# Customize accounts with Account Factory Customization (AFC)
**Note**
Single account provision, update and customization must target an organizational unit (OU) with AWSControlTowerBaseline enabled. If an OU does not have the AWSControlTowerBaseline enabled, you can activate account auto-enrollment or use ResetEnabledBaseline and ResetEnabledControl APIs on EnabledBaselines and EnabledControls on that OU to enroll accounts. For details of AWSControlTowerBaseline, see: [Baseline types that apply at the OU level](types-of-baselines.md#ou-baseline-types).
AWS Control Tower allows you to customize new and existing AWS accounts when you provision their resources from the AWS Control Tower console. After you set up Account Factory customization, AWS Control Tower automates this process for future provisioning, so you don't have to maintain any pipelines. Customized accounts are available for use immediately after the resources are provisioned.
**Provision new accounts with blueprints**
Your customized accounts are provisioned in the AWS Control Tower Account Factory, through CloudFormation templates, or with Terraform. You'll define a template that serves as customized account *blueprint*. Your blueprint describes the specific resources and configurations you require when an account is provisioned. Pre-defined blueprints, built and managed by AWS partners, also are available. For more information about partner-managed blueprints, see the [AWS Service Catalog Getting Started Library](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/getting-started-library.html).
**Apply blueprints to existing accounts**
You can apply customized blueprints to existing accounts, also, by following the **Update account** steps in the AWS Control Tower console. For details, see [Update the account in the console](updating-account-factory-accounts.md#update-account-in-console).
**Definition: Your hub account**
Your account blueprints are stored in an AWS account, which for our purposes is referred to as a *hub account*. Blueprints are stored in the form of an Service Catalog product. We call this product a blueprint, to distinguish it from any other Service Catalog products. To learn more about how to create Service Catalog products, see [Creating products](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/productmgmt-cloudresource.html) in the *AWS Service Catalog Administrator Guide*.
**Note**
AWS Control Tower contains *proactive controls*, which monitor CloudFormation resources in AWS Control Tower. Optionally, you can activate these controls in your landing zone. When you apply proactive controls, they check to make sure that the resources you're about to deploy to your accounts are compliant with your organization's policies and procedures. For more information about proactive controls, see [Proactive controls](https://docs.aws.amazon.com//controltower/latest/userguide/proactive-controls.html).
For more information about working with AFC, see [Automate account customization using Account Factory Customization in AWS Control Tower](https://aws.amazon.com//blogs/mt/automate-account-customization-using-account-factory-customization-in-aws-control-tower/).
**Prerequisites**
Before you begin to create customized accounts with AWS Control Tower Account Factory, you must have an AWS Control Tower landing zone environment deployed, and you must have an organizational unit (OU) registered with AWS Control Tower, where your newly created accounts will be placed.
**Preparation for customization**
+ *Designate a hub account:* You may create a new account to serve as the hub account, or you may use an existing AWS account. We strongly recommend that you do not use the AWS Control Tower management account as your blueprint hub account.
+ *Add the necessary role:* If you plan to enroll AWS accounts into AWS Control Tower and customize them, you must first add the `AWSControlTowerExecution` role to those accounts, as you would for any other account you are enrolling into AWS Control Tower.
+ *Configure partner blueprints (optional): *If you plan to use partner blueprints that have marketplace subscription requirements, you must configure these from your AWS Control Tower management account before you deploy the partner blueprints as account factory customization blueprints.
**Topics**
+ [Set up for customization](afc-setup-steps.md)
+ [Create a customized account from a blueprint](create-afc-customized-account.md)
+ [Customize accounts with AFC as you enroll them](enroll-and-customize.md)
+ [Add a blueprint to an AWS Control Tower account](add-blueprint-to-account.md)
+ [Update a blueprint](update-a-blueprint.md)
+ [Remove a blueprint from an account](remove-a-blueprint.md)
+ [Partner blueprints](partner-blueprints.md)
+ [Considerations for Account Factory Customizations (AFC)](#af-limitations)
+ [In case of a blueprint error](#af-error)
+ [Customizing your policy document for AFC blueprints based on CloudFormation](#custom-policy-document)
+ [Additional permissions required for creating a Terraform-based Service Catalog product](#custom-policy-document-tf)
+ [Transition to the AWS Service Catalog External product type](#service-catalog-external-product-type)
# Set up for customization
The next sections give steps to set up Account Factory for the customization process. We recommend that you set up [delegated admin](https://docs.aws.amazon.com//accounts/latest/reference/using-orgs-delegated-admin.html) for the hub account, before you begin these steps.
