From 9e083ee06ed734cefd3b586d986360dbe38d454d Mon Sep 17 00:00:00 2001
From: "docs-sourcer[bot]" <99042413+docs-sourcer[bot]@users.noreply.github.com>
Date: Thu, 9 Apr 2026 14:33:35 +0000
Subject: [PATCH] Updated with the [latest changes](https://github.com/gruntwork-io/terraform-aws-control-tower/releases/tag/v2.0.0) from the `terraform-aws-control-tower@v2.0.0` source branch.

---
 .../control-tower-account-factory-async.md | 20 +--
 .../control-tower-account-factory.md | 18 +-
 .../control-tower-account-tagger.md | 16 +-
 .../control-tower-app-account-baseline.md | 168 +++++++++++++++---
 .../control-tower-controls.md | 16 +-
 .../control-tower-execution-role.md | 16 +-
 .../control-tower-landing-zone.md | 16 +-
 ...ntrol-tower-multi-account-factory-async.md | 18 +-
 .../control-tower-multi-account-factory.md | 18 +-
 ...er-provisioned-product-artifact-updater.md | 16 +-
 ...control-tower-security-account-baseline.md | 168 +++++++++++++++---
 .../organizational-units.md | 16 +-
 .../sso-groups/sso-groups.md | 16 +-
 .../sso-permission-sets.md | 18 +-
 14 files changed, 392 insertions(+), 148 deletions(-)

diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory-async/control-tower-account-factory-async.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory-async/control-tower-account-factory-async.md
index f56a7a15e..16b3710e1 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory-async/control-tower-account-factory-async.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory-async/control-tower-account-factory-async.md
@@ -9,15 +9,15 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Account Factory Async -View Source +View Source Release Notes -This is a OpenTofu/Terraform module that will trigger the creation of a new AWS account by using Control Tower. This module differs from [control-tower-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/control-tower-account-factory) by introducing an [asynchrous pattern](#asynchrous-pattern) to help better handle certain types of drift. +This is a OpenTofu/Terraform module that will trigger the creation of a new AWS account by using Control Tower. This module differs from [control-tower-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/control-tower-account-factory) by introducing an [asynchrous pattern](#asynchrous-pattern) to help better handle certain types of drift. Under the hood, this module uses AWS Service Catalog to trigger Control Tower, as Control Tower does not currently expose any APIs to trigger it directly. 
@@ -92,7 +92,7 @@ This is usually accompanied by this module returning outputs that look like the Unfortunately, this is an unrecoverable error from an AWS Provider perspective, as the provider has no insight into the fact that Service Catalog is in a bad state when it fails in this fashion, and retries will not help. -The easiest way to recover from this error is to make a small update to one of the variables that are passed into this module. For example, if you are integrating with this module via the [../control-tower-multi-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/control-tower-multi-account-factory) module, you could change the value of something in the relevant file in the directory referenced by the `account_requests_folder`, then revert your change. +The easiest way to recover from this error is to make a small update to one of the variables that are passed into this module. For example, if you are integrating with this module via the [../control-tower-multi-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/control-tower-multi-account-factory) module, you could change the value of something in the relevant file in the directory referenced by the `account_requests_folder`, then revert your change. e.g.
@@ -125,7 +125,7 @@ This workaround should only be done to correct up to five Service Catalog provis module "control_tower_account_factory_async" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory-async?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory-async?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -221,7 +221,7 @@ module "control_tower_account_factory_async" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory-async?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory-async?ref=v2.0.0" } inputs = {
@@ -574,11 +574,11 @@ The URL of the AWS SSO login page for this account
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory/control-tower-account-factory.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory/control-tower-account-factory.md
index 73c428608..c48fe1762 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory/control-tower-account-factory.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-factory/control-tower-account-factory.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Account Factory -View Source +View Source Release Notes
@@ -89,7 +89,7 @@ This is usually accompanied by this module returning outputs that look like the Unfortunately, this is an unrecoverable error from an AWS Provider perspective, as the provider has no insight into the fact that Service Catalog is in a bad state when it fails in this fashion, and retries will not help. -The easiest way to recover from this error is to make a small update to one of the variables that are passed into this module. For example, if you are integrating with this module via the [../control-tower-multi-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/control-tower-multi-account-factory) module, you could change the value of something in the relevant file in the directory referenced by the `account_requests_folder`, then revert your change. +The easiest way to recover from this error is to make a small update to one of the variables that are passed into this module. For example, if you are integrating with this module via the [../control-tower-multi-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/control-tower-multi-account-factory) module, you could change the value of something in the relevant file in the directory referenced by the `account_requests_folder`, then revert your change. e.g.
