AWS Control Tower Account Factory for HashiCorp Terraform (AFT), the evolution of Terraform Landing Zones, offers an easy way to set up and govern a secure, multi-account AWS environment.
HashiCorp Terraform lets practitioners provision Amazon Web Services (AWS) infrastructure in minutes. But many enterprises also want to maintain multiple AWS accounts to create a strong isolation barrier between workloads, each with its own security, access controls, and auditability. The AWS Control Tower team and HashiCorp have been working on a new way to accommodate these needs, and today we are pleased to support AWS as it announces the launch of AWS Control Tower Account Factory for HashiCorp Terraform (AFT).
AWS Control Tower provides an easy way to set up and govern secure, multi-account AWS environments, often referred to as landing zones. AWS Control Tower AFT is a Terraform pipeline to provision and customize your AWS Control Tower-governed accounts. AFT adds Terraform-based provisioning and management as an option for AWS Control Tower’s multi-account provisioning, so infrastructure engineers can move faster with a tool they already know.
This solution is the evolution of AWS Terraform Landing Zones (TLZs) and couples the governance of an AWS-managed service with a Terraform-based account provisioning pipeline.
AWS Control Tower AFT allows for centralized AWS account vending with security, compliance controls, and consistent operating procedures baked in from the point of account creation. Account Factory for Terraform includes best practices such as centralized audit and logging, programmatic security configuration, and account isolation with controls for shared services.
AWS and HashiCorp customers can customize AWS Control Tower AFT to meet their organization’s standard procedures and guidelines. AFT customization can include additional guardrails, network configurations, roles and permissions, and more. You can configure the pipeline to use your own custom Terraform modules, or choose from pre-published Terraform modules for common products and configurations. Using public or private Terraform modules, customers can target the customization to specific accounts or globally across their organizations.
AFT includes feature options owned and supported by AWS and built to AWS’ prescriptive guidance, such as AWS CloudTrail data events for Amazon S3, automated enterprise support enrollment, and deletion of default VPCs in all regions.
AWS Control Tower AFT works with Terraform open source, Terraform Cloud, and Terraform Enterprise. Organizations can use vended accounts from AWS Control Tower combined with governance, policy as code, and self-service infrastructure capabilities within Terraform Cloud or Terraform Enterprise.
The compliance and management functionality found in Terraform Cloud and Terraform Enterprise is complementary to AWS Control Tower’s governance applied via service control policies and AWS Config. HashiCorp Terraform Cloud and Enterprise empower self-service infrastructure by managing state, variables, workspaces, and approved Terraform modules. HashiCorp Sentinel’s embeddable policy as code framework provides the additional capability to create and enforce policy during each Terraform workflow.
Control Tower Account Factory for Terraform makes it easier for customers to efficiently provision vetted, secured, and standardized infrastructure and achieve consistent governance and compliance requirements across all AWS accounts.
You can get started with AWS Control Tower AFT today by following the HashiCorp Learn tutorial: Provision AWS Accounts Using Account Factory for Terraform. In addition, the AWS Control Tower User Guide now includes AFT. For more information, read the AWS blog.
If your enterprise is new to Terraform and would like to take advantage of AWS Control Tower AFT as well as the variety of enterprise features in HashiCorp Terraform Cloud and Terraform Enterprise, please contact our sales team.
We would love to hear your feedback about AWS Control Tower Account Factory for HashiCorp Terraform; please share your comments on the HashiCorp Discuss Forum. For issues and feature requests, please visit the AFT GitHub repository.