**Summary**
+ **Step 1. Create the required role.** Create an IAM role that grants permission for AWS Control Tower to have access to the (hub) account, where the Service Catalog products, also called blueprints, are stored.
+ **Step 2. Create the AWS Service Catalog product.** Create the AWS Service Catalog product (also called a “blueprint product”) that you'll need for baselining the custom account.
+ **Step 3. Review your custom blueprint.** Inspect the AWS Service Catalog product (blueprint) that you created.
+ **Step 4. Call your blueprint to create a customized account.** Enter the blueprint product information and the role information into the proper fields in Account Factory, in the AWS Control Tower console, while creating the account.
# Step 1. Create the required role
Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the resources in the hub account. The role must be named **AWSControlTowerBlueprintAccess**.
AWS Control Tower assumes this role to create a Portfolio resource on your behalf in AWS Service Catalog, then to add your blueprint as a Service Catalog Product to this Portfolio, and then to share this Portfolio, and your blueprint, with your member account during account provisioning.
You'll create the `AWSControlTowerBlueprintAccess` role, as explained in the following sections. You can set up the role in an enrolled or an unenrolled account.
**Navigate to the IAM console to set up the required role.**
**To set up the AWSControlTowerBlueprintAccess role in an enrolled AWS Control Tower account**
1. Federate or sign in as the principal in the AWS Control Tower management account.
1. From the federated principal in the management account, assume or switch roles to the `AWSControlTowerExecution` role in the enrolled AWS Control Tower account that you select to serve as the blueprint hub account.
1. From the `AWSControlTowerExecution` role in the enrolled AWS Control Tower account, create the `AWSControlTowerBlueprintAccess` role with proper permissions and trust relationships.
**Important**
To comply with AWS best practices guidance, it's important that you sign out of the `AWSControlTowerExecution` role immediately after you create the `AWSControlTowerBlueprintAccess` role.
To prevent unintended changes to resources, the `AWSControlTowerExecution` role is intended for use by AWS Control Tower only.
If your blueprint hub account isn't enrolled in AWS Control Tower, the `AWSControlTowerExecution` role won't exist in the account, and there's no need to assume it before you continue with setting up the `AWSControlTowerBlueprintAccess` role.
**To set up the AWSControlTowerBlueprintAccess role in an unenrolled member account**
1. Federate or sign in as a principal in the account that you wish to designate as the hub account, by means of your preferred method.
1. When signed in as the principal in the account, create the `AWSControlTowerBlueprintAccess` role with proper permissions and trust relationships.
The **AWSControlTowerBlueprintAccess** role must be set up to grant trust to two principals:
+ The principal (user) that runs AWS Control Tower in the AWS Control Tower management account.
+ The role named `AWSControlTowerAdmin` in the AWS Control Tower management account.
Here's an example trust policy, similar to one you will need to include for your role. This policy demonstrates the best practice of granting least-privilege access. When you make your own policy, replace the term *YourManagementAccountId* with the actual acccount ID of your AWS Control Tower management account, and replace the term *YourControlTowerUserRole* with the identifier of the IAM role for your management account.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/service-role/AWSControlTowerAdmin",
"arn:aws:iam::111122223333:role/YourControlTowerUserRole"
]
},
"Action": "sts:AssumeRole"
}
]
}
```
------
**Required permissions policy**
AWS Control Tower requires that the managed policy named `AWSServiceCatalogAdminFullAccess` must be attached to the `AWSControlTowerBlueprintAccess` role. This policy provides permissions that AWS Service Catalog looks for when it allows AWS Control Tower to administer your portfolio and AWS Service Catalog Product resources. You can attach this policy when you're creating the role in the IAM console.
**Additional permissions may be required**
If you store your blueprints in Amazon S3, AWS Control Tower also requires the `AmazonS3ReadOnlyAccess` permission policy for the `AWSControlTowerBlueprintAccess` role.
The AWS Service Catalog Terraform type of product requires you to add some additional permissions to the AFC custom IAM policy, if you don't utilize the default **Admin** policy. It requires these in addition to the permissions required to create the resources that you define in your terraform template.
# Step 2. Create the AWS Service Catalog product
To create an AWS Service Catalog product, follow the steps at [Creating products](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/productmgmt-cloudresource.html) in the *AWS Service Catalog Administrator Guide*. You'll add your account blueprint as a template when you create the AWS Service Catalog product.
