
Working on a project where we are migrating to Control Tower from ADF and opted for Self-managed during setup as the use case is to use SSO of the existing AWSOrganisation.

Requirements

  • Use the existing SSO roles for staff access instead of those supplied with Control Tower.
  • The existing IAM Identity Center / SSO configuration, set up as part of the ADF framework, needs to be retained so people keep their access.
  • New SSO users should not be created.

It seems the value of control_tower_parameters in Account Factory for Terraform (AFT) in the account request Terraform file has SSO as a mandatory parameter.

AWS Control Tower Account Factory requires you to enter an AWS SSO email address, so it seems like there's no way around but to have SSO parameters entered in "account enrollment":

How can you opt out of specifying SSO parameters ( SSOUserEmail, SSOUserFirstName, SSOUserLastName) during the account request so that the existing SSO is used?


# Account request as written today: one call of the aft-account-request module per account.
module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail = "[email protected]"
    AccountName  = "sandbox-account-01"
    # Syntax for top-level OU
    ManagedOrganizationalUnit = "Sandbox"
    # Syntax for nested OU
    # ManagedOrganizationalUnit = "Sandbox (ou-xfe5-a8hb8ml8)"
    # The three SSO keys below are the ones in question: the module treats them as required.
    SSOUserEmail     = "[email protected]"
    SSOUserFirstName = "John"
    SSOUserLastName  = "Doe"
  }
}

It seems, according to some posts, that the AFT pipeline fails in the scenarios below:

  • If an SSO user already exists, the AFT pipeline fails.
  • If the SSO details are not provided to the module /modules/aft-account-request, the AFT pipeline fails.
  • You can download the modules, host them in your VCS, and then adjust the parameters to be required/optional.
    – Marko E
    Commented May 13 at 6:47
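The comment above suggests forking the module and relaxing its inputs. The following is an added example of what that fork could look like; it is not code from the question, from the commenter, or from the AFT project. It assumes the fork lives at the same local path (./modules/aft-account-request) and that the module's control_tower_parameters variable is an object with the six keys shown in the question's request block; the variable declaration, the validation rule and the module name sandbox_account_02 are illustrative. Terraform 1.3 or later is needed for optional() object attributes.

```hcl
# variables.tf in a forked copy of the aft-account-request module (hypothetical fork,
# hosted in your own VCS as the comment suggests). The upstream module treats every key
# of control_tower_parameters as a required string; this fork marks the three SSO keys
# optional so a request may omit them.
variable "control_tower_parameters" {
  description = "Control Tower Account Factory parameters; the SSO keys may be omitted together"
  type = object({
    AccountEmail              = string
    AccountName               = string
    ManagedOrganizationalUnit = string
    SSOUserEmail              = optional(string)
    SSOUserFirstName          = optional(string)
    SSOUserLastName           = optional(string)
  })

  # Guard against half-filled requests: either all three SSO keys are set or none are.
  # An unset optional attribute reads as null.
  validation {
    condition = (
      (var.control_tower_parameters.SSOUserEmail == null &&
        var.control_tower_parameters.SSOUserFirstName == null &&
        var.control_tower_parameters.SSOUserLastName == null) ||
      (var.control_tower_parameters.SSOUserEmail != null &&
        var.control_tower_parameters.SSOUserFirstName != null &&
        var.control_tower_parameters.SSOUserLastName != null)
    )
    error_message = "Supply SSOUserEmail, SSOUserFirstName and SSOUserLastName together, or omit all three."
  }
}

# main.tf in the fork (illustrative): strip the null SSO keys before the request is
# handed on, so the downstream record only carries the keys the caller actually set.
locals {
  control_tower_parameters_clean = {
    for k, v in var.control_tower_parameters : k => v if v != null
  }
}

# Caller side, in the account request repository: a request that leaves the SSO keys out.
# The module name and account values here are placeholders, not from the question.
module "sandbox_account_02" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "sandbox-account-02@example.com"
    AccountName               = "sandbox-account-02"
    ManagedOrganizationalUnit = "Sandbox"
    # SSOUserEmail, SSOUserFirstName and SSOUserLastName intentionally omitted.
  }
}
```

This change only removes the requirement at the Terraform input layer. As the question itself notes, the Control Tower Account Factory product still lists the three SSO parameters, so whatever the fork writes into the account request downstream has to be something the rest of the AFT pipeline and Account Factory will accept; verify that in a sandbox request before relying on it for real accounts.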
