
AWS Control Tower - One year using it

· 3 min read
Carlos Angulo Mascarell

In this post I'm going to talk about my experience with Control Tower Account Factory for Terraform.

Summary

Control Tower Account Factory for Terraform is a solution that aims to facilitate account creation and governance. You can use it to define which out-of-the-box resources your accounts will have, as well as to add new resources to all the enrolled accounts. It is based on the following workflow:

Account Creation Request → Apply Global Customization → Apply Account Customization

(simplified) Full schema here

Let's say we want to create an account; here is an example:

module "arepabank" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail = "arepabank-dev-aa50424c@outlook.com"
    AccountName  = "arepabank-dev"
  }

  custom_fields = {
    client = "arepa"
    env    = "dev"
  }

  account_customizations_name = "dev" # you can use this to group accounts by stage or client
}
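The module call above creates one account. The following is an added example (not code from the post or from the AFT project) that generalizes it: the accounts to create are kept in a map and the same account-request module is called once per entry with for_each, so the naming, custom fields and customization folder are derived from one place. The account names, emails and the accounts map are constructed sample values; the module source and parameter names are the ones the post uses. The upstream AFT account-request module also expects ManagedOrganizationalUnit and the SSOUser* fields inside control_tower_parameters; they are left out here to match the post's example.

```hcl
locals {
  # Constructed sample: one entry per account to create, keyed by the account name
  accounts = {
    "arepabank-dev" = { client = "arepa", env = "dev", email = "arepabank-dev@example.com" }
    "arepabank-prd" = { client = "arepa", env = "prd", email = "arepabank-prd@example.com" }
  }
}

module "accounts" {
  for_each = local.accounts
  source   = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail = each.value.email
    AccountName  = each.key
  }

  custom_fields = {
    client = each.value.client
    env    = each.value.env
  }

  # Picks the folder in the account customization repo, so every account of a
  # stage gets the same stage-specific resources
  account_customizations_name = each.value.env
}
```

Adding an account then becomes a one-line change to the map, and a review of the plan shows exactly which account request is being added or removed.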

Then, depending on what you have in the global customization repo (example here), you can define resources to be created in ALL the accounts. One use case is to define a deployment role in every account that can only be assumed by a single IAM user (the deployment user):

resource "aws_iam_role" "iac_deployer" {
  name                = "iac-deployer-${local.account_name}"
  path                = "/deployments/"
  assume_role_policy  = data.aws_iam_policy_document.allow_shared_users_to_assume_role.json
  managed_policy_arns = [data.aws_iam_policy.admin.arn]
}

data "aws_iam_policy" "admin" {
  name = "AdministratorAccess"
}

data "aws_iam_policy_document" "allow_shared_users_to_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.shared_iac_deployer_user]
    }
  }
}

locals {
  shared_iac_deployer_user = "arn:aws:iam::2146903:user/deployments/iac-deployer-shared"
}

Terraform Code in the Global Customization
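A role with AdministratorAccess that exists in every enrolled account and trusts one long-lived IAM user is the single most valuable credential in this setup, so it is worth tightening the trust. The following is an added example (not the post's or the AFT project's code) of the same global customization with two extra controls: the trust policy only honours the assume-role call when the deployment user authenticated with MFA, and a permissions boundary stops the role from minting new long-lived credentials or loosening its own trust. It assumes the post's locals (local.account_name, local.shared_iac_deployer_user) and the post's data.aws_iam_policy.admin are defined in the same module; the resource names and the boundary's deny list are assumptions of this example.

```hcl
# Trust policy: same single principal as the post, plus an MFA condition
data "aws_iam_policy_document" "allow_shared_user_with_mfa" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.shared_iac_deployer_user]
    }
    # Stolen access keys alone are not enough: the AssumeRole call must carry an MFA token
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Permissions boundary: keeps AdministratorAccess for deployments, but the role
# cannot create persistent identities or remove the boundary from itself.
data "aws_iam_policy_document" "deployer_boundary" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
  statement {
    effect = "Deny"
    actions = [
      "iam:CreateUser",
      "iam:CreateAccessKey",
      "iam:CreateLoginProfile",
      "iam:UpdateAssumeRolePolicy",
      "iam:DeleteRolePermissionsBoundary",
      "iam:PutRolePermissionsBoundary",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "deployer_boundary" {
  name   = "iac-deployer-boundary-${local.account_name}"
  path   = "/deployments/"
  policy = data.aws_iam_policy_document.deployer_boundary.json
}

resource "aws_iam_role" "iac_deployer" {
  name                 = "iac-deployer-${local.account_name}"
  path                 = "/deployments/"
  assume_role_policy   = data.aws_iam_policy_document.allow_shared_user_with_mfa.json
  permissions_boundary = aws_iam_policy.deployer_boundary.arn
  # One hour (the AWS default); stated explicitly so a change shows up in review
  max_session_duration = 3600
}

# Attached as a separate resource instead of managed_policy_arns, which the
# AWS provider has deprecated on aws_iam_role
resource "aws_iam_role_policy_attachment" "iac_deployer_admin" {
  role       = aws_iam_role.iac_deployer.name
  policy_arn = data.aws_iam_policy.admin.arn
}
```

Because this lives in the global customization, the customizations pipeline applies the tighter trust to every enrolled account in one run; the deployment user then calls sts:AssumeRole with its MFA serial number and token code as it would for any MFA-gated role.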

In the account customization repository (example here), only the resources defined in the folder named after the account_customizations_name parameter are created for that account. We can use this to create different resources per stage, for example different EC2 instances:

dev/
  ec2.micro.tf
tst/
  ec2.small.tf
acc/
  ec2.medium.tf
prd/
  ec2.large.tf

Each ec2.*.tf file will contain a different configuration.

resource "aws_instance" "web" {
  # data.aws_ami.ubuntu is declared in another file of the same stage folder
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"
}

ec2.t3.micro.tf
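The snippet above shows only the instance type that differs per stage. As an added example (not the post's file), here is what a complete dev/ec2.micro.tf could look like, including the AMI lookup the snippet refers to and the two instance settings a reviewer would expect in every stage folder: IMDSv2 enforced, so instance-role credentials cannot be fetched with a plain GET from a vulnerable app, and an encrypted root volume. The Canonical owner ID and AMI name filter are real values; the tag and the file layout are assumptions of this example, and the tst/acc/prd copies would differ only in instance_type.

```hcl
# dev/ec2.micro.tf (added example)
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro" # the only line that changes between stage folders

  # Require IMDSv2: session tokens are needed to read instance metadata
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  tags = {
    Stage = "dev" # constructed sample tag
  }
}
```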

Is it worth it?

For personal projects and ephemeral workloads: No. Let me list the reasons:

  • There are fixed costs, no matter whether you enroll accounts or not. The main ones are:
    • VPC Endpoints. In my first two posts I had to fork the official repo and add flags to disable them.
    • KMS keys. I also tried to disable them, but major changes were required because they were highly coupled with other resources.
    • Log Archive account costs: only the S3, KMS and AWS Config services. Less than the previous two, $4 at most.
  • AWS CodePipeline, CodeBuild and VPC costs are too high for personal projects. There is a customizations pipeline for each account, which means that if you want to update all accounts, all pipelines have to be executed. I had 12 accounts enrolled and I paid more than $60 in one month. The same work done in the pipelines could be done in GitHub workflows, as I did in my previous post.

AWS Costs - worst months

For my personal projects I'm going to look for a custom solution with cost based on usage.

References:

Git Repositories

About me

I'm a Software Engineer with experience as a Developer and in DevOps. The technologies I have worked with are DotNet, Terraform and AWS. For the last one, I have the Developer Associate certification. I define myself as a challenge-seeker and a team player. I simply give it all to deliver high-quality solutions. On the other hand, I like to analyze and improve processes, promote productivity and document implementations (yes, I'm a developer that likes to document 🧑‍💻).

You can check my experience here.

Personal Blog - cangulo.github.io
GitHub - Carlos Angulo Mascarell - cangulo
LinkedIn - Carlos Angulo Mascarell
Twitter - @AnguloMascarell
