MitocGroup / Terraform Aws Landing Zone

Licence: mpl-2.0
Terraform Module for AWS Landing Zone


terraform module landing-zone

AWS Landing Zone is a solution that helps customers quickly set up a secure, multi-account AWS environment based on AWS best practices. This repository contains the terraform module landing_zone, which dynamically deploys components of the AWS Landing Zone solution based on an input list of .tfvars files.

RELATED: terraform module landing_zone_reader

NOTE: The current implementation is fully compatible with terraform v0.12+. Switch to branch terraform_v0.11 if you are still using terraform v0.11.x or below.

Quick Links: How Does This Module Work | What Components Are Available | Why to Use This Solution

How Does This Module Work

Terraform module landing_zone is based on standard module structure guidelines and contains the following folders:

  • root folder - module's standard terraform configuration
  • components - yaml-based and terraform compatible configurations
  • examples - different ways to combine components as part of this module
  • modules - standalone, reusable and production-ready modules
  • tests - set of automated tests to use in CI/CD pipelines

This terraform module requires the following prerequisites / dependencies:

To get started, simply include main.tf into your terraform codebase:

module "landing_zone" {
  source  = "MitocGroup/landing-zone/aws"
  version = "0.2.5"
  landing_zone_providers  = var.landing_zone_providers
  landing_zone_components = var.landing_zone_components
  terraform_backend       = var.terraform_backend
}

NOTE: Make sure to include variables.tf and optionally terraform.tfvars

To simplify and make it easier to understand, we included default values in terraform.tfvars:

landing_zone_providers = {
  default = {
    account_id = "123456789012"
    region     = "us-east-1"
  }
  [...]
}
landing_zone_components = {
  landing_zone_vpc = "s3://terraform-aws-landing-zone/components/landing_zone_vpc/*.tfvars"
  [...]
}
terraform_backend = {
  backend = "local"
  path    = "/tmp/.terrahub/landing_zone"
}

NOTE: The placeholder [...] above indicates that more entries of the same shape can be added. Remove or replace it in order to have valid HCL / terraform configuration.

This means that before you use this terraform module, you will need to:

  1. Change landing_zone_providers to values that describe your AWS Organization account
    • default reflects the default setup corresponding to the AWS Organization account; add more providers by extending the landing_zone_providers map with extra AWS accounts and/or AWS regions
      • account_id is the AWS account into which resources are deployed; it prevents provisioning into the wrong AWS account when the active AWS credentials are valid but belong to a different account
      • region is the AWS region into which resources are deployed; to deploy into two regions of the same AWS account, create two providers with the same account_id and different regions
  2. Change landing_zone_components to values that fit your AWS Landing Zone use case
    • each key of the landing_zone_components map is the name of a component from the list of available components below
    • each value of the landing_zone_components map is the path to a .tfvars file on S3 and/or local disk
      • each .tfvars file must use HCL format; DO NOT USE other formats like JSON or YAML
  3. Change terraform_backend to values that reflect the terraform backend where your .tfstate files are stored (in variables.tf the default value is the local backend)
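As a complete, added example of the three inputs described in steps 1 to 3 (written for this page, not the project's own files), here are a root variables.tf and terraform.tfvars that wire two regions of the organization account plus one member account into the module. The variable types, the validation rules, the account IDs, bucket name and paths are all assumptions for illustration; validation blocks require terraform 0.13+.

```hcl
# variables.tf -- declares the three inputs consumed by module "landing_zone".
# The types and validations below are this example's assumptions, not the module's.

variable "landing_zone_providers" {
  description = "Map of provider alias to the AWS account and region it deploys into"
  type = map(object({
    account_id = string
    region     = string
  }))

  # A mistyped account_id would silently aim a deployment at the wrong account,
  # so insist on exactly 12 digits for every provider.
  validation {
    condition = alltrue([
      for p in values(var.landing_zone_providers) :
      can(regex("^[0-9]{12}$", p.account_id))
    ])
    error_message = "Every landing_zone_providers entry needs a 12-digit account_id."
  }

  validation {
    condition = alltrue([
      for p in values(var.landing_zone_providers) :
      can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]$", p.region))
    ])
    error_message = "Every landing_zone_providers entry needs a valid AWS region name."
  }

  validation {
    condition     = contains(keys(var.landing_zone_providers), "default")
    error_message = "landing_zone_providers must contain a provider named default."
  }
}

variable "landing_zone_components" {
  description = "Map of component name to the S3 URI or local path of its .tfvars file(s)"
  type        = map(string)

  # Components are configured only through HCL .tfvars files (no JSON or YAML).
  validation {
    condition = alltrue([
      for path in values(var.landing_zone_components) : can(regex("\\.tfvars$", path))
    ])
    error_message = "Every landing_zone_components value must point to .tfvars file(s)."
  }
}

variable "terraform_backend" {
  description = "Backend settings for the state of each component"
  type        = map(string)
  default = {
    backend = "local"
    path    = "/tmp/.terrahub/landing_zone"
  }
}

# terraform.tfvars -- constructed sample values; every id, name and path is made up.
landing_zone_providers = {
  # organization (master) account, primary region
  default = {
    account_id = "123456789012"
    region     = "us-east-1"
  }
  # same account, second region: one provider per region
  default_eu = {
    account_id = "123456789012"
    region     = "eu-west-1"
  }
  # a member account, e.g. the log archive account
  log_archive = {
    account_id = "210987654321"
    region     = "us-east-1"
  }
}

landing_zone_components = {
  landing_zone_organization      = "s3://example-landing-zone-config/components/landing_zone_organization/*.tfvars"
  landing_zone_organization_unit = "./components/landing_zone_organization_unit/*.tfvars"
}

terraform_backend = {
  backend = "local"
  path    = "/tmp/.terrahub/landing_zone"
}
```

With these files next to main.tf, `terraform init && terraform plan` fails fast on a malformed account id, region or component path before any provider is contacted; the local backend is kept here only because it is the module's documented default, and a shared remote backend is the better choice as soon as more than one operator applies the configuration.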

NOTE: Terraform module landing_zone can have tens, hundreds or thousands of deployable components, but not all of them should be or will be deployed. At runtime, components that are not listed in the landing_zone_components variable are ignored.

More Examples

What Components Are Available

AWS Landing Zone solution is defined by the following strategy:

  1. Multi-Account Structure
    • AWS Organization Account
    • Shared Services Account
    • Log Archive Account
    • Security Account
  2. Account Vending Machine
  3. User Access and Identity Management
  4. Monitoring and Notifications

NOTE: The current implementation of this terraform module covers only the Multi-Account Structure components (work in progress).

Multi-Account Structure

AWS Landing Zone Multi-Account Architecture

Based on the multi-account architecture, the currently available components are:

  1. landing_zone_pipeline_s3_bucket
  2. landing_zone_pipeline_artifact_s3_bucket
  3. landing_zone_code_pipeline
  4. landing_zone_code_pipeline_role
  5. landing_zone_code_pipeline_role_policy
  6. landing_zone_code_build
  7. landing_zone_code_build_role
  8. landing_zone_code_build_role_policy
  9. landing_zone_organization
  10. landing_zone_organization_policy
  11. landing_zone_organization_policy_attachment
  12. landing_zone_organization_accounts
  13. landing_zone_organization_unit

Account Vending Machine

AWS Landing Zone Account Vending Machine Architecture

Based on the account vending machine architecture, the currently available components are:

  1. Coming soon ...

User Access and Identity Management

AWS Landing Zone User Access and Identity Management Architecture

Based on the user access architecture, the currently available components are:

  1. landing_zone_iam_role
  2. landing_zone_iam_policy
  3. landing_zone_iam_role_policy_attachment
  4. landing_zone_sso
  5. landing_zone_directory_service_director

NOTE: This solution relies on the cross-account role OrganizationAccountAccessRole. See the AWS Organizations documentation to learn more and/or create the missing IAM role(s)...


Monitoring and Notifications

AWS Landing Zone Monitoring and Notifications Architecture

Based on the notifications architecture, the currently available components are:

  1. Coming soon ...

Why to Use This Solution

No need for code changes

The terraform module for the AWS Landing Zone solution is about 10 lines of code; it receives a list of .tfvars files as input variables, which describe providers (that is, AWS accounts and AWS regions) and configs (that is, AWS resources)

No need for code rewrites

This implementation follows a microservices-style architecture, allowing any component to be replaced with another component (or with multiple components)

No need for hard-coded values

Existing AWS resources created by your team can be reused programmatically, as read-only values, by other teams' terraform configurations

No need to rebuild from scratch

Existing AWS resources in your current AWS account(s) can be imported into this terraform module via the terraform import command and reused without downtime

No need to exclude pieces of account(s) baseline

In the past, some customers avoided AWS Landing Zone because it did not support their 3rd party SSO solution or 3rd party logging solution. With terraform, those solutions can be brought into AWS Landing Zone as a set of components, so customers keep the best practices of both worlds

Additionally, this module helps enforce best practices:

  • By removing the need for access to AWS root account(s)
  • By using IAM cross-account roles and/or STS temporary credentials
  • By enabling centralized CloudTrail logs and cross-region replication of CloudTrail logs
  • By empowering complex organizations to separate roles and responsibilities (e.g. InfoSec team can place explicit deny on IAM, VPC, SG and STS for other teams and/or other environments like production or pre-production)
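As an added example of the explicit-deny guardrail in the last bullet (written for this page; it is not one of the module's components), the following standalone terraform configuration builds a Service Control Policy that denies IAM, VPC, security-group and STS changes to every identity in a workload OU except a short list of InfoSec-owned roles, then attaches it to that OU. The OU id, the role names and the policy name are assumptions.

```hcl
# Standalone added example. It assumes the aws provider is configured with
# credentials for the organization (master) account, the only account that
# can create and attach SCPs. All names and the OU id are placeholders.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "workloads_ou_id" {
  description = "OU the guardrail is attached to (assumed value, replace it)"
  type        = string
  default     = "ou-abcd-12345678"
}

variable "exempt_role_names" {
  description = "Roles that keep the right to change IAM, network and to assume roles"
  type        = list(string)
  # InfoSec's admin role plus the role the landing zone itself deploys through;
  # without the latter the module's own IAM components would be denied.
  default = ["InfoSecAdmin", "OrganizationAccountAccessRole"]
}

# SCPs have no Principal element, so the exception is a condition on
# aws:PrincipalARN. For an assumed role this resolves to the role ARN, and the
# wildcard account id makes one policy valid in every account under the OU.
# Only mutating actions are listed so Describe/List/Get calls keep working.
data "aws_iam_policy_document" "guardrail" {
  statement {
    sid    = "DenyIamVpcSgAndStsChangesExceptInfoSec"
    effect = "Deny"
    actions = [
      "iam:Create*", "iam:Delete*", "iam:Put*", "iam:Attach*", "iam:Detach*",
      "iam:Update*", "iam:Add*", "iam:Remove*", "iam:Set*",
      "sts:AssumeRole*",
      "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:ModifyVpcAttribute",
      "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection",
      "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
      "ec2:AuthorizeSecurityGroup*", "ec2:RevokeSecurityGroup*",
      "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptions*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotLike"
      variable = "aws:PrincipalARN"
      values   = [for r in var.exempt_role_names : "arn:aws:iam::*:role/${r}"]
    }
  }
}

resource "aws_organizations_policy" "guardrail" {
  name        = "infosec-explicit-deny"
  description = "Only InfoSec-owned roles may change IAM, VPC, security groups or assume roles"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.guardrail.json
}

resource "aws_organizations_policy_attachment" "guardrail" {
  policy_id = aws_organizations_policy.guardrail.id
  target_id = var.workloads_ou_id
}
```

Two caveats a practitioner should keep in mind: SCPs never restrict the organization (master) account itself, only the member accounts under the target, so the management account still needs its own access controls; and the sts:AssumeRole* deny is the most disruptive line, because it stops every non-exempt identity in the OU from assuming any role at all. Attach the policy to a sandbox OU first and widen exempt_role_names to cover CI/CD and break-glass roles before moving it to production or pre-production OUs.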