Skip to content

terraform-aws-arc-control-tower-aft

Module: sourcefuse/arc-control-tower-aft/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-control-tower-aft/aws

Category: Governance / Landing Zone

Source: https://github.com/sourcefuse/terraform-aws-arc-control-tower-aft

Latest Release Last Updated Terraform GitHub Actions

Overview

Module Banner

Deploys AWS Control Tower Account Factory for Terraform (AFT) to automate account provisioning and customization across a multi-account AWS organization.

What It Does

  • AFT pipeline for automated account vending
  • Account customization via Git repositories
  • Global and per-account customization hooks
  • CloudTrail data events and default VPC deletion
  • Configurable Terraform distribution (OSS, TFC, TFE)
  • Multi-region Terraform state backend

For more information about this repository and its usage, please see Terraform AWS CONTROL TOWER Usage Guide.

Quickstart

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
################################################################################
## control tower
################################################################################
module "aft" {
  source  = "sourcefuse/arc-control-tower-aft/aws"
  version = "0.3.6"

  account_ids                        = var.account_ids
  aft_vpc_cidr                       = var.aft_vpc_cidr
  control_tower_home_region          = var.control_tower_home_region
  terraform_backend_secondary_region = var.terraform_backend_secondary_region

  account_customizations_repo              = var.account_customizations_repo
  account_provisioning_customizations_repo = var.account_provisioning_customizations_repo
  account_request_repo                     = var.account_request_repo
  global_customizations_repo               = var.global_customizations_repo
}

Required Inputs

Name Type Description
account_ids object Account IDs for AFT, audit, management, and log archive
aft_vpc_cidr string CIDR block for the AFT VPC
control_tower_home_region string Region where Control Tower is deployed
terraform_backend_secondary_region string Secondary region for state replication
## Key Outputs
Name Description
account_ids Map of account IDs
aft_vpc_cidr AFT VPC CIDR
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name Version
terraform >= 1.3
aws ~> 4.0

Providers

No providers.

Modules

Name Source Version
aft git::https://github.com/aws-ia/terraform-aws-control_tower_account_factory 1.8.0

Resources

No resources.

Inputs

Name Description Type Default Required
account_customizations_repo Information on the git repo for managing the account customizations. For non-CodeCommit repos, name should be in the format of org/repo. 
object({
    name   = string
    branch = string
  })
 
{
  "branch": "main",
  "name": "sourcefuse/terraform-aws-refarch-aft-account-customizations"
}
 no
account_ids IDs to the accounts used for deploying the respective resources into 
object({
    aft_management           = string
    audit                    = string
    control_tower_management = string
    log_archive              = string
  })
 n/a yes
account_provisioning_customizations_repo Information on the git repo for provisioning the account customizations. For non-CodeCommit repos, name should be in the format of org/repo. 
object({
    name   = string
    branch = string
  })
 
{
  "branch": "main",
  "name": "sourcefuse/terraform-aws-refarch-aft-account-provisioning-customizations"
}
 no
account_request_repo Information on the git repo for account requests. For non-CodeCommit repos, name should be in the format of org/repo. 
object({
    name   = string
    branch = string
  })
 
{
  "branch": "main",
  "name": "sourcefuse/terraform-aws-refarch-aft-account-request"
}
 no
aft_feature_cloudtrail_data_events Feature flag toggling CloudTrail data events on/off bool true no
aft_feature_delete_default_vpcs_enabled Feature flag toggling deletion of default VPCs on/off bool true no
aft_feature_enterprise_support Feature flag toggling Enterprise Support enrollment on/off bool false no
aft_max_subnets Maximum number of subnets to create based off the provided VPC CIDR string "4" no
aft_metrics_reporting Flag toggling reporting of operational metrics bool true no
aft_vpc_cidr CIDR Block to allocate to the AFT VPC string n/a yes
aft_vpc_endpoints Flag turning VPC endpoints on/off for AFT VPC bool true no
cloudwatch_log_group_retention Amount of days to keep CloudWatch Log Groups for Lambda functions. 0 = Never Expire string "0" no
control_tower_home_region The region from which this module will be executed. This MUST be the same region as Control Tower is deployed. string n/a yes
github_enterprise_url GitHub enterprise URL, if GitHub Enterprise is being used string "null" no
global_codebuild_timeout Codebuild build timeout number 60 no
global_customizations_repo Information on the git repo for global customizations. For non-CodeCommit repos, name should be in the format of org/repo. 
object({
    name   = string
    branch = string
  })
 
{
  "branch": "main",
  "name": "sourcefuse/terraform-aws-refarch-aft-global-customizations"
}
 no
maximum_concurrent_customizations Maximum number of customizations/pipelines to run at once number 5 no
terraform_api_endpoint API Endpoint for Terraform. Must be in the format of https://xxx.xxx. string "https://app.terraform.io/api/v2/" no
terraform_backend_secondary_region AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. string n/a yes
terraform_distribution Terraform distribution being used for AFT - valid values are oss, tfc, or tfe string "oss" no
terraform_org_name Organization name for Terraform Cloud or Enterprise string "null" no
terraform_token Terraform token for Cloud or Enterprise string "null" no
terraform_version Terraform version being used for AFT string "1.3.6" no
vcs_provider Customer VCS Provider - valid inputs are codecommit, bitbucket, github, or githubenterprise string "github" no

Outputs

Name Description
account_customizations_repo_branch VCS Account customizations repo branch
account_customizations_repo_name VCS Account customizations repo name
account_ids Map of account IDs for each account created.
account_provisioning_customizations_repo_branch VCS Account provisioning customizations repo branch
account_provisioning_customizations_repo_name VCS Account provisioning customizations repo name
account_request_repo_branch VCS Account request repo branch.
account_request_repo_name VCS Account request repo name.
aft_feature_cloudtrail_data_events AFT feature "CloudTrail data events".
aft_feature_delete_default_vpcs_enabled AFT feature "delete default vpcs enabled".
aft_vpc_cidr AFT VPC assigned cidr.
aft_vpc_private_subnet_cidrs AFT VPC private subnet 01 cidr.
aft_vpc_public_subnet_cidrs AFT VPC private subnet 01 cidr.
global_customizations_repo_branch Global customizations repo branch.
global_customizations_repo_name Global customizations repo name.
terraform_version Terraform version used for this configuration.
tf_backend_secondary_region Terraform backend secondary region.
vcs_provider VCS Provider where the repos are configure for the different accounts.

Versioning

This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks 
    1
    pre-commit install

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by: - SourceFuse ARC Team