**Important**
As a result of HashiCorp's updated Terraform licensing, AWS Service Catalog changed support for *Terraform Open Source* products and provisioned products to a new product type, called *External*. To learn more about how this change effects AFC, including how to update your existing account blueprints to the External product type, review [Transition to External product type](af-customization-page.md#service-catalog-external-product-type).
**Summary of steps to create a blueprint**
+ Create or download an CloudFormation template or Terraform tar.gz configuration file that will become your account blueprint. Some template examples are given later in this section.
+ Sign in to the AWS account where you store your Account Factory blueprints (sometimes called the hub account).
+ Navigate to the AWS Service Catalog console. Choose **Product list**, and then choose **Upload new product**.
+ In the **Product details** pane, enter details for your blueprint product, such as a name and description.
+ Select **Use a template file** and then select **Choose file**. Select or paste the template or configuration file you've developed or downloaded for use as your blueprint.
+ Choose **Create product** at the bottom of the console page.
You can download an CloudFormation template from the AWS Service Catalog reference architecture repository. [One example from that repository helps set up a backup plan for your resources](https://github.com/aws-samples/aws-service-catalog-reference-architectures/blob/master/backup/backup-tagoptions.yml).
Here's an example template, for a fictitious company called **Best Pets**. It helps set up a connection to their pet database.
```
Resources:
ConnectionStringGeneratorLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- "sts:AssumeRole"
ConnectionStringGeneratorLambda:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Join ['-', ['ConnectionStringGenerator', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
Description: Retrieves the connection string for this account to access the Pet Database
Role: !GetAtt ConnectionStringGeneratorLambdaRole.Arn
Runtime: nodejs22.x
Handler: index.handler
Timeout: 5
Code:
ZipFile: >
export const handler = async (event, context) => {
const awsAccountId = context.invokedFunctionArn.split(“:”)[4]
const connectionString= “fake connection for account ” + awsAccountId;
const response = {
statusCode: 200,
body: connectionString
};
return response;
};
ConnectionString:
Type: Custom::ConnectionStringGenerator
Properties:
ServiceToken: !GetAtt ConnectionStringGeneratorLambda.Arn
PetDatabaseConnectionString:
DependsOn: ConnectionString
# For example purposes we're using SSM parameter store.
# In your template, use secure alternatives to store
# sensitive values such as connection strings.
Type: AWS::SSM::Parameter
Properties:
Name: pet-database-connection-string
Description: Connection information for the BestPets pet database
Type: String
Value: !GetAtt ConnectionString.Value
```
# Step 3. Review your custom blueprint
You can view your blueprint in the AWS Service Catalog console. For more information, see [Managing products](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/catalogs_products.html#productmgmt-menu) in the *Service Catalog Adminstrator Guide*.
# Step 4. Call your blueprint to create a customized account
When you follow the **Create account** workflow in the AWS Control Tower console, you'll see an optional section where you can enter information about the blueprint you'd like to use for customizing accounts.
**Prerequisites**
You must set up your customization hub account and add at least one blueprint (Service Catalog product) before you can enter that information into the AWS Control Tower console and begin to provision customized accounts.
**Create or update a customized account in the AWS Control Tower console.**
1. Enter the account ID for the account that contains your blueprints.
1. From that account, select an existing Service Catalog product (existing blueprint).
1. Select the proper version of the blueprint (Service Catalog product), if you have more than one version.
1. (Optional) You can add or change a blueprint provisioning policy at this point in the process. The blueprint provisioning policy is written in JSON and attached to an IAM role, so it can provision the resources that are specified in the blueprint template. AWS Control Tower creates this role in the member account so that Service Catalog can deploy resources using CloudFormation stack sets. The role is named `AWSControlTower-BlueprintExecution-bp-xxxx`. The `AdministratorAccess` policy is applied here by default.
1. Choose the AWS Region or Regions in which you wish to deploy accounts based on this blueprint.
1. If your blueprint contains parameters, you can enter the values for the parameters into additional fields in the AWS Control Tower workflow. The additional values may include: a GitHub repository name, a GitHub branch, an Amazon ECS cluster name, and a GitHub identity for the repository owner.
1. You can customize accounts at a later time by following the **Account update** process, if your hub account or blueprints are not yet ready.
For more details, see [Create a customized account from a blueprint](create-afc-customized-account.md).
