
Introduction
Managing AWS accounts manually is slow, risky, and unsustainable. Imagine creating dozens of accounts and configuring security, IAM roles, logging, and compliance for each one by hand. One misstep could lead to security gaps, compliance failures, and operational chaos. AWS Control Tower Account Factory for Terraform (AFT) changes this by automating account creation with infrastructure as code (IaC): no more errors, no more delays, just secure, compliant AWS accounts in minutes.
Account Factory For Terraform (AFT)
AWS Control Tower Account Factory for Terraform (AFT) is like having a smart robot that creates perfect AWS accounts for you.
AFT combines two powerful tools:
- AWS Control Tower: Amazon’s service that acts like a security guard and rule enforcer for your accounts.
- Terraform: A popular tool that lets you define infrastructure using code instead of clicking buttons.
Setting up AFT
Infrastructure Prerequisites:
- Fully deployed AWS Control Tower Landing Zone.
- Four accounts: Management (Root), Log Archive, Audit, and AFT Management.
- Primary and secondary regions configured.
Technical Requirements:
- Terraform version 1.6.0+
- VCS provider (GitHub, Bitbucket, CodeCommit) with five repositories.
- Administrator access in the Control Tower management account.
- CodeStar Connections for external VCS integration.
Repository Structure
AFT operates through a carefully orchestrated set of repositories, each serving a specific purpose in the account lifecycle management. Understanding this structure is crucial for effective AFT implementation.
Overview: The Five Essential Repositories
AFT operates through five specialized repositories, each serving a specific purpose in account lifecycle management:
- Base Setup Configuration Repository (optional): Master configuration defining how AFT operates across your AWS organization, including account IDs, regions, and VCS settings. In the terraform.tfvars file, add all the required account IDs along with the primary and secondary S3 buckets for the Terraform state file.
- Account Request Repository: Where teams submit new account requests through simple directory structures containing email, name, and OU settings.
- Global Customizations Repository: Terraform configurations automatically deployed to ALL accounts for security baselines and company-wide standards.
- Account Customizations Repository: Environment-specific configurations that apply only to certain accounts, such as production monitoring or development cost controls.
- Account Provisioning Customizations Repository: Advanced automation and custom business logic that runs during account creation for enterprise requirements.
AFT Architecture
AFT uses an intelligent pipeline system that automatically creates and configures AWS accounts through code repositories.
High-Level Workflow
- Push Code—Add account request to your repository.
- Pipeline Triggers—AFT automatically starts the account creation process.
- Account Created—A new account appears with all your standard configurations.
- Customizations Applied—Global and account-specific settings deployed automatically.
- Resource Deployment—AFT creates dedicated pipelines for ongoing account management.
Under the Hood: Technical Flow
When you push an account request, here’s what AFT orchestrates behind the scenes:
1. Event Detection & Queuing
- CodePipeline detects repository changes and triggers the account request pipeline.
- Request details are stored in DynamoDB for tracking and audit purposes.
- Lambda functions validate the request and insert items into SQS FIFO queues.
- SQS ensures ordered processing of multiple simultaneous account requests.
2. Account Provisioning Orchestration
- Step Functions state machines orchestrate the complex account creation workflow.
- The Control Tower Account Factory receives the request via API calls.
- A new AWS account is created through the Control Tower Account Factory product in Service Catalog, with baseline guardrails applied and placement in the requested organizational unit.
- EventBridge captures Control Tower lifecycle events for monitoring.
3. Cross-Account Role Setup
- AFT creates the AWSAFTExecution IAM role in the newly provisioned account.
- Cross-account role assumptions enable AFT to deploy resources from the AFT management account.
- A least-privilege access model governs these cross-account role assumptions throughout the pipeline.
4. State Management & Pipeline Creation
- Terraform state is stored in S3 buckets with DynamoDB state locking.
- Primary and secondary region replication provides disaster recovery.
- AFT automatically creates dedicated CodePipelines for the new account.
- Each account receives its own deployment pipeline for ongoing management.
5. Resource Deployment
- Global customizations deploy from a central repository to ALL accounts.
- Account-specific customizations deploy based on account type or team requirements.
- CloudWatch logs provide detailed execution monitoring and troubleshooting.
Automatic Pipeline Creation
No manual pipeline setup required. When AFT creates a new account, it automatically generates a dedicated CodePipeline for that account. This means:
- Zero Manual Work: No need to manually create pipelines for each account.
- Instant Resource Deployment: Resources are deployed to new accounts immediately after creation.
- Ongoing Management: Each account gets its pipeline for future updates and resource management.
- Consistent Infrastructure: Every account receives the same deployment capabilities automatically.
Existing Account Integration: Bringing Legacy into the Future
- Import existing AWS accounts that weren’t created through AFT
- Apply standardized configurations to legacy accounts
- Deploy resources and customizations to imported accounts using the same pipeline system
- Bring governance and compliance to accounts that were created manually
This means you can standardize your entire AWS environment, regardless of how accounts were originally created.
Re-invoking Account Customizations
When you push changes to the aft-account-customization or aft-global-customization repository, the pipeline is not triggered automatically; the updated customizations are applied only to newly created accounts.
To apply the customization to previously created accounts:
- Push the changes to the global or account customization repository.
- Navigate to the AWS Step Functions console in the AFT management account.
- Select the aft-invoke-customizations state machine.
- Click the “Start execution” button.
- Add a JSON input specifying the target accounts.
Apply to ALL AFT-managed accounts:
Specific Organizational Units:
Organizational Units and exclude accounts:
Apply to specific Account IDs:
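The four targeting shapes above (all accounts, OUs, OUs with excluded accounts, specific account IDs) share one input document. The following is an added example, not code from the AFT project: it builds and validates that document using the documented `include`/`exclude` entries with `type` and `target_value`, rejects malformed account IDs before anything reaches Step Functions, and only then starts the execution. The state machine ARN, the account ID, and the OU names are constructed placeholders.

```python
"""Build and validate input for the aft-invoke-customizations Step Function.

Added example (not AFT project code). Assumes the documented input format:
{"include": [{"type": "all" | "ous" | "accounts", "target_value": [...]}],
 "exclude": [...]}. The state machine ARN below is an assumption.
"""
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")
ALLOWED_TYPES = {"all", "ous", "accounts"}


def target(kind, values=None):
    """Build one include/exclude entry; 'all' takes no target_value."""
    if kind not in ALLOWED_TYPES:
        raise ValueError(f"unknown target type: {kind}")
    if kind == "all":
        if values:
            raise ValueError("'all' does not accept target_value")
        return {"type": "all"}
    if not values:
        raise ValueError(f"'{kind}' needs at least one target_value")
    if kind == "accounts":
        bad = [v for v in values if not ACCOUNT_ID.match(v)]
        if bad:  # catch typos before they silently match nothing
            raise ValueError(f"not 12-digit account IDs: {bad}")
    return {"type": kind, "target_value": list(values)}


def build_input(include, exclude=None):
    """Assemble the JSON document passed as Step Functions input."""
    doc = {"include": [target(k, v) for k, v in include]}
    if exclude:
        doc["exclude"] = [target(k, v) for k, v in exclude]
    return doc


def start_invoke(doc, state_machine_arn):
    """Start the execution; boto3 is imported lazily so validation runs offline."""
    import boto3  # assumption: credentials for the AFT management account
    sfn = boto3.client("stepfunctions")
    resp = sfn.start_execution(stateMachineArn=state_machine_arn,
                               input=json.dumps(doc))
    return resp["executionArn"]


if __name__ == "__main__":
    # Constructed sample: target two OUs but leave one legacy account untouched.
    doc = build_input(include=[("ous", ["Sandbox", "Workloads"])],
                      exclude=[("accounts", ["111111111111"])])
    print(json.dumps(doc, indent=2))
```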
Advantages
- Transform 2-4 hours of manual clicking into minutes of automated deployment.
- Eliminate inconsistent configurations and human errors.
- Set automatic security baselines and compliance controls for every account.
- Create 50 accounts as easily as creating a single account.
- Centralized visibility and management across all accounts.
- Import and standardize existing accounts that weren’t created through AFT.
Real-world Use Cases
- Development Team Onboarding – Instantly provision accounts with pre-configured development tools, appropriate permissions, cost budgets, and security baselines for new teams.
- Multi-Environment Setup – Automatically create development, staging, and production accounts with environment-specific configurations and security policies.
- Enterprise Compliance & Governance – Maintain consistent logging, monitoring, security scanning, and cost allocation across all accounts for regulatory compliance.
Limitations & Challenges
- Learning Curve – Requires an understanding of Terraform and AWS concepts.
- Initial Investment – Takes 1-2 weeks of setup time and requires dedicated team members.
- Medium to High Complexity – Complexity varies with your organization’s cloud maturity; the many moving parts require AWS troubleshooting expertise.
- Infrastructure Costs – AFT uses AWS services that cost money, which is noticeable overhead for small organizations.
- Limited Flexibility – Once standards are set, changing them affects all accounts.
- Limited Customization Support – AWS doesn’t provide support for custom modifications beyond standard AFT features.
AWS account management no longer needs to be a bottleneck. AFT transforms operational chaos into orchestrated excellence, replacing manual, error-prone processes with automated, repeatable, and secure workflows. For growing organizations managing multiple accounts, AFT isn’t just a tool—it’s a strategic advantage.