AWS re:Invent 2021 - Account provisioning & customization using Terraform with AWS Control Tower

  • Published 15 Dec 2021
  • If you create AWS accounts on a regular basis and need to make sure that those accounts meet all of your users’ needs while also meeting your business and security policies, infrastructure-as-code (IaC) tools are essential for automation, including the popular IaC solution Terraform. Join this session to learn about the newly launched AWS Control Tower Account Factory for Terraform (AFT), which enables you to provision AWS Control Tower managed accounts through Terraform IaC pipelines. Learn how you can use a Terraform IaC pipeline to initiate one-click account creation and then trigger additional customizations to enhance the new account.
    Learn more about re:Invent 2021 at bit.ly/3IvOLtK
  • Science & Technology

Comments • 14

  • @petrmotejlek1427
    @petrmotejlek1427 2 months ago

    I love it... "It's GitOps! But, the moment you want anything to really happen, after you push to a git repo, you gotta trigger a step function." :D

  • @SV-tc8cu
    @SV-tc8cu 1 year ago +1

    so much enthusiasm in the speaker's voice

    • @MatteoMi
      @MatteoMi 4 months ago

      true, so passionate... it's heartwarming

  • @nApucco
    @nApucco 3 months ago

    Great talk as a first introduction.
    One major shortcoming of AFT is that it doesn't provide an easy built-in framework to customize accounts in multiple regions. You need to implement a lot of the multi-region capability inside your single global/account customization, and since TF doesn't support dynamic providers you need to render multiple providers using the Jinja2 templates. Having separate CodeBuild stages and TF executions for each region of an account would have made the TF code much easier, but that is something AFT doesn't support as of 2024.

  • @bnmeier
    @bnmeier 2 years ago +1

    Nice demo! I would love to see how this works with Terraform Cloud. I am assuming the Terraform Backend variables are different or not needed for the aft module if you're using TF Cloud?

    • @RodrigoDeVincenzoMonteiro
      @RodrigoDeVincenzoMonteiro 2 years ago

      I was trying that the last few days using GitHub as VCS. I managed to fully run the initial setup of the Terraform workspace using v1.1.7. You need to have 3 variables on your Terraform Cloud project: the AWS IAM user Access Key Id, the Secret Key, both as in most projects, and last the Terraform Cloud token Id you generate for the user account. It is not possible to use federated accounts at this time. The variables file needs to be updated to include the Terraform Cloud token Id reference, and you need to add an entry selecting Terraform Cloud, as the default if not declared is the CLI version. If you look into the project GitHub examples folders, there are some examples with mixed setup types. Hope this helps with your project.

  • @cedriccameron5447
    @cedriccameron5447 2 years ago +1

    @Vikrant Verma, great question, I too would like to know if this is possible? Would love for AWS support to respond to this question

  • @kutticchathan
    @kutticchathan 2 years ago

    Do you need a management account under each OU to automate accounts within it?

  • @vikrant7000
    @vikrant7000 2 years ago +2

    Thank you for the wonderful session. How can we import an existing account using AFT?

    • @MatteoMi
      @MatteoMi 4 months ago

      You can't, or you can, but it would be so complex that it's likely easier to recreate them, since they're supposed to be basically sandboxes

    • @nApucco
      @nApucco 3 months ago

      @MatteoMi This is not true. Importing an existing account enrolled in CT to be managed by AFT is very easy. It is even documented.
      Of course, if you have existing resources in that account that conflict with TF resources you want to create through customizations, then you would need to either recreate them or import them into the global or account customization TF state for that account.

  • @petrmotejlek1427
    @petrmotejlek1427 2 months ago

    There are 20+ moving pieces in the system for something so f-Ing simple.
    Give us the APIs we need (like controls enablement, including parameters...) and integrate them into the aws terraform provider and we are done.
    If I have a Terraform repo and pipeline already (something most people will have, if they are really using terraform), all I need is a module that creates the account, and then I go ahead and customize it (this is just a fancy word for deploying stuff into the account). I do need to assume a role in the target account, and that might be worthwhile using terragrunt for, but... It's nothing I can't easily implement in my current system, without opting into this humongous beast you call AFT...
    And... The fact one has to still delete default vpcs, because you have no way for me to get an account without them to begin with, is just laughable. (If you are going to say that you can configure control tower not to leave the default vpcs in there, let me tell you that this particular toggle has no public api, so... If you wanna use it, you go into the gui to click it out, or you script your way around removing them...).
    Why does control tower and everything around it look like a partner, who probably wasn't paid particularly well, builds and maintains this for aws, using their own, utterly bad, standards, rather than aws standards?
    The reason people love aws is that it was always api first. Control Tower is the complete opposite, however, and as a product ecosystem I hate it utterly.

    • @awssupport
      @awssupport 2 months ago

      Thanks for taking the time to share your feedback. I've gone ahead and forwarded this through to our Control Tower team for review. ^CM