# Create a customized account from a blueprint
After you have created custom blueprints, you can start creating custom accounts in AWS Control Tower account factory.
**Follow these steps to deploy a custom blueprint when you're creating a new AWS account:**
1. Go to AWS Control Tower in the AWS Management Console.
1. Select **Account factory** and **Create account**.
1. Enter account details such as account name and email address.
1. Configure IAM Identity Center details with email address and user name.
1. Select a registered OU where your account will be added.
1. Expand the **Account factory customization** section.
1. Enter the account ID of the blueprint hub account that contains your Service Catalog products and choose **Validate**. For more information about a blueprint hub account, see [Customize accounts with Account Factory Customization (AFC)](af-customization-page.md).
1. Select the dropdown menu that contains all blueprints from your Service Catalog Product List (all custom and partner blueprints). Choose a blueprint and corresponding version to deploy.
1. If your blueprint contains parameters, these fields are displayed for you to populate. Default values are pre-populated.
1. Finally, select where you'll deploy your blueprint, either **Home Region** or **All governed Regions**. Global resources such as Route 53 or IAM, may need to be deployed to a single Region only. Regional resources, such as Amazon EC2 instances or Amazon S3 buckets, could be deployed to all governed Regions
1. After all fields are completed, select **Create account**.
**Note**
Blueprints created with Terraform can deploy to one Region only, not multiple Regions.
You can view the progress of your account provisioning on the **Organization** page. When your account provisioning is complete, the resources specified by your blueprint are already deployed within it. To view the details of the account and blueprint, go to the **Account details** page.
# Customize accounts with AFC as you enroll them
To enroll and customize accounts in the AWS Control Tower console.
1. Navigate to the AWS Control Tower console and select **Organization** from the left navigation.
1. You will see a list of your available accounts. Identify the account you would like to enroll with a custom blueprint. The **State** column for that account should reflect the account in a **Not enrolled** status.
1. Select the radio button to the left of the account and choose the **Actions** dropdown menu, in the top right of the screen. Here you will select the **Enroll** option.
1. Complete the **Access configuration** section with the account's IAM Identity Center information.
1. Select the registered OU where your account will become a member.
1. Complete the **Account factory customization** section using the same steps as 7-12 of the **Create account** procedure. For more information, see [Provision Account Factory accounts with AWS Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html).
You can view the status of your account progress on the **Organization** page. When your account enrollment is complete, the resources specified by the blueprint are already deployed within it.
# Add a blueprint to an AWS Control Tower account
To add a blueprint to an existing AWS Control Tower member account, follow the **Update account** workflow in the AWS Control Tower console, and choose a new blueprint to add to the account. For more information, see [Update and move Account Factory accounts with AWS Control Tower or with AWS Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/updating-account-factory-accounts.html#update-account-in-console).
**Note**
If you add a new blueprint to an account, the existing blueprint is overwritten.
**Note**
One blueprint may be deployed per AWS Control Tower account.
# Update a blueprint
The following procedures describe how to update custom blueprints and how to deploy them.
**To update your custom blueprints**
1. Update your CloudFormation template or Terraform tar.gz file (blueprint) with your new configurations.
1. Save the updated blueprint as a new version in AWS Service Catalog.
**To deploy your updated blueprint**
1. Navigate to the **Organization** page in the AWS Control Tower console.
1. Filter the **Organization** page by blueprint name and version.
1. Follow the **Update account** process, and deploy the latest blueprint version in your account.
**If a blueprint update is unsuccessful**
AWS Control Tower allows blueprint updates when the provisioned product is in the `AVAILABLE` state. If your provisioned product is in a `TAINTED` state, the update will fail. We recommend the following workaround:
1. In the AWS Service Catalog console, manually update the `TAINTED` provisioned product to change the state to `AVAILABLE`. For more information, see [Updating provisioned products](https://docs.aws.amazon.com//servicecatalog/latest/userguide/enduser-update.html).
1. Then, follow the update account process from AWS Control Tower to fix the blueprint deployment error.
*We recommend this manual step because:* When you remove a blueprint, it can cause resources in the member account to be removed. Removing resources may affect your existing workloads. For this reason, we recommend this method rather than the alternative way of updating a blueprint—which is by removing and replacing the original blueprint—especially if you are running production workloads.
# Remove a blueprint from an account
To remove a blueprint from an account, follow the **Update account** workflow to remove the blueprint and return the account to the AWS Control Tower default configurations.
