aws-deployment-framework
Integration with Control Tower / ALZ
Integration with CT/ALZ will provide less administrative effort and more secure management.
Hi @Vittoriusly
Could you please elaborate on this a little bit more?
Is there something in the current implementation that you feel is a large administrative overhead? If you were to merge these concepts together, what would be the advantage to the user in your opinion?
Cheers!
Hi @bundyfx In some way, CT/ALZ is the OP part and ADF is the DEV part. CT/ALZ is focused mostly on managing accounts: GuardDuty, Config, Roles. While ADF is more on dev pipelines. In the current scenario ADF CANNOT BE USED WITH Control Tower: with Control Tower I use Service Catalog to create accounts, with ADF I use CodePipeline (like with ALZ). I would like to have the benefit of ADF without losing the manageability of CT.
Account bootstrapping with CT and then provisioning the foundation of each account as well as the applications with ADF is the desired setup.
You can do this already but with some restrictions. You create accounts with CT but you need to adhere to CT's org structure restrictions. You also need to change the property which holds the default role for ADF, which by default is OrganizationAccountAccessRole, to whatever the name of the role CT creates.
Besides specifying the AWSControlTowerExecutionRole, is there anything else that needs to be done to use the ADF with Control Tower?
No (at least not for 2.x, I have no installation upgraded to 3 yet). You can install ADF straight after CT finishes up.
@triha74 can clarify further on how these two can integrate and will update the docs to include a section on this.
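A preflight check for the role-name change discussed above, as an added example that is not ADF's own code: before bootstrapping accounts with ADF after Control Tower has created them, confirm that the role ADF is configured to use (AWSControlTowerExecutionRole for CT-created accounts, instead of the default OrganizationAccountAccessRole) can actually be assumed from the deployment account in every member account. The account IDs are constructed sample values, and the `assume` parameter is an assumed hook that lets the check run offline.

```python
"""Verify that ADF's cross-account role is assumable in every member account.

Role names come from the thread above; account IDs used in the test are
constructed sample values. boto3 is imported lazily so the pure logic
can be exercised without AWS credentials.
"""

DEFAULT_ADF_ROLE = "OrganizationAccountAccessRole"   # ADF default
CONTROL_TOWER_ROLE = "AWSControlTowerExecutionRole"  # role CT creates


def role_arn(account_id, role_name):
    """Build the IAM role ARN ADF would assume in a member account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def sts_assume(arn):
    """Real probe: a short-lived AssumeRole call; raises on failure."""
    import boto3  # lazy import: only needed when probing real accounts
    boto3.client("sts").assume_role(
        RoleArn=arn, RoleSessionName="adf-preflight", DurationSeconds=900
    )


def check_role_reachability(account_ids, role_name, assume=sts_assume):
    """Return {account_id: None on success, or the error text on failure}."""
    results = {}
    for account_id in account_ids:
        try:
            assume(role_arn(account_id, role_name))
            results[account_id] = None
        except Exception as exc:  # AccessDenied, missing role, throttling
            results[account_id] = f"{type(exc).__name__}: {exc}"
    return results


def unreachable(results):
    """Sorted list of accounts where the role could not be assumed."""
    return sorted(a for a, err in results.items() if err is not None)


def list_member_accounts():
    """All active account IDs in the organization (requires AWS access)."""
    import boto3
    org = boto3.client("organizations")
    ids = []
    for page in org.get_paginator("list_accounts").paginate():
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    return ids
```

Run `unreachable(check_role_reachability(list_member_accounts(), CONTROL_TOWER_ROLE))` from the deployment account; any account listed needs the role fixed before ADF bootstrapping will succeed there.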
I have a PoC right now in my account with CT/ADF integration and it's working just fine (after some issues during the setup phase, though).
Maybe I (or some customers) would like to disable the Account Creation feature of ADF in the future, given that you MUST do it through CT in order to take advantage of its Guardrails.
Thanks @EdoBarroso - The Account creation process in ADF will not execute if there are no .yml files within the adf-accounts directory. This is essentially the on/off functionality. It would be fantastic if you could package up your findings of getting CT and ADF to work together and create a PR to the documentation. @triha74 + @kalleeh may also have some input on how to best integrate the two and associated docs/steps.
Might also be interesting to contrast ADF (at least its relevant functional subset) with the new OU / account deployments of CF StackSets and CT's own customization solution.
Edit: I did play a little bit with Customizations for Control Tower today and the overlap is considerable (with ADF being more feature rich). Can someone with insights into these matters clarify what the roadmap here is?
Hi guys,
What do you guys think of AWS Organization Formation? It has a slightly different approach than CT, ADF or CF StackSets. It is an IaC solution for AWS Organizations first, but also allows you to use AWS Organization elements to annotate CloudFormation templates with, in order to express cross-account patterns.
Would be really curious as to what you think and maybe whether there are ways we could work together on both projects.
Thanks!
Our docs describe the compatibility of ADF with Control Tower here: https://github.com/awslabs/aws-deployment-framework/blob/867551c8081122a2c0211194f489eb416d8ba706/docs/installation-guide.md#compatibility-with-aws-control-tower
I'm closing this issue as it has been inactive for a long time and this domain has changed a lot. This probably means that further assistance or feature enhancements are not required.
Please feel free to reopen if you still think this is relevant. Explaining your use case and idea would be very helpful. Thank you!