provision-aws-account

This repository contains Terraform code for provisioning new AWS accounts via Control Tower.

Pre-requisites

  • Administrative access to an AWS account that can run Control Tower.

  • Terraform installed on your system.

  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).

  • An accessible AWS DynamoDB table to store the Terraform state lock (specified in backend.tf).

  • A Terraform variables file customized for your new AWS account(s), for example:

    accounts = [
      {
        account_email = "[email protected]"
        account_name = "Example Account 1"
        account_org_unit = "Sandbox"
        provisioned_product_name = "example-account-1"
        sso_email = "[email protected]"
        sso_first_name = "John"
        sso_last_name = "Doe"
      },
      {
        account_email = "[email protected]"
        account_name = "Example Account 2"
        account_org_unit = "Sandbox"
        provisioned_product_name = "example-account-2"
        sso_email = "[email protected]"
        sso_first_name = "John"
        sso_last_name = "Doe"
      }
    ]

Usage

  1. Create an AWS profile called provision-aws-account (if you haven't already done so) in your AWS configuration, using the "AWSAdministratorAccess" credentials (access key ID, secret access key, and session token) obtained from the AWS account where you want Control Tower to run:

    [provision-aws-account]
    aws_access_key_id = <MY_ACCESS_KEY_ID>
    aws_secret_access_key = <MY_SECRET_ACCESS_KEY>
    aws_session_token = <MY_SESSION_TOKEN>

  2. Create a Terraform workspace (if you haven't already done so) by running terraform workspace new <workspace_name>.

  3. Create a <workspace_name>.tfvars file with all of the required variables (see Inputs below for details).

  4. Run the command terraform init.

  5. Provision the new AWS account(s) by running the command:

    terraform apply -var-file=<workspace_name>.tfvars
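Step 5 creates real AWS accounts, and a duplicate root email or a misspelled Organizational Unit name is far cheaper to catch beforehand than to undo afterwards. The following pre-flight script is an added example, not code from the cisagov/provision-aws-account repository: it parses a .tfvars file of the flat shape shown under Pre-requisites, checks the seven documented fields, and exits non-zero when something is wrong. The allowed OU set (here just "Sandbox"), the naming convention enforced on provisioned_product_name, and the sample addresses are assumptions made for the example; whether sso_email already exists in AWS SSO cannot be verified offline and is not checked.

```python
"""Pre-flight check for a provision-aws-account .tfvars file (hypothetical helper)."""
import re
import sys

# Fields the README documents for each element of the `accounts` list.
REQUIRED_FIELDS = {
    "account_email", "account_name", "account_org_unit", "provisioned_product_name",
    "sso_email", "sso_first_name", "sso_last_name",
}
# Syntax-only email check; whether sso_email exists in AWS SSO cannot be verified offline.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed naming convention for provisioned product names (not taken from the README).
PRODUCT_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def parse_accounts(tfvars_text):
    """Return the account objects (dicts of str -> str) from `accounts = [ {...}, ... ]`."""
    # Only the flat README shape is handled: string attributes inside `{ }` blocks,
    # whole-line comments dropped, no nested blocks.
    lines = [l for l in tfvars_text.splitlines() if not l.lstrip().startswith(("#", "//"))]
    match = re.search(r"accounts\s*=\s*\[(.*)\]", "\n".join(lines), re.S)
    if match is None:
        raise ValueError("no `accounts = [ ... ]` assignment found")
    objects = []
    for body in re.findall(r"\{(.*?)\}", match.group(1), re.S):
        attrs = {}
        for key, value in re.findall(r'(\w+)\s*=\s*"([^"]*)"', body):
            if key in attrs:
                raise ValueError(f"attribute {key!r} assigned twice in one account object")
            attrs[key] = value
        objects.append(attrs)
    return objects


def validate_accounts(accounts, allowed_org_units):
    """Return a list of problem descriptions; an empty list means the input looks sane."""
    problems = []
    # Values that must be unique across the list, mapped to the account that used them first.
    seen = {"account_email": {}, "account_name": {}, "provisioned_product_name": {}}
    for idx, acct in enumerate(accounts, start=1):
        label = acct.get("account_name") or f"account #{idx}"
        for kind, fields in (("missing", REQUIRED_FIELDS - acct.keys()), ("unknown", acct.keys() - REQUIRED_FIELDS)):
            if fields:
                problems.append(f"{label}: {kind} fields {sorted(fields)}")
        for field in ("account_email", "sso_email"):
            value = acct.get(field, "")
            if value and not EMAIL_RE.match(value):
                problems.append(f"{label}: {field} {value!r} is not a valid email address")
        org_unit = acct.get("account_org_unit")
        if org_unit and org_unit not in allowed_org_units:
            problems.append(f"{label}: account_org_unit {org_unit!r} not in {sorted(allowed_org_units)}")
        product = acct.get("provisioned_product_name")
        if product and not PRODUCT_NAME_RE.match(product):
            problems.append(f"{label}: provisioned_product_name {product!r} violates naming convention")
        # Every AWS account needs its own root email; reused names collide in Control Tower too.
        for field, index in seen.items():
            value = acct.get(field)
            if value and value in index:
                problems.append(f"{label}: {field} {value!r} already used by {index[value]}")
            elif value:
                index[value] = label
    return problems


# Constructed sample (not from the README): the second account reuses the first
# account's root email and names an OU that does not exist, so both must be flagged.
SAMPLE_TFVARS = """# constructed example, not a real deployment
accounts = [
  {
    account_email            = "root1@example.com"
    account_name             = "Example Account 1"
    account_org_unit         = "Sandbox"
    provisioned_product_name = "example-account-1"
    sso_email                = "john.doe@example.com"
    sso_first_name           = "John"
    sso_last_name            = "Doe"
  },
  {
    account_email            = "root1@example.com"
    account_name             = "Example Account 2"
    account_org_unit         = "Sandbx"
    provisioned_product_name = "example-account-2"
    sso_email                = "john.doe@example.com"
    sso_first_name           = "John"
    sso_last_name            = "Doe"
  }
]
"""


def main(path=None):
    text = SAMPLE_TFVARS if path is None else open(path, encoding="utf-8").read()
    problems = validate_accounts(parse_accounts(text), allowed_org_units={"Sandbox"})
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python preflight.py <workspace_name>.tfvars` before `terraform apply`; with no argument it checks the embedded sample and reports the duplicate root email and the unknown OU. Because the script is pure Python with no AWS calls, it also fits naturally as a pre-commit hook alongside the terraform init note below.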

Requirements

Name          Version
terraform     ~> 1.1
controltower  ~> 2.0

Providers

Name          Version
controltower  ~> 2.0

Modules

No modules.

Resources

Name                              Type
controltower_aws_account.accounts  resource

Inputs

accounts (required, no default)
  Type: list(object({ account_email = string, account_name = string, account_org_unit = string, provisioned_product_name = string, sso_email = string, sso_first_name = string, sso_last_name = string }))
  Description: A list of objects specifying the details of the AWS account(s) to provision (see the example variables file under Pre-requisites). Field descriptions:
    • account_email - the root email address to associate with the AWS account
    • account_name - the name of the AWS account to provision
    • account_org_unit - the name of the AWS Organizational Unit under which the account resides
    • provisioned_product_name - the name of the service catalog product that is provisioned
    • sso_email - the email address of the SSO user (this email address must already exist in AWS SSO)
    • sso_first_name - the first name of the SSO user
    • sso_last_name - the last name of the SSO user

aws_region (optional, default "us-east-1")
  Type: string
  Description: The AWS region to deploy into (e.g. us-east-1).

tags (optional, default {})
  Type: map(string)
  Description: Tags to apply to all AWS resources created.

Outputs

Name      Description
accounts  The AWS accounts created by Control Tower.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
