Amazon Control Tower · Arazzo Workflow

AWS Control Tower Enable Control and Confirm

Version 1.0.0

Enable a control on an organizational unit, poll the async operation to completion, then read back the enabled control.

1 workflow · 1 source API · 1 provider

Tags: Compliance, Governance, Landing Zone, Multi-Account, Security Controls, Arazzo, Workflows

Provider

amazon-control-tower

Workflows

enable-control
Enable a control on an OU and wait for the operation to succeed.
Calls enableControl, then repeatedly checks getControlOperation until the operation status is no longer IN_PROGRESS, branching to getEnabledControl on success.
3 steps · inputs: controlIdentifier, parameters, targetIdentifier · outputs: enabledControl, enabledControlArn, operationIdentifier, operationStatus
1. enableControl (operationId: enableControl): Start the asynchronous enable-control operation on the target OU and capture the operation identifier and the new enabled control ARN.
2. pollControlOperation (operationId: getControlOperation): Check the status of the enable-control operation. Repeats while the operation is still IN_PROGRESS, and proceeds to read the enabled control once it has SUCCEEDED.
3. getEnabledControl (operationId: getEnabledControl): Retrieve the enabled control's details, including its status summary and drift status summary, now that the operation has completed.

Source API Descriptions

Arazzo Workflow Specification

amazon-control-tower-enable-control-workflow.yml
arazzo: 1.0.1
info:
  title: AWS Control Tower Enable Control and Confirm
  summary: Enable a control on an organizational unit, poll the async operation to completion, then read back the enabled control.
  description: >-
    Activates a control (guardrail) on a target organizational unit. Because
    enabling a control is asynchronous, the workflow starts the operation,
    captures the returned operation identifier and enabled control ARN, polls
    the control operation until it leaves the IN_PROGRESS state, and finally
    retrieves the enabled control so the caller has its current status and drift
    summary. Each step spells out its request inline so the flow can be read and
    executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: controlTowerApi
  url: ../openapi/amazon-control-tower-openapi.yml
  type: openapi
workflows:
- workflowId: enable-control
  summary: Enable a control on an OU and wait for the operation to succeed.
  description: >-
    Calls enableControl, then repeatedly checks getControlOperation until the
    operation status is no longer IN_PROGRESS, branching to getEnabledControl on
    success.
  inputs:
    type: object
    required:
    - controlIdentifier
    - targetIdentifier
    properties:
      controlIdentifier:
        type: string
        description: The ARN of the control (guardrail) to activate.
      targetIdentifier:
        type: string
        description: The ARN of the organizational unit to apply the control to.
      parameters:
        type: array
        description: Optional list of control input parameters (key/value pairs).
        items:
          type: object
          properties:
            key:
              type: string
            value: {}
  steps:
  - stepId: enableControl
    description: >-
      Start the asynchronous enable-control operation on the target OU and
      capture the operation identifier and the new enabled control ARN.
    operationId: enableControl
    requestBody:
      contentType: application/json
      payload:
        controlIdentifier: $inputs.controlIdentifier
        targetIdentifier: $inputs.targetIdentifier
        parameters: $inputs.parameters
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      operationIdentifier: $response.body#/operationIdentifier
      enabledControlArn: $response.body#/arn
  - stepId: pollControlOperation
    description: >-
      Check the status of the enable-control operation. Repeats while the
      operation is still IN_PROGRESS, and proceeds to read the enabled control
      once it has SUCCEEDED.
    operationId: getControlOperation
    requestBody:
      contentType: application/json
      payload:
        operationIdentifier: $steps.enableControl.outputs.operationIdentifier
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      status: $response.body#/controlOperation/status
    onSuccess:
    - name: stillRunning
      type: goto
      stepId: pollControlOperation
      criteria:
      - context: $response.body
        condition: $.controlOperation.status == "IN_PROGRESS"
        type: jsonpath
    - name: operationDone
      type: goto
      stepId: getEnabledControl
      criteria:
      - context: $response.body
        condition: $.controlOperation.status == "SUCCEEDED"
        type: jsonpath
  - stepId: getEnabledControl
    description: >-
      Retrieve the enabled control's details, including its status summary and
      drift status summary, now that the operation has completed.
    operationId: getEnabledControl
    requestBody:
      contentType: application/json
      payload:
        enabledControlIdentifier: $steps.enableControl.outputs.enabledControlArn
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      enabledControl: $response.body#/enabledControl
      status: $response.body#/enabledControl/statusSummary/status
      driftStatus: $response.body#/enabledControl/driftStatusSummary/driftStatus
  outputs:
    enabledControlArn: $steps.enableControl.outputs.enabledControlArn
    operationIdentifier: $steps.enableControl.outputs.operationIdentifier
    operationStatus: $steps.pollControlOperation.outputs.status
    enabledControl: $steps.getEnabledControl.outputs.enabledControl