AWS Public Sector Blog

Moving from AWS CodeCommit or Amazon S3 to external configuration repositories for Landing Zone Accelerator on AWS

Organizations deploying Landing Zone Accelerator on AWS (LZA), provided by Amazon Web Services (AWS), often face challenges in managing and versioning their configuration files. In this post, we explore how to use GitHub as a configuration file repository for the Landing Zone Accelerator on AWS solution, allowing better version control, collaboration, and automation in your LZA deployments.

You may be asking, how does GitHub integration with the LZA solution work? 

GitHub serves as a centralized repository for storing and managing LZA configuration files. This integration allows teams to use Git's version-control capabilities, so they can track changes, collaborate on configurations, and maintain a history of modifications to their LZA setup.

The GitHub repository acts as the single source of truth for LZA configurations, which can be pulled and applied to your AWS environment during the LZA deployment or update processes.

The benefits of using GitHub for LZA configurations include: 

  • Version control – Track changes and maintain a history of configuration modifications.
  • Collaboration – Allow team members to review and contribute to LZA configurations.
  • Automation – Integrate with continuous integration and continuous delivery or deployment (CI/CD) pipelines for automated LZA deployments.
  • Backup and recovery – Easily restore previous configurations, if needed.
  • Auditing – Maintain a clear audit trail of who made changes and when.

Prerequisites

Before implementing GitHub as your configuration repository for LZA, make sure that you have the following:

  1. An active AWS account with appropriate permissions to deploy and manage LZA
  2. The existing configuration files for the LZA stored in an Amazon Simple Storage Service (Amazon S3) bucket or in an AWS CodeCommit repository
  3. A GitHub account with the ability to create and manage repositories
  4. Landing Zone Accelerator on AWS solution deployed in your AWS environment
  5. AWS Command Line Interface (AWS CLI) installed and configured on your local machine
  6. A basic understanding of Git and GitHub operations
  7. Knowledge of your organization’s security and compliance requirements for managing configuration files

Solution overview

LZA is a solution that helps organizations quickly set up a secure, multi-account AWS environment based on AWS best practices. It provides a framework for implementing governance, security, and compliance controls across your AWS accounts. However, managing the configuration files for LZA can become complex as your environment grows.

Our solution uses GitHub as a centralized repository for storing and managing LZA configuration files. By integrating GitHub with LZA, you can create a streamlined workflow that combines the power of Git version control with the flexibility of LZA. This integration allows teams to store their LZA configurations in a GitHub repository, track changes over time, collaborate on configurations, and automate the deployment process.

The solution consists of three main components:

  1. The GitHub repository containing LZA configuration files
  2. The LZA deployment pipeline
  3. The AWS CodePipeline that connects the two

When changes are pushed to the GitHub repository, CodePipeline can automatically trigger a new LZA deployment, making sure that your AWS environment always reflects the latest approved configurations.

The steps to create a GitHub repository for storing and managing LZA configuration files are the following:

  1. Create a new private GitHub repository.
  2. Export the existing configuration from the Amazon S3 bucket or AWS CodeCommit repository.
  3. Import the configuration into the new GitHub repository.
  4. Create the code connection.
  5. Pick your private repository where your configuration files are stored.
  6. Update the LZA installer stack in AWS CloudFormation.

Figure 1. The process for implementing GitHub as a configuration repository for Landing Zone Accelerator on AWS.

Solution walkthrough: Moving from AWS CodeCommit or Amazon S3 to external configuration repositories for Landing Zone Accelerator on AWS

To implement GitHub as your configuration repository for LZA, follow these steps.

Step 1: Create a new private GitHub repository, as shown in figure 2.

  1. Sign in to your GitHub account and go to Repositories.
  2. Use the New button to create a new repository.
  3. Choose a descriptive name for your repository, such as landing-zone-accelerator-config.
  4. Select Private as the repository visibility.
  5. Initialize the repository with a README.
  6. Choose Create repository to complete the process.
  7. Pull the repository contents to your local machine by running git pull.

Figure 2. Creating a new repository.

Step 2: Export the existing configuration from the Amazon S3 bucket or AWS CodeCommit repository.

To export from the Amazon S3 bucket:

1. Sign in to the AWS Management Console and go to the Amazon S3 service.

2. Locate the Amazon S3 bucket containing the Landing Zone Accelerator configuration.

Figure 3. Exporting the existing configuration in Amazon S3.

3. Download the contents of the bucket as a .zip file.

Figure 4. Downloading the contents of the bucket as a .zip file.

To export from the CodeCommit repository:

1. Sign in to the AWS Management Console and go to the AWS CodeCommit service.

2. Locate the AWS CodeCommit repository containing the Landing Zone Accelerator configuration.

Figure 5: Locating the AWS CodeCommit repository containing the LZA configuration.

3. Follow the steps defined in Connect to an AWS CodeCommit repository.

Step 3: Import the configuration into the new GitHub repository.

  1. Unzip the contents of the Amazon S3 bucket. The CodeCommit repository content will be in the same file and folder structure, which means that you can use the files as is.
  2. Open a terminal or command prompt and go to the extracted folder.
  3. Initialize a new Git repository by running git init.
  4. Add the files to the repository using git add . (run from the extracted folder). The files should already be unzipped at this level: there is no top-level folder, just the configuration files.
  5. Commit the changes with git commit -m "Initial commit of Landing Zone Accelerator configuration".
  6. Add the new GitHub repository as a remote using git remote add origin followed by the URL of the new repository.
  7. Push the local repository to the new GitHub repository using git push -u origin main.
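
The import in step 3, as an added shell example that is not from the original post: it checks that the exported folder has the configuration files at the top level before anything is committed. The six file names are the mandatory LZA configuration files, which the post does not list, and the function names and the remote URL are hypothetical.

```shell
#!/bin/sh
# Added example: validate an exported LZA configuration folder, then run step 3.
# Assumption: the six mandatory LZA file names below are not listed in the post.
LZA_REQUIRED="accounts-config.yaml global-config.yaml iam-config.yaml network-config.yaml organization-config.yaml security-config.yaml"

# lza_check_layout DIR
#   "ok"              (return 0): every required file is at the top level of DIR
#   "nested:<subdir>" (return 2): the files sit one folder down, which happens
#                                 when the .zip was extracted with a wrapping folder
#   "missing:<files>" (return 1): required files are absent
lza_check_layout() {
  dir=$1; missing=""
  for f in $LZA_REQUIRED; do
    [ -f "$dir/$f" ] || missing="$missing $f"
  done
  if [ -z "$missing" ]; then echo "ok"; return 0; fi
  for sub in "$dir"/*/; do
    if [ -f "${sub}global-config.yaml" ]; then
      echo "nested:$(basename "$sub")"; return 2
    fi
  done
  echo "missing:${missing# }"; return 1
}

# lza_import DIR REMOTE_URL
#   Runs the git commands from step 3 only when the layout check passes.
lza_import() {
  dir=$1; remote=$2
  lza_check_layout "$dir" >/dev/null || {
    echo "layout check failed for $dir" >&2; return 1
  }
  (
    cd "$dir" || exit 1
    git init -q &&
    git add . &&
    git commit -q -m "Initial commit of Landing Zone Accelerator configuration" &&
    git branch -M main &&          # the installer stack is pointed at branch main
    git remote add origin "$remote" &&
    git push -u origin main
  )
}

# Usage (the remote URL is a placeholder):
#   lza_check_layout ./lza-config
#   lza_import ./lza-config https://github.com/<owner>/<repo>.git
```
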

Step 4: Create the code connection.

1. Go to the CodePipeline service and open the Connections section under Settings in the left navigation pane.

Figure 6: Accessing the Connections tab

2. In the Connections tab, choose Create connection and pick the GitHub option. Give it a distinct name, such as LZA, and choose Connect to GitHub.

Figure 7: Creating a connection.

3. After you choose Install a new app, as shown in figure 8, the external repository sign-in page will open.

Figure 8: Installing a new app.

4. Sign in to GitHub.

Figure 9. Signing in to GitHub.

5. Authorize AWS Connector for GitHub.

Figure 10. Authorizing AWS Connector for GitHub.

Step 5: Pick your private repository where your configuration files are stored.

1. After authorizing the connection, you will receive an App ID, which will be automatically populated in the App Installation section.

Figure 11. Receiving the App ID after installation.

  2. Don’t forget to select Install a new app, otherwise your source stage will fail while attempting to connect to your configuration files repository in GitHub.
  3. Choose Connect to create the connection.
  4. You should receive a page that says the connection was created successfully, as shown in figure 12.

Figure 12: The page shows that the connection was created successfully.

Step 6: Update the LZA installer stack in AWS CloudFormation.

1. Go to the CloudFormation service and locate the AWSAccelerator-InstallerStack.

2. Choose Update and use an existing template.

Figure 13: Updating the stack.

3. Set the parameters in the installer stack to the following:

      • Configuration repository location: codeconnection
      • UseExistingConfigRepo: Yes
      • ExistingConfigRepositoryName: LZA
      • Existing config repository branch name: main
      • Existing Config Repository Owner: bullittbirant
        • The URL is: https://github.com/bullittbirant/LZA
      • Existing Config Repository CodeConnection ARN: Get this from your Settings and Connections menus.

Figure 14: Config Repository Configuration.

4. Choose Next and review, checking that the change sets are generated, as shown in figure 15.

5. Choose Submit.

Figure 15: Change set preview.

6. After the stack is successfully updated, release the changes in the installer pipeline.

Figure 16. Releasing changes in the installer pipelines.

7. After the installer pipeline runs successfully, AWSAccelerator-Pipeline should run the whole pipeline.

8. Test the integration by doing the following:

      • Make a change to a configuration file in your GitHub repository.
      • Commit and push the change to trigger AWS CodePipeline.
      • Monitor the pipeline execution and verify that the changes are applied to your AWS environment.

Now you have established a robust system for managing your LZA configurations using GitHub, enabling version control, collaboration, and automated deployments.

Cleanup

To avoid future charges, you can delete the resources created during this migration process by completing the following steps:

  1. In the CodeCommit repository, delete the old configuration files.
  2. In the Amazon S3 console, delete the bucket containing the old configuration files.

Conclusion

In this post, we explored how organizations can use GitHub as a configuration file repository for the Landing Zone Accelerator on AWS solution. We discussed the benefits of this approach, including improved version control, collaboration, and automation in LZA deployments.

By implementing GitHub as your LZA configuration repository, organizations can achieve consistent configuration management, reduce operational complexity, and enhance scalability. This approach aligns with best practices for cloud configuration management and DevOps principles, offering flexibility in managing different environments while maintaining a strong governance posture.

Birant Akarslan

Birant is a senior security consultant at Amazon Web Services (AWS) specializing in security, risk and compliance, and multi-account infrastructures. With 25-plus years of experience in cloud architecture and security, Birant is passionate about helping organizations build secure, scalable, and efficient cloud environments. Away from work, he enjoys time with friends and family, diving, cooking, reading, and finding the perfect food in every city he visits.

Phuong Nguyen

Phuong is a security consultant at Amazon Web Services (AWS) specializing in security, risk and compliance, migrations, and networking infrastructure implementations for public sector customers globally. Her work in cloud architecture and security fuels a commitment to helping organizations create robust, expandable, and optimized cloud ecosystems. Outside of work, Phuong enjoys traveling, sheltering animals, concerts, and time with friends and family.