AWS Control Tower with Account Factory for Terraform

akhil mittal - Sep 12 - Dev Community

What is Account Factory For Terraform?

The AWS Control Tower Account Factory for Terraform (AFT) Terraform module makes it simple to create and modify new accounts that adhere to your organization's security policies. AFT establishes a pipeline for the automatic and reliable creation of AWS Control Tower accounts, so you can combine Terraform's workflow with Control Tower's governance capabilities. The module is maintained by AWS.
This tutorial walks you through the one-time steps needed to deploy AFT and establish the account creation pipeline. You will then use AFT to create and customize your Control Tower accounts. In this lesson you will deploy the AFT module, review the customization options for the accounts AFT provisions, and learn about the components of AFT and its workflow.

Implementation

PREREQUISITES:
Before we start the walkthrough, the following prerequisites are required:
1) An AWS Control Tower environment deployed and active.
2) An AWS account with credentials for a non-root user with AdministratorAccess.
3) A new root email address for the new vended AWS account that you'll submit through AFT.
4) A new or existing Organizational Unit (OU) governed by AWS Control Tower, which is needed as a parameter of the new account request in AFT.
5) An integrated development environment (IDE) with Git, Terraform, and the AWS Command Line Interface (AWS CLI) installed. Your IDE environment must be configured with AWS credentials for your AFT management account.
6) Make sure to specify the AWS Control Tower home region in the commands where applicable.

STEP 1: Create AWS AFT Organizational Unit and Account

From now on we will be referencing two accounts:
1) Control Tower management account: the account in which we have launched AWS Control Tower.
2) Account Factory (AFT) management account: the account that will be provisioned in this section.

In your Control Tower management account, navigate to AWS Control Tower and open Organization from the left pane. Select Create Resources, then select Create Organization Unit.

Name the OU (we have named it Learn AFT), then select Root as the parent OU.

Now navigate to Account Factory and select Create Account.

In the Account email field, enter an email address that is not associated with any AWS account; this will be the new account's root email address. In IAM Identity Center user email, enter an email address you have access to. Select Learn AFT as the Organizational Unit. Fill in all other fields as you prefer.

Account provisioning can take up to 30 minutes.

Step 2: Clone and Fork Examples with configurations

We will be working with 5 repositories: one with the AFT module deployment and 4 in which the module requires you to define your account specifications. The first repository, learn-terraform-aws-control-tower-aft, is a one-time setup that creates the required infrastructure across the Control Tower management account and the AFT management account. It creates 327 resources in these accounts, and these resources let us create accounts in our Control Tower and apply all the customizations.
AFT supports multiple VCS providers such as AWS CodeCommit, GitHub, Bitbucket, and GitHub Enterprise Server. By default it uses AWS CodeCommit for the repositories. In our case we will use GitHub as the VCS.
First, clone learn-terraform-aws-control-tower-aft, which contains the AFT module configuration for the AFT management account.
Then fork the following 4 repositories into your GitHub account:

1) The learn-terraform-aft-account-request repository: provides an example setup for starting AFT-based new account provisioning.
2) The learn-terraform-aft-global-customizations repository: provides boilerplate setup for customizations that will be applied to each account that AFT creates.
3) The learn-terraform-aft-account-customizations repository: includes default settings for account-specific customizations.
4) The learn-terraform-aft-account-provisioning-customizations repository: provides default settings that can be applied to accounts at provisioning time.

Clone your copies of the repositories to your computer.

Step 3: Deploy AFT module

The AFT module is maintained by the AWS team; it deploys multiple services that help you provision and customize accounts in Control Tower.
In your terminal, navigate to the learn-terraform-aws-control-tower-aft repository you cloned earlier.
1. Update the AFT module configuration
Open the main.tf file in your IDE, review it, and configure it according to your requirements. This module provisions resources across the Log Archive, Audit, Control Tower management, and AFT management accounts in your Landing Zone.
In terraform.tfvars, provide your AWS account IDs for ct_management_account_id, log_archive_account_id, audit_account_id, and aft_management_account_id. For ct_home_region, use the same region in which Control Tower is enabled. Provide your GitHub username in the github_username variable.
By setting feature flags, you can disable the default VPC in new accounts or enable CloudTrail recording at the organization level.
2. Apply the configuration
After the AFT management account is provisioned, we will deploy the AFT module. Configure your terminal with the AWS credentials for a user with AdministratorAccess in your Control Tower management account.
Initialize the configuration to install the AWS provider and download the AFT module by running terraform init. Then apply the configuration by running terraform apply to provision all the services; respond yes to confirm the operation. Deployment takes 15 to 20 minutes.
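
As an added illustration (not the learn-terraform-aws-control-tower-aft repository's own main.tf), this is the shape of the AFT module call that the terraform.tfvars values above feed, with GitHub as the VCS and the two feature flags from the text set. The input names are those of the public AFT module; the secondary backend region and the Terraform version are assumed values.

```hcl
# Added example (not the learn repository's own main.tf): the AFT module call
# that terraform.tfvars feeds, with GitHub as VCS and the two feature flags
# from the text set. Account IDs, region and GitHub user come from
# terraform.tfvars and are placeholders here.
variable "ct_management_account_id" { type = string }
variable "log_archive_account_id" { type = string }
variable "audit_account_id" { type = string }
variable "aft_management_account_id" { type = string }
variable "ct_home_region" { type = string }
variable "github_username" { type = string }

provider "aws" {
  region = var.ct_home_region
}

module "aft" {
  source = "aws-ia/control_tower_account_factory/aws"

  # Landing Zone accounts; IDs are supplied through terraform.tfvars
  ct_management_account_id    = var.ct_management_account_id
  log_archive_account_id      = var.log_archive_account_id
  audit_account_id            = var.audit_account_id
  aft_management_account_id   = var.aft_management_account_id
  ct_home_region              = var.ct_home_region
  tf_backend_secondary_region = "us-west-2" # assumed second region for the AFT state backup

  # Terraform distribution the customization pipelines run (assumed version)
  terraform_distribution = "oss"
  terraform_version      = "1.5.7"

  # GitHub as VCS; names are "<owner>/<repo>" and match the forks from Step 2
  vcs_provider                                  = "github"
  account_request_repo_name                     = "${var.github_username}/learn-terraform-aft-account-request"
  global_customizations_repo_name               = "${var.github_username}/learn-terraform-aft-global-customizations"
  account_customizations_repo_name              = "${var.github_username}/learn-terraform-aft-account-customizations"
  account_provisioning_customizations_repo_name = "${var.github_username}/learn-terraform-aft-account-provisioning-customizations"

  # Feature flags from the text: remove the default VPC in each vended account
  # and record CloudTrail data events at the organization level
  aft_feature_delete_default_vpcs_enabled = true
  aft_feature_cloudtrail_data_events      = true
}
```

Both flags reduce the attack surface of a freshly vended account: no default VPC means no implicitly reachable subnets, and organization-level data event logging gives the security team S3 and Lambda activity from day one.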

NOTE: Many resources are created, and it may not be obvious why some of them are beneficial, for example the PrivateLink interface endpoints and NAT gateways, which incur the highest cost. They are needed so that AFT can communicate with AWS services privately, without using public endpoints, which gives enhanced data protection and security. The NAT gateway is required for AWS CodeBuild to communicate.

Review AFT components and workflow
One of the many advantages AFT has over manual provisioning of accounts is the ability to queue multiple account requests with your configuration. AWS Control Tower currently allows you to create only one account at a time, but AFT uses DynamoDB and SQS to queue your account requests, making batched account creation more efficient.

First, you must create an account request file with the required attributes for the account to be provisioned. You must also define the customizations you wish to apply to the account.

Once you push your files to GitHub repositories, AFT triggers a workflow that will provision and customize your account.

1) CodePipeline launches CodeBuild projects to populate a DynamoDB table item with your new account information. The new item triggers a Lambda function that records your account request in SQS, allowing you to create many new accounts at the same time.
2) The new SQS messages trigger Lambda functions, which process your account request and begin the account vending process in Control Tower. AFT also creates an account-specific pipeline to manage the customization of your new account, as well as an execution role in your new account that it uses to customize it.
3) When AFT creates a new account, it triggers Lambda functions that activate your account-specific pipeline, which applies global and account-specific customizations. If you use Terraform configuration to create resources in your account, the state of those resources is stored in S3. AFT applies account changes within your new account using the execution role it generated.

Enable CodeStar Connection
Since we are using GitHub as the VCS, we require a CodeStar connection. The AFT module sets up a CodeStar connection that watches for changes to the repositories.
Once the AFT module has set up the AFT management account, log in to it, navigate to CodeStar connections in the AWS Management Console, look for ct-aft-github-connection, click on it, and select Update pending connection. Follow the workflow to install a new app and connect it to your personal GitHub account. After configuring it, click Connect to enable the AWS Connector for GitHub.

Grant AFT access to Service Catalog portfolio
Log in to the Control Tower management account in the AWS console, navigate to Portfolios on the Service Catalog page, and click on the AWS Control Tower Account Factory Portfolio. Select the Groups, roles, and users tab, then click Add groups, roles, users. Select the Roles tab, then search for AWSAFTExecution. Check the box next to it and click Add access.

Navigate to the CodePipeline page in your AFT management account. Select the ct-aft-account-provisioning-customizations pipeline and click Release change, then click Release to restart the process.

Deploy an account with AFT
Now we will use AFT to provision a new account in Control Tower. Navigate to your cloned learn-terraform-aft-account-request repository. Open terraform/main.tf, which contains an instance of aft-account-request. Configure the control_tower_parameters, account_tags, change_management_parameters, custom_fields, and account_customizations_name attributes according to your requirements. Then push this code to your GitHub repository.
The CodePipeline that AFT created listens for changes to your account request and customization repositories.
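
An added example of a complete account request (not the request repository's own main.tf): every attribute named above is filled in for a sandbox account placed in the Learn AFT OU from Step 1. The module path, email addresses, tag values and customization name are placeholders.

```hcl
# Added example: one account request in terraform/main.tf of the
# learn-terraform-aft-account-request repository. All values are placeholders;
# the OU name matches the "Learn AFT" OU created in Step 1, and the module
# path assumes the local aft-account-request module shipped with the repository.
module "learn_aft_sandbox_01" {
  source = "./modules/aft-account-request"

  # Parameters handed to the Control Tower Account Factory product
  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-01-root@example.com" # unused root email
    AccountName               = "learn-aft-sandbox-01"
    ManagedOrganizationalUnit = "Learn AFT"
    SSOUserEmail              = "platform-team@example.com"       # IAM Identity Center user
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Team"
  }

  # Tags applied to the account in Organizations; ownership and environment
  # tags are what later guardrails and cost reports key on
  account_tags = {
    "Owner"       = "platform-team"
    "Environment" = "sandbox"
  }

  # Recorded with the request so the account's origin is auditable
  change_management_parameters = {
    change_requested_by = "Platform Team"
    change_reason       = "Sandbox account for the Learn AFT tutorial"
  }

  # Free-form fields that customizations can read at run time
  custom_fields = {
    data_classification = "internal"
  }

  # Must match a subfolder in learn-terraform-aft-account-customizations
  account_customizations_name = "sandbox"
}
```

Pushing this file is the only action a requester takes; the pipeline, DynamoDB item and SQS message described in the workflow above follow from it, which is why access to this repository should be as tightly controlled as access to the management account itself.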

Global customizations
Global customizations apply to all AFT accounts. This enables you to automatically enforce security standards or provision standardized resources and infrastructure in each new account, making compliance with your organization's standards easier.
Navigate to the cloned learn-terraform-aft-global-customizations repository. Move into the terraform folder and create a file named main.tf containing the Terraform configuration for the customizations you require. By default, this configuration does not define any global customizations for your accounts.
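
As an added example of the "enforce security standards" use case (not the global customizations repository's own content), this main.tf applies an account-wide baseline to every account AFT vends. It assumes the provider and backend configuration are supplied by the repository's existing template files, so none is declared here, and the password policy values are illustrative.

```hcl
# Added example: a global customization in terraform/main.tf of the
# learn-terraform-aft-global-customizations repository. It assumes the provider
# and backend blocks come from the repository's existing template files.

# Block public access for every S3 bucket in the account, including buckets
# created later by teams that never touch these settings.
resource "aws_s3_account_public_access_block" "baseline" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt all new EBS volumes by default in the home region.
resource "aws_ebs_encryption_by_default" "baseline" {
  enabled = true
}

# Keep IAM user passwords strong and rotated in case console users are ever
# created outside IAM Identity Center (values are illustrative).
resource "aws_iam_account_password_policy" "baseline" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}
```

Because the customization pipeline runs with the AWSAFTExecution role inside each new account, these settings are applied before anyone else has used the account, which is the point at which a baseline is cheapest to enforce.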

Account customizations
AFT applies account customizations to a specific account or set of accounts. It uses the customizations defined in the repository subfolder whose name you specify in the account_customizations_name input variable.
That input variable's value must correspond to a subfolder in your account customizations repository. Account customizations let you make specific changes to groups of accounts, such as imposing stricter access guardrails on accounts that manage production resources.
Navigate to the cloned learn-terraform-aft-account-customizations repository and open the subfolder matching the account_customizations_name you specified. Inside it, navigate to the terraform directory and open the file named s3.tf. Note that s3.tf is just an example file; modify it according to your specific customization needs.

Inspect new account
Verify that AFT created your new account by finding the AFT management account in the list of accounts in your Control Tower Accounts dashboard.

Conclusion

In conclusion, the AWS Control Tower Account Factory for Terraform (AFT) brings powerful automation to account creation and customization. AFT's ability to queue multiple account requests and apply global and account-specific customizations, together with its seamless integration of Terraform and Control Tower's governance, ensures security policy adherence, efficient workflows, and scalable provisioning. With support for multiple VCS providers such as GitHub, businesses can maintain standardized security baselines and improve operational efficiency across their AWS environment.
