For managing a multi-account AWS environment, Control Tower is a great tool. But creating new AWS accounts through the Account Factory in the console is always annoying. With AWS Systems Manager Automation, you can build a custom interface to create AWS accounts.
By wrapping the existing APIs, you can even enforce custom patterns for the accounts you want to create. For complex Organizational Unit structures, you may create multiple automations (one per OU) and restrict access to the ssm:StartAutomationExecution action per document. Keep in mind that an automation runs with the permissions of the principal that starts it unless the document specifies an AutomationAssumeRole; to make the wrapper the only path to account creation, grant operators ssm:StartAutomationExecution on the document only and give servicecatalog:ProvisionProduct to that role instead. Whatever principal calls Service Catalog must also be granted access to the Account Factory portfolio in Service Catalog, otherwise ProvisionProduct fails.
The following Automation document looks up the current version of the Account Factory product and provisions it. Note that the first step takes the first entry of ProvisioningArtifacts; check that this is the product version you actually want to deploy.
description: Create AWS Account in Control Tower
schemaVersion: "0.3"
parameters:
  Name:
    type: String
mainSteps:
  - name: GetCurrentVersion
    action: "aws:executeAwsApi"
    inputs:
      Service: servicecatalog
      Api: DescribeProduct
      Name: AWS Control Tower Account Factory
    outputs:
      - Name: Version
        Selector: "$.ProvisioningArtifacts[0].Id"
        Type: String
  - name: ProvisionServiceCatalog
    action: "aws:executeAwsApi"
    inputs:
      Api: ProvisionProduct
      Service: servicecatalog
      ProductName: AWS Control Tower Account Factory
      ProvisionedProductName: project-{{Name}}
      ProvisioningArtifactId: "{{GetCurrentVersion.Version}}"
      ProvisioningParameters:
        - Key: ManagedOrganizationalUnit
          Value: "Project"
        - Key: AccountEmail
          Value: "root+project-{{Name}}@aws.example.com"
        - Key: AccountName
          Value: "project-{{Name}}"
        - Key: SSOUserEmail
          Value: "root@aws.example.com"
        - Key: SSOUserFirstName
          Value: "AWS Control Tower"
        - Key: SSOUserLastName
          Value: "Admin"
Use the AWS CLI to create a new Automation document in AWS Systems Manager (the YAML above saved as document.yml):
$ > aws ssm create-document \
--content file://document.yml \
--name "create-project" \
--document-type "Automation" \
--document-format YAML
Execute the automation to create a new AWS account:
$ > aws ssm start-automation-execution \
--document-name "create-project" \
--parameters "Name=example"
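To enforce a naming pattern and keep Service Catalog permissions away from the operators who start the automation, it helps to generate the document and the matching IAM policy from one place. The following Python script is an added example, not code from the original post or from superwerker: it emits a hardened version of the document above (a Name parameter constrained by allowedPattern, and an assumeRole so the steps run under a dedicated role) plus an operator policy that allows ssm:StartAutomationExecution only on that document. The document name create-project, the OU Project, the domain aws.example.com, the region, the account ID and the role name ControlTowerAccountFactoryAutomation are placeholders you would replace; the role itself (trusted by ssm.amazonaws.com, with Service Catalog permissions and access to the Account Factory portfolio) is assumed to exist.

```python
"""Generate a hardened SSM Automation document and a least-privilege
operator policy for the Control Tower account-creation wrapper.
Added example; names, region, account ID and role ARN are placeholders."""
import json
import re

# Pattern enforced client-side (validate_name) and server-side
# (allowedPattern in the document). Assumption: lowercase DNS-style labels.
NAME_PATTERN = r"^[a-z][a-z0-9-]{1,29}$"


def validate_name(name: str) -> bool:
    """True if name is an acceptable project name."""
    return re.fullmatch(NAME_PATTERN, name) is not None


def build_document(ou: str, email_domain: str, sso_email: str, role_arn: str) -> dict:
    """Automation document (schema 0.3) with input validation and assumeRole."""
    return {
        "description": "Create AWS Account in Control Tower",
        "schemaVersion": "0.3",
        # Steps run under this role, so callers need no Service Catalog rights.
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {
            "Name": {"type": "String", "allowedPattern": NAME_PATTERN},
            "AutomationAssumeRole": {"type": "String", "default": role_arn},
        },
        "mainSteps": [
            {
                "name": "GetCurrentVersion",
                "action": "aws:executeAwsApi",
                "inputs": {"Service": "servicecatalog", "Api": "DescribeProduct",
                           "Name": "AWS Control Tower Account Factory"},
                "outputs": [{"Name": "Version", "Type": "String",
                             "Selector": "$.ProvisioningArtifacts[0].Id"}],
            },
            {
                "name": "ProvisionServiceCatalog",
                "action": "aws:executeAwsApi",
                "inputs": {
                    "Service": "servicecatalog",
                    "Api": "ProvisionProduct",
                    "ProductName": "AWS Control Tower Account Factory",
                    "ProvisionedProductName": "project-{{Name}}",
                    "ProvisioningArtifactId": "{{GetCurrentVersion.Version}}",
                    "ProvisioningParameters": [
                        {"Key": "ManagedOrganizationalUnit", "Value": ou},
                        {"Key": "AccountEmail", "Value": f"root+project-{{{{Name}}}}@{email_domain}"},
                        {"Key": "AccountName", "Value": "project-{{Name}}"},
                        {"Key": "SSOUserEmail", "Value": sso_email},
                        {"Key": "SSOUserFirstName", "Value": "AWS Control Tower"},
                        {"Key": "SSOUserLastName", "Value": "Admin"},
                    ],
                },
            },
        ],
    }


def build_operator_policy(region: str, account_id: str, document_name: str, role_arn: str) -> dict:
    """IAM policy for operators: start this one document, read status, pass the role to SSM."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "StartOnlyThisDocument", "Effect": "Allow",
             "Action": "ssm:StartAutomationExecution",
             "Resource": f"arn:aws:ssm:{region}:{account_id}:automation-definition/{document_name}:$DEFAULT"},
            {"Sid": "ReadExecutionStatus", "Effect": "Allow",
             "Action": "ssm:GetAutomationExecution",
             "Resource": f"arn:aws:ssm:{region}:{account_id}:automation-execution/*"},
            # DescribeAutomationExecutions has no resource-level permissions.
            {"Sid": "ListExecutions", "Effect": "Allow",
             "Action": "ssm:DescribeAutomationExecutions", "Resource": "*"},
            {"Sid": "PassAutomationRoleToSsm", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
        ],
    }


if __name__ == "__main__":
    # Placeholder values (assumptions for the example).
    region, account_id = "eu-central-1", "123456789012"
    role_arn = f"arn:aws:iam::{account_id}:role/ControlTowerAccountFactoryAutomation"
    doc = build_document("Project", "aws.example.com", "root@aws.example.com", role_arn)
    policy = build_operator_policy(region, account_id, "create-project", role_arn)
    with open("document.json", "w") as f:
        json.dump(doc, f, indent=2)
    with open("operator-policy.json", "w") as f:
        json.dump(policy, f, indent=2)
    print("valid name 'example':", validate_name("example"))
```

Register the generated file with `aws ssm create-document --content file://document.json --name create-project --document-type Automation --document-format JSON` and attach operator-policy.json to the operators' principal. With the pattern in place, a call such as `--parameters "Name=Not Valid"` is rejected by Systems Manager before any Service Catalog API is touched, and an operator who tries to call servicecatalog:ProvisionProduct directly gets an access-denied error because only the automation role holds that permission.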
This works fine with superwerker and with Control Tower in general.