5 min read

AWS ControlTower Proactive Controls – Terraform Support

Aharon Twizer
Aharon Twizer

CEO & Co-founder

Aharon Twizer
Aharon Twizer

CEO & Co-founder

If you’re running any workload on a public cloud, you already know that maintaining compliance and security is critical.
AWS provides a service called ControlTower that helps with the governance of many AWS accounts and units within an organization.
One great thing about ControlTower is that it offers proactive controls through CloudFormation Hooks, ensuring that non-compliant resources are flagged and blocked during provisioning.
This helps make sure everything follows the right standards for security and compliance.

This level of governance is a game-changer, but what if you’re a Terraform enthusiast? How can you achieve similar proactive controls in your infrastructure-as-code journey?

In this blog, we’re going to discuss how to achieve similar proactive controls using Terraform, and we’ll decipher how Terraform users can adopt analogous approaches to bolster compliance and security within their AWS environments.

Understanding AWS ControlTower Proactive Controls

AWS ControlTower Proactive controls are mechanisms driven by CloudFormation Hooks, acting as evaluative checkpoints during resource provisioning, by using the preCreate and PreUpdate hooks.
These hooks intercept resource deployment requests and subject them to predefined compliance rules and policies. If a resource fails to conform to these standards, the deployment is automatically halted, preventing the introduction of non-compliant or potentially vulnerable components into the environment.
Essentially, these controls serve as a first line of defense, preemptively identifying and mitigating risks before they can manifest as security breaches or regulatory violations. 

The Challenge for Terraform Users

Terraform users face a distinct challenge when it comes to AWS Control Tower’s proactive controls. These controls are directly linked to CloudFormation, making their integration seamless within a CloudFormation-centric environment. However, for those utilizing Terraform for infrastructure management, achieving the same level of control presents a hurdle.

Moreover, the challenge extends to the need to allocate precise controls to specific accounts.
Organizations often comprise multiple units, each with its distinct AWS accounts and specific requirements.
With ControlTowers, the granularity of applying controls to specific organizational units or accounts is pretty straightforward.
Consider a scenario with a handful of organizational units overseeing dozens of AWS accounts. Here, the desire to implement “Proactive Control X” solely on “Organizational Unit Y” emerges.
When working with CloudFormation, you can just enable the ControlTower proactive control on the specific organizational unit or account and you’re done. 

When you work with your own Terraform CI/CD pipeline you can’t achieve that.
The challenge for Terraform users lies in finding a workaround that not only translates Control Tower’s proactive controls into Terraform-compatible mechanisms but also grants the flexibility to apply these controls meticulously across organizational units and accounts. 

Essential Building Blocks for Resolution

To effectively harness the power of AWS Control Tower proactive controls with Terraform, it’s imperative to understand the essential building blocks for resolution:

  • Translate each Control Tower proactive control evaluation language which is CloudFormation Guard Rules into your evaluation language. This step ensures that you’re aligning Control Tower’s requirements with your specific needs and configurations.
  • Integrate the proactive controls into your Terraform CI/CD pipeline. This means making them an integral part of your infrastructure-as-code deployment process, allowing for continuous validation and adherence to the specified controls.
  • Map what ControlTower proactive controls are enabled on what organizational units to the corresponding Terraform resources.
    Consider a scenario where you manage two organizational units, each with distinct proactive controls in place. In such a case, there is a need for a mechanism to translate this hierarchical control structure into your Terraform resources and corresponding Terraform code.
    This entails a deep understanding of which resources need validation against specific controls as they traverse the Terraform pipeline.
  • Lastly, your feedback loop should be complete. Report back to the user promptly if their suggested change doesn’t align with ControlTower’s proactive controls. Offer guidance on how to amend their proposal to meet these controls effectively.

This holistic approach ensures that your infrastructure remains compliant and secure.

The Solution – ControlMonkey

The ControlMonkey TFOps (Terraform Operations) platform does all the heavy lifting for ControlTower users.
If you’re already using ControlTower’s detective and preventive controls and want to integrate their proactive controls with Terraform, let’s explore how ControlMonkey handles the building blocks mentioned above:

  • Translation: ControlMonkey takes care of the heavy lifting by automatically translating all ControlTower proactive control conditions and providing Terraform-ready controls right out of the box.
  • Integration in CI/CD: ControlMonkey effortlessly reads the controls you’ve defined in your ControlTower configuration and applies these conditions within ControlMonkey’s Terraform CI/CD pipeline. This ensures that end-users benefit from a proactive approach at the pull request level, well before attempting to apply the code.
  • Mapping Proactive to Organizational Units: ControlMonkey streamlines the process by automatically determining which proactive controls should run on specific resources. This is achieved through ControlMonkey’s namespaces and stack hierarchy, eliminating the need for any user configuration.
  • Reporting back to the user: ControlMonkey provides immediate feedback at the pull request level, allowing users to quickly grasp whether they can merge and apply the code or if adjustments are needed to meet organizational regulations and requirements.

Summary

If you’re using ControlTower and Terraform and you always wanted to utilize ControlTower proactive controls – now you can do it. With ControlMonkey It’s that simple. Book a demo here.

Recommended from Control Monkey
4 min read
ControlMonkey Top 10 Features
Adopt a Proactive DevOps Strategy and prevent 90% of Production Issues with ControlMonkey's solutions for Terraform Operations....
Aharon Twizer
Aharon Twizer

CEO & Co-Founder

Aharon Twizer
Aharon Twizer

CEO & Co-Founder

1 min read
AWS Blog: How to Import and Manage AWS Networking with Terraform and ControlMonkey
Check out AWS's latest Blog about ControlMonkey and Terraform....
Aharon Twizer
Aharon Twizer

CEO & Co-founder

Aharon Twizer
Aharon Twizer

CEO & Co-founder

4 min read
The Definitive Guide for Shifting from Terraform to OpenTofu
Learn how to migrate your IaC framework from Terraform to OpenTofu with a few simple commands. ...
Ori Yemini
Ori Yemini

CTO & Co-founder

Ori Yemini
Ori Yemini

CTO & Co-founder

6 min read
Proactive DevOps Strategy: From Firefighting to Innovation
Learn how adopting a 'Proactive DevOps Strategy' can free your team from firefighting and allow them to innovate. ...
Aharon Twizer
Aharon Twizer

CEO & Co-founder

Aharon Twizer
Aharon Twizer

CEO & Co-founder

Compliant AWS environments in minutes, with Self-service Infrastructure
Learn how to enable other teams such as Dev and QA to launch pre-defined compliant AWS environments in minutes, by using Terraform.

Contact us

We look forward to hearing from you

AWS Governance & DevOps Productivity with Terraform

Learn how how to shift-left cloud governance with Terraform in this webinar brought to you by AWS and ControlMonkey.

We look forward to hearing from you!

ControlMonkey

Terraform Best Practices with ControlMonkey Webinar

Check out our latest webinar with DoIT International.

In this webinar we showcase together with DoIT how ControlMonkey is helping DevOps teams to make the transition from ClickOps to GitOps easily with Terraform.

This website uses cookies. We use cookies to ensure that we give you the best experience on our website. Privacy policy