@@ -122,7 +122,7 @@ This workaround should only be done to correct up to five Service Catalog provis module "control_tower_account_factory" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -243,7 +243,7 @@ module "control_tower_account_factory" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-factory?ref=v2.0.0" } inputs = {
@@ -620,11 +620,11 @@ The URL of the AWS SSO login page for this account
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-tagger/control-tower-account-tagger.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-tagger/control-tower-account-tagger.md
index ec4c7be14..6230d72ec 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-account-tagger/control-tower-account-tagger.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-account-tagger/control-tower-account-tagger.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Account Tagger -View Source +View Source Release Notes
@@ -62,7 +62,7 @@ This module assume that the account is managed by AWS Control Tower and has two module "control_tower_account_tagger" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-tagger?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-tagger?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -103,7 +103,7 @@ module "control_tower_account_tagger" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-tagger?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-account-tagger?ref=v2.0.0" } inputs = {
@@ -143,11 +143,11 @@ inputs = {
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-app-account-baseline/control-tower-app-account-baseline.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-app-account-baseline/control-tower-app-account-baseline.md
index bf8135b34..9dd730ec2 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-app-account-baseline/control-tower-app-account-baseline.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-app-account-baseline/control-tower-app-account-baseline.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Account Baseline App with Control Tower Integration -View Source +View Source Release Notes
@@ -40,7 +40,7 @@ Once you assume the `AWSControlTowerExecution` role, you should be able to compl module "control_tower_app_account_baseline" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-app-account-baseline?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-app-account-baseline?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -172,6 +172,9 @@ module "control_tower_app_account_baseline" { # expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes). cleanup_expired_certs_schedule_expression = "rate(1 hour)" + # The name of the IAM managed policy that denies CloudShell access. + cloudshell_deny_policy_name = "deny-cloudshell-full-access" + # Set to false to create an S3 bucket of name var.cloudtrail_s3_bucket_name in # this account for storing CloudTrail logs (e.g., if this is the logs # account). Set to true to assume the bucket specified in
@@ -227,6 +230,12 @@ module "control_tower_app_account_baseline" { # false (default), the AWS-managed aws/ebs key will be used. ebs_use_existing_kms_keys = false + # When true, create a managed IAM policy that denies all CloudShell actions. + # This is a preventive control for CIS 1.22 (IAM.27). The policy is not + # attached to anything by default; the operator should attach it to relevant + # IAM entities to prevent future non-compliance. + enable_cloudshell_deny = true + # When true, enable the Encrypted Volumes check in AWS Config. This check # identifies EBS volumes that are not encrypted. This check is useful for # identifying and encrypting EBS volumes, which can help reduce the risk of
@@ -620,6 +629,10 @@ module "control_tower_app_account_baseline" { # these are running at a time. reserved_concurrent_executions = 1 + # Manages S3 account-level Public Access Block configuration. All four + # settings should be true for CIS v3.0.0 S3.1 compliance. + s3_account_public_access_block = {"block_public_acls":true,"block_public_policy":true,"ignore_public_acls":true,"restrict_public_buckets":true} + # The AWS region (e.g., us-east-1) where all the findings will be aggregated. # If null, no region will be designated as an aggregate region and findings # will only be visible to the region where it was reported. NOTE: this can
@@ -633,14 +646,24 @@ module "control_tower_app_account_baseline" { security_hub_associate_to_admin_account_id = "" # When true, enable the CIS benchmark v1.4 ruleset for automatic checks in - # SecurityHub. Set this to false if you are using Steampipe instead. - security_hub_enable_cis_1_4_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.4 checks. + security_hub_enable_cis_1_4_check = false + + # When true, enable the CIS benchmark v3.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v3.0 checks. Enabled by default. + security_hub_enable_cis_3_0_check = true + + # When true, enable the CIS benchmark v5.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v5.0 checks. + security_hub_enable_cis_5_0_check = false # When true, enable the CIS benchmark v1.2 ruleset for automatic checks in - # SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then - # var.security_hub_enable_cis_1_4_check should also be set to false. Set this - # to false if you are using Steampipe instead. - security_hub_enable_cis_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.2 checks. + security_hub_enable_cis_check = false # Map of AWS Accounts to add as members to this account's SecurityHub # configuration. The keys in this map should each be a unique value (e.g., the 
@@ -694,7 +717,7 @@ module "control_tower_app_account_baseline" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-app-account-baseline?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-app-account-baseline?ref=v2.0.0" } inputs = {
@@ -829,6 +852,9 @@ inputs = { # expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes). cleanup_expired_certs_schedule_expression = "rate(1 hour)" + # The name of the IAM managed policy that denies CloudShell access. + cloudshell_deny_policy_name = "deny-cloudshell-full-access" + # Set to false to create an S3 bucket of name var.cloudtrail_s3_bucket_name in # this account for storing CloudTrail logs (e.g., if this is the logs # account). Set to true to assume the bucket specified in
@@ -884,6 +910,12 @@ inputs = { # false (default), the AWS-managed aws/ebs key will be used. ebs_use_existing_kms_keys = false + # When true, create a managed IAM policy that denies all CloudShell actions. + # This is a preventive control for CIS 1.22 (IAM.27). The policy is not + # attached to anything by default; the operator should attach it to relevant + # IAM entities to prevent future non-compliance. + enable_cloudshell_deny = true + # When true, enable the Encrypted Volumes check in AWS Config. This check # identifies EBS volumes that are not encrypted. This check is useful for # identifying and encrypting EBS volumes, which can help reduce the risk of
@@ -1277,6 +1309,10 @@ inputs = { # these are running at a time. reserved_concurrent_executions = 1 + # Manages S3 account-level Public Access Block configuration. All four + # settings should be true for CIS v3.0.0 S3.1 compliance. + s3_account_public_access_block = {"block_public_acls":true,"block_public_policy":true,"ignore_public_acls":true,"restrict_public_buckets":true} + # The AWS region (e.g., us-east-1) where all the findings will be aggregated. # If null, no region will be designated as an aggregate region and findings # will only be visible to the region where it was reported. NOTE: this can 
@@ -1290,14 +1326,24 @@ inputs = { security_hub_associate_to_admin_account_id = "" # When true, enable the CIS benchmark v1.4 ruleset for automatic checks in - # SecurityHub. Set this to false if you are using Steampipe instead. - security_hub_enable_cis_1_4_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.4 checks. + security_hub_enable_cis_1_4_check = false + + # When true, enable the CIS benchmark v3.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v3.0 checks. Enabled by default. + security_hub_enable_cis_3_0_check = true + + # When true, enable the CIS benchmark v5.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v5.0 checks. + security_hub_enable_cis_5_0_check = false # When true, enable the CIS benchmark v1.2 ruleset for automatic checks in - # SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then - # var.security_hub_enable_cis_1_4_check should also be set to false. Set this - # to false if you are using Steampipe instead. - security_hub_enable_cis_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.2 checks. + security_hub_enable_cis_check = false # Map of AWS Accounts to add as members to this account's SecurityHub # configuration. The keys in this map should each be a unique value (e.g., the
@@ -1554,6 +1600,15 @@ An expression that defines how often to run the Lambda function to clean up expi + + + +The name of the IAM managed policy that denies CloudShell access. + + + + +
@@ -1635,6 +1690,15 @@ If set to true, the KMS Customer Managed Keys (CMK) with the name in + + + +When true, create a managed IAM policy that denies all CloudShell actions. This is a preventive control for CIS 1.22 (IAM.27). The policy is not attached to anything by default; the operator should attach it to relevant IAM entities to prevent future non-compliance. + + + + +
@@ -2649,6 +2713,38 @@ The amount of reserved concurrent executions for this lambda function or -1 if u + + + +Manages S3 account-level Public Access Block configuration. All four settings should be true for CIS v3.0.0 S3.1 compliance. + + + + +```hcl +object({ + block_public_acls = optional(bool) + ignore_public_acls = optional(bool) + block_public_policy = optional(bool) + restrict_public_buckets = optional(bool) + }) +``` + + + + +```hcl +{ + block_public_acls = true, + block_public_policy = true, + ignore_public_acls = true, + restrict_public_buckets = true +} +``` + + + +
@@ -2670,19 +2766,37 @@ AWS Account to join this account's Security Hub to. Must have already received a -When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead. +When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v1.4 checks. + + + + + + + + +When true, enable the CIS benchmark v3.0 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v3.0 checks. Enabled by default. + + + +When true, enable the CIS benchmark v5.0 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v5.0 checks. + + + + + -When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then security_hub_enable_cis_1_4_check should also be set to false. Set this to false if you are using Steampipe instead. +When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v1.2 checks. - +
@@ -2785,6 +2899,14 @@ The name of the IAM role used by the AWS Lambda Function used for automatically + + + +The ARN of the IAM managed policy that denies CloudShell access. Only set if enable_cloudshell_deny is true. + + + +
