Release: 1.19.0

Author: AWS

README.md

@@ -57,6 +57,25 @@ Now that you have configured and deployed AWS Control Tower Account Factory for
 ## Collection of Operational Metrics
 As of version 1.6.0, AFT collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [documentation here](https://docs.aws.amazon.com/controltower/latest/userguide/aft-operational-metrics.html).
 
+## Security Considerations
+
+### HCP Terraform / Terraform Enterprise OIDC Workspace Governance
+
+When you enable the HCP Terraform or Terraform Enterprise OIDC integration (`terraform_oidc_integration = true`), AFT configures the `AWSAFTAdmin` IAM role with a trust policy that allows any workspace within your configured TFC/TFE organization and project to assume the role via OIDC. The trust policy uses a `sub` claim condition scoped to your organization, project, and audience, but uses a wildcard (`workspace:*`) for the workspace name.
+
+**Existing mitigations:**
+- The trust policy is scoped to your specific TFC/TFE **organization**, **project**, and **audience** — only workspaces within the configured project can obtain credentials.
+- The `AWSAFTAdmin` role is limited to `sts:AssumeRole` permissions only (to assume `AWSAFTExecution` and `AWSAFTService` roles). It has no direct permissions to access or modify AWS resources.
+
+**Customer responsibility:**
+
+> **Important:** Workspace governance within your configured TFC/TFE project is your responsibility. Any workspace created within the project specified by `terraform_project_name` can assume the `AWSAFTAdmin` role via OIDC. You should take the following steps to secure your environment:
+
+- **Restrict workspace creation:** Limit who can create new workspaces within the TFC/TFE project used by AFT. Use [TFC/TFE team permissions](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/permissions) to control workspace management access.
+- **Audit workspace access:** Regularly review the workspaces in your AFT project to ensure only authorized workspaces exist.
+- **Use a dedicated project:** Use a dedicated TFC/TFE project exclusively for AFT workspaces. Avoid sharing the project with unrelated workspaces.
+- **Consider workspace-specific scoping (optional):** For additional security, after deployment you can manually modify the `AWSAFTAdmin` trust policy to replace the `workspace:*` wildcard with explicit workspace names (e.g., `workspace:my-aft-workspace`). Note that this customization must be maintained outside of AFT and re-applied after AFT updates.
+
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -145,6 +164,9 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to resources deployed by AFT. | `map(any)` | `null` | no |
 | <a name="input_terraform_api_endpoint"></a> [terraform\_api\_endpoint](#input\_terraform\_api\_endpoint) | API Endpoint for Terraform. Must be in the format of https://xxx.xxx. | `string` | `"https://app.terraform.io/api/v2/"` | no |
 | <a name="input_terraform_distribution"></a> [terraform\_distribution](#input\_terraform\_distribution) | Terraform distribution being used for AFT - valid values are oss, tfc, or tfe | `string` | `"oss"` | no |
+| <a name="input_terraform_oidc_aws_audience"></a> [terraform\_oidc\_aws\_audience](#input\_terraform\_oidc\_aws\_audience) | The audience value to use in run identity tokens for HCP dynamic credentials (OIDC). var.aft\_feature\_hcp\_oidc must be set to true to enable OIDC. | `string` | `"aws.workload.identity"` | no |
+| <a name="input_terraform_oidc_hostname"></a> [terraform\_oidc\_hostname](#input\_terraform\_oidc\_hostname) | The hostname of the TFC or TFE instance to use with AWS when configuring dynamic credentials (OIDC). var.aft\_feature\_hcp\_oidc must be set to true to enable OIDC. | `string` | `"app.terraform.io"` | no |
+| <a name="input_terraform_oidc_integration"></a> [terraform\_oidc\_integration](#input\_terraform\_oidc\_integration) | Enable HCP Terraform’s native OpenID Connect integration with AWS to get dynamic credentials for the AWS provider in your HCP Terraform runs | `bool` | `false` | no |
 | <a name="input_terraform_org_name"></a> [terraform\_org\_name](#input\_terraform\_org\_name) | Organization name for Terraform Cloud or Enterprise | `string` | `"null"` | no |
 | <a name="input_terraform_project_name"></a> [terraform\_project\_name](#input\_terraform\_project\_name) | Project name for Terraform Cloud or Enterprise - project must exist before deployment | `string` | `"Default Project"` | no |
 | <a name="input_terraform_token"></a> [terraform\_token](#input\_terraform\_token) | Terraform token for Cloud or Enterprise | `string` | `"null"` | no |

