Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Download as PPTX, PDF2 likes7,180 views
The document describes the AWS Landing Zone, a solution for setting up a secure multi-account AWS environment quickly. It highlights feedback from enterprise customers on current implementation challenges, particularly with AWS Single Sign-On and CloudFormation compatibility. The document also presents a Terraform module for the AWS Landing Zone, detailing its components, providers, and usage within a Terraform backend.
![▪ Required: default provider
CODE EDITOR
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
},
security_account = {
account_id = ”987654321098"
region = "us-west-2"
}
[...]
}
Landing Zone Module’s Providers (1/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-18-320.jpg)
![▪ Required: default provider
– AWS account’s ID
– Account’s default region
CODE EDITOR
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
},
security_account = {
account_id = ”987654321098"
region = "us-west-2"
}
[...]
}
Landing Zone Module’s Providers (2/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-19-320.jpg)
![▪ Required: default provider
– AWS account’s ID
– Account’s default region
▪ Required: another provider
CODE EDITOR
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
},
security_account = {
account_id = ”987654321098"
region = "us-west-2"
}
[...]
}
Landing Zone Module’s Providers (3/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-20-320.jpg)
![▪ Required: default provider
– AWS account’s ID
– Account’s default region
▪ Required: another provider
– AWS account’s ID
– Account’s default region
CODE EDITOR
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
},
security_account = {
account_id = ”987654321098"
region = "us-west-2"
}
[...]
}
Landing Zone Module’s Providers (4/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-21-320.jpg)
![▪ Required: default provider
– AWS account’s ID
– Account’s default region
▪ Required: another provider
– AWS account’s ID
– Account’s default region
▪ Provider’s key name is used as
prefix in landing zone variables
CODE EDITOR
landing_zone_providers = {
default = {
account_id = "123456789012"
region = "us-east-1"
},
security_account = {
account_id = ”987654321098"
region = "us-west-2"
}
[...]
}
Landing Zone Module’s Providers (5/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-22-320.jpg)
![▪ Immutable LZ components –
shifted focus from TF to TFVAR
CODE EDITOR
landing_zone_components = {
landing_zone_vpc = ”default.tfvars"
landing_zone_subnet = ”default.tfvars”
[…]
}
Landing Zone Module’s Components (1/3)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-24-320.jpg)
![▪ Immutable LZ components –
shifted focus from TF to TFVAR
▪ Can be local or remote (on S3)
CODE EDITOR
landing_zone_components = {
landing_zone_vpc = "s3://terraform-aws-landing-
zone/components/landing_zone_vpc/default.tfvars"
landing_zone_subnet = "default.tfvars”
[…]
}
Landing Zone Module’s Components (2/3)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-25-320.jpg)
![▪ Immutable LZ components –
shifted focus from TF to TFVAR
▪ Can be local or remote (on S3)
▪ Can be 1 TFVAR or multiple
CODE EDITOR
landing_zone_components = {
landing_zone_vpc = "s3://terraform-aws-landing-
zone/components/landing_zone_vpc/default.tfvars"
landing_zone_subnet = "s3://terraform-aws-landing-
zone/components/landing_zone_subnet/*.tfvars”
[…]
}
Landing Zone Module’s Components (3/3)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-26-320.jpg)
![▪ List providers supported by
current component
CODE EDITOR
landing_zone_providers = ["default"]
default_provider = {
landing_zone_vpc_resource = {
config_0 = {
cidr_block = "172.16.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_classiclink = "false"
enable_dns_hostnames = "false"
enable_classiclink_dns_support = "false"
}
}
}
Landing Zone Module’s TFVARs (1/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-28-320.jpg)
![▪ List providers supported by
current component
▪ Define provider’s values as
`[provider_key_name]_provider`
CODE EDITOR
landing_zone_providers = ["default"]
default_provider = {
landing_zone_vpc_resource = {
config_0 = {
cidr_block = "172.16.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_classiclink = "false"
enable_dns_hostnames = "false"
enable_classiclink_dns_support = "false"
}
}
}
Landing Zone Module’s TFVARs (2/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-29-320.jpg)
![▪ List providers supported by
current component
▪ Define provider’s values as
`[provider_key_name]_provider`
▪ Define component’s values as
`[component_key_name]_resource`
CODE EDITOR
landing_zone_providers = ["default"]
