support for ControlTower account creation

[OlafConijn]

Currently the organization.yml supports creation of AWS Accounts using the Organizations Service.

This issue proposes to add support for Control Tower accounts. Control Tower accounts get created by "AWS Control Tower Account Factory" in Service Catalog. Some of the attributes that can be specified in the organization.yml will be directly used as parameters to the Service Catalog product. Others may be used post-creation time, to set up things like the IAM Alias.

⚠️ Organizational Unit support will be different in comparison to "regular" Accounts. A deliberate difference so that Accounts and OUs from Control Tower can evolve separately.

  SharedUsersAccount:
    Type: OC::ControlTower::Account
    Properties:
      AccountName: My Account # passed directly into the SC product
      RootEmail: [email protected]  # passed directly into the SC product
      SSOUserFirstName: "Fred"  # passed directly into the SC product
      SSOUserLastName: "Flintstone"  # passed directly into the SC product
      SSOUserEmail: "[email protected]"  # passed directly into the SC product
      ManagedOrganizationalUnit: "Dev (ou-abc-12def34ghi)" # passed directly into the SC product
      Alias: my-account # used post-creation to set up IAM alias
      PasswordPolicy: !Ref PasswordPolicy  # used post-creation to set up Pwd policies
      Tags:   # used post-creation to set account tags
        budget-alarm-threshold: '100'

When a new account gets added to the model the account gets created in Service Catalog

• if the account already exists in SC/CT it will be a no-op
• if the account already exists as a regular account, this will be an error (todo: import account?)

When a new account gets updated: the provisioned product gets updated
When a new account gets removed: the provisioned product gets terminated