github awslabs/landing-zone-accelerator-on-aws v1.14.0

Pre-release, published 5 hours ago

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

New Features

Split Large Files with YAML !include directive

The LZA now supports the !include directive in configuration files to modularize and organize complex configurations. This feature allows you to split large configuration files into smaller, more manageable files and include them using relative paths. For more information, please see this page.
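To illustrate how an `!include` directive splits a large configuration into files referenced by relative paths, here is an added Python example that is not LZA's own implementation: a small preprocessor that inlines `key: !include rel/path.yaml` lines, resolves each path relative to the file that contains it, refuses includes that escape the configuration root, and rejects include cycles. The sample files it builds in a temporary directory are constructed for the demo; the LZA keys used are illustrative.

```python
import tempfile
from pathlib import Path


def expand_includes(config_path, root=None, _seen=frozenset()):
    """Expand `key: !include rel/path.yaml` lines in a YAML-style file.

    Includes resolve relative to the file containing them, must stay inside
    `root` (default: the top-level file's directory), and may not form a
    cycle. Included text is re-indented under the key. Illustrative only,
    not the LZA's parser.
    """
    path = Path(config_path).resolve()
    root = Path(root).resolve() if root else path.parent
    if path in _seen:
        raise ValueError(f"include cycle at {path}")
    out = []
    for line in path.read_text().splitlines():
        body = line.lstrip()
        indent = line[: len(line) - len(body)]
        key, sep, value = body.partition(":")
        if sep and value.strip().startswith("!include "):
            rel = value.strip()[len("!include "):].strip()
            target = (path.parent / rel).resolve()
            if root not in target.parents:  # confine includes to the config root
                raise ValueError(f"include {target} escapes config root {root}")
            out.append(f"{indent}{key}:")
            for inner in expand_includes(target, root, _seen | {path}).splitlines():
                out.append(f"{indent}  {inner}" if inner.strip() else "")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def _write_sample(base):
    """Constructed sample: a top-level file, an included file, and an escape attempt."""
    (base / "logging").mkdir()
    (base / "global-config.yaml").write_text(
        "homeRegion: us-east-1\nlogging: !include logging/logging.yaml\n")
    (base / "logging" / "logging.yaml").write_text("cloudtrail:\n  enable: true\n")
    (base / "escape.yaml").write_text("secrets: !include ../outside.yaml\n")


def demo():
    """Returns (expanded text of the sample, whether the escaping include was rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "config"
        base.mkdir()
        _write_sample(base)
        expanded = expand_includes(base / "global-config.yaml")
        try:
            expand_includes(base / "escape.yaml")
            rejected = False
        except ValueError:
            rejected = True
    return expanded, rejected
```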

IPv6 VPN Connectivity

Expanded networking capabilities now include IPv6 support for VPN connections, providing organizations with modern networking options and enhanced connectivity for IPv6-enabled environments. This feature supports the growing adoption of IPv6 infrastructure while maintaining backward compatibility with existing IPv4 configurations.

CDK Toolkit Upgrade

This release includes an update to the version of the AWS CDK used by the LZA which required updates to the LZA engine's role assumption process for AWS API actions, CDK synthesis, and deployments. Previously, a single customer-specified role handled CDK deployment and synthesis. The new CDK implementation requires a two-step role assumption: first assuming the customer-specified role, then assuming the CDK bootstrap role from the CDK-Toolkit template.

To accommodate this change, we've introduced two new roles. The first is a Bootstrap role in the AWS-CDKToolkit, protected by SCPs and following LZA best practices. This role is only assumable by the management account for CDK deployments. The second is an LZA management role in the management account, responsible for CDK-specific actions on the management account only.

These architectural changes enhance our security posture by providing more granular control over the deployment process and IAM policies. This approach reduces dependency on service roles like AWSControlTowerExecution and allows for greater flexibility in future implementations. For more information, the CDK role assumption change is documented in GitHub Issue #25185.

Uninstaller Local Configuration Support

The LZA Uninstaller now supports the usage of a local configuration directory during uninstallation, simplifying the process for customers automating the creation and cleanup of Landing Zone Accelerator resources.

Bug Fixes

AWS Control Tower

In this release, we've resolved several critical AWS Control Tower integration issues. We've fixed permissions issues that were causing landing zone operations to fail when working with Customer Managed Keys (CMK). The OU registration process has been improved to handle BadRequestException errors gracefully, and we've enhanced operation handling so that manifest properties are not modified unless there is a corresponding change in the LZA configuration.

SSM Document Configuration Preservation

LZA now preserves existing SSM document settings for runAsEnabled and runAsDefaultUser when updating SSM documents, preventing the solution from overriding customer-configured permissions. This enhancement allows customers to maintain their custom SSM Run As user configurations without interference from LZA pipeline runs.

SCP Detachment Behavior

LZA has updated the service control policy (SCP) detachment logic to fix a bug that could detach more SCPs than intended. Previously, when the configuration file was modified to detach a specific SCP from an Organizational Unit (OU), the LZA could also detach additional LZA-managed SCPs from that OU. This is resolved during the next run of the LZA pipeline.

Changes

CDK and SDK Updates

LZA v1.14.0 upgrades the AWS CDK to v2.219.0 and leverages the AWS CDK Toolkit Library. This update ensures availability of the latest AWS services and features and has enabled the LZA to migrate all AWS API interactions to the AWS JS SDK V3, removing the dependency on the AWS JS SDK V2.

CDK Bootstrap ECR Repository

In previous versions of LZA, an Amazon Elastic Container Registry (ECR) repository was automatically created to store docker images used by AWS CDK. While this repository was not used by the LZA, it was included to maintain parity with the typical CDK bootstrapping process and expected resulting resources.

In v1.14.0, the LZA has removed this ECR repository from the bootstrap template. You may still see retained ECR repositories after the update because of the deletion policy specified in the default CDK bootstrap template. These repositories can be manually deleted if desired without impacting LZA operations.

LZA Universal Configuration

The LZA team has released the LZA Universal Configuration which consolidates multiple configuration variants into a unified, modular framework. We have removed sample configurations from this repository and encourage users to reference the LZA Universal Configuration moving forward.

Contributors

We want to extend a special thank you to the following external users who have contributed to this release:

Additional Resources

For full details, please see the CHANGELOG.
