[Control Tower] Support and documentation for using CDK with Control Tower
General Issue
Have AWS Control Tower enabled. This has multiple S3 SCP guardrails.
When doing a `cdk deploy` pipeline, the artifact and supporting S3 buckets are not able to be created.
Error is:
`API: s3:SetBucketEncryption Access Denied`
The Question
Need documentation, guidance, and relevant fixes to be able to use CDK pipelines within AWS Control Tower managed accounts.
Environment
AWS Control Tower
- CDK CLI Version: cdk version 1.74.0 (build e86602f)
Issue Analytics
- Created 3 years ago
- Reactions: 8
- Comments: 10 (4 by maintainers)
Top GitHub Comments
@dannyburke1 - To answer your question the GuardRails that I found blocking me were these:
Bootstrap won't work with those enabled; we've disabled them temporarily to allow work. I've opened an AWS Support ticket as well to ask what the recommended course of action is. That said, there are plenty of other guardrails that will likely block CDK work, but not the bootstrap process:
and others... We really need some recommended best practices for using CDK with Control Tower + SCPs, it appears. It seems like we'll need an easy way to exclude CDK from SCP control, and while the AssumeRole idea works, it's not a very automation-friendly way in my view.
Don't updates to SCPs managed by Control Tower cause configuration drift, and won't they be overwritten on the next CT template version update?