Yes, it is possible to use AWS Control Tower Account Factory for Terraform (AFT) customization to assign AWS IAM Identity Center users and groups to newly-created AWS member accounts. While AFT itself focuses on account provisioning and resource customization, you can integrate IAM Identity Center assignments into your AFT workflow. There are several implementation approaches, such as using AFT customization pipelines, leveraging IAM Identity Center APIs with AFT customization scripts, or using Terraform for Permission Set Management. The most concise approach according to your situation might be using AFT customization pipelines: AFT supports account-specific customization through its customization repositories, where you can add Terraform code to manage IAM Identity Center permission set assignments.
You can create Terraform resources that:
- Define permission sets
- Assign users and groups to the newly created accounts
- Map specific permission sets to accounts
There are two blogs that might help you with detailed implementation steps:
- Blog 1: https://aws.amazon.com/blogs/mt/deploy-and-customize-aws-accounts-using-account-factory-for-terraform-in-aws-control-tower/
- Blog 2: https://aws.amazon.com/blogs/mt/manage-your-aws-multi-account-environment-with-account-factory-for-terraform-aft/
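The pattern the answer describes, as an added example that is not part of the original post: Terraform placed in an AFT account-customization repository that creates a read-only permission set and assigns an IAM Identity Center group to the account being provisioned. It assumes a provider alias `mgmt` (the role ARN is a placeholder) that can administer Identity Center from the management or delegated-administrator account, and an existing group named "CloudReadOnly".

```hcl
# Added example, not from the post. Assumes a group named "CloudReadOnly" exists in
# the identity store; the management-account role ARN below is a placeholder.
data "aws_caller_identity" "target" {} # AFT runs this in the new member account
provider "aws" {
  alias = "mgmt" # Identity Center lives in the management / delegated-admin account
  assume_role { role_arn = "arn:aws:iam::111111111111:role/EXAMPLE-IdentityCenterAdmin" }
}
data "aws_ssoadmin_instances" "this" {
  provider = aws.mgmt
}
locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}
# Look up the group by display name rather than hard-coding its ID
data "aws_identitystore_group" "readonly" {
  provider          = aws.mgmt
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "CloudReadOnly"
    }
  }
}
resource "aws_ssoadmin_permission_set" "readonly" {
  provider         = aws.mgmt
  name             = "ReadOnlyAccess"
  instance_arn     = local.instance_arn
  session_duration = "PT4H" # short sessions limit the lifetime of a leaked token
}

resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  provider           = aws.mgmt
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The assignment binds group + permission set to the account AFT just created
resource "aws_ssoadmin_account_assignment" "readonly" {
  provider           = aws.mgmt
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.readonly.group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = data.aws_caller_identity.target.account_id
}
```

The `mgmt` role should trust only the AFT execution role and be limited to the `sso` and `identitystore` actions these resources need, since it is the one credential in the pipeline that can change access across the organization.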
