NORDICS - DGI Byens CPH Conference 2024
AWS Control Tower: AFT (Account Factory for Terraform)
Masoom Tulsiani | 7th May 2024
Masoom Tulsiani
- Cloud Architect at Rackspace Technology, EMEA
- Based in Amsterdam
- Cloud Engineering / Platform Engineering Background
- Banking, Telecom & Education Research Customers
- Kubernetes, Containers & Cloud Governance/ Landing Zones
- AWS Community Speaker
- Twitter/X: @CloudJedi_
- masoom.tulsiani@rackspace.com
Landing Zone Options
- Customizations for AWS Control Tower (CfCT) - CloudFormation
- Control Tower Account Factory for Terraform (AFT) - Terraform
- Landing Zone Accelerator (LZA) - CDK
AFT Components
IAM roles:
- AWSAFTExecutionRole - used for account customizations
- AWSAFTAdmin role - allows the AFT pipeline to assume roles
- AWSAFTService role - intended for account provisioning
AFT repos:
1. aft-account-request: requests for AFT-provisioned accounts
2. aft-global-customizations: customizations applied to all accounts
3. aft-account-customizations: customizations specific to individual accounts
4. aft-account-provisioning-customizations: integrations with environments using Lambda, Step Functions, ECS, SNS/SQS
backend.tf (CodeBuild project: aft-global-customizations-terraform)

terraform {
  required_version = ">= 0.15.0"

  # Remote state lives in the AFT management account: encrypted with a KMS key,
  # locked through DynamoDB, and reached by assuming the AFT execution role.
  backend "s3" {
    region         = "eu-west-1"
    bucket         = "aft-backend-1975050084111-primary-region"
    key            = "111377056321-aft-global-customizations/terraform.tfstate"
    dynamodb_table = "aft-backend-1975050084111"
    encrypt        = true
    kms_key_id     = "7100e753-de48-4a17-b8fd-597641296870"
    role_arn       = "arn:aws:iam::1975050084111:role/AWSAFTExecution"
  }
}
terraform init output (CodeBuild project: aft-global-customizations-terraform)
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.40.0...
- Installed hashicorp/aws v5.40.0 (signed by HashiCorp)
AFT Pipeline
- CodePipelines: ct-aft-account-provisioning-customizations, ct-aft-customization
- State machine: aft-account-provisioning-framework
Account Import in AFT
Account Request

# One account request per module instance in the aft-account-request repo
module "account_request_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "masoom.tulsiani@rackspace.com"
    AccountName               = "CommunityDaySandbox"
    ManagedOrganizationalUnit = "Dev"
    SSOUserEmail              = "masoom.tulsiani@rackspace.com"
    SSOUserFirstName          = "Masoom"
    SSOUserLastName           = "Tulsiani"
  }

  account_tags = {
    "Project" = "CommunityDay"
  }
}
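Because the aft-account-request repo is edited by hand and every merge triggers provisioning, a pre-commit check over the request inputs catches the common mistakes before the pipeline runs. The following is an added example, not code from the talk or from the AFT project; the OU allow-list, the Project-tag rule and the sample requests are constructed for the example.

```python
# Keys of control_tower_parameters that every AFT account request must carry
REQUIRED_PARAMS = ("AccountEmail", "AccountName", "ManagedOrganizationalUnit",
                   "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName")
ALLOWED_OUS = {"Dev", "Sandbox", "Prod"}  # assumed allow-list of Control Tower managed OUs

def _req(email, name, ou, sso_email, first, last, tags):
    # Same shape as the aft-account-request module inputs shown above
    return {"control_tower_parameters": {
        "AccountEmail": email, "AccountName": name, "ManagedOrganizationalUnit": ou,
        "SSOUserEmail": sso_email, "SSOUserFirstName": first, "SSOUserLastName": last},
        "account_tags": tags}

SAMPLE_REQUESTS = {  # constructed: one clean request, one with typical hand-edit mistakes
    "account_request_01": _req("sandbox@example.com", "CommunityDaySandbox", "Dev",
                               "sandbox@example.com", "Masoom", "Tulsiani", {"Project": "CommunityDay"}),
    "account_request_02": _req("sandbox@example.com", "Copy", "Staging",
                               " sandbox@example.com ", "M", "", {}),
}

def validate_request(req):
    """Return the problems found in one account_request block (empty list means OK)."""
    problems = []
    params = req.get("control_tower_parameters", {})
    for key in REQUIRED_PARAMS:
        value = params.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value != value.strip():
            # Stray spaces such as " user@example.com " make the SSO user lookup fail
            problems.append(f"{key}: has surrounding whitespace")
    ou = params.get("ManagedOrganizationalUnit")
    if ou and ou not in ALLOWED_OUS:
        problems.append(f"ManagedOrganizationalUnit: {ou!r} not in allow-list")
    if "Project" not in (req.get("account_tags") or {}):
        problems.append("account_tags: Project tag required for cost allocation")
    return problems

def validate_all(requests):
    """Validate every request; a root email reused by two requests is flagged, since AWS needs it unique."""
    seen, report = {}, {}
    for name, req in requests.items():
        probs = validate_request(req)
        email = str(req.get("control_tower_parameters", {}).get("AccountEmail", "")).strip().lower()
        if email in seen:
            probs.append(f"AccountEmail: already used by {seen[email]}")
        elif email:
            seen[email] = name
        if probs:
            report[name] = probs
    return report
```

Run `validate_all` over the parsed module blocks in CI and fail the build when the report is non-empty.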
Account Customization

module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"
  ##...
  vcs_provider                                  = "github"
  account_request_repo_name                     = "${var.github_username}/terraform-aft-account-request"
  account_provisioning_customizations_repo_name = "${var.github_username}/terraform-aft-account-provisioning-customizations"
  global_customizations_repo_name               = "${var.github_username}/terraform-aft-global-customizations"
  account_customizations_repo_name              = "${var.github_username}/terraform-aft-account-customizations"
}
Control Tower costs associated with AFT (up to 10 accounts): $150 - $400 per month
- AWS Config: 4010 configuration items in total - $9.84
- Service Catalog: currently $0.09 (the first 1000 API calls are part of the Free Tier)
- Backup recovery points
- CloudTrail: $34 per month
- 2 public NAT Gateways: $60 per month
- 24 VPC endpoints: $175 - $200 per month
- 3 snapshots
- AFT CodePipelines (3 pipelines): $6
- KMS (2 AFT KMS keys): $5
- 5 DynamoDB tables
Takeaway - Control Tower Best Practices
- Self-manage IAM Identity Center (SSO): AWS does not create the IAM roles and groupings for you.
- AFT queues and processes account requests in first-in, first-out order; it takes 30 minutes per account.
- Disable the public NAT Gateway and monitor your AFT costs.
- Disable AWS Config before account enrollment.
- Avoid using AWS Organizations directly to update SCPs attached to an OU.
- Use the Control Tower Detective Guardrails Conformance Pack.
- Check your customer's or organization's needs to decide whether AFT fits the use case.
Thank you!
Twitter: @CloudJedi_
masoom.tulsiani@rackspace.com