By Colin Andrews
re:Invent 2023 had a lot to live up to if it wanted to be compared with the previous year’s slue of AWS Control Tower announcements. While it was clear from the conference’s outset that AWS had AI related tech in its sight, we still got a few useful tidbits in the landing zone space. I saw this as a positive sign for the Control Tower service. It’s maturing into a functional offering that customers of all levels can readily consume, sharing in the benefits of well architected principles.
In this article, I want to talk about the new Control Tower APIs announced at re:Invent 2023. These APIs now grant platform administrators the ability to create a Control Tower landing zone without entering the AWS Console. On the various landing zone projects I have worked on over the last few years, we always find a moment to joke about the Click-Ops nature of landing zones in AWS. “Yes,” we say, “it is best practice to deploy infrastructure with code, but that’s simply not an option in Control Tower right now.” Thankfully time marches on and the dedicated team at AWS continue to improve this service by enabling programmatic access to more parts of the machine.
When I first saw the announcement I thought, “Great! They must have replaced the landing zone setup button and webform with a single API call and payload.” This was not the case! Reading through the new documentation grants us an insight into how the managed service actually works behind the curtain.
Those of you that have deployed Control Tower will know that after hitting Go on the webform, the console displays a giant banner which proclaims that the creation of your landing zone is in progress and will be completed in approximately 40 minutes. With the new Control Tower APIs we can get a better picture of what’s happening during that 40 minute block.
Deploying Control Tower via the APIs requires you to take several sequential steps:
- Configure AWS Organisations
- Provision a Security OU
- Provision two new accounts to act as the Audit and Log Archive accounts of your landing zone
- Create several IAM roles that the Control Tower service can assume to perform setup and management tasks
- Finally, execute the “aws controltower create-landing-zone” command and provide a configuration file that describes the remaining optional settings for your landing zone
That is quite a number of prerequisite steps for an action that could otherwise be executed from the console in one fell swoop.
“Doesn’t sound too bad,” you say? Let’s not forget that the console takes 40 minutes to perform these steps. Where is that time coming from? Deploying IAM roles does not take long, but provisioning new AWS accounts can take several minutes. The API request to provision a new account returns a response that lets you know the process has started. In order to check the current status of the account you need to call another API, or have previously set up some EventBridge based notification that listens for the completion of new accounts.
All these actions can be executed from the command line, and while that certainly feels more techy than using the console, it comes with its own drawbacks. You need to consider where these APIs are called from, where the parameters you’re passing to the APIs are being stored, who’s approving your ability to call the APIs.
Thankfully, all the necessary resources are available to us in CloudFormation. We can source control our landing zone configuration and track the deployment in a CloudFormation stack.
But it’s still a lot more work than gathering answers to the webform and pressing a button in the console… so who benefits from these new APIs?
If you have an existing AWS landing zone solution with strict access controls for your organisation management account, then this could provide a pathway to upgrade your environment to incorporate Control Tower.
If you operate in an situation where it makes sense to have multiple AWS organisations, then you could develop the automation to provision and upgrade your landing zones and save administration time in the long run.
Whatever your use case, we can all agree that it’s great to see the Control Tower service maturing with new APIs. No doubt we’ll discover interesting ways to leverage these tools over the coming year. Hopefully there will be many more exciting Control Tower announcements at re:Invent 2024!