AFT Modules Deployment Plan โ€” Simplified Breakdown

Chinnayya ChinthaChinnayya Chintha
3 min read

NOTE: https://github.com/aws-ia/terraform-aws-control_tower_account_factory.git

The Account Factory for Terraform (AFT) is organized into multiple Terraform modules that together automate and manage AWS Control Tower account provisioning. These modules have dependencies on each other, so you must deploy them in a certain order.

1. Packaging Module

  • What it does:
    Packages Lambda functions and other artifacts into archives (zipped files), preparing them for deployment.

  • Why first?
    Other modules need the file paths and hash values from these archives to deploy Lambdas correctly.

  • Key detail:
    It generates and uploads artifacts (Lambda code, etc.) used downstream.

2. Account Request Framework

  • What it does:
    Manages requests for new AWS accounts, including:

    • DynamoDB tables (state storage)

    • SQS queues and SNS topics (messaging)

    • VPC setup for network isolation

  • Dependencies:
    Needs artifact info from Packaging.

  • Why now?
    Sets the core infrastructure for handling account requests.

3. Lambda Layer Module

  • What it does:
    Creates shared Lambda layers (libraries) used by provisioning and customization Lambdas.

  • Dependencies:
    Uses KMS keys (encryption), VPC info, and archives from previous modules.

  • Why now?
    Lambdas in later modules depend on this shared layer for code reuse and size reduction.

4. Account Provisioning Framework

  • What it does:
    Contains Step Functions and Lambdas that automate provisioning new AWS accounts from requests.

  • Dependencies:
    Requires SNS topics, KMS keys, Lambda layers, and archives from earlier modules.

  • Why now?
    This module is the engine that actually creates accounts.

5. Backend Infrastructure

  • What it does:
    Sets up S3 buckets and DynamoDB tables to store Terraform state and other persistent data.

  • Dependencies:
    Independent, but needed by many modules to save state/configuration.

  • Why now?
    Needs to be available early for modules that store their state remotely.

6. Code Repositories

  • What it does:
    Creates/configures code repos (e.g., AWS CodeCommit) for storing provisioning/customization code.

  • Dependencies:
    Needs VPC info and backend storage from previous modules.

  • Why now?
    Provides the place where account customization code lives.

7. Customizations

  • What it does:
    Manages pipelines and orchestration for customizing accounts (post-provisioning).

  • Dependencies:
    Requires backend, provisioning framework, and code repos.

  • Why now?
    Runs after accounts are provisioned to customize them.

8. Feature Options

  • What it does:
    Enables optional features like CloudTrail data events, support enrollment, VPC deletion.

  • Dependencies:
    Depends on frameworks and Lambda layers.

  • Why now?
    Deployed after core provisioning and customizations are ready.

9. IAM Roles

  • What it does:
    Defines IAM roles used for cross-account access and internal permissions.

  • Dependencies:
    Depends on the setup of foundational accounts.

  • Why now?
    Deploys after foundational modules/accounts are ready to assign roles securely.

10. SSM Parameters

  • What it does:
    Stores configuration and metadata in AWS Systems Manager Parameter Store.

  • Dependencies:
    Uses outputs from nearly all other modules.

  • Why last?
    Collects all config and metadata after everything else is deployed.

How This Maps to the GitHub Repo (https://github.com/aws-ia/terraform-aws-control_tower_account_factory)

The GitHub repo is the official AWS-provided Terraform module for Control Tower Account Factory, which contains all these submodules and their logic.

  • The modules/aft-archives corresponds to your Packaging Module.

  • The modules/aft-account-request-framework is the Account Request Framework.

  • aft-lambda-layer, aft-account-provisioning-framework, and others exactly match your deployment plan.

  • The repo README and docs explain usage and dependencies between these modules.

  • Each module folder in the repo contains Terraform code to deploy the specific resources mentioned in your plan.

Summary โ€” Why This Order Matters

  • Packaging artifacts must exist before any Lambda functions can be deployed.

  • Account request infrastructure (queues, tables) is foundational for managing lifecycle.

  • Shared Lambda layers must be ready before Lambdas depending on them are deployed.

  • Backend storage (S3/DynamoDB) must be ready early for state management.

  • Code repos and customizations come after core provisioning to allow customization pipelines.

  • IAM roles and SSM parameters are finalized last to secure access and centralize config.