As you enter the **Update account** workflow in the console, you will see that all of the account details are populated, and the customization details are not populated. If you leave these AFC details blank, AWS Control Tower removes the blueprint from the account. You will see a warning message before the action begins.
**Note**
AWS Control Tower adds a blueprint to an account only if you select a blueprint during the **Create account** or **Update account** process.
# Partner blueprints
AWS Control Tower Account Factory Customization (AFC) provides access to pre-defined customization blueprints that are built and managed by AWS Partners. These partner blueprints help you customize your accounts for specific use cases. Each partner's blueprints help you build customized accounts, which are pre-configured to work with the product offerings from that particular partner.
To view a complete list of AWS Control Tower partner blueprints, navigate to the Service Catalog **Getting Started Library** in your console. Search for the source type **AWS Control Tower Blueprints**.
## Considerations for Account Factory Customizations (AFC)
+ AFC supports customization using a single AWS Service Catalog blueprint product only.
+ The AWS Service Catalog blueprint products must be created in the hub account, and in the same Region as the AWS Control Tower landing zone home Region.
+ The `AWSControlTowerBlueprintAccess` IAM role must be created with the proper name, permissions, and trust policy.
+ AWS Control Tower supports two deployment options for blueprints: deploy to the home Region only, or deploy to all Regions governed by AWS Control Tower. Selection of Regions is not available.
+ When you update a blueprint in a member account, the blueprint hub account ID and the AWS Service Catalog blueprint product cannot be changed.
+ AWS Control Tower doesn't support removing an existing blueprint and adding a new blueprint in a single blueprint update operation. You can remove a blueprint and then add a new blueprint in separate operations.
+ AWS Control Tower changes behavior, based on whether you are creating or enrolling customized accounts, or non-customized accounts. If you are not creating or enrolling customized accounts with blueprints, AWS Control Tower creates an Account Factory provisioned product (through Service Catalog) in the AWS Control Tower management account. If you are specifying customization when creating or enrolling accounts with blueprints, AWS Control Tower does not create an Account Factory provisioned product in the AWS Control Tower management account.
## In case of a blueprint error
**Error while applying a blueprint**
If an error occurs during the process of applying a blueprint to an account—either a new account or an existing account that you are enrolling into AWS Control Tower—the recovery procedure is the same. The account will exist, but it is not customized, and it is not enrolled into AWS Control Tower. To continue, follow the steps to enroll the account into AWS Control Tower, and add the blueprint at time of enrollment.
**Error while creating the `AWSControlTowerBlueprintAccess` role, and workarounds**
When you create the `AWSControlTowerBlueprintAccess` role from an AWS Control Tower account, you must be signed in as the principal using the `AWSControlTowerExecution` role. If you are signed in as any other, the `CreateRole` operation is prevented by an SCP, as shown in the artifact that follows:
```
{
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/AWSControlTowerExecution",
"arn:aws:iam::*:role/stacksets-exec-*"
]
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/aws-controltower-*",
"arn:aws:iam::*:role/*AWSControlTower*",
"arn:aws:iam::*:role/stacksets-exec-*"
],
"Effect": "Deny",
"Sid": "GRIAMROLEPOLICY"
}
```
The following workarounds are available:
+ (Most recommended) Assume the `AWSControlTowerExecution` role and create the `AWSControlTowerBlueprintAccess` role. If you choose this workaround, be sure to sign out from the `AWSControlTowerExecution` role immediately afterward, to prevent unintended changes to resources.
+ Sign into an account that is not enrolled in AWS Control Tower, and therefore not subject to this SCP.
+ Temporarily edit this SCP to permit the operation.
+ (Strongly not recommended) Use your AWS Control Tower management account as your hub account, so it is not subject to the SCP.
## Customizing your policy document for AFC blueprints based on CloudFormation
When you enable a blueprint through account factory, AWS Control Tower directs CloudFormation to create a StackSet on your behalf. CloudFormation requires access to your managed account to create CloudFormation stacks in the StackSet. Although CloudFormation already has administrator privileges in the managed account through the `AWSControlTowerExecution` role, this role is not assumable by CloudFormation.
As part of enabling a blueprint, AWS Control Tower creates a role in the member account, which CloudFormation may assume to complete the StackSet management tasks. The simplest way to enable your customized blueprint through account factory is to use an *allow-all* policy, because those policies are compatible with any blueprint template.