VERSION

@@ -1 +1 @@
-1.18.1
+1.19.0

examples/bitbucket+tf_enterprise/main.tf

@@ -21,4 +21,6 @@ module "aft" {
   terraform_api_endpoint = "https://terraform.example.com/api/v2/"
   terraform_token        = "EXAMPLE-uoc1c1qsw7poexampleewjeno1pte3rw"
   terraform_org_name     = "ExampleOrg"
+  # Enable OIDC
+  terraform_oidc_integration = true
 }

examples/githubenterprise+tf_cloud/main.tf

@@ -21,4 +21,6 @@ module "aft" {
   terraform_distribution = "tfc"
   terraform_token        = "EXAMPLE-uoc1c1qsw7poexampleewjeno1pte3rw"
   terraform_org_name     = "ExampleOrg"
+  # Enable OIDC
+  terraform_oidc_integration = true
 }

examples/gitlabselfmanaged+tf_cloud/main.tf

@@ -21,4 +21,6 @@ module "aft" {
   terraform_distribution = "tfc"
   terraform_token        = "EXAMPLE-uoc1c1qsw7poexampleewjeno1pte3rw"
   terraform_org_name     = "ExampleOrg"
+  # Enable OIDC
+  terraform_oidc_integration = true
 }

main.tf

@@ -190,6 +190,13 @@ module "aft_iam_roles" {
     aws.log_archive    = aws.log_archive
     aws.aft_management = aws.aft_management
   }
+
+  terraform_oidc_integration  = var.terraform_oidc_integration
+  terraform_oidc_aws_audience = var.terraform_oidc_aws_audience
+  terraform_oidc_hostname     = var.terraform_oidc_hostname
+  terraform_org_name          = var.terraform_org_name
+  terraform_distribution      = var.terraform_distribution
+  terraform_project_name      = var.terraform_project_name
 }
 
 module "aft_lambda_layer" {
@@ -274,6 +281,8 @@ module "aft_ssm_parameters" {
   terraform_version                                           = var.terraform_version
   terraform_org_name                                          = var.terraform_org_name
   terraform_project_name                                      = var.terraform_project_name
+  terraform_oidc_integration                                  = var.terraform_oidc_integration
+  terraform_oidc_aws_audience                                 = var.terraform_oidc_aws_audience
   aft_feature_cloudtrail_data_events                          = var.aft_feature_cloudtrail_data_events
   aft_feature_enterprise_support                              = var.aft_feature_enterprise_support
   aft_feature_delete_default_vpcs_enabled                     = var.aft_feature_delete_default_vpcs_enabled

modules/aft-backend/main.tf

@@ -5,6 +5,8 @@ data "aws_caller_identity" "current" {
   provider = aws.primary_region
 }
 
+data "aws_partition" "current" {}
+
 # S3 Resources
 #tfsec:ignore:aws-s3-enable-bucket-logging
 resource "aws_s3_bucket" "primary-backend-bucket" {
@@ -304,6 +306,37 @@ resource "aws_s3_bucket_versioning" "aft_access_logs_primary_backend_bucket" {
 resource "aws_kms_key" "aft_access_logs_primary_backend_bucket" {
   provider            = aws.primary_region
   enable_key_rotation = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "EnableRootAccountAccess"
+        Effect    = "Allow"
+        Principal = { AWS = "arn:${data.aws_partition.current.partition}:iam::${var.aft_management_account_id}:root" }
+        Action    = "kms:*"
+        Resource  = "*"
+      },
+      {
+        Sid       = "AllowS3LoggingServiceAccess"
+        Effect    = "Allow"
+        Principal = { Service = "logging.s3.amazonaws.com" }
+        Action = [
+          "kms:GenerateDataKey",
+          "kms:Encrypt"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnLike = {
+            "aws:SourceArn" = aws_s3_bucket.primary-backend-bucket.arn
+          }
+          StringEquals = {
+            "aws:SourceAccount" = var.aft_management_account_id
+          }
+        }
+      }
+    ]
+  })
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "aft_access_logs_primary_backend_bucket" {

modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml

@@ -77,6 +77,9 @@ phases:
           TF_PROJECT_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/project-name" --query "Parameter.Value" --output text)
           TF_WORKSPACE_NAME="ct-aft-account-provisioning-customizations"
           TF_CONFIG_PATH="./temp_configuration_file.tar.gz"
+          TF_HCP_OIDC_ENABLED=$(aws ssm get-parameter --name /aft/config/terraform/oidc-integration | jq --raw-output ".Parameter.Value")
+          TF_HCP_OIDC_AUDIENCE=$(aws ssm get-parameter --name /aft/config/terraform/oidc-aws-audience | jq --raw-output ".Parameter.Value")
+
           cd $DEFAULT_PATH/terraform
           if ls *.jinja >/dev/null 2>&1; then
             for f in *.jinja; do
@@ -90,7 +93,19 @@ phases:
           for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
           cd $DEFAULT_PATH
           tar -czf temp_configuration_file.tar.gz -C terraform --exclude .git --exclude venv .
-          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py --operation "deploy" --organization_name $TF_ORG_NAME --workspace_name $TF_WORKSPACE_NAME --assume_role_arn $AFT_ADMIN_ROLE_ARN --assume_role_session_name $ROLE_SESSION_NAME --api_endpoint $TF_ENDPOINT --api_token $TF_TOKEN --terraform_version $TF_VERSION --config_file $TF_CONFIG_PATH --project_name "$TF_PROJECT_NAME"
+          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py \
+            --operation "deploy" \
+            --organization_name $TF_ORG_NAME \
+            --workspace_name $TF_WORKSPACE_NAME \
+            --assume_role_arn $AFT_ADMIN_ROLE_ARN \
+            --assume_role_session_name $ROLE_SESSION_NAME \
+            --api_endpoint $TF_ENDPOINT \
+            --api_token $TF_TOKEN \
+            --terraform_version $TF_VERSION \
+            --config_file $TF_CONFIG_PATH \
+            --project_name "$TF_PROJECT_NAME" \
+            --hcp_oidc_enabled "$TF_HCP_OIDC_ENABLED" \
+            --hcp_oidc_audience "$TF_HCP_OIDC_AUDIENCE"
         fi
 
