AWS customers frequently need to review their foundation in order to improve their infrastructure and security processes. The process is usually split into two phases. The first is discovery and design: an assessment of the current state of the infrastructure (as-is), followed by a picture of the desired state (to-be). In this phase the topics of Account Structure, Networking, DNS, Security and Operations are analyzed, and the output is the set of architecture documents and patterns that will be used in the second phase, implementation.
During the implementation phase, everything decided in the first phase is built. Starting with the Account Structure, the key product is AWS Control Tower, which provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. Control Tower creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS's experience working with thousands of customers as they move to the cloud.
AWS also provides Customizations for AWS Control Tower (CFCT) to add customizations to your AWS Control Tower landing zone using AWS CloudFormation templates and service control policies (SCPs). However, the use of Terraform for these automations has grown considerably, which led to a new product: AWS Control Tower Account Factory for Terraform (AFT). In addition to delivering the same functionality as CFCT, AFT can launch accounts and supports a GitOps workflow. AFT does not change how the AWS Control Tower workflow performs: whether you provision an account through Account Factory, through AFT, or through both at the same time, the same back-end workflow runs (sequentially), with no timing difference. What AFT adds is automation, so the time required for provisioning is less noticeable.
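As an added example (not code from this repository or from AFT itself), this is what an AFT account request looks like: a Terraform module call committed to the aft-account-request repository, which the AFT pipeline picks up on push and hands to Control Tower's Account Factory. The account name, e-mail addresses, OU, tags, custom field and customization name are placeholders.

```hcl
# Added example, not the repository's own code. Written against the
# aft-account-request module that AFT ships; all values below are placeholders.
module "workload_prod_account" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    # Must be globally unique across AWS; use a mailbox your team controls.
    AccountEmail              = "aws-workload-prod@example.com"
    AccountName               = "workload-prod"
    # Name of an OU already registered with Control Tower.
    ManagedOrganizationalUnit = "Workloads"
    # IAM Identity Center user that receives initial access to the account.
    SSOUserEmail              = "platform-team@example.com"
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Team"
  }

  # Applied as Organizations tags on the account; usable in SCP and ABAC conditions.
  account_tags = {
    "Environment" = "prod"
    "Owner"       = "platform-team"
  }

  # Recorded with the request so the vending history explains who asked and why.
  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "Vend production workload account for EKS"
  }

  # Free-form key/value pairs that AFT publishes in the vended account as SSM
  # parameters under /aft/account-request/custom-fields/, for customizations to read.
  custom_fields = {
    "eks_cluster_name" = "workload-prod"
  }

  # Folder under the aft-account-customizations repository to run for this account.
  account_customizations_name = "eks-workload"
}
```

Because the request is a code change, who can vend accounts is governed by who can merge to this repository rather than by who holds Management-account credentials, so branch protection and review on the account-request repository are part of the landing zone's security boundary.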
Once the foundation is ready, customers need to create workloads in the accounts that have been launched. A common choice is an Amazon EKS cluster, because creating the cluster itself is relatively simple. Yet many resources must still be created inside the cluster: an ingress controller, DNS, networking, CI/CD, Cluster Autoscaler, Metrics Server, logging and others. This part of the deployment is known as "Day 2 operations", and EKS Blueprints makes it easy to provision a wide range of popular Kubernetes add-ons into an EKS cluster. Customers can use EKS Blueprints to configure and deploy purpose-built EKS clusters and start onboarding workloads in days rather than months.
- Administrator access in the AWS Management account.
- Familiarity with Terraform.
- Familiarity with CI/CD concepts and tools.
- Familiarity with Git.
- Familiarity with Kubernetes.
- Familiarity with YAML files.
First, ensure that you have installed the following tools locally.
- Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.
- A limit of 5 SCPs per OU applies to OUs in your AWS Control Tower landing zone.
- Existing OUs with over 300 accounts cannot be registered or re-registered in AWS Control Tower.
| Product | Version |
|---|---|
- ✅ A new EKS Cluster with a managed node group.
- ✅ Amazon EKS add-ons vpc-cni, CoreDNS, kube-proxy, and aws-ebs-csi-driver.
- ✅ Cluster Autoscaler and Metrics Server for scaling your workloads.
- ✅ Fluent Bit for routing logs.
- ✅ AWS Load Balancer Controller for distributing traffic.
- ✅ Argocd for declarative GitOps CD for Kubernetes.
- ✅ Prometheus for observability.
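The following is an added example, not code from this repository, of what the cluster and the add-on set listed above (and described in the EKS Blueprints paragraph earlier) look like when expressed with the EKS Blueprints add-ons module (aws-ia/eks-blueprints-addons) on top of the terraform-aws-modules/eks module. It assumes Terraform 1.3 or later, the module versions pinned below, an existing VPC with private subnets supplied as variables, and an AWS CLI on the PATH for cluster authentication; the cluster name, Kubernetes version and node sizes are placeholders.

```hcl
# Added example, not the repository's own code. Assumes an existing VPC and
# private subnets (passed in as variables) and the module versions pinned below.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }

locals {
  cluster_name = "workload-prod" # placeholder
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  cluster_name    = local.cluster_name
  cluster_version = "1.27" # placeholder; use a currently supported version
  vpc_id          = var.vpc_id
  subnet_ids      = var.private_subnet_ids

  # Keep the API server off the public internet; reach it from inside the VPC.
  # Enable public access only together with a CIDR allow-list.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # Control-plane logs to CloudWatch so API calls and auth decisions are auditable.
  cluster_enabled_log_types = ["api", "audit", "authenticator"]

  eks_managed_node_groups = {
    default = {
      instance_types = ["m5.large"]
      min_size       = 2
      max_size       = 6
      desired_size   = 2
    }
  }
}

# Dedicated IAM role for the EBS CSI controller via IRSA, instead of granting
# EBS permissions to every node through the node instance role.
module "ebs_csi_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0"

  role_name             = "${local.cluster_name}-ebs-csi"
  attach_ebs_csi_policy = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
    }
  }
}

module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.0"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  # Amazon EKS managed add-ons listed on this page.
  eks_addons = {
    vpc-cni    = { most_recent = true }
    coredns    = { most_recent = true }
    kube-proxy = { most_recent = true }
    aws-ebs-csi-driver = {
      most_recent              = true
      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
    }
  }

  # Helm-installed add-ons listed on this page. The module creates a scoped IRSA
  # role for each one that needs AWS API access (autoscaler, Fluent Bit, LB controller).
  enable_cluster_autoscaler           = true
  enable_metrics_server               = true
  enable_aws_for_fluentbit            = true
  enable_aws_load_balancer_controller = true
  enable_argocd                       = true
  enable_kube_prometheus_stack        = true
}

# Terraform authenticates to the cluster with a short-lived token from the AWS
# CLI instead of a long-lived credential stored in a kubeconfig.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

provider "helm" {
  kubernetes {
    host                   = module.eks.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
    }
  }
}
```

With the endpoint private, `terraform apply` has to run from inside the VPC, for example from the CodeBuild project that executes AFT account customizations, which is also what makes this a natural Day 2 step for an AFT-vended account. Before production use, pin each Helm-installed add-on to an explicit chart version through the per-add-on configuration map the module exposes, so a new chart release cannot change what runs in the cluster without a reviewed commit.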
- Add the Bitbucket + Terraform Enterprise example
- Add the CodeCommit + Terraform Open Source example
- Add the Bitbucket + Terraform Open Source example
- Add the GitHub + Terraform Open Source example
- Add the GitHub Enterprise + Terraform Cloud example
- Add Multiple Account Customizations
- Add Multiple Regions
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request