Provisioning new AWS Accounts via CloudFormation


Hi,

There are boatloads of articles on the internet about automating the provisioning of AWS Accounts, however, these mostly seem to end up using the AWS API to provision the accounts, e.g one of them I saw just uses the CreateAccount action of the Organisations API.

What I'd like to do (or at least, what I think I want), is to use Control Tower Account Factory to provision the accounts, but invoked via CloudFormation. Essentially, it would be the same as clicking the "Enroll Account" button in the AWS Control Tower console.

Since Account Factory is just a Service Catalog Product, I figured you could put together a CloudFormation template that looks something like this:

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Description: Provision a new AWS Account.

Resources:
  Account:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductId: prod-xxxxxxxxxxxx
      ProvisionedProductName: my-new-account
      ProvisioningArtifactId: pa-xxxxxxxxxxx
      ProvisioningParameters:
        - Key: AccountEmail
          Value: mynewaccountemail@domain.tld
        - Key: AccountName
          Value: my-new-account
        - Key: ManagedOrganisationalUnit
          Value: ou-xxxx-xxxxxxxx
        - Key: SSOUserEmail
          Value: myssouser@domain.tld
        - Key: SSOUserFirstName
          Value: ssouserfirstname
        - Key: SSOUserLastName
          Value: ssouserlastname
```

Ideally, you would be able to grab the ID of the new Account out of this as well --- by inspection of some accounts we created manually and reviewing the docs for AWS::ServiceCatalog::CloudFormationProvisionedProduct, it seems you should be able to pull out the account ID from the Resource like so: !Sub ${Account.Outputs.AccountId}.

Now that we have the ID, you could provide it as a DeploymentTarget for a StackSet to perform the rest of the setup in the new account.

However, when I tried this, Stack creation failed, simply saying "Internal Error".

Has anyone managed to get this to work before? Or can someone at AWS tell me I dunno what I'm doing xD

Cheers,

Edited by: quantiful-antony-2 on Feb 2, 2021 9:47 PM

Unfortunately, the formatting of the YAML seems to be lost? Hopefully the gist of it still comes through, but let me know if not.

asked 3 years ago · 454 views
1 Answer

GOT IT!!

Turns out there were a couple of things:

  1. It looks like the AWS Control Tower Account Factory product that is added to AWS Service Catalog when you create your landing zone does not have a default launch path set. This means you must provide one to the Resource in the CloudFormation template (PathId parameter). In our case, DescribeProduct only lists a single launch path, so I just provided that one to the template.

  2. I used the British spelling of "Organisational" instead of the expected (American) spelling of "Organizational", when specifying the ManagedOrganizationalUnit provisioning parameter.

I also tried using the AWS CLI to invoke the ProvisionProduct API manually, using the same parameter values as specified in the CloudFormation template. This also failed initially, but in that case I was simply making the most noob-y AWS mistake of all: I forgot to set the region correctly! Setting the correct region (via --region ap-southeast-2, in my case) allowed the operation to proceed successfully.

Hopefully this helps anyone in future who might try provisioning AWS accounts via CloudFormation.

answered 3 years ago
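The two template problems named in the answer (no PathId on the provisioned product resource, and the mis-spelled ManagedOrganizationalUnit key) both surface only as an opaque "Internal Error" at stack creation time, so it is worth catching them locally before deploying. The following is an added example, not code from the question or answer above and not an AWS tool: it holds the corrected template in CloudFormation's JSON form and runs a small pre-flight check over it. The ProductId, PathId, ProvisioningArtifactId and OU values are placeholders, the expected parameter-key set is taken from the thread, and the check_template and broken_variant helpers are hypothetical names introduced here.

```python
"""Pre-flight check for a Control Tower Account Factory CloudFormation template.

Catches the two silent failure modes from the thread before the stack is
created: a missing PathId and a provisioning parameter key that does not
match what Account Factory expects.
"""
import copy
import json

# Provisioning parameter keys Account Factory expects, as listed in the thread
# (with the American spelling of the OU key, which is the one the product accepts).
EXPECTED_KEYS = {
    "AccountEmail", "AccountName", "ManagedOrganizationalUnit",
    "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName",
}
PROVISIONED_PRODUCT_TYPE = "AWS::ServiceCatalog::CloudFormationProvisionedProduct"

# Corrected template in JSON form (CloudFormation accepts JSON as well as YAML).
# All IDs and e-mail addresses are placeholders to replace with your own values;
# the PathId comes from the launch path that DescribeProduct lists for the product.
CORRECTED_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Provision a new AWS Account via Control Tower Account Factory.",
  "Resources": {
    "Account": {
      "Type": "AWS::ServiceCatalog::CloudFormationProvisionedProduct",
      "Properties": {
        "ProductId": "prod-PLACEHOLDER",
        "PathId": "PATH-ID-PLACEHOLDER",
        "ProvisionedProductName": "my-new-account",
        "ProvisioningArtifactId": "pa-PLACEHOLDER",
        "ProvisioningParameters": [
          {"Key": "AccountEmail", "Value": "mynewaccountemail@domain.tld"},
          {"Key": "AccountName", "Value": "my-new-account"},
          {"Key": "ManagedOrganizationalUnit", "Value": "ou-PLACEHOLDER"},
          {"Key": "SSOUserEmail", "Value": "myssouser@domain.tld"},
          {"Key": "SSOUserFirstName", "Value": "ssouserfirstname"},
          {"Key": "SSOUserLastName", "Value": "ssouserlastname"}
        ]
      }
    }
  },
  "Outputs": {
    "AccountId": {"Value": {"Fn::Sub": "${Account.Outputs.AccountId}"}}
  }
}
""")


def check_template(template):
    """Return a list of findings for every provisioned-product resource.

    An empty list means the template passes both checks. The function only
    inspects the parsed template; it makes no AWS API calls.
    """
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != PROVISIONED_PRODUCT_TYPE:
            continue
        props = resource.get("Properties", {})
        if "PathId" not in props:
            findings.append(
                f"{name}: PathId is missing (Account Factory has no default launch path)")
        keys = {p.get("Key") for p in props.get("ProvisioningParameters", [])}
        for key in sorted(keys - EXPECTED_KEYS):
            findings.append(f"{name}: unexpected provisioning parameter {key!r}")
        for key in sorted(EXPECTED_KEYS - keys):
            findings.append(f"{name}: missing provisioning parameter {key!r}")
    return findings


def broken_variant(template):
    """Reproduce the question's template: drop PathId and use the British spelling."""
    broken = copy.deepcopy(template)
    props = broken["Resources"]["Account"]["Properties"]
    props.pop("PathId", None)
    for param in props["ProvisioningParameters"]:
        if param["Key"] == "ManagedOrganizationalUnit":
            param["Key"] = "ManagedOrganisationalUnit"
    return broken


if __name__ == "__main__":
    for label, tpl in (("question", broken_variant(CORRECTED_TEMPLATE)),
                       ("corrected", CORRECTED_TEMPLATE)):
        result = check_template(tpl)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The check does not cover the third problem in the answer, the wrong CLI region, since that is a property of the calling environment rather than the template; pass --region explicitly (or set it in the profile) when invoking ProvisionProduct or creating the stack.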
