{"id":38021,"date":"2022-04-30T23:35:00","date_gmt":"2022-04-30T18:05:00","guid":{"rendered":"https:\/\/blazeclan.com\/manage-an-aws-landing-zone-using-aws-control-tower-account-factory-for-terraform\/"},"modified":"2024-03-19T11:13:00","modified_gmt":"2024-03-19T05:43:00","slug":"manage-an-aws-landing-zone-using-aws-control-tower-account-factory-for-terraform","status":"publish","type":"post","link":"https:\/\/blazeclan.com\/en-eu\/blog\/manage-an-aws-landing-zone-using-aws-control-tower-account-factory-for-terraform\/","title":{"rendered":"Manage an AWS Landing Zone using AWS Control Tower Account Factory for Terraform"},"content":{"rendered":"\n

An AWS Landing Zone provides the perfect platform for customers to set up a secure, multi-account AWS environment based on AWS best practices. This is done by implementing the initial security baseline, core AWS accounts, and resources.<\/p>\n\n\n\n

The AWS Control Tower has become the de facto standard for quick and easy deployment of the Landing Zone on AWS. A Control Tower deployment offers a baseline architecture, which can further be customized and built using Customizations for AWS Control Tower<\/a>. This customization uses AWS CloudFormation under the hood and is hence suitable for customers who are well versed with AWS CloudFormation to manage the infrastructure-as-Code.<\/p>\n\n\n\n

AWS Control Tower Account Factory for Terraform<\/h2>\n\n\n\n

The AWS Control Tower team has recently released a Terraform Module called the AWS Control Tower Account Factory for Terraform (AFT) for those who want to leverage HashiCorp\u2019s Terraform to work alongside the AWS Control Tower.<\/p>\n\n\n\n

The AFT Module supplements an existing Control Tower deployment and helps to provide and manage a landing zone environment using configuration repositories and deployment pipelines. The module is maintained by the AWS Control Tower team.<\/p>\n\n\n\n

AFT Components and Work Flow<\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

AFT uses deployment pipelines to provision, customize, and manage a landing zone. These pipelines are triggered by changes made to a number of source code repositories. AFT supports GitHub, GitHub Enterprise, AWS CodeCommit, and Bitbucket as the choice for storing your source code.<\/p>\n\n\n\n

These deployment pipelines and other relevant resources are provisioned by deploying the AFT module within an existing AWS Control Tower environment. Most of the resources for AFT are provisioned within a dedicated AWS account (referred to as the AFT Management Account) as shown in the above diagram. The AFT module works with Terraform Open Source (OSS), Terraform Cloud, and Terraform Enterprise.<\/p>\n\n\n\n

AFT pipelines use configuration defined across 4 different source code repositories \u2013<\/p>\n\n\n\n

Repository Name (Default)<\/strong><\/td>Repository Purpose<\/strong><\/td><\/tr>
aft-account-request<\/td>New account provisioning request using AFT<\/td><\/tr>
aft-global-customizations<\/td>Specify customizations to apply to all accounts created by AFT<\/td><\/tr>
aft-account-customizations<\/td>Specify account-related customizations<\/td><\/tr>
aft-account-provisioning-customizations<\/td>Specify provisioning-time customizations to apply to accounts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Note<\/em> \u2013 The repository names given above can be customized as needed.<\/em><\/p>\n\n\n\n

Workflow<\/strong> \u2013 Developers push changes to the respective repositories as needed, which triggers the following AFT workflow to provision and customize the account(s) \u2013<\/p>\n\n\n\n

    \n
  1. An AWS CodePipeline pipeline downloads the source code (Terraform files), and runs them within CodeBuild, which inserts an item in a DynamoDB table. The insertion of the item triggers a Lambda function which puts the request into an SQS-FIFO queue. The use of an SQS-FIFO queue within the workflow enables placing multiple requests simultaneously.<\/li>\n\n\n\n
  2. Another Lambda function then reads the message placed on the queue and invokes the AWS Control Tower account vending machine within the Control Tower Management account. Once an account is provisioned by Control Tower, the workflow moves back to the AFT Management account for further processing.<\/li>\n\n\n\n
  3. Lambda functions within the AFT management account trigger an account-specific customization pipeline for further customizations to the vendor account(s).<\/li>\n<\/ol>\n\n\n\n

    AFT Deployment<\/h3>\n\n\n\n

    Pre-requisites<\/h4>\n\n\n\n