AWS Cloud Operations & Migrations Blog

Simplify infrastructure deployments using Customizations for AWS Control Tower and AWS Serverless Application Model

Customers want flexibility and simpler ways to manage their AWS accounts. There are several ways to customize AWS account deployments at scale, such as Account Factory Customization (AFC), a native feature of the AWS Control Tower account factory, or Customizations for Control Tower (CfCT), which this blog focuses on. To perform account-level operations flexibly and with less code, customers can use the AWS Serverless Application Model (AWS SAM) integration with CfCT described here, which provides a straightforward way to establish a multi-account environment focused on operational excellence, security, reliability, and performance.

Customers can use AWS SAM and CfCT to perform account-level operations such as deploying security services, serverless or event-driven workflows, and cost controls with significantly less code. AWS SAM minimizes the overhead of complex deployments by taking care of packaging the customizations.

In this post, we describe how to provision and customize AWS accounts at scale using AWS SAM and CfCT, with customization workflows built on AWS SAM packages. These packages are stored centrally in the management account to reduce management overhead and simplify maintenance; there is no need to store them in the member accounts. We describe how to configure the CfCT AWS SAM extension to build and package AWS SAM projects automatically. The solution scales to all AWS Regions managed with AWS Control Tower. The full solution can be cloned from cfct-sam-extension on GitHub.

Solution overview

The solution adds an AWS CodePipeline that builds and stores AWS SAM packages before triggering CfCT to roll out changes. As there are only two integration points with the official CfCT (the CfCT deployment activation trigger and AWS Systems Manager Parameter Store referencing), the solution works as an extension to CfCT that customers can enable and disable without modifying CfCT itself.
Because AWS SAM stores packages in Amazon Simple Storage Service (Amazon S3), the corresponding locations are written to AWS Systems Manager parameters so that they can be referenced as CfCT parameters in the manifest.yml file.

Figure 1. Diagram describing the workflows to deploy AWS SAM packages on top of Customization for AWS Control Tower (CfCT) automation using the solution CfCT-SAM-extension.

CfCT can use SAM to a certain degree by adding Transform: AWS::Serverless-2016-10-31 to a template. However, this does not cover resources whose code or definition is packaged in Amazon S3. CfCT-SAM-extension closes this gap for the following AWS SAM resources.

AWS SAM resource, support by CfCT alone, and additional support with CfCT-SAM-extension:

  • AWS::Serverless::Api. CfCT: works as an inline string, but not as an S3 path for the definition. CfCT-SAM-extension: provides S3 support by storing and referencing definitions.
  • AWS::Serverless::Application. CfCT: S3 path required, but unsupported. CfCT-SAM-extension: provides S3 support by storing and referencing definitions.
  • AWS::Serverless::Function. CfCT: works as an inline string, but not as an S3 path for the code. CfCT-SAM-extension: provides S3 support by storing and referencing packages.
  • AWS::Serverless::HttpApi. CfCT: works as an inline string, but not as an S3 path for the definition. CfCT-SAM-extension: provides S3 support by storing and referencing definitions.
  • AWS::Serverless::LayerVersion. CfCT: S3 path required, but unsupported.
  • AWS::Serverless::SimpleTable. CfCT: yes, fully supported.
  • AWS::Serverless::StateMachine. CfCT: works as an inline string, but not as an S3 path for the definition. CfCT-SAM-extension: provides S3 support by storing and referencing definitions.

The locations of stored SAM packages are referenced within CfCT as AWS Systems Manager parameters like this:

manifest.yml

resources:
- name: test-sam-extension
  resource_file: test-sam-extension.yml
  deploy_method: stack_set
  parameters:
    - parameter_key: SAMExtensionBucketsPrefix
      parameter_value: $[alfred_ssm_/cfct-sam-extension/package-buckets-prefix]
    - parameter_key: TestServerlessFunctionPackagePath
      parameter_value: $[alfred_ssm_/cfct-sam-extension/serverless-functions/test-lambda]
  deployment_targets:
    organizational_units:
      - OUName1
      - OUName2

test-sam-extension.yml

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Parameters:
  SAMExtensionBucketsPrefix:
    Type: String
  TestServerlessFunctionPackagePath:
    Type: String

Resources:
  TestLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: python3.10
      CodeUri:
        Bucket: !Sub "${SAMExtensionBucketsPrefix}-${AWS::Region}"
        Key: !Ref TestServerlessFunctionPackagePath

Prerequisites

To use CfCT-SAM-extension successfully, the following AWS solutions need to be deployed in your AWS management account:

  1. AWS Control Tower is up and running
  2. Customizations for Control Tower (CfCT) is deployed

CfCT-SAM-extension integrates natively with both; there is no need to additionally configure AWS Control Tower or CfCT. For this walkthrough, we assume the CfCT configuration CodePipelineSource=AWS CodeCommit and CodeCommitRepositoryName=custom-control-tower-configuration.

Deployment

The deployment consists of one CloudFormation template, which needs to be deployed in your management account's home Region. The CloudFormation stack takes the following parameters:

Parameter, description, default, and example value:

  • EnabledRegions. To fully support the AWS Control Tower enabled Regions, this parameter needs to hold the same AWS Regions AWS Control Tower is activated for. This value can be changed later to enable cfct-sam-extension for further Regions. Example: us-east-1, eu-central-1
  • CodePipelineSource. Defines the CodePipeline source provider to be used as reference. Default: AWS CodeCommit. Example: AWS CodeCommit / Amazon S3
  • CodeCommitRepositoryName. Name of the CodeCommit repository that contains AWS SAM packages. Value used in this post: cfct-sam-extension-configuration
  • EnableContinuousDeployment. Enable continuous deployment of AWS SAM packages with CfCT. Each successful run of the cfct-sam-extension pipeline will trigger a CfCT build. Default: true. Example: true / false

Configuration

The samples/ folder contains some examples to deploy as reference. We will follow the serverless-function example and deploy it with CfCT. The following description assumes that you provided the parameters CodePipelineSource=AWS CodeCommit and CodeCommitRepositoryName=cfct-sam-extension-configuration for the SAM extension, and CodePipelineSource=AWS CodeCommit and CodeCommitRepositoryName=custom-control-tower-configuration for CfCT.

Step 1: Download samples/cfct-sam-extension/serverless-functions and put it into your newly created repository with the same folder structure (serverless-functions/). You can adapt the AWS Lambda code to your needs. The provided demo code configures the block public access settings for an account.

.
├── source
└── samples/
    └── cfct-sam-extension/
        └── serverless-functions

Step 2 (optional): Check the pipeline execution after the CodeCommit push. The CodePipeline (also named cfct-sam-extension) starts automatically and builds the SAM package. Once it has finished, you can find the packages in the S3 bucket named cfct-sam-extension-packages-ACCOUNTID-REGION. (Hint: there is one separate bucket per entry in EnabledRegions, because CloudFormation only accepts S3 URIs from the same Region as the stack.)

Step 3: Go to AWS Systems Manager Parameter Store and note down the parameter names for

  • /cfct-sam-extension/package-buckets-prefix and
  • /cfct-sam-extension/serverless-functions/*

Step 4: Go to your CfCT repository custom-control-tower-configuration and change/create the following files.

manifest.yml

resources:
- name: test-sam-extension
  resource_file: test-sam-extension.yml
  deploy_method: stack_set
  parameters:
    - parameter_key: SAMExtensionBucketsPrefix
      parameter_value: $[alfred_ssm_/cfct-sam-extension/package-buckets-prefix]
    - parameter_key: TestServerlessFunctionPackagePath
      parameter_value: $[alfred_ssm_/cfct-sam-extension/serverless-functions/test-lambda]
  deployment_targets:
    organizational_units:
      - OUName1
      - OUName2

test-sam-extension.yml

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Parameters:
  SAMExtensionBucketsPrefix:
    Type: String
  TestServerlessFunctionPackagePath:
    Type: String

Resources:
  TestLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: python3.10
      CodeUri:
        Bucket: !Sub "${SAMExtensionBucketsPrefix}-${AWS::Region}"
        Key: !Ref TestServerlessFunctionPackagePath
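Two details of the configuration above are easy to get wrong in practice: the $[alfred_ssm_...] tokens must resolve to parameters the extension pipeline actually wrote, and the template derives the bucket name as ${SAMExtensionBucketsPrefix}-${AWS::Region}, so every Region in EnabledRegions needs its own copy of the package (Step 2's hint). The following added pre-flight check, which is not part of the blog post or the cfct-sam-extension project, resolves the manifest's SSM references and reports the Regions whose package copy is missing. The SSM parameter values and the S3 inventory are constructed sample data standing in for ssm:GetParameter and s3:HeadObject results.

```python
"""Added example (not part of the blog post or the cfct-sam-extension repository):
resolve the $[alfred_ssm_...] references in a CfCT manifest entry and verify that
the referenced SAM package exists in every per-Region package bucket before CfCT
runs. SSM values and S3 inventory below are constructed sample data."""
import re
from typing import Dict, List, Set, Tuple

# Matches CfCT's SSM lookup syntax, e.g. $[alfred_ssm_/cfct-sam-extension/package-buckets-prefix]
ALFRED_SSM = re.compile(r"\$\[alfred_ssm_([^\]]+)\]")

# Constructed sample: what the cfct-sam-extension pipeline would have written to Parameter Store.
# 111122223333 is a documentation-style account id; the object key is a made-up package name.
SAMPLE_SSM_PARAMETERS: Dict[str, str] = {
    "/cfct-sam-extension/package-buckets-prefix": "cfct-sam-extension-packages-111122223333",
    "/cfct-sam-extension/serverless-functions/test-lambda": "serverless-functions/test-lambda/abc123.zip",
}

# Constructed sample: (bucket, key) pairs that exist. The package was only built for us-east-1.
SAMPLE_S3_INVENTORY: Set[Tuple[str, str]] = {
    ("cfct-sam-extension-packages-111122223333-us-east-1",
     "serverless-functions/test-lambda/abc123.zip"),
}

# The manifest entry from the post, as text (copied here so the example is self-contained).
SAMPLE_MANIFEST = """\
resources:
- name: test-sam-extension
  resource_file: test-sam-extension.yml
  deploy_method: stack_set
  parameters:
    - parameter_key: SAMExtensionBucketsPrefix
      parameter_value: $[alfred_ssm_/cfct-sam-extension/package-buckets-prefix]
    - parameter_key: TestServerlessFunctionPackagePath
      parameter_value: $[alfred_ssm_/cfct-sam-extension/serverless-functions/test-lambda]
"""


def resolve_alfred_ssm(text: str, ssm: Dict[str, str]) -> str:
    """Replace every $[alfred_ssm_<name>] token with the parameter's value.
    Raises KeyError for a missing parameter, mirroring a failing CfCT lookup."""
    def lookup(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in ssm:
            raise KeyError(f"SSM parameter not found: {name}")
        return ssm[name]
    return ALFRED_SSM.sub(lookup, text)


def manifest_parameters(resolved_manifest: str) -> Dict[str, str]:
    """Pull parameter_key/parameter_value pairs out of the resolved manifest text.
    A line-oriented scan avoids a YAML dependency; it assumes each parameter_key
    line is directly followed by its parameter_value line, as in the CfCT format."""
    params: Dict[str, str] = {}
    pending_key = None
    for line in resolved_manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith("- parameter_key:"):
            pending_key = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("parameter_value:") and pending_key:
            params[pending_key] = stripped.split(":", 1)[1].strip()
            pending_key = None
    return params


def missing_packages(params: Dict[str, str], regions: List[str],
                     inventory: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (bucket, key) pairs the stack set would reference that do not exist.
    The template builds the bucket name as <prefix>-<region>, so one copy of the
    package per enabled Region is required."""
    prefix = params["SAMExtensionBucketsPrefix"]
    key = params["TestServerlessFunctionPackagePath"]
    return [(f"{prefix}-{region}", key) for region in regions
            if (f"{prefix}-{region}", key) not in inventory]


def preflight(manifest: str, ssm: Dict[str, str], regions: List[str],
              inventory: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Resolve the manifest and report every Region whose package copy is missing."""
    resolved = resolve_alfred_ssm(manifest, ssm)
    return missing_packages(manifest_parameters(resolved), regions, inventory)


if __name__ == "__main__":
    gaps = preflight(SAMPLE_MANIFEST, SAMPLE_SSM_PARAMETERS,
                     ["us-east-1", "eu-central-1"], SAMPLE_S3_INVENTORY)
    for bucket, key in gaps:
        print(f"missing package: s3://{bucket}/{key}")
```

Run against the sample data, the check flags the eu-central-1 copy as missing, which is exactly the failure a stack set instance in that Region would otherwise surface only after CfCT has started rolling out. In a real pipeline the same function can be fed the output of ssm:GetParameter and a list of HeadObject results for every Region in EnabledRegions.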

Step 5 (optional): If you selected EnableContinuousDeployment=true, CfCT will automatically start again whenever a cfct-sam-extension pipeline run succeeds in the future.

Once the CfCT pipeline has run, you will see a new CloudFormation StackSet available with name CustomControlTower-test-sam-extension (derived from the resource yaml file).

Cleanup

To clean up the resources deployed in this post, perform the following steps in your management account:

  1. Delete SAM extension CloudFormation stack
  2. Delete the CodeCommit repository cfct-sam-extension-configuration
  3. Delete the CloudFormation StackSet CustomControlTower-test-sam-extension
  4. Delete the following Amazon CloudWatch log groups:
    • /aws/lambda/CustomControlTowerSamExtensionDeleteSsmParametersLambda
    • /aws/lambda/CustomControlTowerSamExtensionEmptyS3BucketsLambda
    • /aws/lambda/CustomControlTowerSamExtensionSAMPackageBucketsCreatorLambda

Conclusion

With this extension, you can use AWS SAM with Customizations for AWS Control Tower (CfCT) to deploy sophisticated multi-account serverless solutions at scale and with flexibility, while reducing complexity and the amount of code you need to write. The extension adds the full set of AWS SAM functionality, for example deploying large Lambda functions without inline code, and nested SAM stacks. The solution integrates in a non-invasive way with only two integration points within CfCT: i) AWS Systems Manager parameters holding the SAM package locations and ii) an optional CfCT pipeline execution call after a successful AWS SAM extension run. To learn more about the solution and deploy it to your AWS Organizations, visit the GitHub link here.

Additional details on how to use CfCT for account customization, security, cost control, monitoring, etc. are available in AWS Control Tower Workshops and CfCT tutorial.

Now, let’s go build and give it a try to customize your accounts using AWS SAM and CfCT!

About the authors

Ivan Girardi, based in Switzerland, is a Cloud Infrastructure Architect in AWS Professional Services. He is passionate about building secure, scalable, and efficient architectures to help customers innovate on AWS. Outside of work, Ivan enjoys spending time with his family, snowboarding, warm weather, and movies.
Jonas Koenig is a DevOps Consultant in AWS Professional Services. He likes to automate the building of infrastructure on AWS and to solve problems efficiently. In his free time, he likes playing sports and listening to electronic music.
Michael Dähnert is a Senior Cloud Infrastructure Architect at AWS. He has a diverse background, starting as software developer / software architect and finally leveraging his knowledge for cloud infrastructures. In his recent projects, he has built resilient cross-account solutions for his customers at scale.