Home

Awesome

AWS Control Tower Account Factory for Terraform

AWS Control Tower Account Factory for Terraform (AFT) follows a GitOps model to automate the processes of account provisioning and account updating in AWS Control Tower. You'll create an account request Terraform file, which provides the necessary input that triggers the AFT workflow for account provisioning.

For more information on AFT, see Overview of AWS Control Tower Account Factory for Terraform

Getting started

This guide is intended for administrators of AWS Control Tower environments who wish to set up Account Factory for Terraform (AFT) in their environment. It describes how to set up an Account Factory for Terraform (AFT) environment with a new, dedicated AFT management account. This guide follows the deployment steps outlined in Deploy AWS Control Tower Account Factory for Terraform (AFT)

Configure and launch your AWS Control Tower Account Factory for Terraform

Five steps are required to configure and launch your AFT environment.

Step 1: Launch your AWS Control Tower landing zone

Before launching AFT, you must have a working AWS Control Tower landing zone in your AWS account. You will configure and launch AFT from the AWS Control Tower management account.

Step 2: Create a new organizational unit for AFT (recommended)

We recommend that you create a separate OU in your AWS Organization, where you will deploy the AFT management account. Create an OU through your AWS Control Tower management account. For instructions on how to create an OU, refer to Create an organization in the AWS Organizations User Guide.

Step 3: Provision the AFT management account

AFT requires a separate AWS account to manage and orchestrate its own requests. From the AWS Control Tower management account that's associated with your AWS Control Tower landing zone, you'll provision this account for AFT.

To provision the AFT management account, see Provisioning Account Factory Accounts With AWS Service Catalog. When specifying an OU, be sure to select the OU you created in Step 2. When specifying a name, use "AFT-Management".

Note: It can take up to 30 minutes for the account to be fully provisioned. Validate that you have access to the AFT management account.

Step 4: Ensure that the Terraform environment is available for deployment

This step assumes that you are experienced with Terraform, and that you have procedures in place for executing Terraform. AFT supports Terraform Version 0.15.x or later.

Step 5: Call the Account Factory for Terraform module to deploy AFT

The Account Factory for Terraform module must be called while you are authenticated with AdministratorAccess credentials in your AWS Control Tower management account.

AWS Control Tower, through the AWS Control Tower management account, vends a Terraform module that establishes all infrastructure necessary to orchestrate your AWS Control Tower account factory requests. You can view that module in the AFT repository.

Refer to the module’s README file for information about the input required to run the module and deploy AFT.

If you have established pipelines for managing Terraform in your environment, you can integrate this module into your existing workflow. Otherwise, run the module from any environment that is authenticated with the required credentials.

Note: The AFT Terraform module does not manage a backend Terraform state. Be sure to preserve the Terraform state file that’s generated, after applying the module, or set up a Terraform backend using Amazon S3 and DynamoDB.

Certain input variables may contain sensitive values, such as a private ssh key or Terraform token. These values may be viewable as plain text in Terraform state file, depending on your deployment method. It is your responsibility to protect the Terraform state file, which may contain sensitive data. See the Terraform documentation

for more information.

Note: Deploying AFT through the Terraform module requires several minutes. Initial deployment may require up to 30 minutes. As a best practice, use AWS Security Token Service (STS) credentials and ensure that the credentials have a timeout sufficient for a full deployment, because a timeout causes the deployment to fail. The minimum timeout for AWS STS credentials is 60 minutes or more. Alternatively, you can leverage any IAM user that has AdministratorAccess permissions in the AWS Control Tower management account.

Next Steps:

Now that you have configured and deployed AWS Control Tower Account Factory for Terraform, follow the steps outlined in Post-deployment steps and Provision accounts with AWS Control Tower Account Factory for Terraform to begin using your environment.

Collection of Operational Metrics

As of version 1.6.0, AFT collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the documentation here.

<!-- BEGIN_TF_DOCS -->

Requirements

NameVersion
<a name="requirement_terraform"></a> terraform>= 1.2.0, < 2.0.0
<a name="requirement_aws"></a> aws>= 5.11.0, < 6.0.0

Providers

NameVersion
<a name="provider_aws"></a> aws>= 5.11.0, < 6.0.0
<a name="provider_local"></a> localn/a

Modules

NameSourceVersion
<a name="module_aft_account_provisioning_framework"></a> aft_account_provisioning_framework./modules/aft-account-provisioning-frameworkn/a
<a name="module_aft_account_request_framework"></a> aft_account_request_framework./modules/aft-account-request-frameworkn/a
<a name="module_aft_backend"></a> aft_backend./modules/aft-backendn/a
<a name="module_aft_code_repositories"></a> aft_code_repositories./modules/aft-code-repositoriesn/a
<a name="module_aft_customizations"></a> aft_customizations./modules/aft-customizationsn/a
<a name="module_aft_feature_options"></a> aft_feature_options./modules/aft-feature-optionsn/a
<a name="module_aft_iam_roles"></a> aft_iam_roles./modules/aft-iam-rolesn/a
<a name="module_aft_lambda_layer"></a> aft_lambda_layer./modules/aft-lambda-layern/a
<a name="module_aft_ssm_parameters"></a> aft_ssm_parameters./modules/aft-ssm-parametersn/a
<a name="module_packaging"></a> packaging./modules/aft-archivesn/a

