Can I use Control Tower to automatically deploy infrastructure *other* than VPC

0

I understand that Control Tower Account Factory can automatically stamp out VPCs with all the fixin's for each provisioned account

I ALSO understand I can use Service Catalog with Control Tower to give users of these provisioned accounts the ability to deploy additional infrastructure such as application stacks

BUT, can I somehow configure Control Tower to deploy said additional infrastructure (such as application stacks) for me at the time I provision the account?

AWS
asked 4 years ago, 826 views
1 answer
2
Accepted answer

Here are the common approaches I've taken with customers; each has its pros and cons, and it's really more about what the customer's preferred method is:

  1. Use service-managed StackSets that are tied to an OU: this allows for a more managed approach where CloudFormation will trap events from Organizations and deploy and/or remove stacks from accounts. That means that once you create an account via Control Tower, these stacks will be automatically provisioned.
  • This is done using service-managed permissions; you can control the behavior, but when an account is added to an OU (created or moved) CloudFormation will automatically create a Stack Instance. You can control whether you want these to be retained if an account is removed.
  2. Use Lifecycle Events to trigger off <something>; these are most commonly Lambdas that implement the logic (e.g. deploy a CloudFormation template or add Stack Instances), but could also be an SNS notification that'll be trapped by your preferred provisioner (say Terraform). This gives greater flexibility but requires more management/responsibility from the customer.
  3. (Somewhat related to #2) Define Service Catalog Portfolios per OU or type and have both shared Products available to accounts and some provisioned into accounts. This allows for a combination of control and management.
  • I have done this using the Lifecycle Events and a (fairly) short Lambda that checks for a Portfolio matching the OU name; if found, it leverages the AWSControlTowerExecution Role to assume into and provision into the target accounts. You may want to consider different matching and/or clean-up too.

Customizations for Control Tower is an implementation of #2 and (IMHO) fits well for customers that have used the AWS Landing Zone solution previously or are familiar with it.

P.S. Control Tower "on its own" doesn't go into the deployment side.

AWS
EXPERT
Raphael
answered 4 years ago
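The following is an added example of the lifecycle-event approach (#2 in the answer above); it is not code from the answer or from AWS. It assumes an EventBridge rule that forwards `aws.controltower` CreateManagedAccount events to a Lambda, a hypothetical OU-name-to-template mapping (`OU_TEMPLATES`, placeholder URLs) that you would replace with your own, and that the Lambda's role may assume `AWSControlTowerExecution` in the new account. The AWS clients are injected into `deploy_baseline()` so the event parsing and the skip conditions (failed provisioning, unmapped OU) can be exercised offline with fakes; `SAMPLE_EVENT` is a constructed payload in the shape Control Tower emits via CloudTrail, with made-up IDs.

```python
"""Control Tower lifecycle-event handler: deploy a baseline stack into a new
account. Added example; assumptions are noted in comments."""
import os

try:
    import boto3  # only used inside lambda_handler()
except ImportError:  # lets the module import (and be tested) without boto3
    boto3 = None

# Hypothetical OU name -> baseline template URL mapping; replace with your own.
OU_TEMPLATES = {
    "Workloads": "https://example-bucket.s3.amazonaws.com/baseline-workloads.yaml",
    "Sandbox": "https://example-bucket.s3.amazonaws.com/baseline-sandbox.yaml",
}
STACK_NAME = "ct-baseline-app-stack"
EXEC_ROLE = "AWSControlTowerExecution"  # created by Control Tower in every enrolled account


def parse_lifecycle_event(event):
    """Return (account_id, ou_name) for a SUCCEEDED CreateManagedAccount event,
    or None for other event names, FAILED state, or a malformed payload."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "controltower.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = (detail.get("serviceEventDetails") or {}).get("createManagedAccountStatus") or {}
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = (status.get("account") or {}).get("accountId")
    ou_name = (status.get("organizationalUnit") or {}).get("organizationalUnitName")
    if not account_id or not ou_name:
        return None
    return account_id, ou_name


def deploy_baseline(event, sts_client, cfn_client_factory, region):
    """Assume AWSControlTowerExecution in the new account and create the stack
    mapped to its OU. cfn_client_factory(credentials, region) must return a
    CloudFormation client bound to the assumed-role credentials."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"skipped": "not a successful CreateManagedAccount event"}
    account_id, ou_name = parsed

    template_url = OU_TEMPLATES.get(ou_name)
    if template_url is None:
        return {"skipped": f"no baseline template mapped for OU {ou_name!r}",
                "account": account_id}

    assumed = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{EXEC_ROLE}",
        RoleSessionName="ct-lifecycle-baseline",
    )
    cfn = cfn_client_factory(assumed["Credentials"], region)
    # ClientRequestToken ties the create to the event id, so a retried or
    # duplicated event cannot create a second stack.
    resp = cfn.create_stack(
        StackName=STACK_NAME,
        TemplateURL=template_url,
        Capabilities=["CAPABILITY_NAMED_IAM"],
        ClientRequestToken=f"ct-{event.get('id', 'no-id')}"[:128],
    )
    return {"account": account_id, "ou": ou_name,
            "stack_id": resp.get("StackId"), "template": template_url}


def lambda_handler(event, context):
    """Real entry point: wires boto3 clients into deploy_baseline()."""
    region = os.environ.get("AWS_REGION", "us-east-1")

    def cfn_factory(creds, reg):
        return boto3.client(
            "cloudformation", region_name=reg,
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )

    return deploy_baseline(event, boto3.client("sts"), cfn_factory, region)


# Constructed sample event (made-up IDs) in the shape Control Tower emits.
SAMPLE_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "region": "us-east-1",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Workloads",
                                       "organizationalUnitId": "ou-xxxx-11111111"},
                "account": {"accountName": "payments-dev", "accountId": "111122223333"},
                "state": "SUCCEEDED",
            }
        },
    },
}
```

Matching on `state == "SUCCEEDED"` matters: Control Tower also emits the event for failed account creation, and a handler that only checks `eventName` would try to assume a role in an account that may not exist. Moving the same logic to a service-managed StackSet (approach #1) removes the Lambda entirely, at the cost of the per-OU branching shown here.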
