25092025-AWS Meetup-AFT Migration

Transcript

1. M i g rat i n g t o AW

   S A ccou nt Fac tor y for Ter raf orm From Fragile to Flexible Markus Toivakka / Ari Luokkala 30.9.2025 Migrating to AWS Account Factory for Terraform

2. Agenda 30.9.2025 2 1. Background 2. SOK Migration Story 3.

   Sum Up

3. Cloud Architect at SOK AWS Platform Team AWS Community Builder

   Keeper of the All Certs Golden Jacket Principal Cloud Engineer at SOK AWS Platform team I am passionate about cloud technology and a strong believer in continuous learning Outside of work, you might find me enjoying sports or fishing Ari Luokkala Markus Toivakka 30.9.2025 Introduction

4. 30.9.2025 1. Background 4

5. • Networking • Access control (SSO) • Compliance / Governance

   o GuardDuty o Security Hub standards o Platform Logs (CloudTrail, Route53, VPC Flow Logs) o SCP • Everything else(AWS Backup, Shield Advanced, Systems Manager automations ...) • Fully automated • Micro-account strategy • Account is Tagged and Categorized to OUs Account Vending Baseline Resources Overview of SOK account management practices 30.9.2025 Account Management 5 - Organization level dashboards for combined results. - Baseline Resources are dynamic, continuously reviewed and updated. Changes to "All accounts" made frequently. - Environment promotion flow for deployments.

6. 30.9.2025 6 Account Management 6

7. History 30.9.2025 Account Management 7 Cloudformation Stacksets ADF Control Tower

   - AFT

8. • ADF project activity, it lacks proper maintenance and product

   management. o Release cycle slow and unpredictable. o Deprecated dependencies like CDK v1. o SAR installation process -> Lambda updates manually from AWS Console. • Not official AWS product but just a sidekick of 2-3 AWS ProServe consultants. o Official AWS support missing, very small internet community. o Availability of skilled labor? • No proper observability although kind of complex solution, Lambdas, Codepipeline, Step Functions. • We need better pipeline orchestration. • ADF deploys Cloudformation stacks as separate stack instances. No combined drift detection. How to know if something has changed? Main pain points: 30.9.2025 Why ADF must go? 8

9. o Spacelift o Terraform, Cloudformation, Opentofu o No account vending

   o Enterprise plan $$$ • org-formation-cli o https://github.com/org-formation/org-formation-cli o Cloudformation • Takomo.io, starfleet • Terragrunt Landing Zone o https://docs.gruntwork.io/foundations/overview/ o Extends Control Tower o Everything is run from Github • Landing Zone Accelerator o https://aws.amazon.com/solutions/implementations/landing-zone- accelerator-on-aws/ o Cloudformation o AWS Managed o Integrates to Control Tower(Account Factory) • Customizations for AWS Control Tower(CfCt) o Cloudformation StackSets • Account Factory for Terraform(AFT) o Terraform o AWS Managed Control Tower Landing Zone + : All else 30.9.2025 What's next? 9

10. • Flexible imports of existing accounts, resources • Shared customizations

    (global, dev, prod, more granular) • Terraform o Improves drift detection o More detailed plan on updates • Supports self-hosted Gitlab • AWS Managed • "Free" Winner! PRESENTATION NAME / AUTHOR 30.9.2025 Control Tower AFT 10

11. 30.9.2025 AFT & Control Tower 11 Baseline account product Global

    and custom configurations per OUs

12. 30.9.2025 2. SOK Migration Story 12

13. 30.9.2025 13 Preparing the Team 13 Bandwidth allocation Hands-dirty in

    sandbox environment Q/A sessions with AWS product lead

14. Overview 30.9.2025 AFT Account Vending Overview 14 Control Tower Account

    provisioning • SCP • AWS Config AFT Add baseline resources: • Pre – bash script • Apply Terraform • Post – bash script Apply Customization Create account Ready! Our goal was to have minimalistic Control Tower features; account factory is the key feature for AFT!

15. • Transform account bootstrap customizations from Cloudformation to Terraform •

    Enrol organisation units (OUs) to Control Tower Preparations 30.9.2025 AFT Migration Phases 15 • Deattach account from ADF Management • Remove ADF Cloudformation customizations • Create AFT account request • Apply AFT Terraform customizations Migration steps

16. Focus on importing only critical resources. • Networking( VPCs, subnets..)

    • AWS Backup vaults, KMS keys ... • Non-critical resources can be re-created. • Delete ADF-managed stacks. • Recreate using AFT terraform modules. Imports MUST adapt! • "If exists -> import, if not -> create." Terraform imports rely HEAVILY on AWS Organizations tags. • Are tags consistent and up-to-date? Previously bootstrapped resources weren't protected by SCP, allowing dev teams to cause drift • Older configurations may be non-standard or modified. Identify resources that cannot be recreated. Discovery Selective Resource Migration Ensuring Terraform readiness 30.9.2025 AFT Migration Story 16 Terraform resource imports at this scale are possible, but can be complex and error-prone.

17. First try – Orchestrate with ADF pipelines. 30.9.2025 AFT Migration

    Story 17 ADF, leave the account alone!!! Delete ADF Stack(s) Create ADF Stack(s) Tags? Wait for pipelines to finish. 1h -> ???!!! I said... + ADF already has access and pipelines to accounts. + Organisation account tags can be used to target accounts and to delete stacks. - No observability, no confidence. - Solves small part of the problem. - Slow.

18. Second try – Scripting Approach 30.9.2025 AFT Migration Story 18

    Detach from ADF Verify tagging and import parameters Delete ADF Stacks Create account_request for AFT the_big_beautiful_script.py + Fail fast. Fix what is needed and retry. + Logging on every step. + Work in batches. - Multi-account scripting from local.

19. 30.9.2025 Problems & Solutions 19

20. From Custom Resource 30.9.2025 Solutions 20 Pre-2025: If Cloudformation native

    support is missing, use Custom Resource. 2025->: Resource logic lives in the TF provider and runs during `terraform apply`. To Terraform Resource - Terraform AWS provider usually get new features faster than Cloudformation. - CloudFormation Custom Resource infra must be maintained (runtime updates) and monitored.

21. 30.9.2025 21 Solutions 21 Import patterns

22. Orchestration 30.9.2025 Solutions 22 ADF - Sequential orchestration is hard.

    - Yes, pipelines fail on the first run -> alarm fatigue. Control Tower AFT - Terraform state, intrinsic depends_on between providers. - Master account does not trust member. Both trust AFT management account.

23. AWS Support + AFT release cycle PRESENTATION NAME / AUTHOR

    30.9.2025 Solutions 23

24. 30.9.2025 3. Sum Up 24

25. Familiarization: Spend time with hands-on with the new framework Automation

    from the start: Script, script, script - pays off in the long run Re-alignment: The more we explored the more we learned to do things better Batch flow: Categorize tasks, execute batch tasks in parallel Our Key Success Factors

26. Migration status 30.9.2025 Where are we today? 26 • ~

    200 DEV accounts already migrated • Next focus on PROD accounts • Estimated completion end of November

27. 30.9.2025 27 Next Steps 27 We probably cook something with

    combining these ...

28. Thank you! 30.9.2025