  • Language: HCL
  • License: Apache License 2.0
  • Created about 3 years ago
  • Updated over 1 year ago


AWS Control Tower Account Factory

AWS Control Tower Account Factory for Terraform

AWS Control Tower Account Factory for Terraform (AFT) follows a GitOps model to automate the processes of account provisioning and account updating in AWS Control Tower. You'll create an account request Terraform file, which provides the necessary input that triggers the AFT workflow for account provisioning.

For more information on AFT, see Overview of AWS Control Tower Account Factory for Terraform.

Getting started

This guide is intended for administrators of AWS Control Tower environments who wish to set up Account Factory for Terraform (AFT) in their environment. It describes how to set up an AFT environment with a new, dedicated AFT management account, and follows the deployment steps outlined in Deploy AWS Control Tower Account Factory for Terraform (AFT).

Configure and launch your AWS Control Tower Account Factory for Terraform

Five steps are required to configure and launch your AFT environment.

Step 1: Launch your AWS Control Tower landing zone

Before launching AFT, you must have a working AWS Control Tower landing zone in your AWS account. You will configure and launch AFT from the AWS Control Tower management account.

Step 2: Create a new organizational unit for AFT (recommended)

We recommend that you create a separate OU in your AWS Organization, where you will deploy the AFT management account. Create an OU through your AWS Control Tower management account. For instructions on how to create an OU, refer to Create an organization in the AWS Organizations User Guide.

Step 3: Provision the AFT management account

AFT requires a separate AWS account to manage and orchestrate its own requests. From the AWS Control Tower management account that's associated with your AWS Control Tower landing zone, you'll provision this account for AFT.

To provision the AFT management account, see Provisioning Account Factory Accounts With AWS Service Catalog. When specifying an OU, be sure to select the OU you created in Step 2. When specifying a name, use "AFT-Management".

Note: It can take up to 30 minutes for the account to be fully provisioned. Validate that you have access to the AFT management account.

Step 4: Ensure that the Terraform environment is available for deployment

This step assumes that you are experienced with Terraform, and that you have procedures in place for executing Terraform. AFT supports Terraform Version 0.15.x or later.

Step 5: Call the Account Factory for Terraform module to deploy AFT

The Account Factory for Terraform module must be called while you are authenticated with AdministratorAccess credentials in your AWS Control Tower management account.

AWS Control Tower, through the AWS Control Tower management account, vends a Terraform module that establishes all infrastructure necessary to orchestrate your AWS Control Tower account factory requests. You can view that module in the AFT repository.

Refer to the module’s README file for information about the input required to run the module and deploy AFT.

If you have established pipelines for managing Terraform in your environment, you can integrate this module into your existing workflow. Otherwise, run the module from any environment that is authenticated with the required credentials.

Note: The AFT Terraform module does not manage a backend for its own Terraform state. Be sure to preserve the Terraform state file that is generated after applying the module, or set up a Terraform backend using Amazon S3 and DynamoDB.

Certain input variables may contain sensitive values, such as a private SSH key or Terraform token. Depending on your deployment method, these values may be viewable as plain text in the Terraform state file. It is your responsibility to protect the Terraform state file, which may contain sensitive data. See the Terraform documentation for more information.

Note: Deploying AFT through the Terraform module takes several minutes; the initial deployment may take up to 30 minutes. As a best practice, use AWS Security Token Service (STS) credentials and make sure their timeout is long enough for a full deployment, because credentials that expire mid-run cause the deployment to fail. Use a timeout of at least 60 minutes for AWS STS credentials. Alternatively, you can use any IAM user that has AdministratorAccess permissions in the AWS Control Tower management account.

Next Steps:

Now that you have configured and deployed AWS Control Tower Account Factory for Terraform, follow the steps outlined in Post-deployment steps and Provision accounts with AWS Control Tower Account Factory for Terraform to begin using your environment.

Collection of Operational Metrics

As of version 1.6.0, AFT collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the documentation here.

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.15.1, < 2.0.0 |
| aws | >= 4.27.0, < 5.0.0 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.27.0, < 5.0.0 |
| local | n/a |

Modules

| Name | Source | Version |
|---|---|---|
| aft_account_provisioning_framework | ./modules/aft-account-provisioning-framework | n/a |
| aft_account_request_framework | ./modules/aft-account-request-framework | n/a |
| aft_backend | ./modules/aft-backend | n/a |
| aft_code_repositories | ./modules/aft-code-repositories | n/a |
| aft_customizations | ./modules/aft-customizations | n/a |
| aft_feature_options | ./modules/aft-feature-options | n/a |
| aft_iam_roles | ./modules/aft-iam-roles | n/a |
| aft_lambda_layer | ./modules/aft-lambda-layer | n/a |
| aft_ssm_parameters | ./modules/aft-ssm-parameters | n/a |
| packaging | ./modules/aft-archives | n/a |

Resources

| Name | Type |
|---|---|
| aws_partition.current | data source |
| local_file.version | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_customizations_repo_branch | Branch to source the account customizations repo from | string | "main" | no |
| account_customizations_repo_name | Repository name for the account customizations files. For non-CodeCommit repos, the name should be in the format Org/Repo | string | "aft-account-customizations" | no |
| account_provisioning_customizations_repo_branch | Branch to source the account provisioning customization files from | string | "main" | no |
| account_provisioning_customizations_repo_name | Repository name for the account provisioning customizations files. For non-CodeCommit repos, the name should be in the format Org/Repo | string | "aft-account-provisioning-customizations" | no |
| account_request_repo_branch | Branch to source the account request repo from | string | "main" | no |
| account_request_repo_name | Repository name for the account request files. For non-CodeCommit repos, the name should be in the format Org/Repo | string | "aft-account-request" | no |
| aft_feature_cloudtrail_data_events | Feature flag toggling CloudTrail data events on/off | bool | false | no |
| aft_feature_delete_default_vpcs_enabled | Feature flag toggling deletion of default VPCs on/off | bool | false | no |
| aft_feature_enterprise_support | Feature flag toggling Enterprise Support enrollment on/off | bool | false | no |
| aft_framework_repo_git_ref | Git branch from which the AFT framework should be sourced | string | null | no |
| aft_framework_repo_url | Git repo URL from which the AFT framework should be sourced | string | "https://github.com/aws-ia/terraform-aws-control_tower_account_factory.git" | no |
| aft_management_account_id | AFT Management Account ID | string | n/a | yes |
| aft_metrics_reporting | Flag toggling reporting of operational metrics | bool | true | no |
| aft_vpc_cidr | CIDR block to allocate to the AFT VPC | string | "192.168.0.0/22" | no |
| aft_vpc_endpoints | Flag turning VPC endpoints on/off for the AFT VPC | bool | true | no |
| aft_vpc_private_subnet_01_cidr | CIDR block to allocate to Private Subnet 01 | string | "192.168.0.0/24" | no |
| aft_vpc_private_subnet_02_cidr | CIDR block to allocate to Private Subnet 02 | string | "192.168.1.0/24" | no |
| aft_vpc_public_subnet_01_cidr | CIDR block to allocate to Public Subnet 01 | string | "192.168.2.0/25" | no |
| aft_vpc_public_subnet_02_cidr | CIDR block to allocate to Public Subnet 02 | string | "192.168.2.128/25" | no |
| audit_account_id | Audit Account ID | string | n/a | yes |
| cloudwatch_log_group_retention | Number of days to keep CloudWatch Log Groups for Lambda functions. 0 = never expire | string | "0" | no |
| concurrent_account_factory_actions | Maximum number of accounts that can be provisioned in parallel | number | 5 | no |
| ct_home_region | The region from which this module will be executed. This MUST be the same region in which Control Tower is deployed | string | n/a | yes |
| ct_management_account_id | Control Tower Management Account ID | string | n/a | yes |
| github_enterprise_url | GitHub Enterprise URL, if GitHub Enterprise is being used | string | "null" | no |
| global_codebuild_timeout | CodeBuild build timeout | number | 60 | no |
| global_customizations_repo_branch | Branch to source the global customizations repo from | string | "main" | no |
| global_customizations_repo_name | Repository name for the global customization files. For non-CodeCommit repos, the name should be in the format Org/Repo | string | "aft-global-customizations" | no |
| log_archive_account_id | Log Archive Account ID | string | n/a | yes |
| maximum_concurrent_customizations | Maximum number of customizations/pipelines to run at once | number | 5 | no |
| terraform_api_endpoint | API endpoint for Terraform. Must be in the format https://xxx.xxx | string | "https://app.terraform.io/api/v2/" | no |
| terraform_distribution | Terraform distribution being used for AFT; valid values are oss, tfc, or tfe | string | "oss" | no |
| terraform_org_name | Organization name for Terraform Cloud or Enterprise | string | "null" | no |
| terraform_token | Terraform token for Cloud or Enterprise | string | "null" | no |
| terraform_version | Terraform version being used for AFT | string | "0.15.5" | no |
| tf_backend_secondary_region | AFT creates a backend for state tracking, for its own state as well as for OSS cases. The backend's primary region is the same as the AFT region; this defines the secondary region to replicate to | string | "" | no |
| vcs_provider | Customer VCS provider; valid inputs are codecommit, bitbucket, github, or githubenterprise | string | "codecommit" | no |
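The following root module is an added example, not code from the AFT repository; it ties Step 5 to the inputs table above: it pins the versions from the Requirements table, keeps the root module's own state in the S3/DynamoDB backend that the Step 5 note recommends, and sets the required inputs plus the logging-related feature flags explicitly. All account IDs, bucket and table names, and regions are placeholders.

```hcl
# Added example root module (not from the AFT repository); IDs, names and regions are placeholders.
terraform {
  required_version = ">= 0.15.1, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.27.0, < 5.0.0"
    }
  }

  # The AFT module does not manage this root module's state, so keep it in S3 with
  # DynamoDB locking rather than in a local terraform.tfstate. The state may hold
  # sensitive inputs, so bucket encryption and access control are part of protecting it.
  backend "s3" {
    bucket         = "PLACEHOLDER-aft-root-state"
    key            = "aft/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "PLACEHOLDER-aft-root-state-lock"
  }
}

# Run while authenticated to the Control Tower management account with AdministratorAccess.
provider "aws" {
  region = "us-east-1" # must match ct_home_region below
}

module "aft" {
  # Pin to a release tag (append ?ref=<tag>) rather than tracking the default branch.
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"

  # Required inputs (no default in the inputs table).
  ct_management_account_id  = "111111111111" # placeholder
  log_archive_account_id    = "222222222222" # placeholder
  audit_account_id          = "333333333333" # placeholder
  aft_management_account_id = "444444444444" # placeholder: the account provisioned in Step 3
  ct_home_region            = "us-east-1"

  # Replicate AFT's own backend state to a second region.
  tf_backend_secondary_region = "us-west-2"

  # Logging and hygiene flags, set explicitly instead of relying on the defaults.
  aft_feature_cloudtrail_data_events      = true
  aft_feature_delete_default_vpcs_enabled = true
  aft_feature_enterprise_support          = false
  aft_metrics_reporting                   = false
  cloudwatch_log_group_retention          = "365"

  # Terraform OSS with CodeCommit: terraform_token stays at its default and never
  # enters the state. For tfc/tfe, pass the token through TF_VAR_terraform_token or a
  # variable marked sensitive instead of writing it as a literal here.
  terraform_distribution = "oss"
  vcs_provider           = "codecommit"
}
```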

Outputs

| Name | Description |
|---|---|
| account_customizations_repo_branch | n/a |
| account_customizations_repo_name | n/a |
| account_provisioning_customizations_repo_branch | n/a |
| account_provisioning_customizations_repo_name | n/a |
| account_request_repo_branch | n/a |
| account_request_repo_name | n/a |
| aft_feature_cloudtrail_data_events | n/a |
| aft_feature_delete_default_vpcs_enabled | n/a |
| aft_feature_enterprise_support | n/a |
| aft_management_account_id | n/a |
| aft_vpc_cidr | n/a |
| aft_vpc_private_subnet_01_cidr | n/a |
| aft_vpc_private_subnet_02_cidr | n/a |
| aft_vpc_public_subnet_01_cidr | n/a |
| aft_vpc_public_subnet_02_cidr | n/a |
| audit_account_id | n/a |
| cloudwatch_log_group_retention | n/a |
| ct_home_region | n/a |
| ct_management_account_id | n/a |
| github_enterprise_url | n/a |
| global_customizations_repo_branch | n/a |
| global_customizations_repo_name | n/a |
| log_archive_account_id | n/a |
| maximum_concurrent_customizations | n/a |
| terraform_api_endpoint | n/a |
| terraform_distribution | n/a |
| terraform_org_name | n/a |
| terraform_version | n/a |
| tf_backend_secondary_region | n/a |
| vcs_provider | n/a |
