Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hashicorp/learn-terraform-aft-account-provisioning-customizations
https://github.com/hashicorp/learn-terraform-aft-account-provisioning-customizations
hashicorp terraform tutorial
Last synced: 4 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/hashicorp/learn-terraform-aft-account-provisioning-customizations
- Owner: hashicorp
- License: mpl-2.0
- Created: 2021-11-23T16:49:36.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-02-20T16:48:02.000Z (almost 2 years ago)
- Last Synced: 2024-09-28T13:02:07.462Z (4 months ago)
- Topics: hashicorp, terraform, tutorial
- Language: HCL
- Homepage: https://learn.hashicorp.com/tutorials/terraform/aws-control-tower-aft
- Size: 14.6 KB
- Stars: 12
- Watchers: 13
- Forks: 779
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Learn Terraform - Use Control Tower Account Factory for Terraform
This is a companion repository for the Hashicorp [Provision and Manage Accounts with
Control Tower Account Factory for Terraform
tutorial](https://developer.hashicorp.com/terraform/tutorials/aws/aws-control-tower-aft).This repository contains boilerplate configuration for defining account
provisioning customizations to use with the Account Factory for Terraform
module. The README below and the template files in this repository were
provided by AWS.To create your own state machine and step functions, replicate this repository
and extend the Terraform configuration.## AFT Account Provisioning Customizations Customizations
### Problem Statement
AFT provides flexibility to customize the provisioning process for new accounts and integrate with systems prior to the account customization stage.
While the customization stage does include integrations for pre- and post-
customization steps, the Account Provisioning standard allows for further
integration by using an AWS Step Functions State Machine to integrate with
additional environments.Using this state machine integration, customers may define Account Provisioning
Customizations steps as:* Lambda functions in the language of their choice
* ECS or Fargate Tasks using docker containers
* AWS Step Functions Activities using custom workers, hosted either in AWS or on-prem
* Amazon SNS or SQS integrations to decoupled consumer-based applications### Example Payload
```
{
"account_request": {
"supported_regions": "",
"account_tags": {
"Key": "Value",
},
"custom_fields": "{}",
"id": "Account Email",
"control_tower_parameters": {
"SSOUserEmail": "",
"AccountEmail": "",
"SSOUserFirstName": "",
"SSOUserLastName": "",
"ManagedOrganizationalUnit": "Sandbox",
"AccountName": "sandbox03"
},
"customer_baselines": [],
"operation": "create"
},
"control_tower_event": {},
"validated": {
"Success": true
},
"account_info": {
"account": {
"id": "",
"type": "account",
"email": "",
"name": "sandbox03",
"method": "CREATED",
"joined_date": "2021-06-15 13:57:35.129000+00:00",
"status": "ACTIVE",
"parent_id": "",
"parent_type": "ORGANIZATIONAL_UNIT",
"org_name": "Sandbox",
"vendor": "aws"
}
},
"persist_metadata": {
"StatusCode": 200
},
"role": {
"Arn": "arn:aws:iam:::role/AWSAFTExecution"
},
"account_tags": {
"StatusCode": 200
}
}
```### Example Function
##### Validate Request:
Source location: `modules/account-provisioning-customizations/lambda/account-provisioning-customizations-validate-request/lambda_function.py`
###### Description:
Compares the incoming payload to the state machine against an expected
jsonschema. Returns `True` if valid, raises an exception if not.Demonstrates the import of `aft_common` and customers can explore the `aft_utils` module for existing AFT integrations, such as role assumption or SSM parameter retrieval.
```python
import json
import os
import boto3
import jsonschema
import aft_common.aft_utils as utils
from boto3.dynamodb.conditions import Keylogger = utils.get_logger()
def validate_request(payload, logger):
logger.info("Function Start - validate_request")
schema_path = os.path.join(os.path.dirname(__file__), "schema/request_schema.json")
with open(schema_path) as schema_file:
schema_object = json.load(schema_file)
logger.info("Schema Loaded:" + json.dumps(schema_object))
validated = jsonschema.validate(payload, schema_object)
if validated is None:
logger.info("Request Validated")
return True
else:
raise Exception("Failure validating request.\n{validated}")def lambda_handler(event, context):
logger.info("Account Provisioning Customizations Handler Start")payload = event['payload']
action = event['action']if action == "validate":
request_validated = validate_request(payload, logger)
return request_validated
else:
raise BaseException(
"Incorrect Command Passed to Lambda Function. Input: {action}. Expected: 'validate'"
)```