Lab: Deploying AWS Control Tower via Terraform

Overview

The Terraform code for this module has been left in a simplified state (i.e., not using modules, loops, or other advanced Terraform features) to be more easily accessible. You can customize it further to meet your specific requirements.

The Terraform resources for setting up an AWS Control Tower landing zone are fairly new and not as feature-rich as what's available in the AWS Management Console. There will be some steps you'll need to perform in the console after deploying your Landing Zone e.g., registering any pre-existing Organizational Units and defining guardrails like region restrictions.

Deploying the Landing Zone does take close to an hour, so be prepared to wait for the resources to be created. Additionally, making changes to the Landing Zone configuration after deployment or enabling more features will take time to update.

The progress can be monitored in the AWS Management Console under the AWS Control Tower service.

Deployment

# clone the AWS Security Cookbook repository
git clone https://github.com/Ty182/AWS-Security-Cookbook-by-Tyler

# navigate to AWS Control Tower directory
cd AWS_Cookbook_by_Tyler/recipes/aws_controltower/code

# initialize the directory and download the required terraform providers
terraform init

# check formatting and validate the syntax is correct
terraform fmt && terraform validate

# check the resources that will be created
terraform plan 

# deploy the resources
terraform apply

• The deployment will take ~1 hour to complete. Grab some coffee!

• Once complete, head to the AWS Control Tower Dashboard and check it out!

Cleanup