
Account Factory Architecture

Overview

Account Factory builds upon Gruntwork's AWS Control Tower Multi Account Factory and Pipelines to provide automated account creation, baselining, and managed IAM policies.

Within your infrastructure-live-root account, the _new-account-requests directory serves as an input to the Gruntwork Control Tower Module. This module runs within your management account and uses AWS Control Tower to provision new accounts.

Each provisioned account is tracked in your infrastructure-live-root repository as a new base directory containing Terragrunt units that are automatically tracked by Pipelines.

[Figure: Architecture Overview Diagram]

Account Vending

Account Vending begins by using the Account Factory Workflow to generate a Pull Request against infrastructure-live-root that adds a file to the _new-account-requests directory. Pipelines detects these new account requests and begins executing terragrunt plan/apply on this module in the management account.

Once the account has been created, Pipelines can begin provisioning resources into it. This includes the IaC-controlled OIDC authentication that Pipelines will use to deploy infrastructure changes within the account, and the IAM policies that restrict the scope of changes Pipelines is allowed to deploy.

Once this infrastructure has been added to the repository, Pipelines deploys it into the AWS account and runs account baselines in the logs, security, and shared accounts to finish provisioning the new account.

IAM Roles

Each new account has a set of IAM policies that determine the scope of changes Pipelines can plan/apply within AWS. Pipelines will automatically assume the appropriate roles for each account when changes are detected. Read about the roles in full here.
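The OIDC role that Pipelines assumes in each vended account is only as safe as its trust policy: if the subject condition is missing or uses an org-wide wildcard, any repository on the identity provider can assume the role. The following is an added audit example, not code from the page or from Gruntwork; it assumes a GitHub Actions OIDC provider, and the account ID and repository names are constructed.

```python
import json

# Assumption: Pipelines authenticates to the account through a GitHub Actions
# OIDC provider; the account ID and repository names used below are constructed.
OIDC_ISSUER = "token.actions.githubusercontent.com"

def oidc_trust_findings(trust_policy: str, expected_repo: str) -> list:
    """Audit an IAM role trust policy that should be assumable only by
    workflows of `expected_repo`. Returns a list of problems (empty = OK)."""
    findings = []
    for stmt in json.loads(trust_policy).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        # The audience claim must be pinned so a token minted for another
        # audience cannot be presented to STS.
        if cond.get("StringEquals", {}).get(f"{OIDC_ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud claim is not pinned to sts.amazonaws.com")
        # The subject claim must name the specific repository; an org-wide
        # wildcard or a missing sub lets any other repository assume the role.
        subs = []
        for op in ("StringEquals", "StringLike"):
            val = cond.get(op, {}).get(f"{OIDC_ISSUER}:sub")
            if val:
                subs.extend(val if isinstance(val, list) else [val])
        if not subs:
            findings.append("no sub condition: any repository on the provider could assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"sub {sub!r} is not scoped to repo:{expected_repo}")
    return findings

def _policy(sub_op, sub_value, pin_aud=True):
    """Build a constructed sample trust policy for the demonstration."""
    cond = {sub_op: {f"{OIDC_ISSUER}:sub": sub_value}}
    if pin_aud:
        cond.setdefault("StringEquals", {})[f"{OIDC_ISSUER}:aud"] = "sts.amazonaws.com"
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond}]})

EXPECTED_REPO = "acme-org/infrastructure-live-root"                      # constructed
WEAK_POLICY = _policy("StringLike", "repo:acme-org/*", pin_aud=False)    # org-wide wildcard
HARDENED_POLICY = _policy("StringLike", f"repo:{EXPECTED_REPO}:*")       # scoped to one repo
```

Running `oidc_trust_findings` over each role's trust policy in a vended account (for example as a Pipelines pre-apply check) flags the weak policy twice and passes the hardened one.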

Delegated Repositories

Delegated repositories provide additional control over your infrastructure by expanding on the above architecture. When vending delegated repositories, new account security baselines are still tracked in your infrastructure-live-root repository; however, other infrastructure is tracked in a new repository specific to that account (or accounts). New IAM roles are added to your infrastructure-live-access-control repository and are inherited by Pipelines when deploying infrastructure in the delegated repositories, allowing the central platform team to control what changes can be implemented via Pipelines in the delegated repository.

[Figure: Delegated Architecture Overview Diagram]