Using Terraform with AWS Control Tower via AFT

Get a practical introductory guide to the AWS Control Tower Account Factory for Terraform (AFT) and how it can bring GitOps automation to a multi-account AWS architecture.

Background on AWS Control Tower

Initially, the multi-account vending system for AWS was called Landing Zones. Eventually Landing Zones was rebranded and restructured as AWS Control Tower. It's an opinionated way of provisioning your AWS accounts, bundled with management tooling such as dashboards.

There are no public API endpoints for AWS Control Tower, so the only ways to automate provisioning are:

  • Manual provisioning (ClickOps)

  • Customizations for AWS Control Tower (CfCT), which uses CloudFormation

  • Target the underlying AWS services that do have a Terraform provider, or use a provider such as idealo/controltower that does that for you

  • AWS Control Tower Account Factory for Terraform (AFT)

Using AFT

This code and architecture example walkthrough from The Scale Factory's Marko Bevc is a great consultancy-perspective introduction to AFT and the advantages it has:

  • Using HCLv2

  • GitOps driven workflow

  • Fully within both the AWS and Terraform ecosystems, with support from both

  • Security built in and aligned with AWS Well-Architected Framework practices
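To make the GitOps workflow concrete, here is an added example (not code from the article or from The Scale Factory) of what a single account request looks like in the AFT account-request repository: one HCL module call per account, committed to Git, which the AFT pipeline picks up to vend the account into the chosen Control Tower OU. All email addresses, names, OU and tag values below are constructed placeholders; the `./modules/aft-account-request` module source is the one AFT ships in that repository.

```hcl
# Added example: one AFT account request, expressed as Terraform.
# Committing this file to the aft-account-request repo triggers the AFT
# pipeline, which vends the account and places it in the named OU, so the
# OU's Control Tower guardrails apply from day one.
module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  # Parameters passed to Control Tower's Account Factory.
  # ManagedOrganizationalUnit decides which preventive/detective controls
  # the account inherits, so it is the most security-relevant field here.
  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-01@example.com" # placeholder
    AccountName               = "sandbox-01"                 # placeholder
    ManagedOrganizationalUnit = "Sandbox"                    # placeholder OU
    SSOUserEmail              = "platform-team@example.com"  # placeholder
    SSOUserFirstName          = "Platform"                   # placeholder
    SSOUserLastName           = "Team"                       # placeholder
  }

  # Tags applied to the new account; useful for cost allocation and for
  # scoping SCPs or detection rules by environment.
  account_tags = {
    "example:environment" = "sandbox"   # placeholder tag
    "example:owner"       = "platform"  # placeholder tag
  }

  # Recorded in the AFT request metadata for auditability of who asked for
  # the account and why; keep this traceable to a ticket or change record.
  change_management_parameters = {
    change_requested_by = "platform-team"               # placeholder
    change_reason       = "new sandbox for team onboarding" # placeholder
  }

  # Free-form key/value pairs exposed to the account customization stages,
  # e.g. to select a baseline or log-sink configuration per account type.
  custom_fields = {
    account_type = "sandbox"
  }

  # Name of the account-specific customization (a directory in the
  # aft-account-customizations repo) to run after the account is vended.
  account_customizations_name = "sandbox-baseline" # placeholder
}
```

Because every account is a reviewed commit rather than a console action, the Git history doubles as the audit trail for account creation and OU placement.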
