Provision a new account with AFT - AWS Control Tower

Provision a new account with AFT

To provision a new account with AFT, create an account request Terraform file. This file contains the input for parameters in the aft-account-request repository. After creating an account request Terraform file, begin processing your account request by running git push. This command invokes the ct-aft-account-request operation in the AWS CodePipeline, which is created in the AFT management account after account provisioning finishes. For more information, see AFT account provisioning pipeline.

Account request Terraform file parameters

You must include the following parameters in your account request Terraform file. You can view an example account request Terraform file on GitHub.

  • The value of module name must be unique per the AWS account request.

  • The value of module source is the path to the account request Terraform module that AFT provides.

  • The value of control_tower_parameters captures the required input to create an AWS Control Tower account. The value includes the following input fields:

    • AccountEmail

    • AccountName

    • ManagedOrganizationalUnit

    • SSOUserEmail

    • SSOUserFirstName

    • SSOUserLastName


The input that you provide for control_tower_parameters can't be changed during the account provisioning.

The supported formats for specifying ManagedOrganizationalUnit in the aft-account-request repository include OUName and OUName (OU-ID).

  • account_tags captures user-defined keys and values, which can tag AWS accounts according to business criteria. For more information, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

  • The value of change_management_parameters captures additional information, such as why an account request was created and who initiated the account request. The value includes the following input fields:

    • change_reason

    • change_requested_by

  • custom_fields captures additional metadata with keys and values that deploy as SSM parameters in the vended account under /aft/account-request/custom-fields/. You can reference this metadata during account customizations to deploy proper controls. For example, an account that's subject to regulatory compliance might deploy additional AWS Config Rules. The metadata that you collect with custom_fields can invoke additional processing during account provisioning and updating. If a custom field is removed from the account request, the custom field is removed from the SSM Parameter Store for the vended account.

  • (Optional) account_customizations_name captures the account template folder in the aft-account-customizations repository. For more information, see Account customizations.