AWS control Tower set up - unix1998/technical_notes GitHub Wiki
AWS CloudFormation templates can be written in either JSON or YAML format. However, AWS Control Tower setup cannot be fully automated using CloudFormation templates alone, as the setup typically requires interactive steps through the AWS Management Console. AWS Control Tower primarily provides setup and management through the AWS Management Console, but you can automate certain aspects of managing the environment using CloudFormation, AWS CLI, or SDKs.
Example: Using CloudFormation for AWS Control Tower Account Factory Customizations
While you can't create AWS Control Tower itself using CloudFormation, you can use it to manage resources within the AWS Control Tower environment. For example, you can customize the Account Factory to create new AWS accounts and apply configurations.
Here’s a step-by-step guide and an example CloudFormation template to create an AWS account and configure it within an existing AWS Control Tower setup:
Step-by-Step Guide
-
Prerequisites:
- Ensure AWS Control Tower is already set up in your AWS Organization.
- You have AWS CLI configured on your local machine.
-
Create a CloudFormation Template:
- Below is an example CloudFormation template in JSON format to create a new AWS account through Account Factory.
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS Control Tower Account Factory example", "Resources": { "ControlTowerAccountFactory": { "Type": "Custom::ControlTowerAccountFactory", "Properties": { "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:AWSControlTowerAccountFactory", "AccountName": "ExampleAccount", "AccountEmail": "[email protected]", "SSOUserFirstName": "John", "SSOUserLastName": "Doe", "ManagedOrganizationalUnit": "OUName", "AccountTags": { "CostCenter": "1234", "Environment": "Dev" } } } } } -
Deploy the CloudFormation Stack:
- Save the above template to a file named
control-tower-account-factory.json. - Deploy the CloudFormation stack using AWS CLI.
aws cloudformation create-stack --stack-name ControlTowerAccountFactoryStack --template-body file://control-tower-account-factory.json --capabilities CAPABILITY_NAMED_IAM - Save the above template to a file named
Steps to Create and Use the CloudFormation Template
-
Save the Template:
- Save the JSON template to a file, for example,
control-tower-account-factory.json.
- Save the JSON template to a file, for example,
-
Create a CloudFormation Stack:
- Use the AWS CLI to create a new CloudFormation stack.
aws cloudformation create-stack --stack-name ControlTowerAccountFactoryStack --template-body file://control-tower-account-factory.json --capabilities CAPABILITY_NAMED_IAM -
Monitor the Stack Creation:
- Monitor the status of the stack creation.
aws cloudformation describe-stacks --stack-name ControlTowerAccountFactoryStack -
Verify the New Account:
- Once the stack creation is complete, verify that the new AWS account has been created and added to the specified Organizational Unit (OU).
Example Template in YAML Format
Here’s the same template in YAML format:
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Control Tower Account Factory example
Resources:
ControlTowerAccountFactory:
Type: Custom::ControlTowerAccountFactory
Properties:
ServiceToken: arn:aws:lambda:us-east-1:123456789012:function:AWSControlTowerAccountFactory
AccountName: ExampleAccount
AccountEmail: [email protected]
SSOUserFirstName: John
SSOUserLastName: Doe
ManagedOrganizationalUnit: OUName
AccountTags:
CostCenter: "1234"
Environment: Dev
Save this YAML template to a file named control-tower-account-factory.yaml and deploy it similarly using the AWS CLI.
Conclusion
While you can't fully set up AWS Control Tower using CloudFormation alone, you can automate the creation and management of AWS accounts and resources within an existing AWS Control Tower environment using CloudFormation. This example demonstrates how to create a new AWS account using the Account Factory feature of AWS Control Tower with CloudFormation templates. For the initial setup of AWS Control Tower, you need to use the AWS Management Console or AWS CLI.