Can I use Control Tower to automatically deploy infrastructure *other* than VPC

0

I understand that Control Tower Account Factory can automatically stamp out VPCs with all the fixin's for each provisioned account

I ALSO understand I can use Service Catalog with Control Tower to give users of these provisioned accounts the ability to deploy additional infrastructure such as application stacks

BUT, can I somehow configure Control Tower to deploy said additional infrastructure (such as application stacks) for me at the time I provision the account?

AWS
Asked 4 years ago, 793 views
1 answer
2
Accepted answer

Here are the common approaches I've taken with customers; each has its pros and cons and it's really more about what the customer's preferred method is:

  1. Use Service-Managed StackSets that are tied to OU: this allows for a more managed approach where CloudFormation will trap events from Organizations and deploy and/or remove stacks from accounts. That means that once you create an account via Control Tower, these Stacks will be automatically provisioned.
  • This is done using Service-Managed Permissions; you can control the behavior, but when an account is added to an OU (created or moved) CloudFormation will automatically create a Stack Instance. You can control whether you want these to be retained if an account is removed.
  2. Use Lifecycle Events to trigger off <something>; these are most commonly Lambdas that implement the logic (e.g. deploy a CloudFormation template or add Stack Instances), but also sending SNS notifications that'll be trapped by your preferred provisioner (say Terraform). This gives greater flexibility but requires more management/responsibility from the customer.
  3. (Somewhat related to #2) Define Service Catalog Portfolios per OU or type and have both shared Products available to accounts but also some provisioned into accounts. This allows for a combination of control and management.
  • I have done this using the Lifecycle Events and a (fairly) short Lambda that checks for a Portfolio matching the OU name; if found, it leverages the AWSControlTowerExecution Role to assume and provision into the target accounts. You may want to consider a different matching and/or clean up too.

Customizations for Control Tower is an implementation of #2 and (IMHO) fits well for customers that have used the AWS Landing Zone solution previously or are familiar with it.

P.S. Control Tower "on its own" doesn't go into the deployment side.

AWS
Expert
Raphael
Answered 4 years ago
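Added example (not part of the answer above, and not code from Control Tower or AWS): a worked version of approaches #1 and #2 in the accepted answer. `stackset_kwargs()` builds the boto3 arguments for a service-managed StackSet with auto-deployment tied to an OU, with the retain-on-removal switch the answer mentions. `handler()` is a Lambda entry point for the `CreateManagedAccount` lifecycle event (delivered through EventBridge as an `aws.controltower` CloudTrail service event) that adds stack instances for the new account to every StackSet mapped to its OU. The OU-to-StackSet mapping, StackSet names, region, and the account IDs in the sample event are assumptions; the StackSets are assumed to be self-managed ones the Lambda's account administers (as Customizations for Control Tower does via AWSControlTowerStackSetRole / AWSControlTowerExecution). The client is injected and a recording stand-in is included so the logic runs offline; `boto3` is only imported when no client is passed in.

```python
"""Control Tower lifecycle-event handler: added illustration, not AWS code."""
import re

# Assumed mapping from Control Tower OU name to the (hypothetical) StackSets
# that every account in that OU should receive.
OU_BASELINES = {
    "Sandbox": ["sandbox-app-baseline"],
    "Workloads": ["workload-vpc-endpoints", "workload-app-stack"],
}
REGIONS = ["us-east-1"]  # assumed target region(s)
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def stackset_kwargs(name, template_url, ou_ids, retain_on_removal=False):
    """Approach #1: kwargs for cloudformation.create_stack_set() and
    create_stack_instances() so CloudFormation itself deploys when an account
    is created in or moved into the OU, and deletes (or retains) the stack
    when the account leaves."""
    create = {
        "StackSetName": name,
        "TemplateURL": template_url,
        "PermissionModel": "SERVICE_MANAGED",
        "AutoDeployment": {"Enabled": True,
                           "RetainStacksOnAccountRemoval": retain_on_removal},
        "CallAs": "SELF",  # or DELEGATED_ADMIN from a delegated account
    }
    instances = {
        "StackSetName": name,
        "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)},
        "Regions": list(REGIONS),
    }
    return create, instances


def make_event(account_id, ou_name, state="SUCCEEDED"):
    """Constructed CreateManagedAccount lifecycle event, shaped like the real
    EventBridge payload (only the fields the handler reads are filled in)."""
    return {
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {
                "createManagedAccountStatus": {
                    "state": state,
                    "account": {"accountName": "demo", "accountId": account_id},
                    "organizationalUnit": {"organizationalUnitName": ou_name,
                                           "organizationalUnitId": "ou-abcd-12345678"},
                }
            },
        },
    }


def parse_lifecycle_event(event):
    """Return (account_id, ou_name) for a *successful* CreateManagedAccount
    event, else None. FAILED events and other sources must not deploy."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = status.get("account", {}).get("accountId", "")
    ou_name = status.get("organizationalUnit", {}).get("organizationalUnitName", "")
    if not ACCOUNT_ID_RE.match(account_id) or not ou_name:
        return None  # never build deployment targets from malformed input
    return account_id, ou_name


class RecordingClient:
    """Offline stand-in for boto3's CloudFormation client; records calls."""
    def __init__(self):
        self.calls = []

    def create_stack_instances(self, **kwargs):
        self.calls.append(kwargs)
        return {"OperationId": "op-%d" % len(self.calls)}


def handler(event, context=None, cfn=None):
    """Approach #2: Lambda entry point. Adds a stack instance for the new
    account to each StackSet mapped to its OU. `cfn` is an injected
    CloudFormation client; in Lambda it defaults to boto3."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"skipped": True}
    account_id, ou_name = parsed
    if cfn is None:
        import boto3  # lazy: only needed when actually running in AWS
        cfn = boto3.client("cloudformation")
    ops = []
    for name in OU_BASELINES.get(ou_name, []):
        resp = cfn.create_stack_instances(
            StackSetName=name,
            DeploymentTargets={"Accounts": [account_id]},
            Regions=list(REGIONS),
            OperationPreferences={"FailureToleranceCount": 0, "MaxConcurrentCount": 1},
        )
        ops.append((name, resp.get("OperationId")))
    return {"skipped": False, "account": account_id, "ou": ou_name, "operations": ops}


SAMPLE_EVENT = make_event("111122223333", "Workloads")  # constructed sample input
```

The Lambda's own execution role only needs `cloudformation:CreateStackInstances` on the named StackSets; the per-account work is done by the StackSet execution role, which keeps the event handler itself from needing cross-account credentials. Wire it to an EventBridge rule matching `source: aws.controltower` and `detail.eventName: CreateManagedAccount`.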
