Add support for adding accounts via control tower #21674
Comments
Control Tower doesn't have APIs, at least yet (Ref: https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html), so a straightforward implementation won't be possible. The referenced provider is actually using the AWS Service Catalog product created by Control Tower to create the account. My quick thoughts: WARNING: not tested, just to convey the idea
It might be helpful to enhance the aws_servicecatalog_product data source to have filters that would help search the product by name and identify the active version, so that we don't have to hard-code the Service Catalog product name used by Account Factory.
Not strictly related to the original suggestion, but we got the first API for Control Tower and can enable Guardrails: https://docs.aws.amazon.com/controltower/latest/userguide/guardrail-api-examples-short.html
While not as nice as managing it using my own Terraform setup, Account Factory for Terraform is a decent alternative that allows you to create and enroll existing accounts through Terraform.
Note: using Idealo's provider might give you a better experience: https://registry.terraform.io/providers/idealo/controltower/latest/docs/resources/aws_account But as soon as concurrency is supported I think it will massively simplify all current approaches ;)
Control Tower Landing Zone APIs are now picked up - hopefully the accounts themselves will be released soon, I'll pick that up 👍🏼
Cool, yeah, seems only LZ at the moment: https://docs.aws.amazon.com/controltower/latest/APIReference/API_UpdateLandingZone.html
You can launch new accounts with aws_servicecatalog_product (at least if you're using Control Tower Account Factory). It creates 'AWS Control Tower Account Factory' under Products in Provisioning. Your enrolled accounts should show up as 'Provisioned Products'. For example, if you've enrolled something from Control Tower, it can show up there as
@jylitalo Are you saying you can provision a new AWS account that will be enrolled with Control Tower (if you already have Control Tower set up) with the
Yes, you need to select/pick
@mbevc1 Is there a documented schema somewhere for the expected parameters? Where are you getting the parameters like email, account name, etc.?
Names should match what you see in the Catalog when you check one of the provisioned products. I cannot find an example ATM, but will paste it here if I can dig it out :)
You see them if you go in Service Catalog to Administration -> Product list -> AWS Control Tower Account Factory -> click one of the "Product Versions" and check what it says in the Template tab.
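The approach the comments above describe (provisioning the "AWS Control Tower Account Factory" product and matching the parameter keys to the product's Template tab), written out as an added example. This is not code from the thread, the AWS provider, or the idealo provider. It assumes the product ID is known (the data source cannot search by name, which is the point raised earlier), that the template's parameter keys are AccountEmail, AccountName, ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName and SSOUserLastName, and that the product returns an "AccountId" output; confirm all three against the Template tab before applying.

```hcl
# Added example, not code from the thread or any provider: launch a new
# Control Tower-enrolled account by provisioning the Service Catalog product
# "AWS Control Tower Account Factory" from the management account.
# Assumptions (verify against the product's Template tab as described above):
#   - the product ID is supplied, since the data source cannot search by name
#   - the template's parameter keys are AccountEmail, AccountName,
#     ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName, SSOUserLastName
#   - the product exposes an "AccountId" output

variable "account_factory_product_id" {
  description = "ID (prod-...) of the AWS Control Tower Account Factory product"
  type        = string
}

# Every version ("provisioning artifact") of the product, so the active one can
# be selected instead of hard-coding an artifact ID.
data "aws_servicecatalog_provisioning_artifacts" "account_factory" {
  product_id = var.account_factory_product_id
}

locals {
  active_artifact_ids = [
    for a in data.aws_servicecatalog_provisioning_artifacts.account_factory.provisioning_artifact_details :
    a.id if a.active
  ]

  # Parameter keys must match the template exactly. AccountEmail becomes the
  # new account's root-user email, so use a mailbox the platform team controls.
  account_parameters = {
    AccountEmail              = "aws+workload-dev@example.com"
    AccountName               = "workload-dev"
    ManagedOrganizationalUnit = "Workloads" # nested OUs are written "Name (ou-xxxx-xxxxxxxx)"
    SSOUserEmail              = "cloud-admins@example.com"
    SSOUserFirstName          = "Cloud"
    SSOUserLastName           = "Admins"
  }
}

resource "aws_servicecatalog_provisioned_product" "workload_dev" {
  # Shown under Service Catalog > Provisioning > Provisioned products.
  name                     = "workload-dev"
  product_id               = var.account_factory_product_id
  provisioning_artifact_id = local.active_artifact_ids[0]

  dynamic "provisioning_parameters" {
    for_each = local.account_parameters
    content {
      key   = provisioning_parameters.key
      value = provisioning_parameters.value
    }
  }

  # Account creation plus enrollment routinely exceeds the resource's default
  # 30-minute create timeout.
  timeouts {
    create = "60m"
    update = "60m"
  }
}

output "workload_dev_account_id" {
  # Assumption: Account Factory returns the new account's ID as the "AccountId" output.
  value = one([
    for o in aws_servicecatalog_provisioned_product.workload_dev.outputs : o.value
    if o.key == "AccountId"
  ])
}
```

Two things to keep in mind when running this: the principal applying the configuration must be granted access to the Control Tower portfolio in the management account (a plain AdministratorAccess role in the management account is not enough on its own), and because Account Factory does not process account requests concurrently, as an earlier comment notes, creating several accounts in one apply needs either `depends_on` chains between the resources or `terraform apply -parallelism=1`. When Control Tower publishes a new product version, `local.active_artifact_ids[0]` changes and the next plan will show an update to the provisioned product; review that plan rather than applying it blindly.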
One interesting thing that I noticed a while ago was that
One topic related to AWS account creation with Control Tower is Control Tower's Blueprints. It seems to be an overly complicated process, in the sense that if I have a Control Tower account, a Blueprint account and a Target account and want to apply a Control Tower Blueprint, what happens is that
There might be some more steps that happen behind the scenes, since AWS Control Tower is the thing that orchestrates this whole show, but once it has been done, it shows up as a Provisioned Product in the Target account's Service Catalog. I really wish that AWS would give us a decent API, because right now Control Tower feels like a second-class service in the big picture, which might be perfectly fine for ClickOps, but it is really frustrating if an organisation wants to move from ClickOps to infrastructure as code (IaC).
Just to add to the latest comment, I agree the API implementation is not quite feature complete for CT, but there are also a few other options to manage CT via IaC:
Currently I think LZA would give you the best experience and doesn't stop you from using TF later on.
Description
When utilizing Control Tower, new accounts need to be created via Control Tower or promoted from an unregistered OU to a registered OU (as described here).
This is not currently possible via this TF AWS provider.
Here is a provider that does allow creation of new accounts via control tower:
https://registry.terraform.io/providers/idealo/controltower/latest/docs/resources/aws_account
New or Affected Resource(s)
Potential Terraform Configuration
References
Didn't find any...