What do people do nowadays when setting up a multi...
# terraform
h
What do people do nowadays when setting up a multi account aws setup from scratch using aws organisations and aws identity center and where is the boundary between full automation and practical automation? For the sake of this question, let's imagine a smaller company with a handful of teams and a devops team with 1-2 people in it. I still hear mixed reviews about aws control tower / landingzone.
r
1 or 2 devops eng who are deeply experienced with AWS? or new to it?
Control Tower is worth it when you are building landing zones or multi-account org structures in aws BUT only for initial account creation, IAM, and Roles/Policy IMO. Putting anything else in control tower like networking or other infra or apps is a trap (again this is just my opinion and you might have more use-cases that require more governance). Back to your first question, automation vs practical... https://xkcd.com/1205/
tldr: If it saves you time in the future it should go in IaC
h
Thanks for the comment! Regarding the iam roles / policies for control tower, I assume these are the general roles / policies that need to be in place in all accounts and not the more specific roles / policies eg for services?
r
Some people insist everything go into CT but I personally think service accounts should live as close to the project code as possible
It depends on how much control you need across the org
using CT does allow you to prevent sprawl in favor of strict standards but it may slow you down if you don't have good pipeline integration
No matter what, do ensure you create all your roles/policies with some IaC pipeline though. Do not let people manually make changes or you will regret it later
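As an added example (not from the thread or any commenter) of enforcing the "no manual IAM changes" rule at the org level: a Terraform-managed SCP that denies IAM role and policy mutations unless the caller is the IaC pipeline's deployment role. The OU id, the role name `iac-pipeline`, and the variable names are assumptions for illustration.

```hcl
# Added example. Assumes an existing Organizations OU (var.workloads_ou_id)
# and a deployment role named var.pipeline_role_name that the IaC pipeline
# assumes in every member account. Both values are assumptions.

variable "workloads_ou_id" {
  type        = string
  description = "OU id (ou-xxxx-xxxxxxxx) the SCP is attached to"
}

variable "pipeline_role_name" {
  type    = string
  default = "iac-pipeline"
}

# Deny IAM role/policy mutations unless performed by the pipeline role.
# ArnNotLike with a wildcard account id matches the role in any member
# account without listing account ids in the policy.
data "aws_iam_policy_document" "deny_manual_iam" {
  statement {
    sid    = "DenyIamChangesOutsidePipeline"
    effect = "Deny"
    actions = [
      "iam:CreateRole", "iam:DeleteRole", "iam:UpdateAssumeRolePolicy",
      "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy",
      "iam:DeleteRolePolicy", "iam:CreatePolicy", "iam:DeletePolicy",
      "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    ]
    resources = ["*"]
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:role/${var.pipeline_role_name}"]
    }
  }
}

resource "aws_organizations_policy" "deny_manual_iam" {
  name        = "deny-manual-iam-changes"
  description = "IAM roles/policies change only through the IaC pipeline"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.deny_manual_iam.json
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.deny_manual_iam.id
  target_id = var.workloads_ou_id
}
```

SCPs never apply to the management account, so this only covers member accounts under the OU. Create the pipeline role in each account before attaching the policy, or the pipeline locks itself out.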
h
thanks! Then I think we are doing good so far, there is currently no manual creation, but that is probably because the teams don't have any cloud experience and we aren't that many yet