Resources

NameType
aws_partition.currentdata source
aws_service.home_region_validationdata source
aws_ssm_parameters_by_path.servicecatalog_regional_datadata source
local_file.python_versiondata source
local_file.versiondata source

Inputs

NameDescriptionTypeDefaultRequired
<a name="input_account_customizations_repo_branch"></a> account_customizations_repo_branchBranch to source account customizations repo fromstring"main"no
<a name="input_account_customizations_repo_name"></a> account_customizations_repo_nameRepository name for the account customizations files. For non-CodeCommit repos, name should be in the format of Org/Repostring"aft-account-customizations"no
<a name="input_account_provisioning_customizations_repo_branch"></a> account_provisioning_customizations_repo_branchBranch to source account provisioning customization filesstring"main"no
<a name="input_account_provisioning_customizations_repo_name"></a> account_provisioning_customizations_repo_nameRepository name for the account provisioning customizations files. For non-CodeCommit repos, name should be in the format of Org/Repostring"aft-account-provisioning-customizations"no
<a name="input_account_request_repo_branch"></a> account_request_repo_branchBranch to source account request repo fromstring"main"no
<a name="input_account_request_repo_name"></a> account_request_repo_nameRepository name for the account request files. For non-CodeCommit repos, name should be in the format of Org/Repostring"aft-account-request"no
<a name="input_aft_backend_bucket_access_logs_object_expiration_days"></a> aft_backend_bucket_access_logs_object_expiration_daysAmount of days to keep the objects stored in the access logs bucket for AFT backend bucketsnumber365no
<a name="input_aft_enable_vpc"></a> aft_enable_vpcFlag turning use of VPC on/off for AFTbooltrueno
<a name="input_aft_feature_cloudtrail_data_events"></a> aft_feature_cloudtrail_data_eventsFeature flag toggling CloudTrail data events on/offboolfalseno
<a name="input_aft_feature_delete_default_vpcs_enabled"></a> aft_feature_delete_default_vpcs_enabledFeature flag toggling deletion of default VPCs on/offboolfalseno
<a name="input_aft_feature_enterprise_support"></a> aft_feature_enterprise_supportFeature flag toggling Enterprise Support enrollment on/offboolfalseno
<a name="input_aft_framework_repo_git_ref"></a> aft_framework_repo_git_refGit branch from which the AFT framework should be sourced fromstringnullno
<a name="input_aft_framework_repo_url"></a> aft_framework_repo_urlGit repo URL where the AFT framework should be sourced fromstring"https://github.com/aws-ia/terraform-aws-control_tower_account_factory.git"no
<a name="input_aft_management_account_id"></a> aft_management_account_idAFT Management Account IDstringn/ayes
<a name="input_aft_metrics_reporting"></a> aft_metrics_reportingFlag toggling reporting of operational metricsbooltrueno
<a name="input_aft_vpc_cidr"></a> aft_vpc_cidrCIDR Block to allocate to the AFT VPCstring"192.168.0.0/22"no
<a name="input_aft_vpc_endpoints"></a> aft_vpc_endpointsFlag turning VPC endpoints on/off for AFT VPCbooltrueno
<a name="input_aft_vpc_private_subnet_01_cidr"></a> aft_vpc_private_subnet_01_cidrCIDR Block to allocate to the Private Subnet 01string"192.168.0.0/24"no
<a name="input_aft_vpc_private_subnet_02_cidr"></a> aft_vpc_private_subnet_02_cidrCIDR Block to allocate to the Private Subnet 02string"192.168.1.0/24"no
<a name="input_aft_vpc_public_subnet_01_cidr"></a> aft_vpc_public_subnet_01_cidrCIDR Block to allocate to the Public Subnet 01string"192.168.2.0/25"no
<a name="input_aft_vpc_public_subnet_02_cidr"></a> aft_vpc_public_subnet_02_cidrCIDR Block to allocate to the Public Subnet 02string"192.168.2.128/25"no
<a name="input_audit_account_id"></a> audit_account_idAudit Account Idstringn/ayes
<a name="input_backup_recovery_point_retention"></a> backup_recovery_point_retentionNumber of days to keep backup recovery points in AFT DynamoDB tables. Default = Never Expirenumbernullno
<a name="input_cloudwatch_log_group_retention"></a> cloudwatch_log_group_retentionAmount of days to keep CloudWatch Log Groups for Lambda functions. 0 = Never Expirestring"0"no
<a name="input_concurrent_account_factory_actions"></a> concurrent_account_factory_actionsMaximum number of accounts that can be provisioned in parallel.number5no
<a name="input_ct_home_region"></a> ct_home_regionThe region from which this module will be executed. This MUST be the same region as Control Tower is deployed.stringn/ayes
<a name="input_ct_management_account_id"></a> ct_management_account_idControl Tower Management Account Idstringn/ayes
<a name="input_github_enterprise_url"></a> github_enterprise_urlGitHub enterprise URL, if GitHub Enterprise is being usedstring"null"no
<a name="input_gitlab_selfmanaged_url"></a> gitlab_selfmanaged_urlGitLab SelfManaged URL, if GitLab SelfManaged is being usedstring"null"no
<a name="input_global_codebuild_timeout"></a> global_codebuild_timeoutCodebuild build timeoutnumber60no
<a name="input_global_customizations_repo_branch"></a> global_customizations_repo_branchBranch to source global customizations repo fromstring"main"no
<a name="input_global_customizations_repo_name"></a> global_customizations_repo_nameRepository name for the global customization files. For non-CodeCommit repos, name should be in the format of Org/Repostring"aft-global-customizations"no
<a name="input_log_archive_account_id"></a> log_archive_account_idLog Archive Account Idstringn/ayes
<a name="input_log_archive_bucket_object_expiration_days"></a> log_archive_bucket_object_expiration_daysAmount of days to keep the objects stored in the AFT logging bucketnumber365no
<a name="input_maximum_concurrent_customizations"></a> maximum_concurrent_customizationsMaximum number of customizations/pipelines to run at oncenumber5no
<a name="input_terraform_api_endpoint"></a> terraform_api_endpointAPI Endpoint for Terraform. Must be in the format of https://xxx.xxx.string"https://app.terraform.io/api/v2/"no
<a name="input_terraform_distribution"></a> terraform_distributionTerraform distribution being used for AFT - valid values are oss, tfc, or tfestring"oss"no
<a name="input_terraform_org_name"></a> terraform_org_nameOrganization name for Terraform Cloud or Enterprisestring"null"no
<a name="input_terraform_token"></a> terraform_tokenTerraform token for Cloud or Enterprisestring"null"no
<a name="input_terraform_version"></a> terraform_versionTerraform version being used for AFTstring"1.6.0"no
<a name="input_tf_backend_secondary_region"></a> tf_backend_secondary_regionAFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to.string""no
<a name="input_vcs_provider"></a> vcs_providerCustomer VCS Provider - valid inputs are codecommit, bitbucket, github, githubenterprise, gitlab, or gitLab self-managedstring"codecommit"no

