I'm working in a situation where our team's access to Control Tower is limited to another group. As we take on more responsibility for managing our developer accounts, the current process is becoming quite cumbersome. Right now, we manually deploy CloudFormation templates and build anything that doesn't have a template from scratch. For actions across all accounts, like deploying a Lambda function, I have to manually set up the cross-account IAM role in each individual account. I'm looking for a solution that allows me to easily deploy to multiple accounts with just a click or at least select which accounts to deploy to. Recommendations would be greatly appreciated, especially for tools with a GUI since our team isn't very code-oriented. Drift detection isn't a strict requirement for everything, but a more streamlined process would be ideal.
6 Answers
If you're using CloudFormation, look into Service Catalog and Stack Sets. These can help you deploy resources across multiple accounts more efficiently.
Stack Sets may work for you as they can assume roles in other accounts, even those in different organizations.
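The manual cross-account role setup described in the question is the one-time bootstrap that self-managed Stack Sets need: each target account has to hold an execution role the administration account can assume. The template below is an added example, not code from the answerer or from AWS; it is a scoped version of that execution role with the trust narrowed to the named administration role instead of the whole administrator account, and an inline policy sized for a template that deploys a Lambda function (the account id, role names and policy scope are assumptions to adjust).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Stack Set execution role for one target account (added example). Deploy once
  per account; afterwards Stack Sets in the administrator account can deploy here.

Parameters:
  AdministratorAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Placeholder, set to the account that owns the stack sets.
  AdministrationRoleName:
    Type: String
    Default: AWSCloudFormationStackSetAdministrationRole
  ExecutionRoleName:
    Type: String
    Default: AWSCloudFormationStackSetExecutionRole

Resources:
  StackSetExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ExecutionRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trust only the administration role, not every principal in the admin account.
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AdministratorAccountId}:role/${AdministrationRoleName}'
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StackSetLambdaDeploy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed scope: manage the stack itself plus the Lambda and log resources it creates.
              - Effect: Allow
                Action:
                  - cloudformation:*
                  - lambda:*
                  - logs:*
                Resource: '*'
              # PassRole limited to roles handed to Lambda; assumes the function's execution role already exists.
              - Effect: Allow
                Action: iam:PassRole
                Resource: '*'
                Condition:
                  StringEquals:
                    iam:PassedToService: lambda.amazonaws.com
```

If the administration role is ever deleted and recreated, the trust statement silently breaks because IAM stores the role's unique id behind the ARN, so redeploy this template after such a change. Extend the inline policy only for the resource types the deployed templates actually create rather than falling back to AdministratorAccess.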
I suggest you set up a management role in all your accounts. From there, you can use Terraform with tools like Step Functions or Spacelift to automate your infrastructure as code across those accounts and maintain a standard setup. CDK can become quite complicated at scale, especially with drift detection.
One option could be to push back a little. If your team isn't getting the access you need, consider doing the extra work manually and billing the time to the group restricting access. Sometimes, this kind of situation can prompt management to rethink their policies.
Consider using the Landing Zone Accelerator, which can operate without Control Tower and just rely on AWS Organizations. There are plenty of sample configurations available that you can tweak to suit your needs.
Account Factory could be a great choice since it’s Git-based and doesn’t require access to Control Tower itself. You could allow one team to set default configurations for new accounts while letting another team manage Control Tower setups.