Can I use Control Tower to automatically deploy infrastructure *other* than VPC

0

I understand that Control Tower Account Factory can automatically stamp out VPCs with all the fixin's for each provisioned account

I ALSO understand I can use Service Catalog with Control Tower to give users of these provisioned accounts the ability to deploy additional infrastructure such as application stacks

BUT, can I somehow configure Control Tower to deploy said additional infrastructure (such as application stacks) for me at the time I provision the account?

AWS
Asked 4 years ago · 793 views
1 answer
2
Accepted answer

Here are the common approaches I've taken with customers; each has its pros and cons, and it's really more about what the customer's preferred method is:

  1. Use Service-Managed StackSets that are tied to an OU: this allows for a more managed approach where CloudFormation will trap events from Organizations and deploy and/or remove stacks from accounts. That means that once you create an account via Control Tower, these Stacks will be automatically provisioned.
  • This is done using Service-Managed Permissions. You can control the behavior, but when an account is added to an OU (created or moved) CloudFormation will automatically create a Stack Instance. You can control whether you want these to be retained if an account is removed.
  2. Use Lifecycle Events to trigger off <something>. These are most commonly Lambdas that implement the logic (e.g. deploy a CloudFormation template or add Stack Instances), but also sending SNS notifications that'll be trapped by your preferred provisioner (say Terraform). This gives greater flexibility but requires more management/responsibility from the customer.
  3. (Somewhat related to #2) Define Service Catalog Portfolios per OU or type and have both shared Products available to accounts and also some provisioned into accounts. This allows for a combination of control and management.
  • I have done this using the Lifecycle Events and a (fairly) short Lambda that checks for a Portfolio matching the OU name; if found, it leverages the AWSControlTowerExecution Role to assume and provision into the target accounts. You may want to consider a different matching and/or clean up too.

Customizations for Control Tower is an implementation of #2 and (IMHO) fits well for customers that have used the AWS Landing Zone solution previously or are familiar with it.

P.S. Control Tower "on its own" doesn't go into the deployment side.

AWS
Expert
Raphael
Answered 4 years ago
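One concrete form of approach #2 from the answer above, as an added example that is not code from the answer or from AWS: a Lambda handler that parses the Control Tower CreateManagedAccount lifecycle event and adds the new account as a stack instance of a self-managed StackSet (assumed name `baseline-app-stack`, deploying through the AWSControlTowerExecution role the answer mentions). The sample event is constructed in the shape of the documented lifecycle event; the Lambda's own role then only needs permission to create stack instances on that one StackSet rather than broad cross-account access.

```python
# Assumed names: the self-managed StackSet (execution role AWSControlTowerExecution)
# and the regions you want stamped into every new account.
STACK_SET_NAME = "baseline-app-stack"
TARGET_REGIONS = ["us-east-1"]

# Constructed sample, shaped like the Control Tower CreateManagedAccount lifecycle event.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "organizationalUnit": {"organizationalUnitName": "Workloads"},
            "account": {"accountName": "app-dev", "accountId": "111122223333"},
            "state": "SUCCEEDED",
        }},
    },
}

def parse_lifecycle_event(event):
    """Return (account_id, ou_name) for a SUCCEEDED CreateManagedAccount event, else None.
    Source, event name and state are all checked so a stray event on the same bus or a
    failed account creation never triggers a deployment."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status["account"]["accountId"], status["organizationalUnit"]["organizationalUnitName"]

def build_stack_instance_request(account_id):
    """Kwargs for cloudformation.create_stack_instances, kept separate so it is testable offline.
    Only the single new account is targeted; the StackSet's execution role does the
    in-account work, so the Lambda never assumes a role in the target account itself."""
    return {
        "StackSetName": STACK_SET_NAME,
        "Accounts": [account_id],
        "Regions": TARGET_REGIONS,
    }

def handler(event, context=None):
    """Lambda entry point; boto3 is imported lazily so the logic above runs without AWS."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"action": "ignored"}
    account_id, ou_name = parsed
    import boto3
    resp = boto3.client("cloudformation").create_stack_instances(**build_stack_instance_request(account_id))
    return {"action": "deployed", "account": account_id, "ou": ou_name, "operationId": resp["OperationId"]}
```

Wire the function to an EventBridge rule in the management account matching `source: aws.controltower` and `detail.eventName: CreateManagedAccount`; the `ou_name` returned by the parser is what a portfolio-per-OU lookup (approach #3) would key on.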
