Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
- The `AWSControlTowerExecution` role provides the support needed to deploy solutions to the `management account` across regions as CloudFormation `StackSets`, and it is required for the SRA CFCT solution deployments.
  - This role is created as part of the common_prerequisites solution deployment.
- Option 1 (Recommended): Deploy the Common CFCT Setup solution.
- Option 2: Manually deploy the Customizations for AWS Control Tower solution following the instructions below.
  - In the `management account (home region)`, deploy a new CloudFormation stack with the recommended settings below:
    - `Amazon S3 URL` = https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
    - `Stack name` = custom-control-tower-initiation
    - `AWS CodePipeline Source` = AWS CodeCommit
    - `Failure Tolerance Percentage` = 0
    - Acknowledge that AWS CloudFormation might create IAM resources with custom names
Note: Version 2 or higher of CfCT is expected.
- On the local machine, install git and git-remote-codecommit.
- Clone the AWS CodeCommit repository via `git clone codecommit::<HOME REGION>://custom-control-tower-configuration custom-control-tower-configuration`
- Determine which version of the Customizations for AWS Control Tower solution you have deployed:
  - Within the `management account (home region)`, find the CloudFormation Stack for the Customizations for Control Tower (e.g. `custom-control-tower-initiation`)
  - Select the `Outputs` tab
  - The `CustomControlTowerSolutionVersion` value is the version running in the environment
    - Version 1 = v1.x.x = manifest.yaml version 2020-01-01
    - Version 2 = v2.x.x = manifest.yaml version 2021-03-15
- If version 2 is installed, continue to the deployment instructions below. If not, you will need to update your version of CfCT.
Note: these instructions assume version 2 or higher of the CfCT solution has been installed.
- Copy the files to the Customizations for AWS Control Tower configuration
  - `custom-control-tower-configuration`
    - policies [optional]
      - service control policies files (*.json)
    - templates [required]
      - Copy the template files from the `templates` folder that are referenced in the `manifest.yaml`
- Update the manifest.yaml file with the `parameters`, `organizational unit names`, `account names` and `SSM parameters` for the target environment
  - Be sure to update `deployment_targets` `accounts` with your management account information
- Deploy the Customizations for AWS Control Tower configuration by pushing the code to the `AWS CodeCommit` repository or uploading to the `AWS S3 Bucket`
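
A pre-push check for the configuration steps above, as an added example that is not part of the SRA or CfCT code: it confirms that `manifest.yaml` declares version 2021-03-15 and that every local `resource_file` it references was copied into the configuration directory. The function name and the `REPLACE_ME` placeholder marker are assumptions of this example, and the parsing is line-based rather than a full YAML parse.

```shell
#!/bin/sh
# Added example: pre-push check for a CfCT v2 configuration directory.
# Line-based on purpose (assumes one key per line); it is not a YAML parser.

# The body runs in a subshell, so its variables stay local to the function.
check_cfct_config() (
  dir=$1
  manifest=$dir/manifest.yaml
  problems=0
  if [ ! -f "$manifest" ]; then
    echo "missing $manifest" >&2
    exit 1
  fi

  # CfCT v2.x.x pairs with manifest.yaml version 2021-03-15 (v1.x.x used 2020-01-01).
  version=$(sed -n 's/^version:[[:space:]]*//p' "$manifest" | tr -d "\"'[:space:]")
  if [ "$version" != "2021-03-15" ]; then
    echo "manifest version is '$version', expected 2021-03-15" >&2
    problems=$((problems + 1))
  fi

  # Every local resource_file the manifest references must exist in the configuration.
  files=$(sed -n 's/^[[:space:]-]*resource_file:[[:space:]]*//p' "$manifest" | tr -d "\"'\r")
  while read -r file; do
    case $file in
      '' | s3://* | http://* | https://*) continue ;;  # remote files are not checked here
    esac
    if [ ! -f "$dir/$file" ]; then
      echo "referenced file not found: $file" >&2
      problems=$((problems + 1))
    fi
  done <<EOF
$files
EOF

  # Assumption: unfilled values carry a REPLACE_ME marker (hypothetical placeholder).
  if grep -q 'REPLACE_ME' "$manifest"; then
    echo "manifest still contains REPLACE_ME placeholders" >&2
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
)

# Usage: sh check_cfct_config.sh custom-control-tower-configuration
if [ "$#" -gt 0 ]; then
  check_cfct_config "$1"
fi
```

A non-zero exit status means at least one problem was reported on stderr; run it from the parent of the cloned repository before pushing to the pipeline.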
- Within the Customizations for AWS Control Tower configuration
  - (Optional) Change the `Disable <Solution Name>` parameter to `true` and trigger the CFCT pipeline. This will disable the solution within each of the member accounts/regions.
  - Remove the solution configuration from the `manifest.yaml` file
  - (Optional) Delete the parameter (Version 1 only) and template files for the solution
- Deploy the Customizations for AWS Control Tower configuration
- After the pipeline completes, log into the `management account` and navigate to the `CloudFormation StackSet` page
  - Delete the Stack Instances from the `CustomControlTower-<solution_name>*` CloudFormation StackSets
  - After the Stack Instances are deleted, delete the `CustomControlTower-<solution_name>*` CloudFormation StackSets