Automating multi-account setup with AWS Control Tower lifecycle events
To automate a multi-account setup with AWS Control Tower, we will leverage Pulumi, an infrastructure-as-code tool that lets us programmatically define and deploy AWS resources. Using Pulumi, we can create various AWS Control Tower resources, such as landing zones for the initial setup and Control Tower Controls for enforcing policies.
The resources we'll focus on are:
- aws-native.controltower.LandingZone: This resource automates the creation of AWS Control Tower Landing Zones, which serve as the starting point for any multi-account environment.
- aws.organizations.Account: This resource manages accounts within the AWS organization, enabling us to create new accounts as part of the multi-account setup.
- aws.controltower.ControlTowerControl: Controls in AWS Control Tower allow us to enforce certain policies or best practices across the accounts in our organization.
Here's an example of how you can use Pulumi with TypeScript to create these resources:

```typescript
import * as fs from "fs";
import * as aws from "@pulumi/aws";
import * as awsNative from "@pulumi/aws-native";

// Placeholders: replace with values from your own organization.
// The organizational unit (OU) that will hold the new account and receive the control.
const targetOuId = "<OU-id>";   // an Organizations OU ID such as ou-xxxx-xxxxxxxx
const targetOuArn = "<OU-arn>"; // arn:aws:organizations::<management-account-id>:ou/<org-id>/<OU-id>

// Creating an AWS Control Tower Landing Zone
const landingZone = new awsNative.controltower.LandingZone("landingZone", {
    // Specify the version of the landing zone. You need to provide the specific version number.
    version: "2.0",
    // Include any necessary tags. These tags will apply to all resources associated with the landing zone.
    tags: [
        { key: "Name", value: "MyLandingZone" },
    ],
    // The manifest is passed inline as a JSON document that follows the AWS Control Tower
    // landing zone manifest schema. Here it is loaded from a local file; replace the placeholder path.
    manifest: JSON.parse(fs.readFileSync("<path-to-landing-zone-manifest.json>", "utf8")),
});

// Creating a new account within the AWS Organization
const account = new aws.organizations.Account("subAccount", {
    // The name of the account
    name: "my-sub-account",
    // Email associated with the account (must be unique across all AWS accounts)
    email: "email@example.com",
    // The ID of the organizational unit in which this account resides.
    // This is an OU ID, not something that can be derived from the landing zone ARN.
    parentId: targetOuId,
    // The IAM role that Organizations preconfigures in the new member account; the management
    // account assumes it to administer the member account, so restrict who can assume it.
    roleName: "OrganizationAccountAccessRole",
    // Additional properties like IAM user access to billing, tags, etc., can be defined here
}, { dependsOn: [landingZone] }); // create the account only after the landing zone exists

// Creating an AWS Control Tower Control to enforce policies
const controlTowerControl = new aws.controltower.ControlTowerControl("passwordPolicyControl", {
    // The ARN of the organizational unit the control is applied to
    targetIdentifier: targetOuArn,
    // The control identifier, of the form arn:aws:controltower:<region>::control/<control-name>
    // (replace the placeholder with the identifier of the control you want to enable)
    controlIdentifier: "<control-identifier>",
}, { dependsOn: [landingZone] });

// Exporting the Control Tower landing zone and account ARNs for further reference
export const landingZoneArn = landingZone.arn;
export const accountArn = account.arn;
```
This Pulumi program creates a Control Tower landing zone, a new account, and a Control Tower Control. The landing zone acts as a base setup, the new account is part of our multi-account strategy, and the control ensures we maintain our desired policies across accounts.
Remember that you will need to replace placeholders such as the landing zone manifest and the control identifier with actual values corresponding to your use case. You can run this program with the Pulumi CLI by first setting up your AWS credentials and then running pulumi up to deploy these resources to your AWS environment. The export statements at the end of the program output the ARNs of the landing zone and the new account, which can be useful for reference in subsequent operations or other Pulumi stacks.
To learn more about each resource and property, you can visit the following documentation: