Getting Started

Complete guide to getting started with AWS Control Tower Landing Zone deployment.

Table of contents

  1. Overview
  2. Prerequisites
    1. Required
    2. Recommended Tools
  3. Installation Steps
    1. Step 1: Clone Repository
    2. Step 2: Setup Pre-Commit Hooks
    3. Step 3: Deploy Backend Infrastructure
    4. Step 4: Configure Variables
    5. Step 5: Initialize Terraform
    6. Step 6: Run Pre-Deployment Checks
    7. Step 7: Review Plan
    8. Step 8: Deploy
    9. Step 9: Post-Deployment
  4. Verification
    1. Verify Control Tower
    2. Verify Security Services
  5. Next Steps
  6. Troubleshooting
    1. Common Issues
  7. Additional Resources

Overview

This guide will walk you through the complete process of deploying AWS Control Tower using this Terraform automation.

Prerequisites Required: Ensure you have AWS Organizations enabled and appropriate permissions before starting.

Prerequisites

Required

  • AWS Organizations enabled in management account
  • Terraform >= 1.6.0
  • AWS CLI >= 2.0
  • Management account access with administrator permissions
  • Minimum 2 email addresses (Log Archive and Audit accounts)
# Install recommended tools
brew install jq tfsec terraform-docs make

# Or using apt (Linux)
apt-get install jq make

Installation Steps

Step 1: Clone Repository 

git clone https://github.com/your-org/aws-control-tower-landingzone.git
cd aws-control-tower-landingzone

Step 2: Setup Pre-Commit Hooks

Pre-commit hooks prevent common mistakes and enforce code quality.

# Install pre-commit hooks
./scripts/setup-pre-commit.sh

# Install git-secrets
./scripts/setup-git-secrets.sh

Step 3: Deploy Backend Infrastructure

This step is only required on first deployment.

# Navigate to backend example
cd examples/terraform-backend

# Copy and customize variables
cp terraform.tfvars.example terraform.tfvars
vim terraform.tfvars

# Deploy backend
terraform init
terraform apply

# Save backend configuration
terraform output -raw backend_config_hcl > ../../backend.hcl

# Return to root
cd ../..

Step 4: Configure Variables 

# Copy production variables template
cp terraform.tfvars.production terraform.tfvars

# Edit with your values
vim terraform.tfvars

Required Variables:

# Project identification
environment  = "production"
project_name = "enterprise-control-tower"

# Control Tower setup
home_region      = "ap-southeast-2"
governed_regions = ["ap-southeast-2", "us-east-1"]

# Notifications
notification_emails = ["platform-team@example.com"]

# Organizational Units
organizational_units = {
  security = {
    name        = "Security"
    environment = "security"
    tags        = {}
  }
  # ... more OUs
}

Step 5: Initialize Terraform 

# Initialize with backend configuration
terraform init -backend-config=backend.hcl

Step 6: Run Pre-Deployment Checks 

# Run validation
make pre-deploy

# Or manually
./scripts/pre-deployment-check.sh

Step 7: Review Plan 

# Generate and review plan
make plan

# Or manually
terraform plan -out=tfplan

Step 8: Deploy

Deployment Time: Control Tower deployment takes 60-90 minutes. Do not interrupt the process.

# Deploy using Make
make apply

# Or manually
terraform apply tfplan

Step 9: Post-Deployment 

# Run post-deployment checklist
./scripts/post-deployment.sh

Verification

Verify Control Tower 

# Check organization
aws organizations describe-organization

# List OUs
aws organizations list-organizational-units-for-parent \
  --parent-id $(aws organizations list-roots --query 'Roots[0].Id' --output text)

# Check Control Tower status
aws controltower list-landing-zones

Verify Security Services 

# Check GuardDuty
aws guardduty list-detectors

# Check Security Hub
aws securityhub describe-hub

# Check Config
aws configservice describe-configuration-recorders

Next Steps

  1. Configure AWS SSO/Identity Center
    • Set up identity source
    • Create permission sets
    • Assign users to accounts
  2. Enable Additional Security Services
    • Configure GuardDuty in all regions
    • Enable Security Hub standards
    • Set up AWS Config rules
  3. Set Up Monitoring
    • Create CloudWatch dashboards
    • Configure SNS notifications
    • Set up cost budgets
  4. Create Additional Accounts
    • Use account vending module
    • Configure account baselines
    • Test account provisioning

Troubleshooting

Common Issues

Issue: Backend initialization fails

# Solution: Ensure backend is deployed first
cd examples/terraform-backend
terraform apply

Issue: Insufficient permissions

# Solution: Verify you're using management account with admin access
aws sts get-caller-identity

Issue: Email already in use

# Solution: Use unique email addresses for each account
# Use email aliases: user+logarchive@example.com

Additional Resources

Need help? Check our Support section or open an issue on GitHub.

Back to top

Copyright © 2024. Distributed under the MIT License.

This site uses Just the Docs, a documentation theme for Jekyll.