0
Subscribe to my newsletter

Read articles from Chinnayya Chintha directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSaws lambdaaws-cdkAWS Control Tower

Written by

Chinnayya Chintha
Chinnayya Chintha

I am ๐—–๐—ต๐—ถ๐—ป๐—ป๐—ฎ๐˜†๐˜†๐—ฎ ๐—–๐—ต๐—ถ๐—ป๐˜๐—ต๐—ฎ, ๐—ฎ ๐—ฟ๐—ฒ๐˜€๐˜‚๐—น๐˜๐˜€-๐—ฑ๐—ฟ๐—ถ๐˜ƒ๐—ฒ๐—ป ๐—ฆ๐—ถ๐˜๐—ฒ ๐—ฅ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐˜† ๐—˜๐—ป๐—ด๐—ถ๐—ป๐—ฒ๐—ฒ๐—ฟ (๐—ฆ๐—ฅ๐—˜) with proven expertise in ๐—ฎ๐˜‚๐˜๐—ผ๐—บ๐—ฎ๐˜๐—ถ๐—ป๐—ด, ๐—ฎ๐—ป๐—ฑ ๐—บ๐—ฎ๐—ป๐—ฎ๐—ด๐—ถ๐—ป๐—ด ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ, ๐˜€๐—ฐ๐—ฎ๐—น๐—ฎ๐—ฏ๐—น๐—ฒ, ๐—ฎ๐—ป๐—ฑ ๐—ฟ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—น๐—ฒ ๐—ถ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐˜€๐—ผ๐—น๐˜‚๐˜๐—ถ๐—ผ๐—ป๐˜€. My experience spans ๐—ฐ๐—น๐—ผ๐˜‚๐—ฑ-๐—ป๐—ฎ๐˜๐—ถ๐˜ƒ๐—ฒ ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ผ๐—น๐—ผ๐—ด๐—ถ๐—ฒ๐˜€, ๐—–๐—œ/๐—–๐—— ๐—ฎ๐˜‚๐˜๐—ผ๐—บ๐—ฎ๐˜๐—ถ๐—ผ๐—ป, ๐—ฎ๐—ป๐—ฑ ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—ฎ๐˜€ ๐—–๐—ผ๐—ฑ๐—ฒ (๐—œ๐—ฎ๐—–), enabling me to deliver ๐—ต๐—ถ๐—ด๐—ต-๐—ฝ๐—ฒ๐—ฟ๐—ณ๐—ผ๐—ฟ๐—บ๐—ถ๐—ป๐—ด ๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€ that enhance operational efficiency and drive innovation. As a ๐—™๐—ฟ๐—ฒ๐—ฒ๐—น๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฆ๐—ถ๐˜๐—ฒ ๐—ฅ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐˜† ๐—˜๐—ป๐—ด๐—ถ๐—ป๐—ฒ๐—ฒ๐—ฟ, I specialize in: โœ…๐—œ๐—บ๐—ฝ๐—น๐—ฒ๐—บ๐—ฒ๐—ป๐˜๐—ถ๐—ป๐—ด ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐˜€๐—ฐ๐—ฎ๐—น๐—ฎ๐—ฏ๐—น๐—ฒ ๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜ ๐—ด๐—ฎ๐˜๐—ฒ๐˜„๐—ฎ๐˜† ๐˜€๐—ผ๐—น๐˜‚๐˜๐—ถ๐—ผ๐—ป๐˜€ ๐˜‚๐˜€๐—ถ๐—ป๐—ด ๐—”๐—ช๐—ฆ ๐˜€๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ๐˜€ ๐—น๐—ถ๐—ธ๐—ฒ ๐—”๐—ฃ๐—œ ๐—š๐—ฎ๐˜๐—ฒ๐˜„๐—ฎ๐˜†, ๐—Ÿ๐—ฎ๐—บ๐—ฏ๐—ฑ๐—ฎ, ๐—ฎ๐—ป๐—ฑ ๐——๐˜†๐—ป๐—ฎ๐—บ๐—ผ๐——๐—•.. โœ…๐—”๐˜‚๐˜๐—ผ๐—บ๐—ฎ๐˜๐—ถ๐—ป๐—ด ๐—ถ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—ฝ๐—ฟ๐—ผ๐˜ƒ๐—ถ๐˜€๐—ถ๐—ผ๐—ป๐—ถ๐—ป๐—ด with ๐—ง๐—ฒ๐—ฟ๐—ฟ๐—ฎ๐—ณ๐—ผ๐—ฟ๐—บ. โœ…๐—ข๐—ฝ๐˜๐—ถ๐—บ๐—ถ๐˜‡๐—ถ๐—ป๐—ด ๐—บ๐—ผ๐—ป๐—ถ๐˜๐—ผ๐—ฟ๐—ถ๐—ป๐—ด using ๐—–๐—น๐—ผ๐˜‚๐—ฑ๐—ช๐—ฎ๐˜๐—ฐ๐—ต. โœ…Ensuring compliance with ๐—ฃ๐—–๐—œ-๐——๐—ฆ๐—ฆ ๐˜€๐˜๐—ฎ๐—ป๐—ฑ๐—ฎ๐—ฟ๐—ฑ๐˜€ through ๐—ฒ๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ถ๐—ผ๐—ป ๐—บ๐—ฒ๐—ฐ๐—ต๐—ฎ๐—ป๐—ถ๐˜€๐—บ๐˜€ โœ…implemented with ๐—”๐—ช๐—ฆ ๐—ž๐— ๐—ฆ and ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—ฟ. These efforts have resulted in ๐—ฒ๐—ป๐—ต๐—ฎ๐—ป๐—ฐ๐—ฒ๐—ฑ ๐˜๐—ฟ๐—ฎ๐—ป๐˜€๐—ฎ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—ฟ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐˜† and ๐˜€๐˜๐—ฟ๐—ฒ๐—ฎ๐—บ๐—น๐—ถ๐—ป๐—ฒ๐—ฑ ๐—ผ๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐—ฎ๐—น ๐˜„๐—ผ๐—ฟ๐—ธ๐—ณ๐—น๐—ผ๐˜„๐˜€ for payment processing systems. I am passionate about ๐—บ๐—ฒ๐—ป๐˜๐—ผ๐—ฟ๐—ถ๐—ป๐—ด ๐—ฎ๐—ป๐—ฑ ๐—ธ๐—ป๐—ผ๐˜„๐—น๐—ฒ๐—ฑ๐—ด๐—ฒ ๐˜€๐—ต๐—ฎ๐—ฟ๐—ถ๐—ป๐—ด, having delivered ๐—ต๐—ฎ๐—ป๐—ฑ๐˜€-๐—ผ๐—ป ๐˜๐—ฟ๐—ฎ๐—ถ๐—ป๐—ถ๐—ป๐—ด in ๐—ฐ๐—น๐—ผ๐˜‚๐—ฑ ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ผ๐—น๐—ผ๐—ด๐—ถ๐—ฒ๐˜€, ๐—ž๐˜‚๐—ฏ๐—ฒ๐—ฟ๐—ป๐—ฒ๐˜๐—ฒ๐˜€, ๐—ฎ๐—ป๐—ฑ ๐—ฎ๐˜‚๐˜๐—ผ๐—บ๐—ฎ๐˜๐—ถ๐—ผ๐—ป. My proactive approach helps me anticipate system challenges and create ๐—ฟ๐—ผ๐—ฏ๐˜‚๐˜€๐˜, ๐˜€๐—ฐ๐—ฎ๐—น๐—ฎ๐—ฏ๐—น๐—ฒ ๐˜€๐—ผ๐—น๐˜‚๐˜๐—ถ๐—ผ๐—ป๐˜€ ๐˜๐—ต๐—ฎ๐˜ ๐—ฒ๐—ป๐—ต๐—ฎ๐—ป๐—ฐ๐—ฒ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜†, ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ, ๐—ฎ๐—ป๐—ฑ ๐—ผ๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐—ฎ๐—น ๐—ฒ๐—ณ๐—ณ๐—ถ๐—ฐ๐—ถ๐—ฒ๐—ป๐—ฐ๐˜†. Dedicated to ๐—ฐ๐—ผ๐—ป๐˜๐—ถ๐—ป๐˜‚๐—ผ๐˜‚๐˜€ ๐—น๐—ฒ๐—ฎ๐—ฟ๐—ป๐—ถ๐—ป๐—ด, I stay updated with ๐—ฒ๐—บ๐—ฒ๐—ฟ๐—ด๐—ถ๐—ป๐—ด ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ผ๐—น๐—ผ๐—ด๐—ถ๐—ฒ๐˜€ and thrive on contributing to ๐˜๐—ฟ๐—ฎ๐—ป๐˜€๐—ณ๐—ผ๐—ฟ๐—บ๐—ฎ๐˜๐—ถ๐˜ƒ๐—ฒ ๐—ฝ๐—ฟ๐—ผ๐—ท๐—ฒ๐—ฐ๐˜๐˜€ that push boundaries in technology.