AI Resource Provisioning Governance with Control Tower
PythonWhen using AWS Cloud, AWS Control Tower offers a way to set up and govern a new, secure, multi-account AWS environment based on best practices. It enables you to automate the setup of a baseline environment, or landing zone, that is a well-architected, multi-account setup using AWS best practices. With Control Tower, you can enforce and manage policies at scale, using guardrails that you can apply to accounts in your AWS environment.
In the context of Pulumi, you would use it to programmatically manage the setup and governance of your AWS resources, ensuring that everything complies with the policies and standards you've defined in your Control Tower setup.
Let's go through a Pulumi Python program that uses AWS Control Tower to enforce governance across your AWS resources.
Firstly, we'll need to import the necessary modules from Pulumi:
import pulumi import pulumi_aws as awsThen, we can define resources such as
ControlTowerControlandEnabledControl. These resources correspond to the different types of controls within AWS Control Tower:ControlTowerControl: Represents a control in AWS Control Tower. Each control is an AWS-managed rule that detects whether an architecture met the AWS best practice it checks for. You can create, update, or delete a control, and you can also audit its status across your AWS accounts and regions.EnabledControl: Represents an enablement of a control within AWS Control Tower. When you apply controls to AWS accounts or organizational units (OUs), you are essentially ensuring that those best practices are enforced.
Here's how you might define a Control Tower control and an enablement in Pulumi:
# Define a Control Tower control which represents AWS-managed rules to # enforce best practices in your AWS environment. control_tower_control = aws.controltower.ControlTowerControl("exampleControl", target_identifier="arn:aws:organizations::123456789012:root", control_identifier="example-control-identifier" # This identifier comes from the AWS Control Tower documentation and varies based on the specific control you're using. ) # Define an enablement of the control within your AWS environment. This resource # ensures that the defined control is actively being enforced. enabled_control = aws.controltower.EnabledControl("exampleEnabledControl", parameters=[ { "key": "example-key", "value": "example-value" } ], target_identifier="arn:aws:organizations::123456789012:account/210987654321", control_identifier=control_tower_control.control_identifier ) # The target_identifier would be the ARN for the organization's root or a specific account within the organization. # Control identifier is the unique identifier of the control being enacted; in this case, # we're referencing the control we defined above.In the real world, the
target_identifierandcontrol_identifierwould need to be set to your specific AWS organization's ARNs and the particular controls you wish to enforce. Theparameterslist inEnabledControlwill depend on the specific control you're enabling and what configuration it requires.At the end of your Pulumi program, don't forget to export any outputs you need:
# Outputs can be used to export and view information about the resources you have # provisioned after your Pulumi program runs. Here we are exporting the ARNs of # the created resources, which can be useful for further automation or for audit purposes. pulumi.export("control_tower_control_arn", control_tower_control.arn) pulumi.export("enabled_control_arn", enabled_control.arn)Finally, you'd run your Pulumi program using the CLI, which will communicate with AWS to set everything up according to your script. If you want to learn more about the specific resources, you can refer to the following documentation:
Remember, this code is mostly illustrative; you'll need actual values for identifiers and controls relevant to your organization's setup within AWS Control Tower. Use this as a baseline for implementing and applying governance and controls in your cloud environment.