Outputs

NameDescription
<a name="output_account_customizations_repo_branch"></a> account_customizations_repo_branchn/a
<a name="output_account_customizations_repo_name"></a> account_customizations_repo_namen/a
<a name="output_account_provisioning_customizations_repo_branch"></a> account_provisioning_customizations_repo_branchn/a
<a name="output_account_provisioning_customizations_repo_name"></a> account_provisioning_customizations_repo_namen/a
<a name="output_account_request_repo_branch"></a> account_request_repo_branchn/a
<a name="output_account_request_repo_name"></a> account_request_repo_namen/a
<a name="output_aft_feature_cloudtrail_data_events"></a> aft_feature_cloudtrail_data_eventsn/a
<a name="output_aft_feature_delete_default_vpcs_enabled"></a> aft_feature_delete_default_vpcs_enabledn/a
<a name="output_aft_feature_enterprise_support"></a> aft_feature_enterprise_supportn/a
<a name="output_aft_management_account_id"></a> aft_management_account_idn/a
<a name="output_aft_vpc_cidr"></a> aft_vpc_cidrn/a
<a name="output_aft_vpc_private_subnet_01_cidr"></a> aft_vpc_private_subnet_01_cidrn/a
<a name="output_aft_vpc_private_subnet_02_cidr"></a> aft_vpc_private_subnet_02_cidrn/a
<a name="output_aft_vpc_public_subnet_01_cidr"></a> aft_vpc_public_subnet_01_cidrn/a
<a name="output_aft_vpc_public_subnet_02_cidr"></a> aft_vpc_public_subnet_02_cidrn/a
<a name="output_audit_account_id"></a> audit_account_idn/a
<a name="output_backup_recovery_point_retention"></a> backup_recovery_point_retentionn/a
<a name="output_cloudwatch_log_group_retention"></a> cloudwatch_log_group_retentionn/a
<a name="output_ct_home_region"></a> ct_home_regionn/a
<a name="output_ct_management_account_id"></a> ct_management_account_idn/a
<a name="output_github_enterprise_url"></a> github_enterprise_urln/a
<a name="output_gitlab_selfmanaged_url"></a> gitlab_selfmanaged_urln/a
<a name="output_global_customizations_repo_branch"></a> global_customizations_repo_branchn/a
<a name="output_global_customizations_repo_name"></a> global_customizations_repo_namen/a
<a name="output_log_archive_account_id"></a> log_archive_account_idn/a
<a name="output_maximum_concurrent_customizations"></a> maximum_concurrent_customizationsn/a
<a name="output_terraform_api_endpoint"></a> terraform_api_endpointn/a
<a name="output_terraform_distribution"></a> terraform_distributionn/a
<a name="output_terraform_org_name"></a> terraform_org_namen/a
<a name="output_terraform_version"></a> terraform_versionn/a
<a name="output_tf_backend_secondary_region"></a> tf_backend_secondary_regionn/a
<a name="output_vcs_provider"></a> vcs_providern/a
<!-- END_TF_DOCS -->