name}"
-    aft_account_provisioning_framework_aft_features_state_machine_arn = "arn:aws:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.aft_features_sfn_name}"
+    aft_account_provisioning_customizations_state_machine_arn         = "arn:${data.aws_partition.current.partition}:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.aft_account_provisioning_customizations_sfn_name}"
+    customizations_trigger_state_machine_arn                          = "arn:${data.aws_partition.current.partition}:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.trigger_customizations_sfn_name}"
+    aft_account_provisioning_framework_aft_features_state_machine_arn = "arn:${data.aws_partition.current.partition}:states:${data.aws_region.aft_management.name}:${data.aws_caller_identity.aft_management.account_id}:stateMachine:${var.aft_features_sfn_name}"
   }
 }
 

modules/aft-account-provisioning-framework/states/aft_account_provisioning_framework.asl.json

@@ -4,7 +4,7 @@
     "aft_account_provisioning_framework_validate": {
       "Next": "aft_account_provisioning_framework_get_account_info",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.validated",
       "ResultSelector": {"Success.$":"$.Payload"},
       "Parameters": {
@@ -25,7 +25,7 @@
     "aft_account_provisioning_framework_get_account_info": {
       "Next": "aft_account_provisioning_framework_persist_metadata",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.account_info",
       "ResultSelector": {"account.$":"$.Payload"},
       "Parameters": {
@@ -46,7 +46,7 @@
     "aft_account_provisioning_framework_persist_metadata": {
       "Next": "aft_account_provisioning_framework_create_role",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.persist_metadata",
       "ResultSelector": {"StatusCode.$":"$.StatusCode"},
       "Parameters": {
@@ -67,7 +67,7 @@
     "aft_account_provisioning_framework_create_role": {
       "Next": "aft_account_provisioning_framework_tag_account",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.role",
       "ResultSelector": {"Arn.$":"$.Payload"},
       "Parameters": {
@@ -96,7 +96,7 @@
     "aft_account_provisioning_framework_tag_account": {
       "Next": "aft_account_provisioning_framework_account_metadata_ssm",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.account_tags",
       "ResultSelector": {"StatusCode.$":"$.StatusCode"},
       "Parameters": {
@@ -118,7 +118,7 @@
     "aft_account_provisioning_framework_account_metadata_ssm": {
       "Next": "aft_account_provisioning_framework_aft_features",
       "Type": "Task",
-      "Resource": "arn:aws:states:::lambda:invoke",
+      "Resource": "arn:${current_partition}:states:::lambda:invoke",
       "ResultPath": "$.account_metadata_ssm",
       "ResultSelector": {"StatusCode.$":"$.StatusCode"},
       "Parameters": {
@@ -140,7 +140,7 @@
     "aft_account_provisioning_framework_aft_features": {
       "Next": "aft_account_provisioning_customizations",
       "Type": "Task",
-      "Resource": "arn:aws:states:::states:startExecution.sync:2",
+      "Resource": "arn:${current_partition}:states:::states:startExecution.sync:2",
       "Parameters": {
         "StateMachineArn": "${aft_account_provisioning_framework_aft_features_state_machine_arn}",
         "Input.$": "$"
@@ -149,7 +149,7 @@
     "aft_account_provisioning_customizations": {
       "Next": "run_create_pipeline?",
       "Type": "Task",
-      "Resource": "arn:aws:states:::states:startExecution.sync:2",
+      "Resource": "arn:${current_partition}:states:::states:startExecution.sync:2",
       "Parameters": {
         "StateMachineArn": "${aft_account_provisioning_customizations_state_machine_arn}",
         "Input.$": "$.Input"
@@ -175,7 +175,7 @@
     "aft_account_provisioning_framework_create_pipeline": {
       "Next": "aft_account_provisioning_framework_notify_success",
       "Type": "Task",
-      "Resource": "arn:aws:states:::codebuild:startBuild.sync",
+      "Resource": "arn:${current_partition}:states:::codebuild:startBuild.sync",
       "Parameters": {
         "ProjectName": "aft-create-pipeline",
         "EnvironmentVariablesOverride": [
@@ -201,7 +201,7 @@
     },
     "aft_account_provisioning_framework_notify_success": {
       "Type": "Task",
-      "Resource": "arn:aws:states:::sns:publish",
+      "Resource": "arn:${current_partition}:states:::sns:publish",
       "Parameters": {
         "TopicArn": "${aft_notification_arn}",
         "Message.$": "$"
@@ -210,7 +210,7 @@
     },
     "aft_account_provisioning_framework_notify_error": {
       "Type": "Task",
-      "Resource": "arn:aws:states:::sns:publish",
+      "Resource": "arn:${current_partition}:states:::sns:publish",
       "Parameters": {
         "TopicArn": "${aft_failure_notification_arn}",
         "Message.$": "$.Cause"

modules/aft-account-request-framework/data.tf

@@ -1,6 +1,8 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
+data "aws_partition" "current" {}
+
 data "aws_region" "aft-management" {}
 
 data "aws_caller_identity" "aft-management" {}