AWS multi-account management with AWS Control Tower Account Factory for Terraform
For many of the AWS business users, a multi-account strategy optimizes operational excellence, security, reliability, and cost. Using AWS Organizations helps centrally govern your environment as you grow and scale workloads on AWS.
AWS Organizations provision accounts and resources; secure and audit their environment for compliance; share resources; control access to accounts, regions, and services; as well as optimize costs and simplify billing.
Additionally, AWS Organizations support the aggregation of health events, consolidated data on the use of access permissions, and centralized management of backups and tagging for multi-account environments.
When you start implementing a multi-account strategy with AWS Organizations, the problem of provisioning and configuring each account for the purpose you plan to use it starts to emerge. This is where the AWS Control Tower service helps you set up and govern a secure, multi-account AWS environment following prescriptive best practices. But even with it, the process can still be further optimized and automated.
One of the preferred methods of managing the multi-account strategy on AWS is adopting the GitOps model by using Terraform. AWS Control Tower Account Factory for Terraform (AFT) is a proposed solution by AWS, and it can be used as part of your company processes.
A detailed chart of the actual implementation of AFT in your AWS Organization.
Implementing the AFT gives you a wide level of customization and the option to integrate the account creation process into external pipelines and processes based on your needs. It can leverage your GitHub Enterprise as well as Terraform Enterprise subscriptions.
The solution works in a separate Organizational Unit and AWS account and leverages the cross-account Roles in the AWS Organizations Management, Audit, Logs, and target accounts. At the source of the AFT are the four Git repositories:
Account requests – handles placing or updating account requests.
AFT account provisioning customizations – manages customizations that are applied to all accounts created by and managed with AFT, before beginning the global customizations stage. (The place where you can add third-party integrations with AWS Lambda, AWS Step Functions, Amazon SNS, Amazon SQS, and other services)
Global customizations – manage customizations that are applied to all accounts created by and managed with AFT.
Account customizations – manage customizations that are applied only to specific accounts created by and managed with AFT.
The first two are only executed during the initial account creation. The second two can be triggered manually to apply retroactively changes that are introduced after some of the accounts are created with different versions of customizations by triggering the aft-invoke-customizations Lambda.
Additionally, the implementation of the AFT allows you to select some additional options for the newly created accounts like:
AWS CloudTrail data events
AWS Enterprise Support plan
Delete the AWS default VPC
Using the GitOps model that automates the process of account provisioning and updating in AWS Control Tower, you leverage the advantage of Infrastructure as code-based account provisioning while allowing you to govern your accounts with AWS Control Tower. It offers flexibility and feature options that can be further enhanced and customized to meet your company's needs.