default_provider = {
landing_zone_vpc_resource = {
config_0 = {
cidr_block = "172.16.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_classiclink = "false"
enable_dns_hostnames = "false"
enable_classiclink_dns_support = "false"
}
}
}
Landing Zone Module’s TFVARs (3/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-30-320.jpg)
![▪ List providers supported by
current component
▪ Define provider’s values as
`[provider_key_name]_provider`
▪ Define component’s values as
`[component_key_name]_resource`
▪ Define each resource as iteratable
config: `config_0`, `config_1`, etc
CODE EDITOR
landing_zone_providers = ["default"]
default_provider = {
landing_zone_vpc_resource = {
config_0 = {
cidr_block = "172.16.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_classiclink = "false"
enable_dns_hostnames = "false"
enable_classiclink_dns_support = "false"
}
}
}
Landing Zone Module’s TFVARs (4/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-31-320.jpg)
![▪ List providers supported by
current component
▪ Define provider’s values as
`[provider_key_name]_provider`
▪ Define component’s values as
`[component_key_name]_resource`
▪ Define each resource as iteratable
config: `config_0`, `config_1`, etc
▪ Define resource specific
key value pairs
CODE EDITOR
landing_zone_providers = ["default"]
default_provider = {
landing_zone_vpc_resource = {
config_0 = {
cidr_block = "172.16.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_classiclink = "false"
enable_dns_hostnames = "false"
enable_classiclink_dns_support = "false"
}
}
}
Landing Zone Module’s TFVARs (5/5)](https://image.slidesharecdn.com/2020-02-20-hashitalks-200220182610/85/Hands-On-Terraform-Module-for-AWS-Landing-Zone-at-HashiTalks2020-32-320.jpg)
Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
- 1. Hands-On Terraform Module for AWS Landing Zone registry.terraform.io/modules/MitocGroup/landing-zone
- 2. 2018: AWS Landing Zone Secure Multi-Accounts Strategy AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. https://aws.amazon.com/solutions/aws-landing-zone
- 3. AWS Landing Zone AWS Control Tower
- 4. 2019: AWS Control Tower “AWS Landing Zone” as a Service AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. https://aws.amazon.com/controltower
- 5. AWS Landing Zone AWS Control Tower
- 6. Existing Resources Although CloudFormation added recently the ability to import existing resources, current ALZ implementation still doesn’t support an easy and flexible process to reuse existing AWS environments. Customers Feedback (1/3) Below are 3 key issues identified by enterprise customers working hands-on with our professional services organization. AWS Single Sign-On Although AWS SSO is an amazing service, most of our customers would not replace their existing SSO solutions. Current ALZ implementation doesn’t allow switching it with something like Azure AD, Okta or PingIdentity. CloudFormation Enterprise customers who are already using Terraform as their default infrastructure-as- code solution often avoid CloudFormation based implementations, justifying as out of scope.
- 7. Customers Feedback (2/3) Below are 3 key issues identified by enterprise customers working hands-on with our professional services organization. Existing Resources Although CloudFormation added recently the ability to import existing resources, current ALZ implementation still doesn’t support an easy and flexible process to reuse existing AWS environments. AWS Single Sign-On Although AWS SSO is an amazing service, most of our customers would not replace their existing SSO solutions. Current ALZ implementation doesn’t allow switching it with something like Azure AD, Okta or PingIdentity. CloudFormation Enterprise customers who are already using Terraform as their default infrastructure-as- code solution often avoid CloudFormation based implementations, justifying as out of scope.
- 8. Existing Resources Although CloudFormation added recently the ability to import existing resources, current ALZ implementation still doesn’t support an easy and flexible process to reuse existing AWS environments. Customers Feedback (3/3) Below are 3 key issues identified by enterprise customers working hands-on with our professional services organization. AWS Single Sign-On Although AWS SSO is an amazing service, most of our customers would not replace their existing SSO solutions. Current ALZ implementation doesn’t allow switching it with something like Azure AD, Okta or PingIdentity. CloudFormation Enterprise customers who are already using Terraform as their default infrastructure-as- code solution often avoid CloudFormation based implementations, justifying as out of scope.
