1. Using AWS Control Tower with us-east-1

    TypeScript

    Control Tower is an AWS service that automates the setup and governance of a secure, multi-account AWS environment, known as a landing zone. By provisioning the Control Tower resources with Pulumi, we can automate the creation of the landing zone and apply controls that govern the environment.

    Below is a TypeScript program using the Pulumi AWS Native provider, illustrating how to set up an AWS Control Tower landing zone and enable controls using the aws-native.controltower.LandingZone and aws-native.controltower.EnabledControl resources. These resources let you define the landing zone configuration and enforce governance rules across your AWS accounts.

    First, ensure that Pulumi and AWS CLI are installed and configured on your machine. Pulumi uses AWS credentials configured for your AWS CLI to interact with your AWS account.

    Here's how the program would look:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as aws_native from '@pulumi/aws-native';

// Creating a Control Tower Landing Zone
const landingZone = new aws_native.controltower.LandingZone("myLandingZone", {
    version: "2.0", // Specify the version of the landing zone
    // Specify the landing zone settings here
    // Documentation: https://www.pulumi.com/registry/packages/aws-native/api-docs/controltower/landingzone/
    // Ensure you have the valid JSON manifest file describing the landing zone setup
    manifest: "<Your Landing Zone Manifest JSON Contents>",
    tags: [
        // Optional tags for the landing zone resource
        {
            key: "Environment",
            value: "Production",
        },
    ],
});

// Enabling a Control within the Landing Zone
const enabledControl = new aws_native.controltower.EnabledControl("myEnabledControl", {
    // Set the targetIdentifier to the ARN of an AWS Organizational Unit (OU) or an account
    targetIdentifier: "<Your Account or Organizational Unit ARN>",
    // Set the controlIdentifier to the requisite control ID from AWS Control Tower
    controlIdentifier: "Guardrails/AWS-Control-Tower-Detective-Guardrails", // Example control identifier
    parameters: [{
        // Parameters for the control if necessary
        key: "ParameterKey",
        value: "ParameterValue",
    }],
});

// Exporting the ARN of the landing zone for later reference
export const landingZoneArn = landingZone.arn;
// Exporting the status of the enabled control
export const enabledControlStatus = enabledControl.controlStatus;
```

    This program starts by importing the Pulumi SDK and the AWS Native provider package. It then creates a LandingZone resource that represents our desired configuration for the AWS Control Tower landing zone.

    The manifest property should contain the JSON contents that describe your landing zone setup. This manifest file typically includes the configuration for accounts, organizational units, and other settings following AWS Control Tower documentation.

    Next, we create an EnabledControl which enables a specific governance control within the landing zone. The targetIdentifier property should be the ARN of the AWS account or Organizational Unit where you want the control to apply. The controlIdentifier is the specific ID of the control you wish to enable, which you can find in the AWS Control Tower documentation.

    Finally, we export a couple of properties from our resources for easy access: the ARN of the landing zone and the status of the enabled control. This makes it easier to reference the created resources in future operations or other parts of your Pulumi program.

    Don't forget to replace placeholder strings like <Your Landing Zone Manifest JSON Contents> and <Your Account or Organizational Unit ARN> with your actual manifest JSON and ARN respectively. The actual content of the manifest will strongly depend on your specific use case and the structure of your AWS organization.
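    Before filling in those placeholders it is worth checking the values offline, because a landing zone that does not govern its own home region, or that points the log archive and audit roles at the same account, deploys without error and quietly weakens the guardrails. The block below is an added example and not part of the original program or the Pulumi project: it makes no AWS or Pulumi calls, and the manifest field names follow the AWS-documented landing zone manifest schema as understood by the author of this example, so treat them as an assumption to confirm against the current Control Tower documentation. The sample account ids, organization id and OU ARN are constructed.

```typescript
// Added example, not part of the original program: offline pre-flight checks for
// the values that end up in the LandingZone `manifest` and the EnabledControl
// `targetIdentifier`. Manifest field names follow the AWS-documented landing zone
// manifest schema as understood here (an assumption; confirm against current docs).

export interface LandingZoneManifest {
  governedRegions: string[];
  organizationStructure: { security: { name: string }; sandbox?: { name: string } };
  centralizedLogging: {
    accountId: string;                       // log archive account
    configurations: {
      loggingBucket: { retentionDays: number };
      accessLoggingBucket: { retentionDays: number };
    };
    enabled: boolean;
  };
  securityRoles: { accountId: string };      // audit account
  accessManagement: { enabled: boolean };    // IAM Identity Center access management
}

const ACCOUNT_ID = /^\d{12}$/;
// OU ARN form: arn:aws:organizations::<management-account>:ou/o-<org-id>/ou-<root>-<id>
const OU_ARN = /^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$/;
// Account ARN form: arn:aws:organizations::<management-account>:account/o-<org-id>/<account-id>
const ACCOUNT_ARN = /^arn:aws:organizations::\d{12}:account\/o-[a-z0-9]{10,32}\/\d{12}$/;

// Returns a list of problems; an empty list means the manifest passed every check.
export function validateManifest(m: LandingZoneManifest, homeRegion: string): string[] {
  const errors: string[] = [];
  // The home region must be governed, otherwise controls never apply where the
  // landing zone itself lives.
  if (!m.governedRegions.includes(homeRegion)) {
    errors.push(`governedRegions must include the home region ${homeRegion}`);
  }
  for (const [label, id] of [
    ["centralizedLogging.accountId", m.centralizedLogging.accountId],
    ["securityRoles.accountId", m.securityRoles.accountId],
  ] as const) {
    if (!ACCOUNT_ID.test(id)) errors.push(`${label} is not a 12-digit AWS account id`);
  }
  // Log archive and audit are separate shared accounts; pointing both at one
  // account collapses the separation Control Tower is meant to enforce.
  if (m.centralizedLogging.accountId === m.securityRoles.accountId) {
    errors.push("log archive and audit accounts must be distinct");
  }
  if (!m.centralizedLogging.enabled) {
    errors.push("centralizedLogging.enabled should be true so CloudTrail/Config logs are retained");
  }
  for (const [label, days] of [
    ["loggingBucket.retentionDays", m.centralizedLogging.configurations.loggingBucket.retentionDays],
    ["accessLoggingBucket.retentionDays", m.centralizedLogging.configurations.accessLoggingBucket.retentionDays],
  ] as const) {
    if (!Number.isInteger(days) || days < 1) errors.push(`${label} must be a positive integer`);
  }
  return errors;
}

// True when the value has the shape of an Organizations OU or account ARN, which is
// what EnabledControl.targetIdentifier expects (a bare "ou-..." id is rejected).
export function isValidTargetIdentifier(arn: string): boolean {
  return OU_ARN.test(arn) || ACCOUNT_ARN.test(arn);
}

// Constructed sample values (not real accounts or organizations).
export const sampleManifest: LandingZoneManifest = {
  governedRegions: ["us-east-1", "us-west-2"],
  organizationStructure: { security: { name: "Security" }, sandbox: { name: "Sandbox" } },
  centralizedLogging: {
    accountId: "111111111111",
    configurations: {
      loggingBucket: { retentionDays: 365 },
      accessLoggingBucket: { retentionDays: 3650 },
    },
    enabled: true,
  },
  securityRoles: { accountId: "222222222222" },
  accessManagement: { enabled: true },
};
export const sampleTarget = "arn:aws:organizations::333333333333:ou/o-abcdefghij/ou-ab12-cdefgh12";

const problems = validateManifest(sampleManifest, "us-east-1");
if (problems.length > 0 || !isValidTargetIdentifier(sampleTarget)) {
  throw new Error(`pre-flight failed: ${problems.join("; ")}`);
}
// Once these pass, `sampleManifest` is the object you would hand to LandingZone's
// `manifest` and `sampleTarget` the value for EnabledControl's `targetIdentifier`.
```

    Run it with ts-node (or compile with tsc) before `pulumi up`; a non-empty error list is a reason to stop, since `pulumi preview` will not catch a governed-regions list that omits the home region or two shared roles mapped to one account.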

    Save this code in a TypeScript .ts file, and then use the pulumi up command in your terminal to create or update the infrastructure as per the Pulumi program. Remember to review the previewed changes before confirming the update to avoid misconfiguration.