In today's article, we will learn step by step how to deploy Account Factory for Terraform (AFT). Along with that, we will enable CloudTrail and the default VPC deletion feature, which removes the default VPC in every region of each newly created account. After that we will make a small bug fix to the aws-ia code, since we are leveraging it.
I have raised the issue here; you can check it out:
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/393
Prerequisites
- An AWS Control Tower that is already set up. If you have not set one up, check it out here.
- A GitHub account.
- Terraform installed. If you have not installed it, follow my guide in this post.
The following is what we will do in this article:
- Set up an OU and account for AFT
- Set up repositories
- Deploy AFT to Control Tower
- Enable CloudTrail and the default VPC deletion feature, with a bugfix
Let's get into the details!
Set up OU and account
First, let's set up a separate OU and account for AFT, as AWS recommends. Go to the Control Tower console and, in the Organization tab, create a new OU and select Root as the parent OU.
Next, choose the Account Factory tab and provision a new account. Select the OU you just created as the account's OU and skip Account Factory customization for now.
Wait a couple of minutes and you should have a new account in your organization.
Set up repositories
Next, go to GitHub and create the following 4 repositories:
- aft-account-request for handling account requests
- aft-global-customizations for customizing all AFT-managed accounts
- aft-account-customizations for specific customizations on AFT-managed accounts
- aft-account-provisioning-customizations for customizing account provisioning.
After that, populate the repositories with the code I have already prepared:
Finally, clone the aws-ia AFT repository into your GitHub to create a customized version of our own. I'll show you why later.
Deploy AFT to Control Tower
Now, the main step: we will deploy AFT to our Control Tower. Before you start, you need to prepare:
- A user or role with the Administrator policy in the Control Tower management account (the account in which you deployed AWS Control Tower), and an access key for it. Treat this key as highly sensitive: it carries administrator rights over the whole organization, so keep it out of the repositories and rotate or delete it once AFT is deployed.
- A Terraform environment configured with the access key above.
If you have never done the two things above, no worries: take a look at my post, it will guide you through them step by step.
After everything is set up, create a main.tf file and call the aws-ia module that you cloned in the previous step. You can use the following code.
module "aft" {
  source = "github.com/<Your-Github-Org>/terraform-aws-control_tower_account_factory"
  # Required Vars
  ct_management_account_id  = "<your-ct-management-account-id>"
  log_archive_account_id    = "<your-ct-logging-account-id>"
  audit_account_id          = "<your-ct-audit-account-id>"
  aft_management_account_id = "<aft-management-account-id>"
  ct_home_region            = "<your-region>"
  # VCS Vars
  vcs_provider                                  = "github"
  account_request_repo_name                     = "<your-github-org>/aft-account-request"
  global_customizations_repo_name               = "<your-github-org>/aft-global-customizations"
  account_customizations_repo_name              = "<your-github-org>/aft-account-customizations"
  account_provisioning_customizations_repo_name = "<your-github-org>/aft-account-provisioning-customizations"
}
Fill in the correct values and run terraform apply to deploy the infrastructure. It will provision resources for us such as CodeBuild, CodePipeline, Step Functions, Lambda, S3, ... You can see an overview of the architecture in the picture below.
Before moving to the next step, you need to update the CodeStar connection. AFT is triggered automatically by committing code to the aft-account-request repo; in order for AFT to track the code changes, it uses AWS CodeStar.
Access the AFT Management account, then go to CodeCommit. On the left, choose Settings > Connections; you will see a pending connection. Click on the connection and choose Update pending connection.
As you can see, I have already enabled the connection. The steps are quite simple, so you can do it yourself: just a few clicks and you will get it done.
Finally, go to CodePipeline and re-run the ct-aft-account-provisioning-customizations pipeline. It will create a Step Functions state machine for account provisioning customization; we need to do this so our account provisioning step function will not fail.
You can ignore the first pipeline; I created it for testing.
Enable CloudTrail and the default VPC deletion feature, with bugfix
Enable CloudTrail and the default VPC deletion feature by adding these 2 lines to the module block above:
  aft_feature_delete_default_vpcs_enabled = true
  aft_feature_cloudtrail_data_events      = true
Run terraform apply to apply the infrastructure change.
Now, let's create an account through AFT to see if everything is working as expected.
Edit the terraform/main.tf file in the aft-account-request repo; you can use the example code I provided in the previous section.
module "sandbox_account_01" {
  source = "./modules/aft-account-request"
  control_tower_parameters = {
    AccountEmail = "<email-for-new-account>"
    AccountName  = "sandbox-account-01"
    # Syntax for top-level OU
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail     = "<email-for-sso>"
    SSOUserFirstName = "<sso first name>"
    SSOUserLastName  = "<sso last name>"
  }
  account_tags = {
    "ABC:Owner"       = "<owner-email>"
    "ABC:Division"    = "ENT"
    "ABC:Environment" = "Dev"
    "ABC:CostCenter"  = "123456"
    "ABC:Vended"      = "true"
    "ABC:DivCode"     = "102"
    "ABC:BUCode"      = "ABC003"
    "ABC:Project"     = "123456"
  }
  change_management_parameters = {
    change_requested_by = "John Doe"
    change_reason       = "testing the account vending process"
  }
  custom_fields = {
    custom1 = "a"
    custom2 = "b"
  }
  # account_customizations_name = "sandbox-customizations"
}
Commit the code to the main branch and observe the pipeline. You should see the pipeline running and a new account being provisioned.
After the pipeline has run successfully, it will add an item to the DynamoDB table and trigger a series of functions that provision the new account. You can check CloudWatch Logs to see how it runs.
After a couple of minutes, you should see that your account has been provisioned; let's verify that everything is good.
CloudTrail has been enabled, which is good news. Next, let's check whether the default VPCs have been deleted in all regions.
It seems it is not working. As mentioned above, there is a bug in the function, so we need to edit it a little. Go to the file src/aft_lambda/aft_feature_options/aft_delete_default_vpc.py and, in the part where we iterate through the regions to delete default VPCs, change the session as below:
You can also check this link for a clearer view.
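As an added example (not the aws-ia code and not the exact patch from the issue above), the following Python shows the pattern the fix relies on: the EC2 client is created per region inside the loop instead of being reused from the home region. The `session` argument is assumed to be a boto3 Session, or anything with the same `client(service_name, region_name=...)` method, so the logic can be exercised offline against a fake session.

```python
# Added example, not the aws-ia AFT Lambda code. `session` is duck-typed:
# a boto3 Session in practice, or a fake with the same client() method.

def _default_vpc_ids(ec2):
    """Ids of default VPCs visible to this region-scoped client."""
    resp = ec2.describe_vpcs(
        Filters=[{"Name": "isDefault", "Values": ["true"]}])
    return [vpc["VpcId"] for vpc in resp.get("Vpcs", [])]

def _delete_vpc_with_dependencies(ec2, vpc_id):
    """Remove what a default VPC carries, then the VPC itself."""
    # An internet gateway must be detached before it can be deleted.
    igws = ec2.describe_internet_gateways(
        Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])
    for igw in igws.get("InternetGateways", []):
        igw_id = igw["InternetGatewayId"]
        ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
        ec2.delete_internet_gateway(InternetGatewayId=igw_id)
    # A default VPC has one default subnet per availability zone.
    subnets = ec2.describe_subnets(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    for subnet in subnets.get("Subnets", []):
        ec2.delete_subnet(SubnetId=subnet["SubnetId"])
    # The default security group and main route table go with the VPC.
    ec2.delete_vpc(VpcId=vpc_id)

def delete_default_vpcs(session, regions):
    """Delete default VPCs region by region; returns {region: [vpc ids]}.

    The client is built inside the loop with region_name=region. A single
    client created once from the session's home region would only ever
    act on that region, which is the symptom this article's bugfix fixes.
    """
    deleted = {}
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        vpc_ids = _default_vpc_ids(ec2)
        for vpc_id in vpc_ids:
            _delete_vpc_with_dependencies(ec2, vpc_id)
        deleted[region] = vpc_ids
    return deleted

def regions_with_default_vpc(session, regions):
    """Audit helper: regions in which a default VPC still exists."""
    return [r for r in regions
            if _default_vpc_ids(session.client("ec2", region_name=r))]
```

Running `regions_with_default_vpc` against a real session after a provisioning run is a quick way to confirm the feature worked everywhere rather than only in the home region.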
Now create another new account; you will see that the default VPCs have been deleted.
Ignore the region that has 1 VPC; I created it for testing.
Congrats! Now you have officially deployed your Account Factory for Terraform.
Conclusion
This article only guides you through the steps to deploy your first Account Factory for Terraform; you should read the documentation to learn more about the tool. It is a very interesting tool, and I recommend you take a deep dive into it and the value it brings.
You can check out the code here:
AFT Deployment Repo.
Custom AFT module Repo.
Also, take a look at my GitHub!
See you in the next post! Happy Hacking!