✅ Getting Started with AWS Control Tower and Account Factory for Terraform (AFT)

AWS Control Tower makes it easier to set up and govern a secure, multi-account AWS environment based on AWS best practices. When combined with Account Factory for Terraform (AFT), it becomes even more powerful—enabling automated, Git-driven, scalable AWS account provisioning and customization.

In this article, we’ll walk through all the prerequisites you need to prepare before deploying AFT successfully.

---

🚀 What is AFT?

Account Factory for Terraform (AFT) is an AWS solution that uses Terraform and DevOps principles to automate account creation, configuration, and governance in an AWS Control Tower environment. It enables you to define account templates and customizations via Git repositories.

---

✅ Prerequisites for AFT Deployment

Before deploying AFT, ensure you meet all of the following requirements

---

1️⃣ AWS Control Tower Landing Zone

You must have a fully deployed AWS Control Tower landing zone, which includes:

• A Management Account (payer account in your AWS Organization).

• One or more Organizational Units (OUs).

• Governance guardrails (mandatory or optional) applied.

• AWS IAM Identity Center (formerly AWS SSO) configured and enabled.

---

2️⃣ AFT Management Account

You need a dedicated AWS account just for running the AFT infrastructure. This is called the AFT Management Account.

• Must be created using Control Tower's Account Factory.

• Assign it to an appropriate OU (e.g., Infrastructure).

• This account will host:

  • Terraform modules

  • CodePipeline and CodeBuild

  • Lambda functions used by AFT

---

3️⃣ Email Addresses

You need two unique email addresses:

• One for the AFT Management Account (e.g., user+aft@yourdomain.com)

• One for the test (vending) account that you’ll create using AFT (e.g., user+vending1@yourdomain.com)

💡 Tip: Many email providers (like Gmail) support the +alias trick to create email variations.

---

4️⃣ Git Repositories (VCS)

AFT requires four separate Git repositories hosted in a supported Version Control System (VCS) like GitHub, GitLab, or Bitbucket.

Import the following repositories from the AWS samples into your personal or organization Git account:

✅ Set the repositories to private and ensure you have credentials (token or OAuth) for pipeline access.

---

5️⃣ Developer Tools & CLI Setup

If you are using a local development environment (instead of AWS CloudShell), install:

• Terraform CLI
  Install Guide

    terraform --version
  

• jq (for JSON parsing)
  Install Guide

    jq --version
  

• AWS CLI
  Install Guide

    aws --version
  

• Git

    git --version
  

---

6️⃣ AWS CLI SSO Profile

Configure AWS CLI with your Control Tower Management Account using SSO:

aws configure sso

Follow the prompts to authenticate and store your profile locally.

🔑 You must have AdministratorAccess to deploy AFT resources.

---

7️⃣ Permissions & Access

Ensure the following:

• You have Admin access on the Control Tower Management Account.

• Your GitHub (or VCS) token or OAuth app has access to the 4 repositories.

• IAM Identity Center (SSO) is configured to allow account access and provisioning.

• You can assume the necessary IAM roles (used by AFT Lambda and CodePipeline).

---

8️⃣ Terraform Backend (Recommended for Production)

• Use an S3 bucket for remote state storage.

• Enable DynamoDB table for state locking.

• Define this backend in backend.tf.

This improves team collaboration and safeguards Terraform state.

---

📌 Summary Checklist

Here’s a quick overview of all prerequisites:

---

🎯 Next Step

Once these prerequisites are met, you’re ready to deploy the AFT Terraform module and start managing AWS accounts with DevOps efficiency.