Skip to content

fix: Add Control Tower 4.0 compatibility#344

Merged
cyphronix merged 10 commits into
aws-samples:mainfrom
pavanvooturi31:ct4-compatibility-fixes-complete
May 22, 2026
Merged

fix: Add Control Tower 4.0 compatibility#344
cyphronix merged 10 commits into
aws-samples:mainfrom
pavanvooturi31:ct4-compatibility-fixes-complete

Conversation

@pavanvooturi31
Copy link
Copy Markdown
Contributor

@pavanvooturi31 pavanvooturi31 commented May 14, 2026

Summary

Adds Control Tower 4.0 compatibility to SRA. CT 4.0 removed several StackSets that SRA relied on for account discovery and configuration.

Changes

  • Account Discovery: Falls back to CT Landing Zone API (ListLandingZones/GetLandingZone) when legacy StackSets (AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-CLOUDWATCH) do not exist. Further falls back to Organizations API name-based matching.
  • Config Delivery Bucket: Discovers bucket name from AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET StackSet (CT 4.0 uses random suffix). Falls back to legacy aws-controltower-logs-{acct}-{region} pattern. Stored as SSM parameter (CT-only, gated by CONTROL_TOWER == true).
  • Config Aggregator: Gracefully handles missing aggregator (NoSuchConfigurationAggregatorException) since CT 4.0 uses org-level aggregator. Added pUpdateConfigAggregator toggle and flexible aggregator name.
  • Config Service-Linked Role: Added pCreateConfigServiceLinkedRole toggle (CT 4.0 may already have it).
  • Bedrock solutions: Same StackSet fallback pattern applied to bedrock_org and bedrock_guardrails.

Testing

Deployed and validated in CT 4.0 environment (us-east-2). Config delivery channel correctly uses CT 4.0 bucket name. Config Aggregator update gracefully skipped.

Backward Compatibility

All changes use try/catch with fallback to legacy behavior. Existing CT 3.x deployments are unaffected. Non-CT environments are unaffected (config-delivery-bucket-name SSM parameter only created when CONTROL_TOWER=true).

Pavan Kumar Vooturi added 10 commits April 14, 2026 15:31
Add Control Tower 4.0 compatibility fixes
11154b2
Update sra-easy-setup template
479c37e
Add CT 4.0 Landing Zone API fallback for account discovery
a618963
Auto-discover Config delivery bucket name from CT StackSet
b35617d
Auto-discover Config delivery bucket from CT StackSet and pass via dy…
979acc4 
…namic reference
Remove dynamic SSM reference from Easy Setup - let nested stack resol…
05ab80f 
…ve its own SSM parameters
Handle missing Config Aggregator gracefully in CT 4.0 environments
bfbd21d
Gate config delivery bucket SSM parameter to CT-only environments
55fc638
Fix linter issues: extract CT 4.0 helper, fix mypy type annotation, r…
d463e5b 
…emove analysis docs
Fix remaining flake8 plugin errors: docstrings, string concat, raise …
f1eb882 
…chaining, else-after-return
@pavanvooturi31 pavanvooturi31 force-pushed the ct4-compatibility-fixes-complete branch from cd32e6a to f1eb882 Compare May 19, 2026 19:24
cyphronix
cyphronix approved these changes May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cyphronix cyphronix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed, tested, and approved.

@cyphronix cyphronix merged commit 5b339b6 into aws-samples:main May 22, 2026
6 checks passed
@cyphronix cyphronix mentioned this pull request May 22, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphronix cyphronix cyphronix approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pavanvooturi31 @cyphronix