[AWS] Feedback on AWS Control Tower Account Factory(for Terraform)

Anyone using AWS Control Tower Account Factory for Terraform? Thinking about rolling this out to manage setting up new AWS accounts and making sure there are certain baseline things in each. Some teams will manage their own AWS accounts so this would help to make sure certain things are in place already no matter when an account gets created.

Seems like a decent amount of stuff glued together to make this product work.

Once you get it set up, I’d love to hear about your experience

Haha I was hoping you had already done it :smiling_face_with_tear:

I’ve always managed all the accounts since I work at smol companies

We’re working on this

Control Tower is pretty cool, you do have to structure everything correctly downstream

Any issues getting it setup initially?

Eh, it wasn’t as bad the first go -around, we recently had to do some restructuring and there is a lot of implicit IAM shit floating around

Does it make one AFT in each account it creates?

Watched a few videos on it and don’t quite have the mental flow of how it all connects together

You have a parent account that extends all the downstream role management

That parent account manages the others, big note here, if you change the parent account lots of “bad shit” can happen

Still dealing with fallout from changing the parent account

Why would you ever change the parent account? New payer structure, aquisition, etc

When you say managers the others, managers the other accounts or does it create a child account inside each account

Sec, let me draw it with text lol

So the SSO roles that are created via your control tower account are un-editable in those accounts

Even owner accounts in the children cannot change the policies

So is it like this scenario 1

Root OU
– Parent AFT (Account Factory Terraform)
|
|
| – > Dev Account AWS
-> s3 buck it made