DEV Community

Cover image for Getting Started with AWS Landing Zone: Tips for Terraform Setup
Wojciech Kaczmarczyk
Wojciech Kaczmarczyk

Posted on

Getting Started with AWS Landing Zone: Tips for Terraform Setup

AWS Landing Zone is a powerful framework designed to help organizations establish secure, multi-account environments in AWS. It provides a foundation for deploying and managing an enterprise-ready AWS environment with governance, compliance, and security best practices baked in. For those working with Infrastructure as Code (IaC), Terraform can be an ideal choice to automate the setup of a Landing Zone. Here, we’ll go over the basics and provide some tips for using Terraform to manage your AWS Landing Zone.

What is AWS Landing Zone?

AWS Landing Zone offers a standardized, secure, and scalable environment for managing AWS accounts. It's aimed at simplifying the setup of new AWS accounts within an organization while enforcing policies, security controls, and compliance requirements. Key features include:

  • Account Vending Machine (AVM) for automated account creation.
  • Centralized logging for tracking account activities.
  • Network Baseline Configuration including VPCs, subnets, and route tables.
  • Guardrails for consistent security policies across accounts.

Setting Up AWS Landing Zone with Terraform

Using Terraform with AWS Landing Zone provides several benefits, such as reproducibility, scalability, and automation. Here’s a simple outline to get started:

  1. Define Your Landing Zone Resources: Start by defining essential resources like Organizational Units (OUs), Accounts, and necessary roles within your Terraform configuration files.

  2. Use the AWS Organizations Module: AWS offers a Terraform module for AWS Organizations, which simplifies the process of managing multi-account setups and can integrate with AWS Control Tower.

  3. Create Policies as Code: With Terraform, you can define Service Control Policies (SCPs) to manage account permissions. SCPs can restrict or allow specific services or actions, which is useful for maintaining a compliant setup.

  4. Automate VPC and Network Setup: Use Terraform modules to set up a standardized VPC architecture. AWS provides a VPC module that can help establish subnets, route tables, and NAT gateways across multiple accounts in your Landing Zone.

  5. Enable CloudTrail and Centralized Logging: Set up CloudTrail and centralized logging to S3. This allows you to monitor activities across all accounts in a single location for better security and compliance.

Tips for Using Terraform with AWS Landing Zone

  • Plan Organizational Units (OUs) Carefully Organize accounts based on their purpose, such as Dev, Test, and Prod, and create distinct OUs. This structure enables easier management and policy application.

resource "aws_organizations_organizational_unit" "dev" {
name = "Development"
parent_id = aws_organizations_organization.example.root_id
}

  • Leverage the AWS Control Tower Module
    If you're using AWS Control Tower, Terraform's Control Tower module can help automate account creation. Control Tower adds guardrails, SCPs, and baselines, further simplifying multi-account management.

  • Create Custom Policies as Code
    Define Service Control Policies (SCPs) in Terraform to enforce rules across your organization. This example restricts users in specific accounts from launching certain EC2 instance types:

resource "aws_organizations_policy" "restrict_ec2_instances" {
name = "RestrictEC2Instances"
type = "SERVICE_CONTROL_POLICY"
content = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t2.micro",
"t2.small"
]
}
}
}
]
}
POLICY
}

  • Automate Account Provisioning Use Terraform's for_each functionality to iterate through a list of accounts and create each account in the Landing Zone setup:

resource "aws_organizations_account" "accounts" {
for_each = toset(var.account_names)
name = each.key
email = "${each.key}@yourdomain.com"
role_name = "OrganizationAccountAccessRole"
parent_id = aws_organizations_organizational_unit.prod.id
}

  • Implement Centralized IAM Roles Create IAM roles with permissions that can be assumed by users across accounts, allowing centralized access management and simplifying security.

Final Thoughts

AWS Landing Zone is a fantastic framework for establishing secure, compliant, and scalable AWS environments. By using Terraform, you can bring Infrastructure as Code best practices to Landing Zone setups, allowing for repeatable, consistent, and efficient account provisioning and management.

Whether you're setting up a new environment or looking to improve an existing one, Terraform can simplify **AWS Landing Zone management, streamline workflows, and enhance overall **governance.

Credits.

Top comments (0)