@bgerstle
Last active December 1, 2025 21:11
Learn AFT notes

Learn AFT Tutorial Notes

Followed this guide: https://developer.hashicorp.com/terraform/tutorials/aws/aws-control-tower-aft

Takeaways

  • Choosing a different region than the tutorial's (us-east-2) will confuse you, because clicking links from the tutorial will put you on an empty page (e.g. when looking for CodePipelines)
  • Navigating the account hierarchy is confusing
    • Which account has control tower? (AFT management)
      • How do I login? (AWS Access Portal)
    • Which account has CodePipelines? (also AFT management)
  • Setting up control tower & AFT repos (multiple!) requires a lot of manual work
    • Structure is very complicated, using multiple modules that set up a lot of infrastructure both for defining the landing zone and the "account request/factory" machinery
  • Running AFT terraform is confusing
    • Must have "AdminAccess" in the Control Tower management account
  • After provisioning the sandbox account, I can maybe see how one could "request" accounts for dev & stage, assuming you've set up TF modules elsewhere for common parts of your stack
    • I never got an email to set up SSO after sandbox account was provisioned. Instead it simply "showed up" in the AWS Access Portal
  • Deleting accounts requires manual work
  • Creating temporary credentials instead of a persistent access key worked pretty well:
    • In CloudShell: aws sts assume-role --role-arn <AdminAccess role ARN> --role-session-name learn-aft
    • Had to create a role to assume (couldn't figure out how to assume the aws-managed AdminAccess role)
    • Remember to copy security token!
  • Forgetting a step can be painful
    • I didn't properly create/enroll the AFT Management account, which became obvious when I kept seeing errors about "couldn't assume AWSControlTowerExecution role" because it didn't exist in the management account. I had to fix it by: manually creating the role (which involved unregistering the account to temporarily disable SCP to fix the role after a mistake I made), and then enrolling it... Except I never got it to "enroll" successfully (AWS kept complaining about not being able to assume the role)
  • This is really complicated, but I guess necessary in order to remain in compliance with important privacy/security frameworks (PCI?)
  • Closing all the accounts was a PITA due to:
    • S3 buckets (going to S3 console and clicking "Empty Bucket" was the best way)
    • AWS Backup recovery points (which was easier thanks to this snippet; `<name>` is the backup vault name):

```shell
# List every recovery point ARN in the vault, then delete them one at a time.
# jq emits one "--recovery-point-arn <arn>" line per point; xargs -L1 runs one delete per line.
aws backup list-recovery-points-by-backup-vault --backup-vault-name <name> --output json \
  --query 'RecoveryPoints[].RecoveryPointArn' \
  | jq -r '.[] | "--recovery-point-arn \"" + . + "\""' \
  | xargs -L1 aws backup delete-recovery-point --backup-vault-name <name>
```
  • Then each account could be closed by switching to the Control Tower Management (NOT AFT) account root user and navigating to "AWS Organizations", where accounts could be individually checked and closed via the "Actions" menu
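As an added helper (not part of the original gist) for the temporary-credentials step above: it runs the same `aws sts assume-role` command from CloudShell, then turns the response into `export` lines for all three credential parts, so the session token is not forgotten, and refuses credentials that are missing a part or already expired. It assumes the AWS CLI is on PATH with working credentials; the role ARN, account ID and key values in the sample response are constructed placeholders.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample in the shape `aws sts assume-role` returns (values are fake).
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2030-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:learn-aft",
                        "Arn": "arn:aws:sts::123456789012:assumed-role/AdminAccess/learn-aft"},
})


def exports_from_assume_role(raw_json: str) -> str:
    """Convert assume-role JSON into shell export statements for key id, secret
    and session token; raise if any part is missing or the credentials expired."""
    creds = json.loads(raw_json)["Credentials"]
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        if not creds.get(key):
            raise ValueError(f"assume-role response is missing {key}")
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise ValueError("temporary credentials have already expired")
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['SessionToken']}",
        f"# expires {expires.isoformat()}",
    ])


def assume_role_exports(role_arn: str, session_name: str = "learn-aft") -> str:
    """Run the same command as in the note above and return export lines.
    Use from the shell as: eval "$(python3 assume.py <AdminAccess role ARN>)"."""
    out = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return exports_from_assume_role(out)


if __name__ == "__main__":
    import sys
    print(assume_role_exports(sys.argv[1]))  # first argument: the role ARN to assume
```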

Open Questions

  • With codepipelines & GitOps "out of the box," I'm curious how to set this up with a proper CI/CD pipeline to validate the account requests & actually test the infrastructure
    • HCP?
    • DIY in CodePipelines?
    • in VCS itself? (where PRs will likely be reviewed anyway)
  • Once an account is provisioned, what's the best way to manage its infrastructure?
    • account customizations repo? (Unlikely, seems like these are "modules")
    • Separate TF repo? (using provisioned account ID in provider.tf)
  • How do you manage access to non-root users across multiple AWS accounts, e.g. giving devs access to shared environments?