If you’re running any workload on a public cloud, you already know that maintaining compliance and security is critical.
AWS provides a service called ControlTower that helps with the governance of many AWS accounts and units within an organization.
One great thing about ControlTower is that it offers proactive controls through CloudFormation Hooks, ensuring that non-compliant resources are flagged and blocked during provisioning.
This helps make sure everything follows the right standards for security and compliance.
This level of governance is a game-changer, but what if you’re a Terraform enthusiast? How can you achieve similar proactive controls in your infrastructure-as-code journey?
In this blog, we’re going to discuss how to achieve similar proactive controls using Terraform, and we’ll decipher how Terraform users can adopt analogous approaches to bolster compliance and security within their AWS environments.
Understanding AWS ControlTower Proactive Controls
AWS ControlTower Proactive controls are mechanisms driven by CloudFormation Hooks, acting as evaluative checkpoints during resource provisioning, by using the preCreate and PreUpdate hooks.
These hooks intercept resource deployment requests and subject them to predefined compliance rules and policies. If a resource fails to conform to these standards, the deployment is automatically halted, preventing the introduction of non-compliant or potentially vulnerable components into the environment.
Essentially, these controls serve as a first line of defense, preemptively identifying and mitigating risks before they can manifest as security breaches or regulatory violations.
The Challenge for Terraform Users
Terraform users face a distinct challenge when it comes to AWS Control Tower’s proactive controls. These controls are directly linked to CloudFormation, making their integration seamless within a CloudFormation-centric environment. However, for those utilizing Terraform for infrastructure management, achieving the same level of control presents a hurdle.
Moreover, the challenge extends to the need to allocate precise controls to specific accounts.
Organizations often comprise multiple units, each with its distinct AWS accounts and specific requirements.
With ControlTowers, the granularity of applying controls to specific organizational units or accounts is pretty easy and straightforward.
Consider a scenario with a handful of organizational units overseeing dozens of AWS accounts. Here, the desire to implement “Proactive Control X” solely on “Organizational Unit Y” emerges.
When working with CloudFormation, you can just enable the ControlTower proactive control on the specific organizational unit or account and you’re done.
When you work with your own Terraform CI/CD pipeline you can’t achieve that.
The challenge for Terraform users lies in finding a workaround that not only translates Control Tower’s proactive controls into Terraform-compatible mechanisms but also grants the flexibility to apply these controls meticulously across organizational units and accounts.
Essential Building Blocks for Resolution
To effectively harness the power of AWS Control Tower proactive controls with Terraform, it’s imperative to understand the essential building blocks for resolution:
- Translate each Control Tower proactive control evaluation language which is CloudFormation Guard Rules into your own evaluation language. This step ensures that you’re aligning Control Tower’s requirements with your specific needs and configurations.
- Integrate the proactive controls into your Terraform CI/CD pipeline. This means making them an integral part of your infrastructure-as-code deployment process, allowing for continuous validation and adherence to the specified controls.
- Map what ControlTower proactive controls are enabled on what organizational units to the corresponding Terraform resources.
Consider a scenario where you manage two organizational units, each with distinct proactive controls in place. In such a case, there is a need for a mechanism to translate this hierarchical control structure into your Terraform resources and corresponding Terraform code.
This entails a deep understanding of which resources need validation against specific controls as they traverse the Terraform pipeline.
- Lastly, your feedback loop should be complete. Report back to the user promptly if their suggested change doesn’t align with ControlTower’s proactive controls. Offer guidance on how to amend their proposal to meet these controls effectively.
This holistic approach ensures that your infrastructure remains compliant and secure.
The Solution – ControlMonkey
The ControlMonkey TFOps (Terraform Operations) platform does all the heavy lifting for ControlTower users.
If you’re already using ControlTower’s detective and preventive controls and want to integrate their proactive controls with Terraform, let’s explore how ControlMonkey handles the building blocks mentioned above:
- Translation: ControlMonkey takes care of the heavy lifting by automatically translating all ControlTower proactive control conditions and providing Terraform-ready controls right out of the box.
- Integration in CI/CD: ControlMonkey effortlessly reads the controls you’ve defined in your ControlTower configuration and applies these conditions within ControlMonkey’s Terraform CI/CD pipeline. This ensures that end-users benefit from a proactive approach at the pull request level, well before attempting to apply the code.
- Mapping Proactive to Organizational Units: ControlMonkey streamlines the process by automatically determining which proactive controls should run on specific resources. This is achieved through ControlMonkey’s namespaces and stack hierarchy, eliminating the need for any user configuration.
- Reporting back to the user: ControlMonkey provides immediate feedback at the pull request level, allowing users to quickly grasp whether they can merge and apply the code or if adjustments are needed to meet organizational regulations and requirements.
If you’re using ControlTower and Terraform and you always wanted to utilize ControlTower proactive controls – now you can do it. With ControlMonkey It’s that simple. Book a demo here.