Can I use Control Tower to automatically deploy infrastructure *other* than VPC


I understand that Control Tower Account Factory can automatically stamp out VPCs with all the fixin's for each provisioned account

I ALSO understand I can use Service Catalog with Control Tower to give users of these provisioned accounts the ability to deploy additional infrastructure such as application stacks

BUT, can I somehow configure Control Tower to deploy said additional infrastructure (such as application stacks) for me at the time I provision the account?

profile picture
asked 2 years ago168 views
1 Answer
Accepted Answer

Here are the common approaches I've taken with customers, each has their pros and cons and it's really more about what the customer's preferred method is:

  1. Use Service-Managed StackSets that are tied to OU: this allows for a more managed approach where CloudFormation will trap events from Organizations and deploy and/or remove stack from accounts. That means, that once you create an account via Control Tower, these Stacks will be automatically provisioned.
  • This is done using Service-Managed Permissions, you can control the behavior but when an account is added to an OU (created or moved) CloudFormation will automatically create a Stack Instance. You can control if you want these to be retained if an account is removed.
  1. Use Lifecycle Events to trigger off <something>, these are most commonly Lambdas that implement the logic (e.g. deploy CloudFormation template or add Stack Instances), but also sending an SNS notifications that'll be trapped by your preferred provisioner (say Terraform). This gives greater flexibility but requires more management/responsibility from the customer.
  2. (Somewhat related to #2) Defined Service Catalog Portfolios per OU or type and have both shared Products available to accounts but also some provisioned into accounts. This allows for a combination of control and management.
  • I have done this using the Lifecycle Events and a (fairly) short Lambda that checks for a Portfolio matching the OU name, if found - it leverages the AWSControlTowerExecution Role to assume and provision into the target accounts. You may want to consider a different matching and/or clean up too.

Customizations for Control Tower is an implementation of #2 and (IMHO) fits well for customers that have used the AWS Landing Zone solution previously or are familiar with it.

P.S. Control Tower "on it's own" doesn't go into the deployment side.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions