Use AWS Control Tower to deploy AWS Quick Starts to multiple accounts
Have you ever wondered how to deploy Amazon Web Services (AWS) Quick Start workloads to multiple AWS accounts—even thousands of accounts—all at one time? In this post, I show you how to use a configuration file in both your existing deployments of AWS Control Tower and Customizations for AWS Control Tower to deploy a single Quick Start to thousands of AWS accounts.
Using a common scenario, I walk you through the different sections of the configuration file, including how it handles sensitive data. I then cover the process for deploying the Quick Start to the target accounts.
Meet Jim, a solutions architect at Acme Inc. Jim’s supervisor asks him to deploy Atlassian Jira to all of Acme’s AWS accounts that are part of the AWS Control Tower organizational unit (OU) called workloads. Organizational units are groups of accounts used to manage access, security, and resources.
Being a tech-savvy engineer, Jim is familiar with the Atlassian Jira Quick Start and plans to deploy it to his target AWS accounts. He thinks to himself, “I’ll just use the Quick Start to deploy Jira to the accounts, and I’m all finished. All right! Who is ready for coffee?”
Jim’s first step is to review the target accounts in the workloads OU. After logging in to the AWS Control Tower console and locating the accounts, he’s surprised to see that the workloads OU has thousands of accounts! He pictures himself up all night, deploying the Quick Start to each account individually, one account at a time. He thinks, “Surely there must be a way to deploy the Quick Start to all those accounts simultaneously.” He puts his coffee idea on hold while he plans a strategy.
Fortunately for Jim, there is a perfect solution. Using Customizations for AWS Control Tower, he can deploy the Quick Start to all AWS accounts in the workloads OU at the same time. And as an added bonus, Customizations for AWS Control Tower configures an AWS Control Tower lifecycle event to deploy the Quick Start to new AWS accounts that are added to the OU in the future. Okay, get that coffee ready because Jim is back in business!
|About this blog post|
|Time to read||~10 min.|
|Time to complete||~30 min.|
|Cost to complete||$0|
|Learning level||Intermediate (200)|
|AWS services||AWS Control Tower|
- A working knowledge of AWS Control Tower, GitHub, and AWS CloudFormation templates
- A configured AWS Control Tower environment with Customizations for AWS Control Tower deployed into that environment.
Tag along with Jim as he completes the steps to deploy Atlassian Jira to thousands of AWS accounts in the AWS Control Tower workloads OU.
- Locate the target AWS accounts in AWS Control Tower. Jim signs in to the AWS Management Console and locates the target accounts in the Accounts section of the AWS Control Tower console.
Note: If you want to use a script to create your own
manifest.yamlfile based on the parameter values entered in an AWS CloudFormation template, see the Extra credit section of this post.
- Locate the configuration file for the Quick Start. Jim navigates to the GitHub repository for the Atlassian Jira Quick Start and opens the preconfigured
manifest.yamlfile that’s located in the
ct/custom-control-tower-configurationfolder. This configuration file contains deployment details, such as the default AWS Region, parameter keys and values, and deployment targets.
- Jim reviews the contents of the
- Jim reviews the elements and attributes in more detail:
|Elements and attributes|
|Region||The default AWS Region for creating AWS Control Tower resources. Note that you can specify more resource-specific Regions in the Resources section, later in the file.|
|Version||The schema version.|
|Resources||The resources deployed with the Quick Start, including the parameters and the template file that’s stored in Amazon Simple Storage Service (Amazon S3).|
|Resource file||The Amazon S3 bucket where template assets are stored.|
|Parameters||The values required for the deployment. If Jim uses an AWS CloudFormation template to deploy the Quick Start, these are the same values he would add to the template fields.|
|Deployment method||In this scenario, the deployment method uses AWS CloudFormation StackSets. StackSets can create, update, or delete stacks across multiple AWS accounts and Regions.|
|Deployment targets||In this scenario, Jim targets an OU.|
|Organizational units||In this scenario, Jim targets all accounts in the workloads OU. If Jim wanted to target only specific OU accounts, he would define a list of accounts by name or account number instead of OU name.|
|Regions||In this scenario, Jim deploys the Quick Start in the
Secure sensitive information
- For security reasons, Jim stores database passwords in the AWS Systems Manager Parameter Store. To retrieve sensitive data, such as passwords, from the Parameter Store, he includes the following script in the
- Compress the configuration folder. To prepare the deployment, Jim compresses the contents of the
custom-control-tower-configurationfolder into a .zip file named
custom-control-tower-configuration.zip. He stores the .zip file on his local machine.
- Deploy the Quick Start to the workloads OU. Jim uploads the .zip file from the previous step to the
custom-control-tower-configuration-<accountID>-<region>S3 bucket. The upload automatically initiates AWS CodePipeline to deploy the Quick Start to all AWS accounts in the workloads OU.
- Jim monitors the deployment by navigating to the Build > Build Projects section in the AWS CodeBuild console. He views the progress of the Quick Start deployments by opening the
When all three build projects complete, Jim sees that the status next to each line in AWS CodeBuild is Succeeded. Atlassian Jira is now deployed to all AWS accounts in the workloads OU.
If identifying, extracting, and building the
manifest.yaml file seems tedious, use the script file I created, which makes generating the
manifest.yaml file easier. Download either one of the following versions of the script from the Quick Start examples repository in GitHub.
Here is an example of how to run the Python version of the script to generate a
The script scans the template and builds the
manifest.yaml file based on the parameter data supplied in the AWS CloudFormation template. If you want more information about each parameter, include the
-v switch at the end of the script.
As a best practice, remove StackSets using either the AWS Management Console or AWS Command Line Interface (AWS CLI). For more information, see Delete a stack set.
In this post, I discussed how to deploy the Atlassian Jira Quick Start to thousands of AWS accounts simultaneously using Customizations for AWS Control Tower. I encourage you to explore our Quick Start catalog and learn about other Customizations that you can add to future deployments. And if you’re interested in learning more about
manifest.yaml files, see the AWS Developer Guide for Customizations for AWS Control Tower.
Use the comments section of this post to let me know your thoughts.
About the author
Tony Bulding is a partner solutions architect for the AWS Integration & Automation team.