   build:

modules/aft-code-repositories/buildspecs/ct-aft-account-request.yml

@@ -76,6 +76,9 @@ phases:
           TF_PROJECT_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/project-name" --query "Parameter.Value" --output text)
           TF_WORKSPACE_NAME="ct-aft-account-request"
           TF_CONFIG_PATH="./temp_configuration_file.tar.gz"
+          TF_HCP_OIDC_ENABLED=$(aws ssm get-parameter --name /aft/config/terraform/oidc-integration | jq --raw-output ".Parameter.Value")
+          TF_HCP_OIDC_AUDIENCE=$(aws ssm get-parameter --name /aft/config/terraform/oidc-aws-audience | jq --raw-output ".Parameter.Value")
+
           cd $DEFAULT_PATH/terraform
           if ls *.jinja >/dev/null 2>&1; then
             for f in *.jinja; do
@@ -89,7 +92,19 @@ phases:
           for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
           cd $DEFAULT_PATH
           tar -czf temp_configuration_file.tar.gz -C terraform --exclude .git --exclude venv .
-          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py --operation "deploy" --organization_name $TF_ORG_NAME --workspace_name $TF_WORKSPACE_NAME --assume_role_arn $AFT_ADMIN_ROLE_ARN --assume_role_session_name $ROLE_SESSION_NAME --api_endpoint $TF_ENDPOINT --api_token $TF_TOKEN --terraform_version $TF_VERSION --config_file $TF_CONFIG_PATH --project_name "$TF_PROJECT_NAME"
+          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py \
+            --operation "deploy" \
+            --organization_name $TF_ORG_NAME \
+            --workspace_name $TF_WORKSPACE_NAME \
+            --assume_role_arn $AFT_ADMIN_ROLE_ARN \
+            --assume_role_session_name $ROLE_SESSION_NAME \
+            --api_endpoint $TF_ENDPOINT \
+            --api_token $TF_TOKEN \
+            --terraform_version $TF_VERSION \
+            --config_file $TF_CONFIG_PATH \
+            --project_name "$TF_PROJECT_NAME" \
+            --hcp_oidc_enabled "$TF_HCP_OIDC_ENABLED" \
+            --hcp_oidc_audience "$TF_HCP_OIDC_AUDIENCE"
         fi
 
   build:

modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml

@@ -134,6 +134,8 @@ phases:
             TF_PROJECT_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/project-name" --query "Parameter.Value" --output text)
             TF_WORKSPACE_NAME=$VENDED_ACCOUNT_ID-aft-account-customizations
             TF_CONFIG_PATH="./temp_configuration_file.tar.gz"
+            TF_HCP_OIDC_ENABLED=$(aws ssm get-parameter --name /aft/config/terraform/oidc-integration | jq --raw-output ".Parameter.Value")
+            TF_HCP_OIDC_AUDIENCE=$(aws ssm get-parameter --name /aft/config/terraform/oidc-aws-audience | jq --raw-output ".Parameter.Value")
 
             cd $DEFAULT_PATH/$CUSTOMIZATION/terraform
             if ls *.jinja >/dev/null 2>&1; then
@@ -150,7 +152,19 @@ phases:
             
             cd $DEFAULT_PATH/$CUSTOMIZATION
             tar -czf temp_configuration_file.tar.gz -C terraform --exclude .git --exclude venv .
-            python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py --operation "deploy" --organization_name $TF_ORG_NAME --workspace_name $TF_WORKSPACE_NAME --assume_role_arn $AFT_ADMIN_ROLE_ARN --assume_role_session_name $ROLE_SESSION_NAME --api_endpoint $TF_ENDPOINT --api_token $TF_TOKEN --terraform_version $TF_VERSION --config_file $TF_CONFIG_PATH --project_name "$TF_PROJECT_NAME"
+            python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py \
+              --operation "deploy" \
+              --organization_name $TF_ORG_NAME \
+              --workspace_name $TF_WORKSPACE_NAME \
+              --assume_role_arn $AFT_ADMIN_ROLE_ARN \
+              --assume_role_session_name $ROLE_SESSION_NAME \
+              --api_endpoint $TF_ENDPOINT \
+              --api_token $TF_TOKEN \
+              --terraform_version $TF_VERSION \
+              --config_file $TF_CONFIG_PATH \
+              --project_name "$TF_PROJECT_NAME" \
+              --hcp_oidc_enabled "$TF_HCP_OIDC_ENABLED" \
+              --hcp_oidc_audience "$TF_HCP_OIDC_AUDIENCE"
           fi
         fi
   post_build: