Integration & Automation

Automate VPC tagging with AWS Control Tower lifecycle events

When building an enterprise architecture for the cloud, customers often put much initial thought into ensuring they build a structure for success. In most cases, this consists of services like AWS Organizations and AWS Control Tower, which deploy a foundation to support a scalable, multi-account structure. Into this foundation, you can automatically provision Amazon Web Services (AWS) accounts using AWS Control Tower Account Factory. But what about automated resource configuration in these new accounts? For example, can you automate manual tasks such as tagging resources in virtual private clouds (VPCs)? With AWS Control Tower lifecycle events and Amazon EventBridge, the answer is yes. AWS Control Tower lifecycle events extend automation across the organization. It reduces or removes the need to perform manual configuration of resources after account provisioning.

In this post, we demonstrate how to use lifecycle events to automatically configure resources in newly provisioned AWS accounts. Specifically, we use an AWS Lambda function invoked by Amazon EventBridge to tag resources in an AWS account created by AWS Control Tower. We’ve prepared a GitHub repository that contains an AWS CloudFormation template to deploy, and an AWS Lambda function to do the tagging.

About this blog post
Time to read ~8 min.
Time to complete ~30 min.
Cost to complete Costs vary depending on the costs of VPC resources provisioned with AWS Control Tower. See Amazon VPC pricing. Solution services outside of AWS Control Tower are covered by AWS Free Tier.
Learning level Advanced (300)
AWS services AWS Control Tower
AWS CloudFormation
Amazon Virtual Private Cloud (Amazon VPC)
Amazon Simple Storage Service (Amazon S3)
Amazon CloudWatch Events
AWS CloudTrail
Amazon EventBridge
AWS Lambda

Overview

Figure 1 shows the architecture that you deployed in the walkthrough. In the diagram, “Management account” is where the CloudFormation template is deployed. “New account” is the account created by Account Factory.

The following points summarize the workflow and the resources deployed:

  1. AWS Control Tower Account Factory provisions a new AWS account.
  2. CloudTrail captures the new account creation as an AWS Control Tower lifecycle event.
  3. In the management account, AWS Control Tower records the lifecycle event and invokes EventBridge.
  4. EventBridge receives the event and matches the event pattern to a rule. The rule in this case invokes an AWS Lambda function.
  5. The AWS Lambda function assumes the ControlTowerExecutionRole created with the new account to tag resources in the account.
  6. The CloudFormation template also deploys an Amazon Simple Queue Service (Amazon SQS) dead-letter queue to receive EventBridge and AWS Lambda failure messages.

Prerequisites

For the deployment, you must have the following:

Walkthrough

Step 1. Prepare your environment

To prepare your environment for the walkthrough, do the following:

  1. Download the GitHub repository we’ve prepared.
  2. Sign in to your AWS account that contains the AWS Control Tower landing zone, configured previously. Select the AWS Region where AWS Control Tower is deployed in the top toolbar.
  3. Open the Amazon S3 console.
  4. Create a new S3 bucket in the Region in which AWS Control Tower is deployed. Give the bucket a unique name (for example, your 12-digit AWS account number) and make a note of it.
  5. Upload AutomatedTaggingLambda.zip from the Lambda folder of the repository to the new S3 bucket.

Step 2. Deploy the automation stack

Next, deploy the stack using the .yaml template in the repository.

  1. Open the CloudFormation console. Select the Region where AWS Control Tower is deployed from the top toolbar.
  2. On the Stacks page, choose Create stack, then choose With new resources (standard).
  3. On the Create stack page, in the Specify template section, choose Upload a template file.
  4. Choose Choose file. Select vpc-tagging-ct-lifecycle-stack.yml in the CloudFormation folder of the repository. Then choose Next.
  5. On the Specify stack details page, enter a stack name. You can keep or edit the default event bus name. For S3BucketName, enter the name of the S3 bucket you created previously. For S3LambdaZipName, enter AutomatedTaggingLambda.zip. Then choose Next.
  6. On the Configure stack options page, choose Next.
  7. On the Review page, review the parameters and select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  8. Choose Create stack.

