terraform-aws-arc-control-tower-aft¶
Module:
sourcefuse/arc-control-tower-aft/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-control-tower-aft/aws
Category: Governance / Landing Zone
Source: https://github.com/sourcefuse/terraform-aws-arc-control-tower-aft
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶

Deploys AWS Control Tower Account Factory for Terraform (AFT) to automate account provisioning and customization across a multi-account AWS organization.
What It Does¶
- AFT pipeline for automated account vending
- Account customization via Git repositories
- Global and per-account customization hooks
- CloudTrail data events and default VPC deletion
- Configurable Terraform distribution (OSS, TFC, TFE)
- Multi-region Terraform state backend
For more information about this repository and its usage, please see Terraform AWS CONTROL TOWER Usage Guide.
Quickstart¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
account_ids |
object |
Account IDs for AFT, audit, management, and log archive |
aft_vpc_cidr |
string |
CIDR block for the AFT VPC |
control_tower_home_region |
string |
Region where Control Tower is deployed |
terraform_backend_secondary_region |
string |
Secondary region for state replication |
| ## Key Outputs |
| Name | Description |
|---|---|
account_ids |
Map of account IDs |
aft_vpc_cidr |
AFT VPC CIDR |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | ~> 4.0 |
Providers¶
No providers.
Modules¶
| Name | Source | Version |
|---|---|---|
| aft | git::https://github.com/aws-ia/terraform-aws-control_tower_account_factory | 1.8.0 |
Resources¶
No resources.
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_customizations_repo | Information on the git repo for managing the account customizations. For non-CodeCommit repos, name should be in the format of org/repo. | object({ |
{ |
no |
| account_ids | IDs to the accounts used for deploying the respective resources into | object({ |
n/a | yes |
| account_provisioning_customizations_repo | Information on the git repo for provisioning the account customizations. For non-CodeCommit repos, name should be in the format of org/repo. | object({ |
{ |
no |
| account_request_repo | Information on the git repo for account requests. For non-CodeCommit repos, name should be in the format of org/repo. | object({ |
{ |
no |
| aft_feature_cloudtrail_data_events | Feature flag toggling CloudTrail data events on/off | bool |
true |
no |
| aft_feature_delete_default_vpcs_enabled | Feature flag toggling deletion of default VPCs on/off | bool |
true |
no |
| aft_feature_enterprise_support | Feature flag toggling Enterprise Support enrollment on/off | bool |
false |
no |
| aft_max_subnets | Maximum number of subnets to create based off the provided VPC CIDR | string |
"4" |
no |
| aft_metrics_reporting | Flag toggling reporting of operational metrics | bool |
true |
no |
| aft_vpc_cidr | CIDR Block to allocate to the AFT VPC | string |
n/a | yes |
| aft_vpc_endpoints | Flag turning VPC endpoints on/off for AFT VPC | bool |
true |
no |
| cloudwatch_log_group_retention | Amount of days to keep CloudWatch Log Groups for Lambda functions. 0 = Never Expire | string |
"0" |
no |
| control_tower_home_region | The region from which this module will be executed. This MUST be the same region as Control Tower is deployed. | string |
n/a | yes |
| github_enterprise_url | GitHub enterprise URL, if GitHub Enterprise is being used | string |
"null" |
no |
| global_codebuild_timeout | Codebuild build timeout | number |
60 |
no |
| global_customizations_repo | Information on the git repo for global customizations. For non-CodeCommit repos, name should be in the format of org/repo. | object({ |
{ |
no |
| maximum_concurrent_customizations | Maximum number of customizations/pipelines to run at once | number |
5 |
no |
| terraform_api_endpoint | API Endpoint for Terraform. Must be in the format of https://xxx.xxx. | string |
"https://app.terraform.io/api/v2/" |
no |
| terraform_backend_secondary_region | AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. | string |
n/a | yes |
| terraform_distribution | Terraform distribution being used for AFT - valid values are oss, tfc, or tfe | string |
"oss" |
no |
| terraform_org_name | Organization name for Terraform Cloud or Enterprise | string |
"null" |
no |
| terraform_token | Terraform token for Cloud or Enterprise | string |
"null" |
no |
| terraform_version | Terraform version being used for AFT | string |
"1.3.6" |
no |
| vcs_provider | Customer VCS Provider - valid inputs are codecommit, bitbucket, github, or githubenterprise | string |
"github" |
no |
Outputs¶
| Name | Description |
|---|---|
| account_customizations_repo_branch | VCS Account customizations repo branch |
| account_customizations_repo_name | VCS Account customizations repo name |
| account_ids | Map of account IDs for each account created. |
| account_provisioning_customizations_repo_branch | VCS Account provisioning customizations repo branch |
| account_provisioning_customizations_repo_name | VCS Account provisioning customizations repo name |
| account_request_repo_branch | VCS Account request repo branch. |
| account_request_repo_name | VCS Account request repo name. |
| aft_feature_cloudtrail_data_events | AFT feature "CloudTrail data events". |
| aft_feature_delete_default_vpcs_enabled | AFT feature "delete default vpcs enabled". |
| aft_vpc_cidr | AFT VPC assigned cidr. |
| aft_vpc_private_subnet_cidrs | AFT VPC private subnet 01 cidr. |
| aft_vpc_public_subnet_cidrs | AFT VPC private subnet 01 cidr. |
| global_customizations_repo_branch | Global customizations repo branch. |
| global_customizations_repo_name | Global customizations repo name. |
| terraform_version | Terraform version used for this configuration. |
| tf_backend_secondary_region | Terraform backend secondary region. |
| vcs_provider | VCS Provider where the repos are configure for the different accounts. |
Versioning¶
This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.
When you intend to commit to main, you will need to increment this version. Once the project is merged,
the pipeline will kick off and tag the latest git commit.
Development¶
Prerequisites¶
Configurations¶
- Configure pre-commit hooks
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse ARC Team