Making AWS ControlTower Account Factory easier with Resourcely

Turning the Account Factory for Terraform modules into a smart UI
AUTHOR
Chris Reuter
PUBLISH DATE
November 20, 2024

AWS accounts are a critical object for structuring, securing, and managing your AWS cloud resources. While they are foundational for best practices cloud usage, they can be annoying and tedious to set up appropriately.

In this blog we’ll cover how you can make AWS account usage ubiquitous by providing an easy way to provision them, while ensuring that security, cost, organizational, and other standards that your company wants to follow are met. We’ll do so by starting with an existing Terraform module, turning it into a simple UI for developers to interact with, and adding guidance and guardrails around that UI experience.

Importance of AWS Accounts

AWS Accounts provide logical separation of concerns. With them you can:

  • Isolate and secure your resources
    • Isolating resources reduces the blast radius of potential breaches or malicious activity
    • Secure different accounts with different IAM roles, permission sets, or policies
  • Manage costs
    • Separate billing reporting and tracking make cost optimization easier
  • Compliance and governance
    • Some industries are subject to strict regulation, requiring data governance practices such as isolation
  • Scalability and management
    • Organizing resources into accounts and separating access makes it easier as usage grows: your AWS organization won’t become a cesspool of mixed resources with no clear hierarchy

Companies use AWS accounts for a variety of use cases, from dev/staging/prod, to cost & budget tracking, to organizational or project-based separation.

AWS ControlTower Account Factory for Terraform

Module description

The AWS ControlTower Account Factory for Terraform (AFT) sets up an account factory for AWS, building a framework that allows users to provision new accounts seamlessly. Like with any Terraform module, it can be complicated and hard for a developer to implement…especially one who doesn’t often work with Terraform.

The AFT module creates many resources:

  • CloudWatch logging queries
  • Multiple IAM roles, policies, and policy attachments
  • Lambdas with VPC configs for initiating accounts

…and requires 15 inputs that developers may need help, guidance, and a sensible path when deviating from defaults.

Adding a UI

To simplify our experience with Terraform and make it easier for developers to create AWS accounts that meet our standards, let’s import this module into Resourcely in order to automatically create a guided UI for this module.

Importing

Log in to Resourcely (create your free account here), click Create Blueprint, and then Import a module from external source.

Resourcely automatically detects inputs, assigns types, defaults, and more:

We’ll select the fields we care about, optionally select how to organize each variable on the next screen, and then we’ll have a Resourcely Blueprint built on top of this Terraform module. Immediately, a smart UI is created where users don’t need to interact with Terraform in order to take advantage of this module:

Guiding user inputs

Descriptions, defaults, and suggestions

Notice that our UI already has defaults and descriptions, automatically taken from the Terraform module’s variables.tf. We can make changes to these easily in the variables frontmatter. Let’s take a variable and make improvements:

vcs_provider variable frontmatter:

  vcs_provider:
    suggest: "github"
    desc: Customer VCS Provider - valid inputs are codecommit, bitbucket, github, or
      githubenterprise
    required: false
    type: resource.aws_ssm_parameter.value
    group: Repository

Resulting form input:

We can add a global value to this frontmatter to populate a dropdown box for developers to select from (instead of having to type in one of the valid inputs manually).

We create a Preset collection:

…and add it to our new vcs_provider variable frontmatter, and change our description:

  vcs_provider:
    suggest: "github"
    desc: Customer VCS Provider
    required: false
    type: resource.aws_ssm_parameter.value
    group: Repository
    global_value: vcs_providers

Here is what the form looks like for this variable now:

Policies

We can use Guardrails to better limit user inputs, and give them an easy way to request an exception to the rules we put in place. Let’s consider our logging expiration-related variables. Our Terraform module instructs a default of 365 days for log_archive_bucket_object_expiration_days, which has been reflected in our variable frontmatter:

  log_archive_bucket_object_expiration_days:
    default: 365
    desc: Amount of days to keep the objects stored in the AFT logging bucket
    required: false
    type: resource.aws_s3_bucket_lifecycle_configuration.rule.noncurrent_version_expiration.noncurrent_days
    group: General

Let’s say we want to require logging to between 1 and 2 years for compliance or regulatory reasons. With the existing Terraform module, there would be no way to control that. With Resourcely Guardrails, it is easy.

From Foundry, navigate to Author a Guardrail and enter the following Guardrail:

GUARDRAIL "require logging to be less than 364 and greater than 730 days"
  WHEN aws_s3_bucket_lifecycle_configuration
    REQUIRE rule.noncurrent_version_expiration.noncurrent_days > 364 AND rule.noncurrent_version_expiration.noncurrent_days < 730 

If you start manually typing the above Guardrail you will notice Foundry’s autocomplete feature that make it easy to write new Guardrails.

Add metadata, save the Guardrail, and navigate back to the Author a Blueprint tab. On the developer form you can now see the Guardrail in action:

Embedding the Guardrail rules into the form allows users to know when they have deviated from a policy or rule before CI, so they aren’t wasting valuable cycles waiting for policies to evaluate and then making configuration changes.

This Guardrail will also be evaluated as part of our Terraform plan, and terraform apply will be blocked until the appropriate team can review and approve this exception.

Conclusion

We’ve walked through creating a Blueprint for setting up ControlTower Account Factory. We did this by quickly converting a Terraform module into a Resourcely Blueprint. With an Account Factory, you can encourage and simplify the use of AWS accounts: isolating your resources into logical groups, tracking costs and budgeting, and meeting compliance requirements.

The next step on your journey is to create a Blueprint for developers to use, that provisions accounts using the Account Factory that you just set up. You can do this yourself in Resourcely: sign up for free today, and import the account-provisioning module using the same process that we used above.

Ready to get started?

Set up a time to talk to our team to get started with Resourcely.

Get in touch

More posts

View all
September 23, 2024

Insights from the a16z Security Theme Week 2024

Takeaways from meeting dozens of security leaders at Fortune 250 companies
December 4, 2024

Making encryption easy for developers

From complex infrastructure as code to streamlined, encrypted-by-default resources
November 11, 2024

Configuration perspectives: AWS S3

Best practices for configuring S3 using Terraform, while taking into account input from a variety of stakeholders

Talk to a Human

See Resourcely in action and learn how it can help you secure and manage your cloud infrastructure today!