However, best practices suggest that you must restrict the permissions for CloudFormation in the target account. You can provide a customized policy, which AWS Control Tower applies to the role it creates for CloudFormation to use. For example, if your blueprint creates an SSM Parameter called *something-important*, you could provide the following policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCloudFormationActionsOnStacks",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "arn:aws:cloudformation:*:*:stack/*"
},
{
"Sid": "AllowSsmParameterActions",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:GetParameter",
"ssm:GetParameters"
],
"Resource": "arn:*:ssm:*:*:parameter/something-important"
}
]
}
```
------
The `AllowCloudFormationActionsOnStacks` statement is required for all AFC custom policies; CloudFormation uses this role to create stack instances, therefore it requires permission to perform CloudFormation actions on stacks. The `AllowSsmParameterActions` section is specific to the template being enabled.
**Resolve permission issues**
When you enable a blueprint with a restricted policy, you may find that there are insufficient permissions to enable the blueprint. To resolve these issues, revise your policy document and update the member account's blueprint preferences to use the corrected policy. To check that the policy is sufficient to enable the blueprint, ensure that the CloudFormation permissions are granted, and that you can create a stack directly using that role.
## Additional permissions required for creating a Terraform-based Service Catalog product
When you're creating an AWS Service Catalog External product with a Terraform configuration file for AFC, AWS Service Catalog requires certain permissions to be added to your AFC custom IAM policy, in addition to permissions required to create the resources defined in your template. If you choose the default full **Admin** policy, you do not need to add these extra permissions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"resource-groups:CreateGroup",
"resource-groups:ListGroupResources",
"resource-groups:DeleteGroup",
"resource-groups:Tag"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/servicecatalog:provisioning": "true"
}
}
}
]
}
```
------
For more information about creating Terraform products using the External product type in AWS Service Catalog, see [Step 5: Create launch roles](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/getstarted-launchrole-Terraform.html) in the Service Catalog Administrator Guide.
## Transition to the AWS Service Catalog External product type
AWS Service Catalog changed support for *Terraform Open Source* products and provisioned products to a new product type, called *External*. To learn more about this transition, review [Updating existing Terraform Open Source products and provisioned products to the External product type](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/update_terraform_open_source_to_external.html) in the *AWS Service Catalog administrator guide*.
This change effects existing accounts that you created or enrolled with AWS Control Tower account factory customization. To transition these accounts to the *External* product type, you need to make changes in both AWS Service Catalog and AWS Control Tower.
**To transition to the External product type**
1. Upgrade your existing Terraform Reference Engine for AWS Service Catalog to include support for both *External* and *Terraform Open Source* product types. For instructions about updating your Terraform Reference Engine, review the [AWS Service Catalog GitHub Repository](https://github.com/aws-samples/service-catalog-engine-for-terraform-os).
1. In AWS Service Catalog, duplicate any existing *Terraform Open Source* products (blueprints), with the duplicates using the new *External* product type. **Do not terminate the existing Terraform Open Source blueprints**.
1. In AWS Control Tower, update each account using a *Terraform Open Source* blueprint to use the new *External* blueprint.
1. To update a blueprint, you must first remove the *Terraform Open Source* blueprint completely. For more details, review [Remove a blueprint from an account](https://docs.aws.amazon.com/controltower/latest/userguide/remove-a-blueprint.html).
1. Add the new *External* blueprint to the same account. For more details, review [Add a blueprint to an AWS Control Tower account](https://docs.aws.amazon.com/controltower/latest/userguide/add-blueprint-to-account.html).
1. After all accounts using *Terraform Open Source* blueprints are updated to *External* blueprints, return to AWS Service Catalog and terminate any products that use *Terraform Open Source* as the product type.
1. Going forward, all accounts created or enrolled using AWS Control Tower account factory customization must reference blueprints using the *CloudFormation* or *External* product type.
For blueprints created using the *External* product type, AWS Control Tower only supports account customizations that use Terraform templates and the Terraform reference engine. To learn more, review [Set up for customization](https://docs.aws.amazon.com/controltower/latest/userguide/afc-setup-steps.html).
**Note**
AWS Control Tower does not support *Terraform Open Source* as a product type when creating new accounts. To learn more about these changes, review [Updating existing Terraform Open Source products and provisioned products to the *External* product type](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/update_terraform_open_source_to_external.html) in the *AWS Service Catalog administrator guide*. AWS Service Catalog will support customers through this product type transition, as needed. Contact your account representative to request assistance.