# Lab: Deploying AWS Control Tower via Terraform

{% hint style="success" %}

## Already Know Terraform?

If you're already familiar with Terraform, feel free to hop over to the [AWS Security Cookbook by Tyler GitHub repository](https://github.com/Ty182/AWS-Security-Cookbook-by-Tyler/tree/main) to grab and deploy the code. Otherwise, stick around and we'll walk through it together!
{% endhint %}

## Overview

The Terraform code for this module has been left in a simplified state (i.e., not using modules, loops, or other advanced Terraform features) to be more easily accessible. You can customize it further to meet your specific requirements.

The Terraform resources for setting up an AWS Control Tower landing zone are fairly new and not as feature-rich as what's available in the AWS Management Console. After deploying your Landing Zone, you'll still need to perform some steps in the console, e.g., registering any pre-existing Organizational Units and defining guardrails like region restrictions.

Deploying the Landing Zone does take close to an hour, so be prepared to wait for the resources to be created. Additionally, making changes to the Landing Zone configuration after deployment or enabling more features will take time to update.

The progress can be monitored in the AWS Management Console under the AWS Control Tower service.

## Deployment

{% hint style="danger" %}

## Cost Alert

Enabling AWS Control Tower will incur costs, so please review the pricing page for more information:

* <https://aws.amazon.com/controltower/pricing/>
  {% endhint %}

{% code overflow="wrap" %}

```bash
# clone the AWS Security Cookbook repository
git clone https://github.com/Ty182/AWS-Security-Cookbook-by-Tyler

# navigate to the AWS Control Tower directory (git clone names the folder after the repository)
cd AWS-Security-Cookbook-by-Tyler/recipes/aws_controltower/code

# initialize the directory and download the required terraform providers
terraform init

# check formatting and validate the syntax is correct
terraform fmt && terraform validate

# check the resources that will be created
terraform plan 

# deploy the resources
terraform apply
```

{% endcode %}

* The deployment will take \~1 hour to complete. Grab some coffee!

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2F5J2Em6rJLJtj3lgjy9M9%2Fimage.png?alt=media&#x26;token=b1c651a0-78d2-4d8e-9938-2d4dab5826fe" alt=""><figcaption><p>Waiting for Control Tower to deploy</p></figcaption></figure>

* Once complete, head to the AWS Control Tower Dashboard and check it out!

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2Fp2h8qdP5ORtZ0SANX78o%2FCleanShot%202025-02-22%20at%2023.21.15%402x.png?alt=media&#x26;token=ab3dc5d3-aecb-4903-bd48-3da8d98cb2a0" alt=""><figcaption><p>AWS Control Tower Dashboard</p></figcaption></figure>

## Cleanup

{% hint style="danger" %}

## Clean up the resources

Avoid unnecessary costs by deleting the created resources:

`terraform destroy`
{% endhint %}