- 9. About Presenter Eugene ISTRATI @eistrati ▪ CTO, Tech Partner @ Mitoc Group ▪ Ex-AWS, ex-Hearst, ex-GrubHub ▪ Certified AWS Solutions Architect ▪ 20 Years in IT; 10 Years in Cloud Computing; 5 Years in Enterprise IT ▪ Focusing on: Automation, DevOps, Serverless
- 10. Terraform Module for AWS Landing Zone https://registry.terraform.io/modules/MitocGroup/landing-zone
- 11. 1. ALZ Module’s Providers 2. ALZ Module’s Components 3. ALZ Module’s TFVARs 4. ALZ Module’s Terraform Backend 5. Light Demo: ALZ Module in Action
- 14. ▪ Publicly available on TF Registry: https://registry.terraform.io CODE EDITOR module "landing_zone" { source = "MitocGroup/landing-zone/aws" version = "0.2.4" landing_zone_providers = var.landing_zone_providers landing_zone_components = var.landing_zone_components terraform_backend = var.terraform_backend } Landing Zone Module’s Anatomy (1/3)
- 15. ▪ Publicly available on TF Registry: https://registry.terraform.io ▪ Expected input: list of providers and components CODE EDITOR module "landing_zone" { source = "MitocGroup/landing-zone/aws" version = "0.2.4" landing_zone_providers = var.landing_zone_providers landing_zone_components = var.landing_zone_components terraform_backend = var.terraform_backend } Landing Zone Module’s Anatomy (2/3)
- 16. ▪ Publicly available on TF Registry: https://registry.terraform.io ▪ Expected input: list of providers and components ▪ Optional input: terraform backend CODE EDITOR module "landing_zone" { source = "MitocGroup/landing-zone/aws" version = "0.2.4" landing_zone_providers = var.landing_zone_providers landing_zone_components = var.landing_zone_components terraform_backend = var.terraform_backend } Landing Zone Module’s Anatomy (3/3)
- 17. ALZ Module’s Providers 1 Module’s Provider === 1 AWS Account + Region
- 18. ▪ Required: default provider CODE EDITOR landing_zone_providers = { default = { account_id = "123456789012" region = "us-east-1" }, security_account = { account_id = ”987654321098" region = "us-west-2" } [...] } Landing Zone Module’s Providers (1/5)
- 19. ▪ Required: default provider – AWS account’s ID – Account’s default region CODE EDITOR landing_zone_providers = { default = { account_id = "123456789012" region = "us-east-1" }, security_account = { account_id = ”987654321098" region = "us-west-2" } [...] } Landing Zone Module’s Providers (2/5)
- 20. ▪ Required: default provider – AWS account’s ID – Account’s default region ▪ Required: another provider CODE EDITOR landing_zone_providers = { default = { account_id = "123456789012" region = "us-east-1" }, security_account = { account_id = ”987654321098" region = "us-west-2" } [...] } Landing Zone Module’s Providers (3/5)
- 21. ▪ Required: default provider – AWS account’s ID – Account’s default region ▪ Required: another provider – AWS account’s ID – Account’s default region CODE EDITOR landing_zone_providers = { default = { account_id = "123456789012" region = "us-east-1" }, security_account = { account_id = ”987654321098" region = "us-west-2" } [...] } Landing Zone Module’s Providers (4/5)
- 22. ▪ Required: default provider – AWS account’s ID – Account’s default region ▪ Required: another provider – AWS account’s ID – Account’s default region ▪ Provider’s key name is used as prefix in landing zone variables CODE EDITOR landing_zone_providers = { default = { account_id = "123456789012" region = "us-east-1" }, security_account = { account_id = ”987654321098" region = "us-west-2" } [...] } Landing Zone Module’s Providers (5/5)
- 23. ALZ Module’s Components Microservices Architecture + Immutable TF Configurations
- 24. ▪ Immutable LZ components – shifted focus from TF to TFVAR CODE EDITOR landing_zone_components = { landing_zone_vpc = ”default.tfvars" landing_zone_subnet = ”default.tfvars” […] } Landing Zone Module’s Components (1/3)
