Recording: https://youtu.be/PASG0NTKUQA?si=1Ih7O9z0Lk0IzX9n Welcome innovators! In this comprehensive tutorial, you will learn how to get started with AWS Cloud and Terraform to build an enterprise-like landing zone for a secure, low-cost environment to develop with Terraform. We'll guide you through setting up AWS Control Tower, Identity and Access Management, and creating a sandbox account, ensuring you have a safe and controlled area for learning and development. You'll also learn about budget management, single sign-on setup, and using AWS organizations for policy management. Plus, dive deep into Terraform basics, including setting up state management, migrating local state to remote state, and making resource modifications using your new infrastructure as code skills. Perfect for beginners looking to master AWS and Terraform essentials!

1. Getting Started with
AWS & Terraform
Enterprise-like Landing Zone for
Terraform Learning & Development
presents

2. Today’s Goals
● Build the Wahl Network Enterprise Landing Zone
● Setup Control Tower and IAM Identity Center
● Construct a learning environment
● Bootstrap a sandbox account with Terraform
● Migrate Terraform local state to remote state in the sandbox

3. 👁👁 Viewer Tips
1. Take it slow
2. Use chapters to skip around
3. Pause when you need
4. Follow along with your environment

4. Setting Expectations
Step by step instructions
Me reading the documentation
“Just follow this exactly”
High level objectives
Desired outcomes
“What good looks like”
👎 👍

5. Part 1
AWS Landing Zone

6. What is a Landing Zone?
• Landing Zones give our apps, data, and
infrastructure a "home".
• They split controls into accounts and roles.
• Landing Zones give us a safe "sandbox" to build.
• Security is separate from where we build.
• Billing and organization-level management are
also isolated.

7. ● 💵Management Account: The central
account that handles all billing and payments.
● 💻Network Account: Centralizes network
resources such as transit gateway, internet
gateway, and NAT gateway.
● 🪵Log Archive Account: Stores logs from
other accounts for auditing and analysis.
● 📃Audit Account: Security auditing &
controls across all environments.
● 🛝Sandbox Account: Provides a safe
environment for experimentation without
affecting production resources.
Basic Landing Zone
Account Structure

8. AWS Control Tower
Easily build your multi-account environment

9. 1. AWS Control Tower offers a straightforward way to set up and govern an AWS
multi-account environment.
2. Control Tower orchestrates the capabilities of AWS Organizations, AWS Service
Catalog, and AWS IAM Identity Center to build a landing zone in less than an
hour.
3. Resources are set up and managed on your behalf.
4. Control Tower applies controls (guardrails) to help keep your organizations and
accounts from drifting.
5. If you are hosting more than a handful of accounts, it’s beneficial to have
Control Tower as an orchestration layer.
AWS Control Tower

10. Control Tower

11. Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning

12. Billing and
Cost Management
Avoid surprise bills and track spend

14. Monthly Budget in Management Account

15. Budget Alert Threshold(s)

16. Multiple Thresholds (50%, 80%)

18. Create a Weekly Budget Report

19. Budget Report Email Example

20. Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend

21. IAM Identity Center
Create users to leverage Single Sign-On (SSO)

22. Create an Identity Source

23. Multi-Factor Authentication (MFA)

24. Control Tower & Custom Groups

25. Limit Developers Group Access

26. Developer & Administrator Users
Limit your “daily use” account to only what you need to develop and learn

27. Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend
Security Guardian
Single sign-on user for
daily development
needs

28. AWS Organizations
Setting policies for all of your AWS Accounts

29. Enable Service Control Policies (SCPs)

30. Add Custom SCP to Deny Public S3 Buckets

31. SCP Details

32. SCP Content

33. AWS
Landing Zone
Summary

34. Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend
Security Guardian
Single sign-on user for
daily development
needs

35. Part 2
Terraform &
Infrastructure as Code

36. Infrastructure as Code
(IaC) is like writing a
recipe for your servers
and networks instead of
setting them up by hand
Terraform is a tool that
lets you write these
recipes in a simple
language