Step 3. Review the EventBridge rule

After the stack is created, you can review the deployed EventBridge rule in the EventBridge console. The rule, which is named VPCTaggingHub-Rule, has the following event pattern:

{
  "source": ["aws.controltower"],
  "detail-type": ["AWS Service Event via CloudTrail"],
  "detail": {
    "eventName": ["CreateManagedAccount"]
  }
}

Step 4. Test the automation

There are two methods to test the automation and demonstrate the tagging carried out by the AWS Lambda function. You can emulate a real-world scenario in which you provision an account using AWS Control Tower Account Factory. Or, you can run a test set using JSON parameters that would be passed as part of a typical CreateManagedAccount lifecycle event. In other words, you can manually invoke the AWS Lambda function to tag resources in an existing account. For this second option, you must have previously created an account with AWS Control Tower Account Factory.

Method A. Test by creating a new account with Account Factory

With this method, first create a new AWS account with Account Factory. Then, sign in to the new account to see the tags the AWS Lambda function creates automatically.

  1. Open the Account Factory page in the AWS Control Tower console. In the top toolbar, choose the Region where you previously deployed the AWS Control Tower landing zone.
  2. Choose Enroll account.
  3. Complete the Account details page and choose Enroll account. Enrollment can take up to 45 minutes. After enrollment is complete, VPCTaggingHub-Rule initiates the AWS Lambda function automatically. The function tags the VPC and its subnets, internet gateway, NAT gateway, and route table with the Region and Availability Zone.
  4. To see the results, sign in to the new account and open the VPC console.
  5. Choose a resource in navigation pane. For example, to review tags for the subnets, choose Subnets.
  6. On the resource page, choose the Tags tab.

Method B. Test by manually invoking AWS Lambda

Run the AWS Lambda function manually to tag resources in an existing AWS account. To use this method, the AWS account to be tagged must have been created with Account Factory.

  1. Open the Functions page in the AWS Lambda console. Choose the Region where the CloudFormation stack is deployed in the top toolbar.
  2. In the Function name column, choose <<Account-ID>>- CTLifeCycleEventLambda-AutomatedVPCTagging.
  3. On the function’s detail page, choose the Test tab.
  4. Choose New event.
  5. Enter an event name (for example, test).
  6. Copy and paste the following code into the body of the event. Replace <<MGMT_ACCOUNT_ID>> with the 12-digit account number for your management AWS account. Replace <<FIRST_ACCOUNT_ID>> with the account number of the AWS account that you want to tag.
{
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "<<MGMT_ACCOUNT_ID>>",
  "detail": {
    "eventSource": "controltower.amazonaws.com",
    "eventName": "CreateManagedAccount",
    "recipientAccountId": "<<TEST_ACCOUNT_ID>>",
    "serviceEventDetails": {
      "createManagedAccountStatus": {
        "account": {
          "accountName": "SampleAccount",
          "accountId": "<<MGMT_ACCOUNT_ID>>"
        },
        "state": "SUCCEEDED"
      }
    }
  }
}
  1. Choose Save changes.
  2. Choose Test. The function can take 2–3 minutes to run, depending on the number of Regions with VPCs deployed with AWS Control Tower. Test results appear on the Test tab, with resources labeled by the function listed in the Log output field.
  3. To see the tags on resources in the target account, sign in to the account and open the VPC console.

Cleanup

To avoid incurring future charges, delete the resources you created during the walkthrough. Follow these steps:

  1. Open the CloudFormation console.
  2. On the Stacks page, select the stack you created during the walkthrough.
  3. Choose Delete.

To decommission or remove accounts you created with Account Factory during testing, see Unmanaging a Member Account.

Conclusion

In this post, we explained how to use AWS Control Tower lifecycle events to automate the tagging of VPC resources in a new account created with AWS Control Tower.

We invite you to adapt the AWS Lambda function we’ve provided in our GitHub repository. Edit the Python code to customize tagging standards. Or, program it to automate a task other than tagging. For an example of an AWS Solution Implementation that also uses CloudFormation templates to customize landing zones, see Customizations for AWS Control Tower. Let us know your questions or findings in the comments, and have fun!

About the authors

Rick Grimaldi

Rick Grimaldi is a solutions architect at AWS. Working on the Public Sector team, Rick works with a diverse set of government organizations and institutions to help build a more connected future for their citizens. Rick also enjoys working with Internet of Things (IoT) and microcontrollers to build robots and other smart machines powered by the cloud.

Diego Magalhaes

Diego Magalhaes is a principal solutions architect on the Public Sector team at Amazon Web Services Canada. Diego is responsible for strategic customers, chief experience officer (CXO) relationship, and tech excellence within educational technology and other startups. Diego leads multiple worldwide engagements in research, SaaS, serverless, and management and governance at AWS.