- 25. ▪ Immutable LZ components – shifted focus from TF to TFVAR ▪ Can be local or remote (on S3) CODE EDITOR landing_zone_components = { landing_zone_vpc = "s3://terraform-aws-landing- zone/components/landing_zone_vpc/default.tfvars" landing_zone_subnet = "default.tfvars” […] } Landing Zone Module’s Components (2/3)
- 26. ▪ Immutable LZ components – shifted focus from TF to TFVAR ▪ Can be local or remote (on S3) ▪ Can be 1 TFVAR or multiple CODE EDITOR landing_zone_components = { landing_zone_vpc = "s3://terraform-aws-landing- zone/components/landing_zone_vpc/default.tfvars" landing_zone_subnet = "s3://terraform-aws-landing- zone/components/landing_zone_subnet/*.tfvars” […] } Landing Zone Module’s Components (3/3)
- 28. ▪ List providers supported by current component CODE EDITOR landing_zone_providers = ["default"] default_provider = { landing_zone_vpc_resource = { config_0 = { cidr_block = "172.16.0.0/16" instance_tenancy = "default" enable_dns_support = "true" enable_classiclink = "false" enable_dns_hostnames = "false" enable_classiclink_dns_support = "false" } } } Landing Zone Module’s TFVARs (1/5)
- 29. ▪ List providers supported by current component ▪ Define provider’s values as `[provider_key_name]_provider` CODE EDITOR landing_zone_providers = ["default"] default_provider = { landing_zone_vpc_resource = { config_0 = { cidr_block = "172.16.0.0/16" instance_tenancy = "default" enable_dns_support = "true" enable_classiclink = "false" enable_dns_hostnames = "false" enable_classiclink_dns_support = "false" } } } Landing Zone Module’s TFVARs (2/5)
- 30. ▪ List providers supported by current component ▪ Define provider’s values as `[provider_key_name]_provider` ▪ Define component’s values as `[component_key_name]_resource` CODE EDITOR landing_zone_providers = ["default"] default_provider = { landing_zone_vpc_resource = { config_0 = { cidr_block = "172.16.0.0/16" instance_tenancy = "default" enable_dns_support = "true" enable_classiclink = "false" enable_dns_hostnames = "false" enable_classiclink_dns_support = "false" } } } Landing Zone Module’s TFVARs (3/5)
- 31. ▪ List providers supported by current component ▪ Define provider’s values as `[provider_key_name]_provider` ▪ Define component’s values as `[component_key_name]_resource` ▪ Define each resource as iteratable config: `config_0`, `config_1`, etc CODE EDITOR landing_zone_providers = ["default"] default_provider = { landing_zone_vpc_resource = { config_0 = { cidr_block = "172.16.0.0/16" instance_tenancy = "default" enable_dns_support = "true" enable_classiclink = "false" enable_dns_hostnames = "false" enable_classiclink_dns_support = "false" } } } Landing Zone Module’s TFVARs (4/5)
- 32. ▪ List providers supported by current component ▪ Define provider’s values as `[provider_key_name]_provider` ▪ Define component’s values as `[component_key_name]_resource` ▪ Define each resource as iteratable config: `config_0`, `config_1`, etc ▪ Define resource specific key value pairs CODE EDITOR landing_zone_providers = ["default"] default_provider = { landing_zone_vpc_resource = { config_0 = { cidr_block = "172.16.0.0/16" instance_tenancy = "default" enable_dns_support = "true" enable_classiclink = "false" enable_dns_hostnames = "false" enable_classiclink_dns_support = "false" } } } Landing Zone Module’s TFVARs (5/5)
- 34. CODE EDITOR terraform_backend = { backend = "local" path = "/tmp/.terrahub/landing_zone" } Landing Zone Module’s Backend (1/2) CODE EDITOR terraform_backend = { backend = "s3" region = "us-east-1" bucket = "terraform-aws-landing-zone" key = "components" }
- 35. CODE EDITOR terraform_backend = { backend = "local" path = "/tmp/.terrahub/landing_zone" } Landing Zone Module’s Backend (2/2) CODE EDITOR terraform_backend = { backend = "s3" region = "us-east-1" bucket = "terraform-aws-landing-zone" key = "components" }
- 36. Light Demo: ALZ Module in Action
- 37. Calling Out Contributors: Thank You! https://registry.terraform.io/modules/MitocGroup/landing-zone eistrati euliancom vcalmic You &