AWS Landing Zone is
a solution that helps customers more quickly set up a secure, multi-account
AWS environment based on AWS best practices. This repository contains terraform
module landing_zone
that dynamically deploys components of AWS Landing Zone
solution based on input list of .tfvars
files.
Additionally, there are 2 more terraform modules: landing_zone_reader_config
and landing_zone_reader
. They allow AWS Landing Zone consumers to reuse
terraform outputs programmatically. This way administrators of AWS Landing Zone
control who can manage landing_zone
module and who can consume landing_zone
module's outputs in read-only mode.
NOTE: Current implementation is fully compatible with terraform v0.12 . Switch to branch
v0.11
if you still using terraform v0.11.x and below.
Quick Links: How Does This Module Work | What Components Are Available | Why to Use This Solution
Terraform module landing_zone is based on standard module structure guidelines and contains the following folders:
- root folder - module's standard terraform configuration
- components - yaml-based and terraform compatible configurations
- examples - different ways to combine components as part of this module
- modules - standalone, reusable and production-ready modules
- tests - set of automated tests to use in CI/CD pipelines
This terraform module requires the following prerequisites / dependencies:
To get started, simply include main.tf
into your terraform codebase:
module "landing_zone" {
source = "TerraHubCorp/landing-zone/aws"
version = "0.1.6"
root_path = path.module
landing_zone_providers = var.landing_zone_providers
landing_zone_components = var.landing_zone_components
landing_zone_backend = var.landing_zone_backend
}
NOTE: Make sure to include
variables.tf
and whatever makes sense fromoutputs.tf
To simplify and make it easier to understand, we included default values in terraform.tfvars
:
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
}
[...]
}
landing_zone_components = {
landing_zone_vpc = "s3://terraform-aws-landing-zone/mycompany/landing_zone_vpc/default.tfvars"
[...]
}
landing_zone_backend = {
backend = "local"
path = "/tmp/.terrahub/landing_zone"
}
NOTE: Placeholder
[...]
from above is used to suggest that similar syntax can be added. Remove it or update in order to have valid HCL / terraform configuration.
This means that before you use this terraform module, you will need to:
- Change
landing_zone_providers
to values that describe your AWS Organization accountdefault
reflects the default setup corresponding to AWS Organization account; add more providers by extendinglanding_zone_providers
map with extra AWS accounts and/or AWS regionsaccount_id
reflects the AWS account used to deploy AWS resources; prevents provisioning AWS resources into wrong AWS account in case of valid AWS credentialsregion
reflects the AWS region used to deploy AWS resources; create 2 different providers for the same AWS account, but different AWS regions
- Change
landing_zone_components
to values that fit into your AWS Landing Zone use case- each key from
landing_zone_components
map represents the name of the component from this list of available components - each value from
landing_zone_components
map represents the path to.tfvars
file on S3 and/or local disk- each
.tfvars
file must use HCL format; DO NOT USE other formats like JSON or YAML
- each
- each key from
- Change
landing_zone_backend
to values that reflect your terraform backend where.tfstate
files are stored (invariables.tf
default parameter value is defined aslocal
)
NOTE: Terraform module
landing_zone
can have tens, hundreds or thousands of deployable components, but not all of them should be and will be deployed. At runtime, components that are not part oflanding_zone_components
variable will be ignored.
Terraform module for AWS Landing Zone can create, retrieve, update and destroy resources in your AWS accounts. But in some cases, your teams will need ONLY retrieve capability with implicit deny of all the other capabilities like create, update or destroy resources. In order to achieve this feature, we have created 2 extra terraform modules: landing_zone_reader_config and landing_zone_reader.
Module landing_zone_reader_config
must be executed first by passing the same parameters as in module landing_zone
:
module "landing_zone_reader_config" {
source = "./modules/landing_zone_reader_config"
root_path = path.module
landing_zone_providers = var.landing_zone_providers
landing_zone_components = var.landing_zone_components
}
After landing_zone_reader_config
module configures everything, second step is to use the landing_zone_reader
module:
module "landing_zone_reader" {
source = "./modules/landing_zone_reader"
}
IMPORTANT: landing_zone_reader_config
module must write output results into .tfstate
files before landing_zone_reader
module can execute successfully terraform init
. Therefore these two modules cannot be used in parallel or combined with depends_on
argument. We recommend to use them sequentially.
- Terraform module for AWS Landing Zone (one component: AWS Organization)
- Terraform module for AWS Landing Zone (multiple components: S3, CodePipeline and CodeBuild)
- Terraform module for AWS Landing Zone reader config
- Terraform module for AWS Lambda function using AWS Landing Zone reader
AWS Landing Zone solution is defined by the following strategy:
- Multi-Account Structure
- AWS Organization Account
- Shared Services Account
- Log Archive Account
- Security Account
- Account Vending Machine
- User Access and Identity Management
- Monitoring and Notifications
NOTE: Current implementation of this terraform module covers only Multi-Account Structure components (work in progress).
Based on the multi-account architecture, here below are currently available components:
- landing_zone_pipeline_s3_bucket
- landing_zone_pipeline_artifact_s3_bucket
- landing_zone_code_pipeline
- landing_zone_code_pipeline_role
- landing_zone_code_pipeline_role_policy
- landing_zone_code_build
- landing_zone_code_build_role
- landing_zone_code_build_role_policy
- landing_zone_organization
- landing_zone_organization_policy
- landing_zone_organization_policy_attachment
- landing_zone_organization_accounts
- landing_zone_organization_unit
Based on the account vending machine architecture, here below are currently available components:
- Coming soon ...
Based on the user access architecture, here below are currently available components:
- landing_zone_iam_role
- landing_zone_iam_policy
- landing_zone_iam_role_policy_attachment
- landing_zone_sso
- landing_zone_directory_service_director
NOTE: This solution is relying on cross-account role called
OrganizationAccountAccessRole
. Follow this link to learn more and/or create missing IAM role(s)...
Based on the notifications architecture, here below are currently available components:
- Coming soon ...
Terraform module for AWS Landing Zone solution is up to 10 lines of code that receives a list of .tfvars
files as input variables which describe providers (to be read: AWS accounts and AWS regions) and configs (to be read: AWS resources)
This implementation engages microservices architecture, allowing any component to be replaced with another component (or multiple components)
Existing AWS resources created by your team can be reused programmatically as read only values by other teams' terraform configurations
Existing AWS resources in your current AWS account(s) can be imported and reused without downtime by this terraform module via terraform import
command
Some customers were avoiding in the past AWS Landing Zone because it doesn't support some kind of 3rd party SSO solution or 3rd party Logging solution. By using terraform, we can easily bring those solutions into AWS Landing Zone as a set of components and empower customers to continue using best practices of both worlds
- By removing the need for access to AWS root account(s)
- By using IAM cross-account roles and/or STS temporary credentials
- By enabling centralized CloudTrail logs and cross-region replication of CloudTrail logs
- By empowering complex organizations to separate roles and responsibilities (e.g. InfoSec team can place explicit deny on IAM, VPC, SG and STS for other teams and/or other environments like production or pre-production)