Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Best practices include a collaborative approach to infrastructure provisioning, use of version control systems to prevent manual changes, and efficient management of boundaries between different teams, roles, applications and deployment tiers. In this session we will walk you through our journey of helping customers set up AWS Landing Zone: a secure, multi-account AWS environment based on AWS best practices. We will focus on lessons learned and best practices that go above and beyond the official documentation.
2. 2018: AWS Landing Zone
Secure Multi-Account Strategy
AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices.
https://aws.amazon.com/solutions/aws-landing-zone
4. 2019: AWS Control Tower
“AWS Landing Zone” as a Service
AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.
https://aws.amazon.com/controltower
6. Customers Feedback
Below are 3 key issues identified by enterprise customers working hands-on with our professional services organization.
Existing Resources
Although CloudFormation recently added the ability to import existing resources, the current ALZ implementation still doesn’t support an easy and flexible process to reuse existing AWS environments.
AWS Single Sign-On
Although AWS SSO is an amazing service, most of our customers would not replace their existing SSO solutions. The current ALZ implementation doesn’t allow switching it with something like Azure AD, Okta or PingIdentity.
CloudFormation
Enterprise customers who are already using Terraform as their default infrastructure-as-code solution often avoid CloudFormation-based implementations, justifying them as out of scope.
9. About Presenter
Eugene Istrati (@eistrati)
▪ CTO, Tech Partner @ Mitoc Group
▪ Ex-AWS, ex-Hearst, ex-GrubHub
▪ Certified AWS Solutions Architect
▪ 20 Years in IT; 10 Years in Cloud Computing; 5 Years in Enterprise IT
▪ Focusing on: Automation, DevOps, Serverless
10. Terraform Module for AWS Landing Zone
https://registry.terraform.io/modules/MitocGroup/landing-zone
19. Landing Zone Module’s Providers (slides 19-22)
▪ Required: default provider
  – AWS account’s ID
  – Account’s default region
▪ Required: another provider
  – AWS account’s ID
  – Account’s default region
▪ Provider’s key name is used as prefix in landing zone variables

  landing_zone_providers = {
    default = {
      account_id = "123456789012"
      region     = "us-east-1"
    },
    security_account = {
      account_id = "987654321098"
      region     = "us-west-2"
    }
    [...]
  }
24. Landing Zone Module’s Components (slides 24-26)
▪ Immutable LZ components – shifted focus from TF to TFVAR
▪ Can be local (e.g. "default.tfvars") or remote (on S3)
▪ Can be 1 TFVAR or multiple ("*.tfvars")

  landing_zone_components = {
    landing_zone_vpc    = "s3://terraform-aws-landing-zone/components/landing_zone_vpc/default.tfvars"
    landing_zone_subnet = "s3://terraform-aws-landing-zone/components/landing_zone_subnet/*.tfvars"
    [...]
  }
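A pre-apply sanity check for the two maps shown in the providers and components slides, added here as an example; it is not part of the MitocGroup/landing-zone module. The rules it encodes are only what the slides state (a required default provider plus at least one more, each carrying an account_id and region; component paths that are either local .tfvars files or s3:// URIs, as a single file or the *.tfvars glob) together with general facts that are independent of the module: AWS account IDs are 12 digits, S3 bucket names follow S3 naming rules, and provider keys must be valid HCL identifiers because they become variable prefixes. The sample maps and all function names are constructed for this example.

```python
import re

# Constructed sample maps in the shape the slides show (not the module's own files).
SAMPLE_PROVIDERS = {
    "default": {"account_id": "123456789012", "region": "us-east-1"},
    "security_account": {"account_id": "987654321098", "region": "us-west-2"},
}
SAMPLE_COMPONENTS = {
    "landing_zone_vpc": "s3://terraform-aws-landing-zone/components/landing_zone_vpc/default.tfvars",
    "landing_zone_subnet": "s3://terraform-aws-landing-zone/components/landing_zone_subnet/*.tfvars",
    "landing_zone_iam": "default.tfvars",  # local file, as in the first components slide
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                    # AWS account IDs are exactly 12 digits
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")     # e.g. us-east-1, us-gov-west-1
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")  # S3 bucket naming rules
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")         # HCL identifier (keys become variable prefixes)


def check_providers(providers):
    """Return a list of problems with a landing_zone_providers map ([] if clean)."""
    errors = []
    if "default" not in providers:
        errors.append("providers: required 'default' provider is missing")
    if len(providers) < 2:
        errors.append("providers: at least one provider besides 'default' is required")
    seen = {}
    for key, cfg in providers.items():
        if not IDENT_RE.match(key):
            errors.append(f"providers.{key}: key is not a valid identifier (it is used as a variable prefix)")
        account_id = cfg.get("account_id")
        if not isinstance(account_id, str):
            # An unquoted HCL number would silently drop a leading zero.
            errors.append(f"providers.{key}: account_id must be a quoted string")
        elif not ACCOUNT_ID_RE.match(account_id):
            errors.append(f"providers.{key}: account_id must be exactly 12 digits")
        region = cfg.get("region")
        if not isinstance(region, str) or not REGION_RE.match(region):
            errors.append(f"providers.{key}: region {region!r} is not a region name like us-east-1")
        # Two keys pointing at the same account and region is almost always a copy-paste mistake.
        target = (account_id, region)
        if target in seen:
            errors.append(f"providers.{key}: same account and region as '{seen[target]}'")
        seen.setdefault(target, key)
    return errors


def check_components(components):
    """Return a list of problems with a landing_zone_components map ([] if clean)."""
    errors = []
    for name, path in components.items():
        if not isinstance(path, str) or not path:
            errors.append(f"components.{name}: path must be a non-empty string")
            continue
        if path.startswith("s3://"):
            bucket, _, key = path[len("s3://"):].partition("/")
            if not BUCKET_RE.match(bucket):
                errors.append(f"components.{name}: {bucket!r} is not a valid S3 bucket name")
            if not key:
                errors.append(f"components.{name}: S3 URI has no object key")
                continue
            target = key
        elif "://" in path:
            errors.append(f"components.{name}: only local paths and s3:// URIs are supported")
            continue
        else:
            target = path
        segments = target.split("/")
        if ".." in segments:
            # A component's tfvars path should not climb out of the component directory.
            errors.append(f"components.{name}: path must not contain '..' segments")
        filename = segments[-1]
        # Accept exactly the two shapes the slides show: one .tfvars file or the *.tfvars glob.
        if filename != "*.tfvars" and not (filename.endswith(".tfvars") and "*" not in filename):
            errors.append(f"components.{name}: {filename!r} must be a single .tfvars file or the *.tfvars glob")
    return errors


def validate(providers, components):
    """Validate both maps together; an empty list means the input is ready for terraform plan."""
    return check_providers(providers) + check_components(components)


if __name__ == "__main__":
    for problem in validate(SAMPLE_PROVIDERS, SAMPLE_COMPONENTS) or ["no problems found"]:
        print(problem)
```

Run it against the tfvars you are about to hand to the module (after decoding the HCL into a dict) as a cheap gate before `terraform plan`; catching a wrong account ID or a path that escapes the component directory here is far cheaper than discovering it after resources have landed in the wrong account.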