37. You describe what you
want your infrastructure
to look like, and
Terraform automatically
builds it for you
Example:
"I need two web servers
and a database"

38. This makes managing and
changing your
infrastructure much
easier and more reliable.
Especially at scale!

39. VSCode Setup
Getting ready to run our first Terraform plan

40. Tool Setup
AWS CLI
https://docs.aws.amazon.com/cli/
Used to interact with AWS
Single-sign on authentication
AWS troubleshooting
Terraform CLI
https://developer.hashicorp.com/terraform/install
Used to run Terraform commands

41. Alternate Method: Use Scoop!

42. Create a tf Alias for Terraform

43. AWS SSO Login Request
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

44. AWS SSO Login Request Approved

45. Gather your SSO Role Name

46. Edit your inputs/sandbox.tfvars File

47. Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI

48. Terraform Files
Commonly used file structure

49. Terraform Files
The names of Terraform files are for
humans, not for the computer.
Terraform combines all files into a single
plan.
We structure our files to make it easier to
work with the code as humans.

50. Terraform Files
• main.tf - The primary file containing
our resources
• outputs.tf - A list of output
information we want once a plan
completes
• provider.tf - Information on the AWS
provider that Terraform uses

51. Planned Terraform Resources
S3 Bucket
State storage
DynamoDB Table
State locks
KMS Key
Server-side
Encryption
AWS Budget
Account-level
Spend

52. Terraform Files
• backend.tf - Tells Terraform how to
reach our backend storage for state
• We’re using a “local” backend for
right now (our computer)
• inputs/sandbox.backend - Inputs for
the backend!

53. Terraform Files
• variables.tf - A list of variables used
by the Terraform plan
• inputs/sandbox.tfvars - Inputs for the
variables!

54. Terraform
Bootstrap Resources
Things Terraform needs in your AWS Account

55. AWS Account Bootstrap Resources
S3 Bucket
State storage
DynamoDB Table
State locks
KMS Key
Server-side
Encryption

56. Bootstrap Process
1. Init Terraform using local state
2. Apply bootstrap resources
3. Adjust Terraform to use remote state
4. Reconfigure Terraform

57. Terraform Plan
Using Terraform to build the initial infrastructure

58. tf init

59. New Files!

60. tf plan --var-file="inputs/sandbox.tfvars"

61. Notice the lock file?
We’re “locking” the state file during a
Terraform operation, even though
we’re using a local backend (our
computer) for state
This file disappears when the
Terraform operation is complete

62. Terraform Plan Summary

63. tf apply --var-file="inputs/sandbox.tfvars"

64. Confirm & Approve the Terraform Actions

67. New Empty S3 Bucket for Remote State

68. S3 Bucket is Limited to our SSO Principal

69. New DynamoDB Table to Lock Remote State

70. New KMS Key & Alias to Encrypt S3 Data

71. New Budget to Monitor & Alert on Spend

72. Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State

73. Backend Migration
Moving your state file to a remote location

74. Update the backend.tf file to use S3

75. Update the inputs/sandbox.backend file

76. tf init --backend-config="inputs/sandbox.backend"

77. Local State is Blank

78. Remote State now Exists …

79. Remote State now Exists … and Versioned!

80. Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3

81. Exercise: Change the Budget Value
1. How would you change the
budget amount from $5 to $8?
2. How would you test this
change?
3. How would you apply the
change?
4. What would you look for to
confirm the change?

82. Changing the Budget to USD $8

83. Plan the Change

84. Apply the Change

85. Apply the Change

86. Once we apply this change,
the budget updates to USD
$8 and a new version of the
state file is saved in S3
Verify the change

87. Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3
Terraform Innovator
Changed existing AWS
resources via Terraform

88. Terraform & IaC
Summary

89. Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3
Terraform Innovator
Changed existing AWS
resources via Terraform

90. How did you do?
What will you build next?

91. Feedback Welcome!
🙏Please leave a comment below
• Liked something specific?
• Something needs improving?
• Found a mistake?
• Ideas for a future topic?
• General good vibes?

92. Thank you!