Skip to content

hashicorp/learn-terraform-aft-account-provisioning-customizations

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Learn Terraform - Use Control Tower Account Factory for Terraform

This is a companion repository for the Hashicorp Provision and Manage Accounts with Control Tower Account Factory for Terraform tutorial.

This repository contains boilerplate configuration for defining account provisioning customizations to use with the Account Factory for Terraform module. The README below and the template files in this repository were provided by AWS.

To create your own state machine and step functions, replicate this repository and extend the Terraform configuration.

AFT Account Provisioning Customizations Customizations

Problem Statement

AFT provides flexibility to customize the provisioning process for new accounts and integrate with systems prior to the account customization stage.

While the customization stage does include integrations for pre- and post- customization steps, the Account Provisioning standard allows for further integration by using an AWS Step Functions State Machine to integrate with additional environments.

Using this state machine integration, customers may define Account Provisioning Customizations steps as:

  • Lambda functions in the language of their choice
  • ECS or Fargate Tasks using docker containers
  • AWS Step Functions Activities using custom workers, hosted either in AWS or on-prem
  • Amazon SNS or SQS integrations to decoupled consumer-based applications

Example Payload

{
  "account_request": {
    "supported_regions": "",
    "account_tags": {
      "Key": "Value",
    },
    "custom_fields": "{}",
    "id": "Account Email",
    "control_tower_parameters": {
      "SSOUserEmail": "",
      "AccountEmail": "",
      "SSOUserFirstName": "",
      "SSOUserLastName": "",
      "ManagedOrganizationalUnit": "Sandbox",
      "AccountName": "sandbox03"
    },
    "customer_baselines": [],
    "operation": "create"
  },
  "control_tower_event": {},
  "validated": {
    "Success": true
  },
  "account_info": {
    "account": {
      "id": "",
      "type": "account",
      "email": "",
      "name": "sandbox03",
      "method": "CREATED",
      "joined_date": "2021-06-15 13:57:35.129000+00:00",
      "status": "ACTIVE",
      "parent_id": "",
      "parent_type": "ORGANIZATIONAL_UNIT",
      "org_name": "Sandbox",
      "vendor": "aws"
    }
  },
  "persist_metadata": {
    "StatusCode": 200
  },
  "role": {
    "Arn": "arn:aws:iam:::role/AWSAFTExecution"
  },
  "account_tags": {
    "StatusCode": 200
  }
}

Example Function

Validate Request:

Source location: modules/account-provisioning-customizations/lambda/account-provisioning-customizations-validate-request/lambda_function.py

Description:

Compares the incoming payload to the state machine against an expected jsonschema. Returns True if valid, raises an exception if not.

Demonstrates the import of aft_common and customers can explore the aft_utils module for existing AFT integrations, such as role assumption or SSM parameter retrieval.

import json
import os
import boto3
import jsonschema
import aft_common.aft_utils as utils
from boto3.dynamodb.conditions import Key


logger = utils.get_logger()


def validate_request(payload, logger):
    logger.info("Function Start - validate_request")
    schema_path = os.path.join(os.path.dirname(__file__), "schema/request_schema.json")
    with open(schema_path) as schema_file:
        schema_object = json.load(schema_file)
    logger.info("Schema Loaded:" + json.dumps(schema_object))
    validated = jsonschema.validate(payload, schema_object)
    if validated is None:
        logger.info("Request Validated")
        return True
    else:
        raise Exception("Failure validating request.\n{validated}")


def lambda_handler(event, context):
    logger.info("Account Provisioning Customizations Handler Start")

    payload = event['payload']
    action = event['action']

    if action == "validate":
        request_validated = validate_request(payload, logger)
        return request_validated
    else:
        raise BaseException(
            "Incorrect Command Passed to Lambda Function. Input: {action}. Expected: 'validate'"
        )