terraform-aws-control_tower_account_factory
Share data between accounts
I'm looking for a way to share data between accounts.
I was thinking of using the post-api-helpers.sh to get some information from the Terraform state and then copy it to the AFT-Management's SSM as parameters; any recommendations?
Hi @dignajar,
Using the AFT management as a "hub" to store data in SSM Parameters that is then accessed by vended accounts is a common way to achieve this.
If the values are known ahead of time, you could also use the custom_fields parameter in the account request to have AFT create these parameters for you.
I'm running into a similar issue as the OP. However, unless I'm missing something in the code, custom_fields only populates the DynamoDB table, not the SSM parameters. DynamoDB table entries are, while writable, not readable by Terraform AFAICT. This means that to use/share data across different parts of AFT, SSM is probably the best place.
It's weird that you can't read from a DDB table in TF, but neither the provider docs nor the underlying provider code suggest that this is a supported feature.
I ended up writing a pre-api-helpers.sh script in aft-global-customizations to copy specific entries from DDB to SSM so they would be available to the global customizations TF code, but frankly that's a pretty lousy solution.
The better approach is to write to SSM at the same time the DDB entries are made, in aft-account-request/modules/aft-account-request, with a new ssm.tf file that parallels the DDB one. I think account-request is the earliest stage of the factory, so that should make the data available to everything else later.
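As an added illustration of the ssm.tf idea in the post above (this is example code, not part of the AFT project or the poster's own code): a file placed next to ddb.tf in the account-request module that mirrors every custom field into Parameter Store in the AFT management account at the moment the request item is written. It assumes the module already exposes `var.custom_fields` as a `map(string)` and `var.control_tower_parameters.AccountEmail` as the request key, and the parameter prefix used here is an assumed one, not a path AFT defines.

```hcl
# Added example, not from the AFT project: hypothetical ssm.tf beside ddb.tf in
# modules/aft-account-request. Assumes var.custom_fields (map(string)) and
# var.control_tower_parameters.AccountEmail exist, as they do in the account request.

locals {
  # The request's hash key is the account e-mail. SSM parameter names only allow
  # a-zA-Z0-9_.- and "/", so the "@" must be sanitised or every apply fails.
  request_id = replace(var.control_tower_parameters.AccountEmail, "/[^a-zA-Z0-9_.-]/", "-")

  # Assumed prefix; namespacing by request keeps two accounts' fields from colliding.
  ssm_prefix = "/aft/account-request/${local.request_id}/custom-fields"
}

resource "aws_ssm_parameter" "custom_fields" {
  for_each = var.custom_fields

  name  = "${local.ssm_prefix}/${each.key}"
  value = each.value

  # custom_fields are account metadata, not secrets. Anything secret belongs in a
  # SecureString under a customer-managed KMS key (or Secrets Manager), not here.
  type = "String"

  # Standard-tier values are capped at 4 KB; promote larger fields automatically.
  tier = length(each.value) > 4096 ? "Advanced" : "Standard"

  tags = {
    managed_by = "aft-account-request"
    account    = local.request_id
  }
}

output "custom_field_parameter_names" {
  description = "Parameter names written for this request, for downstream lookups."
  value       = [for p in aws_ssm_parameter.custom_fields : p.name]
}
```

Because the parameters live in the AFT management account, a customization pipeline running in a member account can only read them through a cross-account role or a Parameter Store resource share; that extra hop is the main cost of the hub approach.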
@rjhornsby to expand on the custom_fields functionality, these will be present in your member accounts with a prefix /aft/account-request/custom-fields/, not the AFT management account itself.
Since the custom_fields SSM Parameters are present in the member account the customization is running against, one strategy could use the values specified in custom_fields as data sources within the customizations being applied, either per-account or global.
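An added example of the strategy described in the reply above, consuming the member-account parameters from a customization (example code, not from the AFT project or the poster). It assumes the `/aft/account-request/custom-fields/` prefix given above, an account request that set a custom field named `vpc_cidr`, and that the customization's AWS provider is already pointed at the member account, as AFT's generated provider configuration does; the CIDR field name and the VPC resource are illustrative.

```hcl
# Added example, not from the AFT project. Assumes the AWS provider in this
# customization is already configured for the member account being customised.

# Read every custom field at once; the data source returns parallel lists of
# names and values, so rebuild a map keyed by the field name.
data "aws_ssm_parameters_by_path" "custom_fields" {
  path      = "/aft/account-request/custom-fields/"
  recursive = false
}

locals {
  custom_fields = zipmap(
    [for n in data.aws_ssm_parameters_by_path.custom_fields.names : basename(n)],
    data.aws_ssm_parameters_by_path.custom_fields.values,
  )

  # Assumed field name "vpc_cidr"; fall back to a documented default so a
  # request without the field still plans, but never to something surprising.
  vpc_cidr = lookup(local.custom_fields, "vpc_cidr", "10.0.0.0/16")
}

resource "aws_vpc" "main" {
  cidr_block = local.vpc_cidr

  lifecycle {
    # Parameter values are untyped strings written by whoever filed the account
    # request. Fail the plan on a bad value rather than create a wrong VPC.
    precondition {
      condition     = can(cidrhost(local.vpc_cidr, 0))
      error_message = "custom field vpc_cidr is not a valid IPv4 CIDR: ${local.vpc_cidr}"
    }
  }

  tags = { Name = "aft-custom-field-vpc" }
}

# Any value a customization branches on is worth surfacing in the plan output,
# so a changed custom field shows up in review before it changes infrastructure.
output "custom_fields_used" {
  value = local.custom_fields
}
```

Reading by path rather than one `aws_ssm_parameter` per field keeps the customization from breaking when a request omits an optional field; the `lookup` default and the precondition are where to decide what happens when a field is missing or malformed.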
@balltrev thanks for the insight. Having the parameters already in the member account would be great. I have a couple of custom fields set, and I can see them in the AFT account DynamoDB table. However, when I look at the member accounts' SSM Parameter Store, I'm not seeing any parameters.
It's possible that I'm using an old version of the AFT code, or that I am using the wrong AFT code. I used the hashicorp learn-terraform-aft-* as the starting point to build out our AFT code. This is where the ddb is populated with the account metadata.
Do you happen to know where in the code the member accounts are supposed to have SSM parameters created? It might help me track down what I'm missing or am out of date on.
To be fair, I should also note here that I was wrong about reading DDB in Terraform. I have no idea how I missed it, but you can read with the dynamodb_table_item data source.
Even so, reading from the member account SSM is still a much better solution.
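For completeness, an added example of the `aws_dynamodb_table_item` data-source read mentioned in the correction above (example code, not from the AFT project or the poster). It assumes the request table is named `aft-request` with hash key `id` holding the account e-mail, and that `custom_fields` is stored in the item as a JSON-encoded string attribute; both are assumptions to verify against your deployed AFT version, since the data source hands back the raw DynamoDB-typed item and the decoding below depends on that layout.

```hcl
# Added example, not from the AFT project. Assumes the table name, key name and
# the JSON-string encoding of custom_fields; check them against your AFT version.
# Must run with a provider for the AFT management account, where the table lives.

variable "account_email" {
  type        = string
  description = "Hash key (id) of the account request to read."
}

data "aws_dynamodb_table_item" "request" {
  table_name = "aft-request"
  key        = jsonencode({ id = { S = var.account_email } })
}

locals {
  # item is a JSON string of the DynamoDB-typed map: {"custom_fields":{"S":"{...}"}}
  request_item = jsondecode(data.aws_dynamodb_table_item.request.item)

  # try() keeps the plan readable if the attribute is absent or not a string;
  # an empty map is safer than an error deep inside a later expression.
  custom_fields = try(
    jsondecode(local.request_item["custom_fields"]["S"]),
    {}
  )
}

output "custom_fields" {
  value = local.custom_fields
}
```

The trade-off the thread lands on still applies: this read needs DynamoDB permissions in the management account, so it fits the AFT pipeline stages that already run there, while member-account customizations are better served by the parameters AFT writes locally.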