{"id":1,"date":"2024-03-20T01:42:41","date_gmt":"2024-03-20T01:42:41","guid":{"rendered":"http:\/\/platformdev.org\/?p=1"},"modified":"2024-09-09T03:08:33","modified_gmt":"2024-09-09T03:08:33","slug":"aws-account-vending","status":"publish","type":"post","link":"https:\/\/platformdev.org\/index.php\/2024\/03\/20\/aws-account-vending\/","title":{"rendered":"AWS Account Vending"},"content":{"rendered":"\n<p class=\"has-kenta-primary-active-color has-text-color has-link-color wp-elements-685504461de989be9a8e96e437cf51f4\"><em>Have you ever had a request to build hundreds of AWS Accounts?<\/em><\/p>\n\n\n\n<p class=\"has-kenta-accent-active-color has-text-color has-link-color wp-elements-bc612fea6c45c56ecb194699f0f61197\">Organizations can have several business units with individually managed budgets and cost centers. Tracking costs at the AWS account level is an easier method than managing chargebacks between teams. Developers from different business units are not competing for resource limits as they could in a shared AWS account. Lastly, it can be beneficial to have separate AWS accounts for Development and Production.<\/p>\n\n\n\n<p class=\"has-kenta-accent-color has-text-color has-link-color wp-elements-46171f3e5f6db1530eca7378ec769c5e\">One option I&#8217;ve implemented for automating large-scale account creation is an open-source tool called Account Factory for Terraform, or <strong><u><a href=\"https:\/\/docs.aws.amazon.com\/controltower\/latest\/userguide\/aft-overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">AFT<\/a><\/u><\/strong>. It follows a GitOps model: a developer commits an account-request Terraform file to a Git repository, which triggers an event that provisions the account using the Control Tower API. 
Organization enrollment, Service Catalog, and account customization are handled by AFT.<\/p>\n\n\n\n<p>AFT allows for further account customization through additional Terraform or through AWS Lambda functions invoked by an AFT state machine.<\/p>\n\n\n\n<p>A major benefit of AFT is that each provisioned account is managed by three account-specific state files.<\/p>\n\n\n\n<ul style=\"background-color:#818181\" class=\"has-background\">\n<li><strong><em>Account-A-customization-state-file<\/em><\/strong> (Sets up the CodePipeline for the Global &amp; Account Customization repositories)<\/li>\n\n\n\n<li><strong><em>Account-A-global-customizations-state-file<\/em><\/strong> (Terraform code stored in the aft-global-customizations repository)<\/li>\n\n\n\n<li><strong><em>Account-A-account-customizations-state-file<\/em><\/strong> (Terraform code stored in the aft-account-customizations repository under \/terraform\/&lt;account_name&gt;)<\/li>\n<\/ul>\n\n\n\n<p class=\"has-kenta-accent-color has-text-color has-link-color wp-elements-ac0508c0897feb4d6ac0a3ce1a6061df\">Managing accounts in this fashion reduces the number of resources stored in a single state file, and with it the blast radius when changes are made to an account. Prior to using AFT for multi-account provisioning, I have seen the limitations of using Terraform to manage global resources for all accounts in a single state file. As a result, Terraform apply executions were sometimes 30 minutes long!<\/p>\n\n\n\n<p class=\"has-kenta-accent-color has-text-color has-link-color wp-elements-7b8926ad193ab3f1b9f5e1d499e8e5ae\">The AFT source code is configured and installed in a separate management account in AWS. 
The pipelines, state machines, IAM roles, events, logs, etc., run from this account.<\/p>\n\n\n\n<p><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/docs.aws.amazon.com\/images\/controltower\/latest\/userguide\/images\/high-level-aft-diagram.png\">AFT Architecture<\/a><\/p>\n\n\n\n<p class=\"has-kenta-accent-color has-text-color has-link-color wp-elements-9210888a0bb97c4de8ad5a86dfe1fccd\">The AFT management account contains IAM credentials for cross-account access to the organization\u2019s main Control Tower account and to the provisioned account (the target account). This allows Terraform to provision resources such as VPCs, S3 buckets, and IAM roles in the target account, or resources such as SSO in the main Control Tower account. The options are limitless.<\/p>\n\n\n\n<p class=\"has-kenta-accent-color has-text-color has-link-color wp-elements-be1eef071b804a89735a5aee887cdc08\">I encourage you to explore this tool if you are looking for a multi-account provisioning solution in AWS.<\/p>\n\n\n\n<p><strong><em>Reference:<\/em><\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/aws-ia\/terraform-aws-control_tower_account_factory\">https:\/\/github.com\/aws-ia\/terraform-aws-control_tower_account_factory<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever had a request to build hundreds of AWS Accounts? Organizations can have several business units with individually managed budgets and cost centers. Tracking costs at the AWS account level is an easier method than managing chargebacks between teams. 
Developers from different business units are not competing for resource limits as [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[1],"tags":[7,9,8],"_links":{"self":[{"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/posts\/1"}],"collection":[{"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/comments?post=1"}],"version-history":[{"count":3,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions"}],"predecessor-version":[{"id":214,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions\/214"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/media\/139"}],"wp:attachment":[{"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/media?parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/categories?post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/platformdev.org\/index.php\/wp-json\/wp\/v2\/tags?post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}