Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Breaking Changes
For users who previously utilized the ACCELERATOR_NO_ORG_MODULE environment variable in the AWSAccelerator-ToolkitProject CodeBuild project to address AWS Control Tower API errors during organizational unit registration, please note the following changes after upgrading to LZA v1.13.0:
- Remove the ACCELERATOR_NO_ORG_MODULE variable.
- Add four new environment variables to the AWSAccelerator-ToolkitProject:
  - SkipCreateOrganizationalUnit
  - SkipRegisterOrganizationalUnit
  - SkipInviteAccountsToOrganizations
  - SkipMoveAccounts
- Set each of these new variables to "yes" to maintain functionality similar to the previous ACCELERATOR_NO_ORG_MODULE setting.
These changes provide more granular control over specific organizational actions while addressing the same API error concerns.
New Features
Network Refactor
A major architectural enhancement in LZA v1.13.0 transforms how network resources are deployed, significantly improving scalability for customers with complex networking needs. Previously constrained by CloudFormation's 500-resource limit per stack, the LZA now deploys each VPC in its own independent stack, eliminating restrictions on the number of VPCs that can be deployed within an AWS account and region.
CloudFormation Stack Policies
The LZA introduces support for CloudFormation Stack Policies, enabling organizations to prevent unintentional updates or deletions of critical stack resources during CloudFormation stack updates. This new capability allows for granular configuration of protected resource types within LZA-created stacks, helping organizations maintain infrastructure stability while retaining flexibility for controlled updates when needed.
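To make the stack policy behaviour described above concrete, here is an added example (not code from the LZA project) that builds a policy in the standard CloudFormation stack policy format and evaluates update actions against it. The denied actions, the sample resource types and the function names are assumptions for illustration, and the evaluator is simplified to `"Resource": "*"` statements with a `ResourceType` condition.

```python
import json
from fnmatch import fnmatchcase

# Assumption: the update actions blocked for protected types (not taken from the page).
PROTECTED_ACTIONS = ["Update:Replace", "Update:Delete"]


def build_stack_policy(protected_types):
    """Allow all updates, then deny replace/delete for the protected resource types."""
    return {
        "Statement": [
            {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Principal": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"ResourceType": sorted(protected_types)}},
            },
        ]
    }


def _matches(stmt, resource_type, action):
    """True when the statement covers this action and resource type."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    return wanted is None or resource_type in wanted


def is_update_allowed(policy, resource_type, action):
    """Simplified evaluation: an explicit Deny wins, otherwise an Allow is required."""
    hits = [s["Effect"] for s in policy["Statement"] if _matches(s, resource_type, action)]
    return "Deny" not in hits and "Allow" in hits


# Constructed sample: resource types chosen for illustration only.
SAMPLE_POLICY = build_stack_policy(["AWS::KMS::Key", "AWS::EC2::TransitGateway"])

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    for rtype, action in [("AWS::KMS::Key", "Update:Modify"),
                          ("AWS::KMS::Key", "Update:Delete"),
                          ("AWS::S3::Bucket", "Update:Delete")]:
        print(rtype, action, is_update_allowed(SAMPLE_POLICY, rtype, action))
```

In-place modification of a protected type still passes, while replacement or deletion is refused until the policy is changed or temporarily overridden for a controlled update.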
RCPs and Declarative Policies
The LZA has expanded its policy management capabilities by adding support for both Resource Control Policies (RCPs) and Declarative Policies. RCPs help establish data perimeters by restricting external access to resources at scale, while Declarative Policies enable you to enforce desired service configurations across your organization, such as ensuring EC2 instances only launch from approved AMIs or automatically blocking public VPC access. Both policy types are enforced centrally within Organizations, providing central governance and security teams with robust preventive controls that maintain compliance with organizational standards, even as services evolve with new features and APIs.
Performance Improvements
- This release introduces significant performance enhancements through caching. By caching the code built by the installer pipeline, we've eliminated the need for redundant build steps in the core pipeline, reducing execution time by approximately 6 minutes per run.
- Additionally, we've optimized CloudFormation updates by changing the default behavior to perform direct updates rather than creating change sets. This modification results in approximately 15% faster pipeline execution times, with more significant improvement in large environments. Change sets can still be enabled if preferred.
Contributors
Thank you to the following open-source contributors with features included in this release:
Full Changelog: release/v1.12.0...release/v1.13.0