Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Manage AWS accounts using Control Tower Account Factory with Terraform

0

Hi folks, for managing AWS Control Tower with Terraform, I'm following this documentation https://developer.hashicorp.com/terraform/tutorials/aws/aws-control-tower-aft However, I'm unsure which account's user credentials are needed to run this code: management account or the account created specifically for managing Control Tower with Terraform (AFT management account)? Also, will the resources created be located in the AFT management account?"

Topics
Management & GovernanceSecurity, Identity, & Compliance
Tags
AWS Account ManagementSecurity, Identity, & ComplianceAWS Control TowerTerraform
Language
English
asked 2 years ago570 views
1 Answer
2
Accepted Answer

Hi Tatev,

Please go through the below steps i hope it will helps you to resolve your issue.

Setup Terraform Using Management Account Credentials:

  • Ensure you have the AWS CLI configured with the credentials of the AWS Control Tower management account.
  • Initialize your Terraform project and apply the configuration using these credentials.

Example configuration for the AWS CLI:

aws configure

Provide the Access Key ID, Secret Access Key, and default region for the management account.

Configure AFT Management Account:

  • As part of the Terraform configuration, you will set up the AFT management account.
  • This account will be used to manage the lifecycle of accounts and resources created within the Control Tower environment.

Terraform Execution:

  • Run Terraform commands (e.g., terraform init, terraform plan, terraform apply) using the management account credentials initially.
  • This ensures that the necessary IAM roles, policies, and Control Tower configurations are properly established.

Resource Locations:

  • Resources will be created in the specific AWS accounts as defined by your Terraform scripts.
  • If the Terraform code specifies that certain resources should be in the AFT management account, those resources will be created there.
  • Other resources will be created in their respective organizational units and accounts as configured.
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
EXPERT
reviewed 2 years ago
EXPERT
reviewed 2 years ago
  • Tatev
    2 years ago

    Thank you for your answer. I didn't change anything in the 4 repositories I need to fork, and I followed the documentation for deploying the module from github.com/aws-ia/terraform-aws-control_tower_account_factory. I see that it will create 300+ resources. The problem is that I have workloads in my management account. Can these resources affect or delete any resources in my workflow?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content