https://github.com/hashicorp-education/learn-terraform-aft-account-provisioning-customizations

https://github.com/hashicorp-education/learn-terraform-aft-account-provisioning-customizations

hashicorp terraform tutorial

Last synced: 4 days ago
JSON representation

• Host: GitHub
• URL: https://github.com/hashicorp-education/learn-terraform-aft-account-provisioning-customizations
• Owner: hashicorp-education
• License: mpl-2.0
• Created: 2021-11-23T16:49:36.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2023-02-20T16:48:02.000Z (almost 2 years ago)
• Last Synced: 2025-01-17T20:12:15.009Z (11 days ago)
• Topics: hashicorp, terraform, tutorial
• Language: HCL
• Homepage: https://learn.hashicorp.com/tutorials/terraform/aws-control-tower-aft
• Size: 14.6 KB
• Stars: 12
• Watchers: 13
• Forks: 839
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Learn Terraform - Use Control Tower Account Factory for Terraform

This is a companion repository for the Hashicorp [Provision and Manage Accounts with

Control Tower Account Factory for Terraform

tutorial](https://developer.hashicorp.com/terraform/tutorials/aws/aws-control-tower-aft).

This repository contains boilerplate configuration for defining account

provisioning customizations to use with the Account Factory for Terraform

module. The README below and the template files in this repository were

provided by AWS.

To create your own state machine and step functions, replicate this repository

and extend the Terraform configuration.

## AFT Account Provisioning Customizations Customizations

### Problem Statement

AFT provides flexibility to customize the provisioning process for new accounts and integrate with systems prior to the account customization stage.

While the customization stage does include integrations for pre- and post-

customization steps, the Account Provisioning standard allows for further

integration by using an AWS Step Functions State Machine to integrate with

additional environments.

Using this state machine integration, customers may define Account Provisioning

Customizations steps as:

* Lambda functions in the language of their choice

* ECS or Fargate Tasks using docker containers

* AWS Step Functions Activities using custom workers, hosted either in AWS or on-prem

* Amazon SNS or SQS integrations to decoupled consumer-based applications

### Example Payload

```

{

  "account_request": {

    "supported_regions": "",

    "account_tags": {

      "Key": "Value",

    },

    "custom_fields": "{}",

    "id": "Account Email",

    "control_tower_parameters": {

      "SSOUserEmail": "",

      "AccountEmail": "",

      "SSOUserFirstName": "",

      "SSOUserLastName": "",

      "ManagedOrganizationalUnit": "Sandbox",

      "AccountName": "sandbox03"

    },

    "customer_baselines": [],

    "operation": "create"

  },

  "control_tower_event": {},

  "validated": {

    "Success": true

  },

  "account_info": {

    "account": {

      "id": "",

      "type": "account",

      "email": "",

      "name": "sandbox03",

      "method": "CREATED",

      "joined_date": "2021-06-15 13:57:35.129000+00:00",

      "status": "ACTIVE",

      "parent_id": "",

      "parent_type": "ORGANIZATIONAL_UNIT",

      "org_name": "Sandbox",

      "vendor": "aws"

    }

  },

  "persist_metadata": {

    "StatusCode": 200

  },

  "role": {

    "Arn": "arn:aws:iam:::role/AWSAFTExecution"

  },

  "account_tags": {

    "StatusCode": 200

  }

}

```

### Example Function

##### Validate Request:

Source location: `modules/account-provisioning-customizations/lambda/account-provisioning-customizations-validate-request/lambda_function.py`

###### Description:

Compares the incoming payload to the state machine against an expected

jsonschema. Returns `True` if valid, raises an exception if not.

Demonstrates the import of `aft_common` and customers can explore the `aft_utils` module for existing AFT integrations, such as role assumption or SSM parameter retrieval.

```python

import json

import os

import boto3

import jsonschema

import aft_common.aft_utils as utils

from boto3.dynamodb.conditions import Key

logger = utils.get_logger()

def validate_request(payload, logger):

    logger.info("Function Start - validate_request")

    schema_path = os.path.join(os.path.dirname(__file__), "schema/request_schema.json")

    with open(schema_path) as schema_file:

        schema_object = json.load(schema_file)

    logger.info("Schema Loaded:" + json.dumps(schema_object))

    validated = jsonschema.validate(payload, schema_object)

    if validated is None:

        logger.info("Request Validated")

        return True

    else:

        raise Exception("Failure validating request.\n{validated}")

def lambda_handler(event, context):

    logger.info("Account Provisioning Customizations Handler Start")

    payload = event['payload']

    action = event['action']

    if action == "validate":

        request_validated = validate_request(payload, logger)

        return request_validated

    else:

        raise BaseException(

            "Incorrect Command Passed to Lambda Function. Input: {action}. Expected: 'validate'"

        )

```