Understanding AWS Control Tower Account Factory for Terraform (AFT)

Jay Kumar


Introduction

AWS's multi-account provisioning offering, launched around 2018, was originally called AWS Landing Zone. It helped users set up a multi-account AWS environment with all of the recommended best practices. It was later rebranded as AWS Control Tower, with additional features, and provides central management of a multi-account AWS organization.

As infrastructure as code (IaC) matured across the IT industry, most organizations wanted to use IaC to provision and customize AWS accounts. Because AWS Control Tower did not expose an API, it could not be automated with IaC tools such as Terraform. AWS then collaborated with HashiCorp to build a new product, Account Factory for Terraform (AFT), which solves this problem.

What is AWS Control Tower?

AWS developed Control Tower to automate the setup of a landing zone for running secure and scalable workloads. AWS Control Tower is a well-architected account management system. It offers a streamlined workflow for vending and managing multiple AWS accounts centrally, keeps the accounts aligned with prescriptive best practices, and provides centralized governance and guardrails (controls) that are managed from one place. Under the hood it orchestrates other AWS services such as AWS Organizations, AWS Service Catalog, AWS IAM Identity Center and AWS Config.

In practice, AWS Control Tower automates the setup of a landing zone: a multi-account AWS environment, centralized identity management for all accounts using AWS SSO (now IAM Identity Center), centralized logging of CloudTrail and AWS Config data into a dedicated logging account, and preventive and detective guardrails deployed to the governed accounts.

AWS Control Tower also comes with a built-in account factory that lets customers provision standardized accounts with a pre-approved configuration. It includes a dashboard where AWS account administrators can see the accounts provisioned across the enterprise, the controls enabled for policy enforcement, the controls enabled for continuous detection of policy non-conformance, and non-compliant resources organized by account and OU.

Possible Automations of Control Tower landing zone & Account Vendings

Before diving into AFT and how it works, let's look at the automation options besides AFT that can be used to drive Control Tower and to vend new accounts with customizations.

  1. Console (click-ops): As discussed earlier, there were no public API endpoints for Control Tower that could be used to write automation for vending and customizing new accounts, so users ended up provisioning accounts manually through the Control Tower console.
  2. CfCT: In May 2021, AWS released Customizations for AWS Control Tower (CfCT), a GitOps-driven pipeline that provisions and customizes AWS accounts using CloudFormation and SCPs.
  3. Custom Terraform module: Another way to automate the landing zone and account provisioning is to write your own Terraform module that targets the services underlying Control Tower, such as AWS Organizations and AWS Service Catalog.
  4. AFT: In November 2021, AWS, in collaboration with HashiCorp, released AWS Control Tower Account Factory for Terraform (AFT). In this blog we walk through this service and its underlying architecture.

What is AFT?

AWS Control Tower Account Factory for Terraform (AFT) is a Terraform module developed and owned by the AWS Control Tower team in collaboration with HashiCorp. It automates the provisioning and customization of new accounts so that they comply with the organization's security guidelines.

It uses GitOps-driven automation to provision and customize AWS Control Tower accounts. The source configuration can be stored in any repository type supported by AWS CodeStar connections: AWS CodeCommit, GitHub, GitHub Enterprise or Bitbucket.

Because AFT is an open source module, users can customize it to their organization's needs, for example to deploy additional guardrails, network configurations or IAM roles.

AFT also ships with optional built-in features such as automatic enrollment of new accounts in Enterprise Support, AWS CloudTrail data events for S3, and automatic deletion of the default VPCs in all regions.

Pre-requisites

  1. AWS Control Tower: AWS Control Tower must already be enabled in the AWS Organizations management account.
  2. AFT OU and account: Provision an AFT management account in a separate AFT OU using Control Tower; all the resources needed to run AFT will live there.
  3. AdministratorAccess policy user: An IAM user with the AdministratorAccess policy to deploy AFT.
  4. Terraform v0.15+: Terraform v0.15 or later installed locally.
  5. AWS CLI: The AWS CLI installed.

AFT currently supports the below execution environments:

  • Terraform Open Source
  • Terraform Cloud
  • Terraform Enterprise

There are two steps to using AFT: first bootstrap and deploy the AFT module, then use it to vend and customize Control Tower accounts.

Deployment of AFT: Code Overview

As discussed earlier, AFT is a Terraform module available in a GitHub repository. To deploy it, reference the module from a root Terraform configuration and pass in the required variables. Applying that configuration deploys all the resources AFT needs to run. Let's look at a high-level overview of the code.

  1. source: To deploy AFT, the module's open source GitHub repository is referenced as the module source.
  2. CT account IDs: The account IDs of the Control Tower accounts and the regions are passed to the corresponding variables, such as ct_management_account_id and log_archive_account_id.
  3. Optional parameters: Parameters such as terraform_distribution and vcs_provider select the execution environment and the VCS provider.
  4. Feature flags: As discussed in the previous section, AFT comes with a few built-in feature flags. These are enabled or disabled by passing boolean values to the corresponding variables.

These are the main variables needed to deploy AFT. There are many more optional variables that can be used to customize AFT; see the module's input variable documentation.
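The following root module is an added example written for this article, not code from the AFT project itself. It wires the four kinds of inputs listed above into one module call. The account IDs and regions are constructed placeholders, and the variable names beyond the ones named in the text (audit_account_id, aft_management_account_id, ct_home_region, tf_backend_secondary_region and the three aft_feature_* flags) are taken from the AFT module's documented inputs, so check them against the module version you pin.

```hcl
# Added example: root Terraform configuration that deploys AFT into the AFT
# management account. Run it with credentials for the AFT management account.
terraform {
  required_version = ">= 0.15"
}

provider "aws" {
  region = "us-east-1" # must match ct_home_region below
}

module "aft" {
  # 1. source: the open source AFT module on GitHub (pin a tag with ?ref=... in practice)
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"

  # 2. Control Tower account IDs and regions (placeholder values, constructed for this example)
  ct_management_account_id  = "111111111111"
  log_archive_account_id    = "222222222222"
  audit_account_id          = "333333333333"
  aft_management_account_id = "444444444444"
  ct_home_region              = "us-east-1"
  tf_backend_secondary_region = "us-west-2" # replica region for the AFT Terraform state backend

  # 3. Optional parameters: Terraform Open Source execution with CodeCommit as the VCS
  terraform_distribution = "oss"
  vcs_provider           = "codecommit"

  # 4. Feature flags: keep data-event logging and default-VPC cleanup on,
  #    only enable Enterprise Support enrollment if the organization has that plan
  aft_feature_enterprise_support          = false
  aft_feature_cloudtrail_data_events      = true
  aft_feature_delete_default_vpcs_enabled = true
}
```

Pinning the module source to a release tag (rather than tracking the default branch) is what keeps an `apply` reproducible and prevents an unreviewed upstream change from landing in the account that controls every other account's vending pipeline.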

AFT Repositories

Once the AFT code is deployed, it provisions four Git repositories, each with a different purpose:

  1. aft-global-customizations: Deploys a standard set of resources to all vended AWS accounts. This is useful when an organization must deploy certain resources in every account for security or audit purposes.
  2. aft-account-customizations: Deploys customizations to a specific account, selected by the value of the account_customizations_name parameter in the aft-account-request repository.
  3. aft-account-provisioning-customizations: Customizes the account during vending; it is hooked into a Step Functions state machine that customizes the provisioning process for new accounts.
  4. aft-account-request: Holds the Terraform templates that request AFT to provision new accounts. Pushing a template here triggers the account vending pipeline. This repository serves as the central source of truth for the account creation process.
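As an added example of the security-baseline use case described for aft-global-customizations (this is illustrative code, not from the AFT project), the resources below would be placed in a file in that repository's terraform directory. It assumes, as AFT's customization pipeline does, that the AWS provider and state backend are rendered by the template files AFT keeps in the same directory, so the file contains only the resources to apply in every vended account.

```hcl
# Added example: baseline hardening applied to every vended account by the
# aft-global-customizations pipeline. Provider and backend are supplied by AFT's
# own templates in the terraform/ directory (assumption), so none are declared here.

# Identify the account being customized, for tagging and outputs
data "aws_caller_identity" "current" {}

# Block public S3 access at the account level, so a misconfigured bucket policy
# or ACL in a new account cannot expose data
resource "aws_s3_account_public_access_block" "baseline" {
  account_id              = data.aws_caller_identity.current.account_id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt new EBS volumes by default in this region
resource "aws_ebs_encryption_by_default" "baseline" {
  enabled = true
}

# Enforce a password policy for any IAM users created later in the account
resource "aws_iam_account_password_policy" "baseline" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

output "hardened_account_id" {
  description = "Account that received the global security baseline"
  value       = data.aws_caller_identity.current.account_id
}
```

Because this pipeline runs in every account AFT vends, anything placed here should be a control the organization wants everywhere; account-specific resources belong in aft-account-customizations instead.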

AFT Components Overview

Once the AFT module is deployed, it creates various AWS resources that work together to vend an AWS account and customize it. When we push an account request template to the aft-account-request repository, AFT kicks off the following workflow to vend and customize the new account.

  1. As soon as the code is pushed to the remote repository, a CodePipeline pipeline starts and uses CodeBuild to create an entry in a DynamoDB table with the account details from the request template. A DynamoDB stream then triggers a Lambda function that sends the details to an SQS queue.
  2. The SQS queue triggers another Lambda function, which starts the account vending process in Control Tower.
  3. Once Control Tower has created the new account, AFT triggers additional Lambda functions that start the account-specific pipeline to apply the global and account-specific customizations.

Vending a New Account

Once AFT is deployed and the Git repositories mentioned above are available, we can use them to vend a new account. This section shows how.

Vending a new account is as easy as dropping a Terraform template into the aft-account-request repository; this triggers the complete AFT process and vends the account within a couple of minutes.

First, clone the aft-account-request repository. Create a Terraform template for the new account as described below and place it in the terraform directory. Once the code is pushed to the remote repository, it triggers the CodePipeline pipeline and creates a DynamoDB item, which in turn triggers the complete account vending process in the backend; within a couple of minutes the new account is ready to use.

Let's review the fields of a sample account template:

  1. control_tower_parameters: The parameters Control Tower requires to create a new account.
  2. account_tags: Tags to apply to the new account, according to the organization's needs.
  3. change_management_parameters: Fields that track changes to the account request, such as change_requested_by and change_reason, so the history can be audited later.
  4. custom_fields: Additional metadata for the account that can be used in account customization and provisioning configuration.
  5. account_customizations_name: Selects the customization in the aft-account-customizations repository to apply to this account.
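The account request below is an added example of such a template, not the article's own sample. It uses the aft-account-request module that AFT places under modules/aft-account-request in the repository, and every value in it (emails, account name, OU, tags, custom fields) is a constructed placeholder to be replaced with the organization's own.

```hcl
# Added example: terraform/sandbox-01.tf in the aft-account-request repository.
# Pushing this file triggers the AFT pipeline that vends the account.
module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  # 1. Required Control Tower inputs (constructed placeholder values)
  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-01@example.com"
    AccountName               = "sandbox-01"
    ManagedOrganizationalUnit = "Sandbox"        # OU must already exist in Control Tower
    SSOUserEmail              = "platform-admin@example.com"
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Admin"
  }

  # 2. Tags applied to the account, useful for cost allocation and ownership lookup
  account_tags = {
    "Environment" = "sandbox"
    "CostCenter"  = "1234"
    "Owner"       = "platform-team"
  }

  # 3. Audit trail for this request, recorded alongside the account in AFT's DynamoDB table
  change_management_parameters = {
    change_requested_by = "jane.doe@example.com"
    change_reason       = "New sandbox account for the data team"
  }

  # 4. Free-form metadata that customization pipelines can read (values are strings)
  custom_fields = {
    data_classification = "internal"
    needs_vpc           = "false"
  }

  # 5. Selects terraform/ code under the matching folder in aft-account-customizations
  account_customizations_name = "sandbox"
}
```

Because this repository is the source of truth for account creation, treat it like any other privileged code base: require pull request review for changes, since a merged file here results in a real account being created and customized without further human approval.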

Conclusion

In this blog we have seen how to manage AWS Control Tower in an automated way using AFT. AFT offers a GitOps-driven approach that automates account vending and customization through its pipelines. It gives the best of both worlds, AWS and Terraform, for managing a multi-account AWS setup, and it is supported by AWS and HashiCorp for any operational support needed.

Written by Jay Kumar

3x AWS Certified | AWS CSS | AWS SA Professional | AWS Certified DevOps Engineer Professional
