- Add OpenID Connect (OIDC) integration support for Terraform Enterprise and HCP Terraform workspaces. Customers can now deploy AWS resources without managing short-lived credentials by setting terraform_oidc_integration = true. This establishes a trust relationship between AWS and your Terraform workspaces using OIDC, replacing the existing approach of storing AWS access keys in Terraform. (#318)
  - Note: if you are currently leveraging an OIDC provider for Terraform in the AFT management account, you must delete that provider prior to opting in to this integration. AFT will re-create that provider for you upon deployment.
  - For more details, see: https://docs.aws.amazon.com/controltower/latest/userguide/aft-getting-started.html#aft-configure-and-launch
- Remove ScanProvisionedProducts API pre-check and hard concurrency limit. AFT no longer calls ScanProvisionedProducts on every account request invocation, reducing Service Catalog API call volume. This change improves performance for customers with many enrolled accounts. Removes the concurrent_account_factory_actions limit — AFT now relies on native Service Catalog concurrency controls modifiable via Service Quota.
- Cache provisioned_product_exists result during account request processing, reducing API calls in the import-existing-account flow by 50%.
- Cache SSM parameter values within Lambda invocations. SSM parameters are now fetched once per Lambda execution, reducing latency.
- Bugfix: Fix custom field SSM parameters being deleted and re-created on every provisioning run. (#531)
- Bugfix: Fix S3 access logs bucket KMS key policy missing logging.s3.amazonaws.com permissions. (#526)
- Bugfix: Fix hardcoded concurrency threshold in invoke_customizations Step Function that ignored the maximum_concurrent_customizations setting. The threshold now correctly uses the configured value for all batches of customizations. (#604)
- Update black dependency.