// the find
aws-ia/terraform-aws-control_tower_account_factory
AWS Control Tower Account Factory
AWS Control Tower Account Factory for Terraform (AFT) is the official AWS module for vending new AWS accounts in a Control Tower environment via GitOps. You drop a Terraform file into a request repo, and a CodePipeline/Step Functions workflow provisions the account, applies customizations, and optionally deletes default VPCs or enables CloudTrail data events. This is squarely for platform/cloud engineering teams running multi-account AWS organizations.
The GitOps model is the right call — account requests are code, so they're reviewable, auditable, and repeatable. Multi-VCS support (CodeCommit, GitHub, GitLab, Bitbucket, Azure DevOps) means you're not locked into CodeCommit like you were with early Control Tower tooling. The separation between global customizations, account-type customizations, and provisioning customizations gives you real layering without hacking around Service Catalog. The OIDC integration for HCP Terraform/TFE avoids storing long-lived credentials in SSM, which is a meaningful security improvement over the token-based alternative.
The OIDC trust policy wildcards the workspace name within the project. The README calls this out honestly, but making workspace governance a 'customer responsibility' is a footgun at scale: any workspace someone sneaks into that project can assume the `AWSAFTExecution` role across your entire org. The practical mitigation is to pin the `sub` condition to the workspace names AFT actually runs in and to restrict who can create workspaces in that HCP Terraform project. Initial deployment takes up to 30 minutes and needs STS credentials valid for at least 60 minutes, which is awkward in environments with short-lived credential policies. The repo explicitly does not accept pull requests, so if you hit a bug you're filing an issue and waiting; a fork-and-patch fix never lands upstream. CloudWatch log groups default to never-expire retention (`cloudwatch_log_group_retention` defaults to `0`), which will quietly accumulate cost if you don't set it.
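To make the wildcard concern concrete, here is an added simulation of how an IAM trust policy's `Condition` block admits or rejects HCP Terraform workload-identity tokens. This is illustration code written for this review, not AFT's trust policy or any HashiCorp/AWS library; the `acme` organization, the `aft` project and the workspace names are hypothetical, and only the `StringEquals` and `StringLike` operators are modelled.

```python
"""
Simulate IAM trust-policy Condition evaluation for HCP Terraform / TFE
workload-identity tokens, to show why a workspace wildcard lets any
workspace in the project assume the role. Added illustration; not AFT's
own trust policy. Org, project and workspace names are hypothetical.
"""
import re

ISSUER = "app.terraform.io"          # condition keys are "<issuer>:aud" / "<issuer>:sub"
AUDIENCE = "aws.workload.identity"   # HCP Terraform's default aud for AWS


def tfc_sub(org, project, workspace, run_phase="apply"):
    """Build the `sub` claim HCP Terraform puts in its workload-identity tokens:
    organization:<org>:project:<project>:workspace:<ws>:run_phase:<phase>."""
    return f"organization:{org}:project:{project}:workspace:{workspace}:run_phase:{run_phase}"


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def condition_allows(condition, claims):
    """Evaluate a Condition block the way IAM does for the operators above:
    every operator and every key must be satisfied (AND); a key listing several
    values is satisfied by any one of them (OR); a missing claim fails."""
    for operator, keys in condition.items():
        match = _OPERATORS[operator]
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = claims.get(key)
            if value is None or not any(match(p, value) for p in patterns):
                return False
    return True


# Project-wide wildcard on the workspace segment: the shape the review warns about.
WILDCARD_CONDITION = {
    "StringEquals": {f"{ISSUER}:aud": AUDIENCE},
    "StringLike": {f"{ISSUER}:sub": "organization:acme:project:aft:workspace:*:run_phase:*"},
}

# Pinned to the workspaces that are supposed to run AFT (hypothetical names).
PINNED_CONDITION = {
    "StringEquals": {f"{ISSUER}:aud": AUDIENCE},
    "StringLike": {f"{ISSUER}:sub": [
        "organization:acme:project:aft:workspace:aft-account-request:run_phase:*",
        "organization:acme:project:aft:workspace:aft-global-customizations:run_phase:*",
    ]},
}


def can_assume(condition, workspace, org="acme", project="aft", audience=AUDIENCE):
    """Would a token minted for this workspace pass the trust policy's Condition?"""
    claims = {f"{ISSUER}:aud": audience, f"{ISSUER}:sub": tfc_sub(org, project, workspace)}
    return condition_allows(condition, claims)


if __name__ == "__main__":
    for name, cond in (("wildcard", WILDCARD_CONDITION), ("pinned", PINNED_CONDITION)):
        for ws in ("aft-account-request", "rogue-sandbox"):
            print(f"{name:8s} {ws:22s} -> {can_assume(cond, ws)}")
```

With the wildcard condition, a `rogue-sandbox` workspace created in the same project passes the check just like the legitimate AFT workspace; with the pinned condition it is rejected, as is a near-miss name such as `aft-account-request-evil`, because the literal `:run_phase:` segment must follow the workspace name. Pinning `run_phase` as well (for example `plan` versus `apply`) is the usual next step when you want a read-only role for plans and the privileged role only for applies.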