@@ -2903,11 +3025,11 @@ A map of ARNs of the service linked roles created from
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-controls/control-tower-controls.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-controls/control-tower-controls.md
index a6df2928b..1bbae7695 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-controls/control-tower-controls.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-controls/control-tower-controls.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Controls -View Source +View Source Release Notes
@@ -36,7 +36,7 @@ For a full list of preventive, detective and proactive controls, see the [AWS Co module "control_tower_controls" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-controls?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-controls?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -72,7 +72,7 @@ module "control_tower_controls" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-controls?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-controls?ref=v2.0.0" } inputs = {
@@ -107,11 +107,11 @@ inputs = {
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-execution-role/control-tower-execution-role.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-execution-role/control-tower-execution-role.md
index fa2febd37..d349cedda 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-execution-role/control-tower-execution-role.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-execution-role/control-tower-execution-role.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Execution Role -View Source +View Source Release Notes
@@ -36,7 +36,7 @@ https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html module "control_tower_execution_role" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -62,7 +62,7 @@ module "control_tower_execution_role" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v2.0.0" } inputs = {
@@ -119,11 +119,11 @@ The ARN of the Control Tower Execution Role
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-landing-zone/control-tower-landing-zone.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-landing-zone/control-tower-landing-zone.md
index a3f94be93..c6d02bc6c 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-landing-zone/control-tower-landing-zone.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-landing-zone/control-tower-landing-zone.md
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Landing Zone -View Source +View Source Release Notes
@@ -117,7 +117,7 @@ The goal of the import is to have a plan with no operations to be performed. If module "control_tower_landing_zone" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-landing-zone?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-landing-zone?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -218,7 +218,7 @@ module "control_tower_landing_zone" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-landing-zone?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-landing-zone?ref=v2.0.0" } inputs = {
@@ -544,11 +544,11 @@ The amount of time allowed for the update operation to take before being conside
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory-async/control-tower-multi-account-factory-async.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory-async/control-tower-multi-account-factory-async.md
index b44c3cab0..622ce7b23 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory-async/control-tower-multi-account-factory-async.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory-async/control-tower-multi-account-factory-async.md
@@ -9,15 +9,15 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Multi-Account Factory Async -View Source +View Source Release Notes -This OpenTofu/Terraform module provisions multiple AWS accounts using AWS Control Tower Account Factory. Under the hood, it leverages the [control-tower-account-factory-async](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/control-tower-account-factory-async) module for account creation. It also includes a separate mechanism to detect and remediate drifted or outdated AWS Service Catalog products asynchronously, outside of OpenTofu/Terraform, using an EventBridge rule, SQS, Lambda, and AWS Step Functions. +This OpenTofu/Terraform module provisions multiple AWS accounts using AWS Control Tower Account Factory. Under the hood, it leverages the [control-tower-account-factory-async](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/control-tower-account-factory-async) module for account creation. It also includes a separate mechanism to detect and remediate drifted or outdated AWS Service Catalog products asynchronously, outside of OpenTofu/Terraform, using an EventBridge rule, SQS, Lambda, and AWS Step Functions. ## Background and Justification
@@ -265,7 +265,7 @@ After successful migration: module "control_tower_multi_account_factory_async" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory-async?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory-async?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES
@@ -409,7 +409,7 @@ module "control_tower_multi_account_factory_async" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory-async?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory-async?ref=v2.0.0" } inputs = {
@@ -784,11 +784,11 @@ The data from all the AWS accounts created.
diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory/control-tower-multi-account-factory.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory/control-tower-multi-account-factory.md
index 449aea5cc..34b700f69 100644
--- a/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory/control-tower-multi-account-factory.md
+++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-multi-account-factory/control-tower-multi-account-factory.md
@@ -9,16 +9,16 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Multi-Account Factory -View Source +View Source Release Notes This is a Terraform module that will trigger the creation of multiple new AWS accounts by using Control Tower. Under -the hood, this module uses the [control-tower-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/control-tower-account-factory) module. +the hood, this module uses the [control-tower-account-factory](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/control-tower-account-factory) module. ## Sample Usage @@ -33,7 +33,7 @@ the hood, this module uses the [control-tower-account-factory](https://github.co module "control_tower_multi_account_factory" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -131,7 +131,7 @@ module "control_tower_multi_account_factory" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-multi-account-factory?ref=v2.0.0" } inputs = { 
@@ -334,11 +334,11 @@ The data from all the AWS accounts created. diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-provisioned-product-artifact-updater/control-tower-provisioned-product-artifact-updater.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-provisioned-product-artifact-updater/control-tower-provisioned-product-artifact-updater.md index b6de9275d..ab6e0917b 100644 --- a/docs/reference/modules/terraform-aws-control-tower/control-tower-provisioned-product-artifact-updater/control-tower-provisioned-product-artifact-updater.md +++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-provisioned-product-artifact-updater/control-tower-provisioned-product-artifact-updater.md @@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Control Tower Provisioned Product Artifact Updater -View Source +View Source Release Notes @@ -77,7 +77,7 @@ When a new Provisioning Artifact is published in AWS Service Catalog, any accoun module "control_tower_provisioned_product_artifact_updater" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-provisioned-product-artifact-updater?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-provisioned-product-artifact-updater?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # OPTIONAL VARIABLES 
@@ -175,7 +175,7 @@ module "control_tower_provisioned_product_artifact_updater" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-provisioned-product-artifact-updater?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-provisioned-product-artifact-updater?ref=v2.0.0" } inputs = { @@ -272,11 +272,11 @@ inputs = { diff --git a/docs/reference/modules/terraform-aws-control-tower/control-tower-security-account-baseline/control-tower-security-account-baseline.md b/docs/reference/modules/terraform-aws-control-tower/control-tower-security-account-baseline/control-tower-security-account-baseline.md index 472bc9604..5fc891012 100644 --- a/docs/reference/modules/terraform-aws-control-tower/control-tower-security-account-baseline/control-tower-security-account-baseline.md +++ b/docs/reference/modules/terraform-aws-control-tower/control-tower-security-account-baseline/control-tower-security-account-baseline.md @@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Account Baseline Security with Control Tower Integration -View Source +View Source Release Notes 
@@ -34,7 +34,7 @@ by Control Tower, including setting up Amazon Guard Duty, Macie, IAM users, IAM module "control_tower_security_account_baseline" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -160,6 +160,9 @@ module "control_tower_security_account_baseline" { # name. cleanup_expired_certs_schedule_namespace = "cleanup-expired-iam-certs-scheduled" + # The name of the IAM managed policy that denies CloudShell access. + cloudshell_deny_policy_name = "deny-cloudshell-full-access" + # The ID of the your management (root) AWS account where Control Tower is # enabled. Only used if create_control_tower_execution_role is set to true. control_tower_management_account_id = null @@ -204,6 +207,12 @@ module "control_tower_security_account_baseline" { # false (default), the AWS-managed aws/ebs key will be used. ebs_use_existing_kms_keys = false + # When true, create a managed IAM policy that denies all CloudShell actions. + # This is a preventive control for CIS 1.22 (IAM.27). The policy is not + # attached to anything by default; the operator should attach it to relevant + # IAM entities. + enable_cloudshell_deny = true + # When true, enable the Encrypted Volumes check in AWS Config. This check # identifies EBS volumes that are not encrypted. This check is useful for # identifying and encrypting EBS volumes, which can help reduce the risk of 
@@ -664,6 +673,10 @@ module "control_tower_security_account_baseline" { # these are running at a time. reserved_concurrent_executions = 1 + # Manages S3 account-level Public Access Block configuration. All four + # settings should be true for CIS v3.0.0 S3.1 compliance. + s3_account_public_access_block = {"block_public_acls":true,"block_public_policy":true,"ignore_public_acls":true,"restrict_public_buckets":true} + # The AWS region (e.g., us-east-1) where all the findings will be aggregated. # If null, no region will be designated as an aggregate region and findings # will only be visible to the region where it was reported. NOTE: this can 
@@ -671,14 +684,24 @@ module "control_tower_security_account_baseline" { security_hub_aggregate_region = null # When true, enable the CIS benchmark v1.4 ruleset for automatic checks in - # SecurityHub. Set this to false if you are using Steampipe instead. - security_hub_enable_cis_1_4_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.4 checks. + security_hub_enable_cis_1_4_check = false + + # When true, enable the CIS benchmark v3.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v3.0 checks. Enabled by default. + security_hub_enable_cis_3_0_check = true + + # When true, enable the CIS benchmark v5.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v5.0 checks. + security_hub_enable_cis_5_0_check = false # When true, enable the CIS benchmark v1.2 ruleset for automatic checks in - # SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then - # var.security_hub_enable_cis_1_4_check should also be set to false. Set this - # to false if you are using Steampipe instead. - security_hub_enable_cis_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.2 checks. + security_hub_enable_cis_check = false # List of AWS Accounts (ID and Email) to add as members to this account's # SecurityHub configuration. 
@@ -774,7 +797,7 @@ module "control_tower_security_account_baseline" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v2.0.0" } inputs = { @@ -903,6 +926,9 @@ inputs = { # name. cleanup_expired_certs_schedule_namespace = "cleanup-expired-iam-certs-scheduled" + # The name of the IAM managed policy that denies CloudShell access. + cloudshell_deny_policy_name = "deny-cloudshell-full-access" + # The ID of the your management (root) AWS account where Control Tower is # enabled. Only used if create_control_tower_execution_role is set to true. control_tower_management_account_id = null @@ -947,6 +973,12 @@ inputs = { # false (default), the AWS-managed aws/ebs key will be used. ebs_use_existing_kms_keys = false + # When true, create a managed IAM policy that denies all CloudShell actions. + # This is a preventive control for CIS 1.22 (IAM.27). The policy is not + # attached to anything by default; the operator should attach it to relevant + # IAM entities. + enable_cloudshell_deny = true + # When true, enable the Encrypted Volumes check in AWS Config. This check # identifies EBS volumes that are not encrypted. This check is useful for # identifying and encrypting EBS volumes, which can help reduce the risk of 
@@ -1407,6 +1439,10 @@ inputs = { # these are running at a time. reserved_concurrent_executions = 1 + # Manages S3 account-level Public Access Block configuration. All four + # settings should be true for CIS v3.0.0 S3.1 compliance. + s3_account_public_access_block = {"block_public_acls":true,"block_public_policy":true,"ignore_public_acls":true,"restrict_public_buckets":true} + # The AWS region (e.g., us-east-1) where all the findings will be aggregated. # If null, no region will be designated as an aggregate region and findings # will only be visible to the region where it was reported. NOTE: this can 
@@ -1414,14 +1450,24 @@ inputs = { security_hub_aggregate_region = null # When true, enable the CIS benchmark v1.4 ruleset for automatic checks in - # SecurityHub. Set this to false if you are using Steampipe instead. - security_hub_enable_cis_1_4_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.4 checks. + security_hub_enable_cis_1_4_check = false + + # When true, enable the CIS benchmark v3.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v3.0 checks. Enabled by default. + security_hub_enable_cis_3_0_check = true + + # When true, enable the CIS benchmark v5.0 ruleset for automatic checks in + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v5.0 checks. + security_hub_enable_cis_5_0_check = false # When true, enable the CIS benchmark v1.2 ruleset for automatic checks in - # SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then - # var.security_hub_enable_cis_1_4_check should also be set to false. Set this - # to false if you are using Steampipe instead. - security_hub_enable_cis_check = true + # SecurityHub. Set this to false if you are using Steampipe instead or if you + # wish to disable the CIS v1.2 checks. + security_hub_enable_cis_check = false # List of AWS Accounts (ID and Email) to add as members to this account's # SecurityHub configuration. @@ -1817,6 +1863,15 @@ Namespace all Lambda scheduling resources created by this module with this name. + + + +The name of the IAM managed policy that denies CloudShell access. + + + + + 
@@ -1889,6 +1944,15 @@ If set to true, the KMS Customer Managed Keys (CMK) with the name in + + + +When true, create a managed IAM policy that denies all CloudShell actions. This is a preventive control for CIS 1.22 (IAM.27). The policy is not attached to anything by default; the operator should attach it to relevant IAM entities. + + + + + @@ -3096,6 +3160,38 @@ The amount of reserved concurrent executions for this lambda function or -1 if u + + + +Manages S3 account-level Public Access Block configuration. All four settings should be true for CIS v3.0.0 S3.1 compliance. + + + + +```hcl +object({ + block_public_acls = optional(bool) + ignore_public_acls = optional(bool) + block_public_policy = optional(bool) + restrict_public_buckets = optional(bool) + }) +``` + + + + +```hcl +{ + block_public_acls = true, + block_public_policy = true, + ignore_public_acls = true, + restrict_public_buckets = true +} +``` + + + + 
@@ -3108,19 +3204,37 @@ The AWS region (e.g., us-east-1) where all the findings will be aggregated. If n -When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead. +When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v1.4 checks. + + + + + + + + +When true, enable the CIS benchmark v3.0 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v3.0 checks. Enabled by default. + + + +When true, enable the CIS benchmark v5.0 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v5.0 checks. + + + + + -When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then security_hub_enable_cis_1_4_check should also be set to false. Set this to false if you are using Steampipe instead. +When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead or if you wish to disable the CIS v1.2 checks. - + @@ -3325,6 +3439,14 @@ Any types represent complex values of variable type. For details, please consult + + + +The ARN of the IAM managed policy that denies CloudShell access. Only set if enable_cloudshell_deny is true. + + + + @@ -3473,11 +3595,11 @@ A map of usernames to that user's AWS Web Console password, encrypted with that diff --git a/docs/reference/modules/terraform-aws-control-tower/organizational-units/organizational-units.md b/docs/reference/modules/terraform-aws-control-tower/organizational-units/organizational-units.md index 115e15af1..e73d7b8da 100644 --- a/docs/reference/modules/terraform-aws-control-tower/organizational-units/organizational-units.md 
+++ b/docs/reference/modules/terraform-aws-control-tower/organizational-units/organizational-units.md @@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # Organizational Units Data Source -View Source +View Source Release Notes @@ -44,7 +44,7 @@ The output `ous` returns a list of organizational units, which have the followin module "organizational_units" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/organizational-units?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/organizational-units?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # OPTIONAL VARIABLES @@ -70,7 +70,7 @@ module "organizational_units" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/organizational-units?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/organizational-units?ref=v2.0.0" } inputs = { @@ -123,11 +123,11 @@ If set to true, this module will look for the specified organizational unit (OU) diff --git a/docs/reference/modules/terraform-aws-control-tower/sso-groups/sso-groups.md b/docs/reference/modules/terraform-aws-control-tower/sso-groups/sso-groups.md index 36d94dfc2..ab85e9469 100644 --- a/docs/reference/modules/terraform-aws-control-tower/sso-groups/sso-groups.md +++ b/docs/reference/modules/terraform-aws-control-tower/sso-groups/sso-groups.md 
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # SSO Groups -View Source +View Source Release Notes @@ -74,7 +74,7 @@ inputs = { module "sso_groups" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -114,7 +114,7 @@ module "sso_groups" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups?ref=v2.0.0" } inputs = { @@ -210,11 +210,11 @@ ARN of the SSO Admin instance where the Permission Set should be provisioned. Th diff --git a/docs/reference/modules/terraform-aws-control-tower/sso-permission-sets/sso-permission-sets.md b/docs/reference/modules/terraform-aws-control-tower/sso-permission-sets/sso-permission-sets.md index bf483e347..07be0b03d 100644 --- a/docs/reference/modules/terraform-aws-control-tower/sso-permission-sets/sso-permission-sets.md +++ b/docs/reference/modules/terraform-aws-control-tower/sso-permission-sets/sso-permission-sets.md 
@@ -9,11 +9,11 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx'; import { ModuleUsage } from "../../../../../src/components/ModuleUsage"; - + # SSO Permission Sets -View Source +View Source Release Notes @@ -79,7 +79,7 @@ access to the AWS Account with the IAM permissions defined on the Permission Set Permission sets are normally bound to groups using your IDP. -For an example of a manual binding see the [sso-groups module](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v1.4.1/modules/aws-sso/sso-groups). +For an example of a manual binding see the [sso-groups module](https://github.com/gruntwork-io/terraform-aws-control-tower/tree/v2.0.0/modules/aws-sso/sso-groups). ### What are permission boundaries? @@ -113,7 +113,7 @@ For more information on permission boundaries, see the [official documentation]( module "sso_permission_sets" { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v2.0.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -168,7 +168,7 @@ module "sso_permission_sets" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v1.4.1" + source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v2.0.0" } inputs = { @@ -335,11 +335,11 @@ The name of the permission set that was created.