Manage AWS accounts using Control Tower Account Factory with Terraform


Hi folks, for managing AWS Control Tower with Terraform, I'm following this documentation. However, I'm unsure which account's user credentials are needed to run this code: the management account or the account created specifically for managing Control Tower with Terraform (the AFT management account)? Also, will the resources created be located in the AFT management account?

1 Answer

Hi Tatev,

Please go through the steps below; I hope they will help you resolve your issue.

Setup Terraform Using Management Account Credentials:

  • Ensure you have the AWS CLI configured with the credentials of the AWS Control Tower management account.
  • Initialize your Terraform project and apply the configuration using these credentials.

Example configuration for the AWS CLI:

aws configure

Provide the Access Key ID, Secret Access Key, and default region for the management account.

Configure AFT Management Account:

  • As part of the Terraform configuration, you will set up the AFT management account.
  • This account will be used to manage the lifecycle of accounts and resources created within the Control Tower environment.

Terraform Execution:

  • Run Terraform commands (e.g., terraform init, terraform plan, terraform apply) using the management account credentials initially.
  • This ensures that the necessary IAM roles, policies, and Control Tower configurations are properly established.

Resource Locations:

  • Resources will be created in the specific AWS accounts as defined by your Terraform scripts.
  • If the Terraform code specifies that certain resources should be in the AFT management account, those resources will be created there.
  • Other resources will be created in their respective organizational units and accounts as configured.
answered 5 days ago
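To make the credential question concrete, here is a minimal Terraform root module that wires the pieces together. It is an illustration added to this thread, not code from the answer above or from AWS; it assumes the AFT module's documented inputs, an AWS CLI profile named ct-management that holds the Control Tower management account's credentials, and placeholder account IDs.

```hcl
# Added example (not from the original thread): root module that deploys AFT.
# Assumptions: the CLI profile "ct-management" belongs to the Control Tower
# management account, and every account ID below is a placeholder.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Terraform itself runs as the management account. This is the set of
# credentials the answer above refers to; the region is the Control Tower
# home region.
provider "aws" {
  region  = "us-east-1"
  profile = "ct-management"
}

module "aft" {
  source = "aws-ia/control_tower_account_factory/aws"

  # The management account you run from, plus the three accounts AFT needs
  # to reference. The AFT management account is only identified here by ID;
  # it is not the account whose credentials Terraform runs with.
  ct_management_account_id  = "111111111111" # placeholder
  log_archive_account_id    = "222222222222" # placeholder
  audit_account_id          = "333333333333" # placeholder
  aft_management_account_id = "444444444444" # placeholder

  ct_home_region              = "us-east-1"
  tf_backend_secondary_region = "us-west-2"

  # Module defaults, stated explicitly so a reviewer can see what is enabled.
  vcs_provider           = "codecommit"
  terraform_distribution = "oss"
}
```

Run terraform init, plan and apply with the ct-management profile active; the resources the module places in the AFT management account are created there because the configuration names that account by ID, not because you authenticate as it.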

