
Use AWS Control Tower to deploy AWS Quick Starts to multiple accounts

Have you ever wondered how to deploy Amazon Web Services (AWS) Quick Start workloads to multiple AWS accounts—even thousands of accounts—all at one time? In this post, I show you how to use a configuration file in both your existing deployments of AWS Control Tower and Customizations for AWS Control Tower to deploy a single Quick Start to thousands of AWS accounts.

Using a common scenario, I walk you through the different sections of the configuration file, including how it handles sensitive data. I then cover the process for deploying the Quick Start to the target accounts.

Scenario

Meet Jim, a solutions architect at Acme Inc. Jim’s supervisor asks him to deploy Atlassian Jira to all of Acme’s AWS accounts that are part of the AWS Control Tower organizational unit (OU) called workloads. Organizational units are groups of accounts used to manage access, security, and resources.

Being a tech-savvy engineer, Jim is familiar with the Atlassian Jira Quick Start and plans to deploy it to his target AWS accounts. He thinks to himself, “I’ll just use the Quick Start to deploy Jira to the accounts, and I’m all finished. All right! Who is ready for coffee?”

Jim’s first step is to review the target accounts in the workloads OU. After logging in to the AWS Control Tower console and locating the accounts, he’s surprised to see that the workloads OU has thousands of accounts! He pictures himself up all night, deploying the Quick Start to each account individually, one account at a time. He thinks, “Surely there must be a way to deploy the Quick Start to all those accounts simultaneously.” He puts his coffee idea on hold while he plans a strategy.

Fortunately for Jim, there is a perfect solution. Using Customizations for AWS Control Tower, he can deploy the Quick Start to all AWS accounts in the workloads OU at the same time. And as an added bonus, Customizations for AWS Control Tower configures an AWS Control Tower lifecycle event to deploy the Quick Start to new AWS accounts that are added to the OU in the future. Okay, get that coffee ready because Jim is back in business!

About this blog post

Time to read: ~10 min.
Time to complete: ~30 min.
Cost to complete: $0
Learning level: Intermediate (200)
AWS services: AWS Control Tower

Figure 1. AWS Control Tower account

Prerequisites

  • A working knowledge of AWS Control Tower, GitHub, and AWS CloudFormation templates
  • A configured AWS Control Tower environment with Customizations for AWS Control Tower deployed into that environment.

Walkthrough

Tag along with Jim as he completes the steps to deploy Atlassian Jira to thousands of AWS accounts in the AWS Control Tower workloads OU.

  1. Locate the target AWS accounts in AWS Control Tower. Jim signs in to the AWS Management Console and locates the target accounts in the Accounts section of the AWS Control Tower console.

Note: If you want to use a script to create your own manifest.yaml file based on the parameter values entered in an AWS CloudFormation template, see the Extra credit section of this post.

  2. Locate the configuration file for the Quick Start. Jim navigates to the GitHub repository for the Atlassian Jira Quick Start and opens the preconfigured manifest.yaml file that’s located in the ct/custom-control-tower-configuration folder. This configuration file contains deployment details, such as the default AWS Region, parameter keys and values, and deployment targets.
  3. Review the configuration file. Jim reviews the contents of the manifest.yaml file:
---
region: us-east-1
version: 2021-03-15
resources:
  - name: qs-jira-1
    resource_file: s3://aws-quickstart/quickstart-atlassian-jira/templates/quickstart-jira-dc-with-vpc.template.yaml
    parameters:
    - parameter_key: AvailabilityZones
      parameter_value: us-east-1a, us-east-1b
    - parameter_key: DBMasterUserPassword
      parameter_value: _get_ssm_secure_string_/qs/genericpw/8ANS
    - parameter_key: DBMultiAZ
      parameter_value: "false"
    - parameter_key: DBPassword
      parameter_value: _get_ssm_secure_string_/qs/genericpw/8ANS
    - parameter_key: DBStorage
      parameter_value: "100"
    - parameter_key: DBStorageType
      parameter_value: Provisioned IOPS
    - parameter_key: CustomDnsName
      parameter_value: qsjiraci.awsqs.com
    - parameter_key: QSS3BucketName
      parameter_value: aws-quickstart
    - parameter_key: QSS3KeyPrefix
      parameter_value: quickstart-atlassian-jira/
    - parameter_key: AccessCIDR
      parameter_value: 10.0.0.0/16
    - parameter_key: KeyPairName
      parameter_value: aws-qs-tc-all
    - parameter_key: BastionHostRequired
      parameter_value: "false"
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
    regions:
      - us-east-1
  4. Review the elements and attributes. Jim reviews the elements and attributes of the manifest.yaml file in more detail:

  • Region: The default AWS Region for creating AWS Control Tower resources. Note that you can specify more resource-specific Regions in the Resources section, later in the file.
  • Version: The schema version.
  • Resources: The resources deployed with the Quick Start, including the parameters and the template file that’s stored in Amazon Simple Storage Service (Amazon S3).
  • Resource file: The Amazon S3 location where template assets are stored.
  • Parameters: The values required for the deployment. If Jim uses an AWS CloudFormation template to deploy the Quick Start, these are the same values he would add to the template fields.
  • Deployment method: In this scenario, the deployment method uses AWS CloudFormation StackSets. StackSets can create, update, or delete stacks across multiple AWS accounts and Regions.
  • Deployment targets: In this scenario, Jim targets an OU.
  • Organizational units: In this scenario, Jim targets all accounts in the workloads OU. If Jim wanted to target only specific accounts, he would define a list of accounts by name or account number instead of an OU name.
  • Regions: In this scenario, Jim deploys the Quick Start in the us-east-1 Region.

Secure sensitive information

  5. Retrieve passwords from AWS Systems Manager Parameter Store. For security reasons, Jim stores database passwords in the AWS Systems Manager Parameter Store rather than in the configuration file. To have sensitive data, such as passwords, retrieved from the Parameter Store at deployment time, he uses the following lookup value in the manifest.yaml file instead of the password itself:
_get_ssm_secure_string_/qs/genericpw/8ANS
The value is the _get_ssm_secure_string_ prefix followed by the Parameter Store path of the password (/qs/genericpw/8ANS), so the password never appears in the configuration file.

Figure 2: AWS Systems Manager Parameter Store

  6. Compress the configuration folder. To prepare the deployment, Jim compresses the contents of the custom-control-tower-configuration folder into a .zip file named custom-control-tower-configuration.zip. He stores the .zip file on his local machine.
  7. Deploy the Quick Start to the workloads OU. Jim uploads the .zip file from the previous step to the custom-control-tower-configuration-<accountID>-<region> S3 bucket. The upload automatically initiates AWS CodePipeline to deploy the Quick Start to all AWS accounts in the workloads OU.
  8. Monitor the deployment. Jim monitors the deployment by navigating to the Build > Build Projects section in the AWS CodeBuild console. He views the progress of the Quick Start deployments by opening the Custom-Control-Tower-StackSet-CodeBuild project.

Figure 3. AWS CodeBuild projects

When all three build projects complete, Jim sees that the status next to each line in AWS CodeBuild is Succeeded. Atlassian Jira is now deployed to all AWS accounts in the workloads OU.

Extra credit

If identifying, extracting, and building the manifest.yaml file seems tedious, use the script I created, which makes generating the manifest.yaml file easier. Download either of the following versions of the script from the Quick Start examples repository in GitHub.

  • Python: ia4ct.py
  • PowerShell: ia4ct.ps1

Here is an example of how to run the Python version of the script to generate a manifest.yaml file:

python ia4ct.py "templates/linux-bastion.template" "../temp/mypy_manifest.yaml"

The script scans the template and builds the manifest.yaml file based on the parameter data supplied in the AWS CloudFormation template. If you want more information about each parameter, include the -v switch at the end of the command.
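As an added example (not the ia4ct.py script from the Quick Start examples repository, and not the Jira Quick Start's own template), the following Python script shows the core of what such a generator does: it reads the Parameters block of a JSON-format CloudFormation template and emits a manifest.yaml in the layout shown earlier, rendering NoEcho parameters as _get_ssm_secure_string_ lookups instead of literal values so that secrets stay in Parameter Store, as in the Secure sensitive information step. The sample template, the S3 path and the /qs/ parameter naming convention are constructed placeholders.

```python
import json
import re

SSM_PREFIX = "_get_ssm_secure_string_"  # prefix the page uses for Parameter Store SecureString lookups
# YAML would type-coerce these, so they must be quoted (the page's manifest quotes "false" and "100")
NEEDS_QUOTES = re.compile(r"(?i)^(true|false|yes|no|on|off|null|~|[-+]?\d+(\.\d+)?)$")

def yaml_scalar(value: str) -> str:
    """Return value as a YAML scalar, quoting it when YAML would coerce or mis-parse it."""
    if value == "" or NEEDS_QUOTES.match(value) or any(c in value for c in ':#{}[]&*!|>\'"%@`'):
        return '"' + value.replace('"', '\\"') + '"'
    return value

def manifest_parameters(template: dict, ssm_path: str = "/qs/") -> list:
    """Map each CloudFormation parameter to a (key, value) manifest entry.
    NoEcho parameters never receive a literal: they become an SSM SecureString lookup,
    so the secret lives in Parameter Store and not in manifest.yaml. The /qs/ path is
    an assumed naming convention."""
    entries = []
    for key, spec in template.get("Parameters", {}).items():
        if spec.get("NoEcho") in (True, "true"):
            value = f"{SSM_PREFIX}{ssm_path}{key}"
        else:
            value = str(spec.get("Default", ""))  # empty value marks a field the operator must fill in
        entries.append((key, value))
    return entries

def render_manifest(name, resource_file, entries, ou, region="us-east-1", version="2021-03-15"):
    # Emit a version 2021-03-15 manifest targeting one OU with the stack_set deploy method
    lines = ["---", f"region: {region}", f"version: {version}", "resources:",
             f"  - name: {name}", f"    resource_file: {resource_file}", "    parameters:"]
    for key, value in entries:
        lines += [f"    - parameter_key: {key}", f"      parameter_value: {yaml_scalar(value)}"]
    lines += ["    deploy_method: stack_set", "    deployment_targets:",
              "      organizational_units:", f"        - {ou}", "    regions:", f"      - {region}"]
    return "\n".join(lines) + "\n"

# Constructed sample template (not the real Quick Start template)
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {
    "DBPassword": {"Type": "String", "NoEcho": true, "Description": "Database password"},
    "DBStorage": {"Type": "Number", "Default": 100},
    "DBMultiAZ": {"Type": "String", "Default": "false", "AllowedValues": ["true", "false"]},
    "AccessCIDR": {"Type": "String", "Description": "CIDR allowed to reach the instances"}
  }
}""")

if __name__ == "__main__":
    print(render_manifest("qs-sample", "s3://example-bucket/templates/sample.template.yaml",
                          manifest_parameters(SAMPLE_TEMPLATE), "Workloads"))
```

Parameters with an empty parameter_value are the ones the operator still has to fill in before compressing the folder; a YAML-format template would additionally need a YAML parser such as PyYAML.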

Cleanup

As a best practice, remove StackSets using either the AWS Management Console or AWS Command Line Interface (AWS CLI). For more information, see Delete a stack set.

Conclusion

In this post, I discussed how to deploy the Atlassian Jira Quick Start to thousands of AWS accounts simultaneously using Customizations for AWS Control Tower. I encourage you to explore our Quick Start catalog and learn about other Customizations that you can add to future deployments. And if you’re interested in learning more about manifest.yaml files, see the AWS Developer Guide for Customizations for AWS Control Tower.

Use the comments section of this post to let me know your thoughts.

About the author

Tony Bulding is a partner solutions architect for the AWS Integration & Automation team.