[AWS] Feedback on AWS Control Tower Account Factory(for Terraform)

Actually just start with that then let me look at the docs again

Iirc 1 is about right

Do you have to manually trigger stuff in CodeStar or w/e

Watched some YT video and the guy made it seem weirdly manual inside the console for some steps

There is a lot that’s manual

The api isn’t terribly well instrumented ime

Still better than how we are doing it now haha

It is really nice for containing people who know enough to be dangerous

The first six parameters are required. As a prerequisite, I need to pass the ID of four AWS accounts in my AWS organization:
ct_management_account_id – AWS Control Tower management account
log_archive_account_id – Log Archive account
audit_account_id – Audit account
aft_management_account_id – AFT management account

Did you have to make four different aws accounts at first just to set this up?

Example has it all as different accounts

AWS needs an account factory account factory

I get that you need at least one account, but can those values all be the same account?


  source = "git@github.com:aws-ia/terraform-aws-control_tower_account_factory.git"

  # Required Parameters
  ct_management_account_id    = "123412341234"
  log_archive_account_id      = "234523452345"
  audit_account_id            = "345634563456"
  aft_management_account_id   = "456745674567"
  ct_home_region              = "us-east-1"
  tf_backend_secondary_region = "us-west-2"

What kind of mad lad is making 4 accounts for this :smile:

Yes you need all those

Think of it this way - in a single account you wouldn’t have the ability to limit the base role from accessing information that is considered “sensitive”

The idea being that each of the seperate accounts creates privilege isolation necessary

Because the only role that will be in those is effectively something akin to the root account