Have you ever had a request to build hundreds of AWS Accounts?
Organizations can have several business units with individually managed budgets and cost centers. Tracking costs at the AWS account level is easier than managing chargebacks between teams. Developers from different business units are not competing for resource limits as they could be in a shared AWS account. Lastly, it can be beneficial to have separate AWS accounts for Development and Production.
One option I’ve implemented for automating large-scale account creation is an open source tool called Account Factory for Terraform (AFT). It follows a GitOps model: a developer commits an account request Terraform file to a Git repository, which triggers an event to provision the account using the Control Tower API. Organization enrollment, Service Catalog, and account customization are handled by AFT.
AFT allows further account customization through additional Terraform code or through AWS Lambda functions invoked by an AFT state machine.
A major benefit of AFT is that each provisioned account is managed by three account-specific state files:
- Account-A-customization-state-file (Sets up the CodePipeline for Global & Account Customization repositories)
- Account-A-global-customizations-state-file (Terraform code stored in the aft-global-customizations repository)
- Account-A-account-customizations-state-file (Terraform code stored in the aft-account-customizations repository under /terraform/<account_name>)
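As an added example (not code from the original post or from the AFT project itself), this is what a committed account request looks like in the aft-account-request module's documented format: one module block per account whose parameters drive the Control Tower enrollment and cost-tracking tags, and whose `account_customizations_name` selects the `/terraform/<account_name>` directory mentioned above. The account name, e-mail addresses, OU name, tags and CIDR are constructed placeholders.

```hcl
# Added example: a single account request committed to the aft-account-request
# repository. Variable names follow the AFT module's documented interface;
# every value below is a constructed placeholder, not a real account.
module "sandbox_dev_account" {
  source = "./modules/aft-account-request"

  # Parameters handed to the Control Tower Account Factory product.
  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-dev@example.com" # must be unique per AWS account
    AccountName               = "sandbox-dev"
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail              = "platform-team@example.com"
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Team"
  }

  # Tags applied to the account; these support per-business-unit cost tracking.
  account_tags = {
    "BusinessUnit" = "Retail"
    "CostCenter"   = "CC-0001"
    "Environment"  = "dev"
  }

  # Audit trail: who requested the account and why.
  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "Initial sandbox account for the Retail business unit"
  }

  # Free-form key/value pairs made available to the customization pipelines.
  custom_fields = {
    vpc_cidr = "10.20.0.0/16"
  }

  # Selects the /terraform/sandbox-dev directory in the
  # aft-account-customizations repository for this account.
  account_customizations_name = "sandbox-dev"
}
```

Committing this file is the GitOps trigger: the account is provisioned and its three state files are created without anyone running Terraform by hand against the target account.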
Managing accounts in this fashion reduces the number of resources stored in a state file as well as the blast radius when changes are made to an account. Prior to using AFT for multi-account provisioning, I saw the limitations of using Terraform to manage global resources for all accounts in a single state file. As a result, Terraform apply executions were sometimes 30 minutes long!
The AFT source code is configured and installed in a separate AFT management account in AWS. The pipelines, state machines, IAM roles, events, logs, etc., are executed from this account.
The AFT management account contains IAM credentials for cross-account access to the organization’s main Control Tower account and to the provisioned account (the target account). This allows Terraform to provision resources such as VPCs, S3 buckets, and IAM roles in the target account, or resources such as SSO in the main Control Tower account. The options are limitless.
I encourage you to explore this tool if you are looking for a multi-account provisioning solution in AWS.
Reference:
https://github.com/aws-ia/terraform-aws-control_tower_account_factory