Anyone using AWS Control Tower Account Factory for Terraform? Thinking about rolling this out to manage setting up new AWS accounts and making sure there are certain baseline things in each. Some teams will manage their own AWS accounts so this would help to make sure certain things are in place already no matter when an account gets created.
Seems like a decent amount of stuff glued together to make this product work.
Once you get it set up, I’d love to hear about your experience
Haha I was hoping you had already done it :smiling_face_with_tear:
I’ve always managed all the accounts since I work at smol companies
We’re working on this
Control Tower is pretty cool, you do have to structure everything correctly downstream
Any issues getting it setup initially?
Eh, it wasn’t as bad the first go -around, we recently had to do some restructuring and there is a lot of implicit IAM shit floating around
Does it make one AFT in each account it creates?
Watched a few videos on it and don’t quite have the mental flow of how it all connects together
You have a parent account that extends all the downstream role management
That parent account manages the others, big note here, if you change the parent account lots of “bad shit” can happen
Still dealing with fallout from changing the parent account
Why would you ever change the parent account? New payer structure, aquisition, etc
When you say managers the others, managers the other accounts or does it create a child account inside each account
Sec, let me draw it with text lol
So the SSO roles that are created via your control tower account are un-editable in those accounts
Even owner accounts in the children cannot change the policies
So is it like this scenario 1
Root OU
– Parent AFT (Account Factory Terraform)
|
|
| – > Dev Account AWS
→ s3 buck it made
