Getting Started with
AWS & Terraform
Enterprise-like Landing Zone for
Terraform Learning & Development
presents
Today’s Goals
● Build the Wahl Network Enterprise Landing Zone
● Set up Control Tower and IAM Identity Center
● Construct a learning environment
● Bootstrap a sandbox account with Terraform
● Migrate Terraform local state to remote state in the sandbox
👁👁 Viewer Tips
1. Take it slow
2. Use chapters to skip around
3. Pause when you need
4. Follow along with your environment
Setting Expectations
👎 Not this: step by step instructions; me reading the documentation; “Just follow this exactly”
👍 This: high level objectives; desired outcomes; “What good looks like”
Part 1
AWS Landing Zone
What is a Landing Zone?
• Landing Zones give our apps, data, and infrastructure a "home".
• They split controls into accounts and roles.
• Landing Zones give us a safe "sandbox" to build.
• Security is separate from where we build.
• Billing and organization-level management are also isolated.
● 💵Management Account: The central account that handles all billing and payments.
● 💻Network Account: Centralizes network resources such as transit gateway, internet gateway, and NAT gateway.
● 🪵Log Archive Account: Stores logs from other accounts for auditing and analysis.
● 📃Audit Account: Security auditing & controls across all environments.
● 🛝Sandbox Account: Provides a safe environment for experimentation without affecting production resources.
Basic Landing Zone
Account Structure
AWS Control Tower
Easily build your multi-account environment
1. AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment.
2. Control Tower orchestrates the capabilities of AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center to build a landing zone in less than an hour.
3. Resources are set up and managed on your behalf.
4. Control Tower applies controls (guardrails) to help keep your organizations and accounts from drifting.
5. If you are hosting more than a handful of accounts, it’s beneficial to have Control Tower as an orchestration layer.
AWS Control Tower
Control Tower
Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Billing and
Cost Management
Avoid surprise bills and track spend
Monthly Budget in Management Account
Budget Alert Threshold(s)
Multiple Thresholds (50%, 80%)
Create a Weekly Budget Report
Budget Report Email Example
Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend
IAM Identity Center
Create users to leverage Single Sign-On (SSO)
Create an Identity Source
Multi-Factor Authentication (MFA)
Control Tower & Custom Groups
Limit Developers Group Access
Developer & Administrator Users
Limit your “daily use” account to only what you need to develop and learn
Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend
Security Guardian
Single sign-on user for
daily development
needs
AWS Organizations
Setting policies for all of your AWS Accounts
Enable Service Control Policies (SCPs)
Add Custom SCP to Deny Public S3 Buckets
SCP Details
SCP Content
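The custom SCP the slides add through the console can also be kept in Terraform so it is reviewed and versioned like the rest of the landing zone. The block below is an added example, not the deck’s own SCP content: the policy name, the `workloads_ou_id` variable and the statement ids are assumptions. It freezes account-level Block Public Access in every member account under the target OU and refuses any S3 request that carries a public canned ACL.

```hcl
# Added example, not the deck's own SCP: a custom policy that keeps S3 data
# private in every account under the target OU. Policy name and OU variable
# are assumptions.

variable "workloads_ou_id" { type = string }   # OU holding the Sandbox account (placeholder)

resource "aws_organizations_policy" "deny_public_s3" {
  name        = "DenyPublicS3Buckets"
  description = "Freeze account-level Block Public Access and refuse public ACLs"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account-level Block Public Access can no longer be changed or
        # removed (DeletePublicAccessBlock is authorized by the same action).
        Sid      = "FreezeAccountBlockPublicAccess"
        Effect   = "Deny"
        Action   = "s3:PutAccountPublicAccessBlock"
        Resource = "*"
      },
      {
        # Any request that carries a public canned ACL is refused outright.
        # StringEquals is false when the key is absent, so normal private
        # uploads and bucket creation are unaffected.
        Sid      = "DenyPublicCannedAcls"
        Effect   = "Deny"
        Action   = ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutObject", "s3:PutObjectAcl"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl" = ["public-read", "public-read-write", "authenticated-read"]
          }
        }
      },
    ]
  })
}

# Attach to an OU below the root; SCPs never apply to the management
# account itself, only to member accounts.
resource "aws_organizations_policy_attachment" "deny_public_s3" {
  policy_id = aws_organizations_policy.deny_public_s3.id
  target_id = var.workloads_ou_id
}
```

Because the first statement also denies turning the account-level setting on, enable Block Public Access in each member account before the policy lands on its OU, and check it with `aws s3control get-public-access-block --account-id <account id>`. Terraform running under a Developer permission set can still create buckets and set bucket-level Block Public Access; it simply cannot make anything public.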
AWS
Landing Zone
Summary
Landing Zone Achievement Badges Earned:
Awesome Architect
Multi-account,
Well-Architected AWS
landing zone
Sandbox Hero
Sandbox AWS account
for learning
Budget Buster
Budget with alarms and
reports to see and
control spend
Security Guardian
Single sign-on user for
daily development
needs
Part 2
Terraform &
Infrastructure as Code
Infrastructure as Code (IaC) is like writing a recipe for your servers and networks instead of setting them up by hand.
Terraform is a tool that lets you write these recipes in a simple language.
You describe what you want your infrastructure to look like, and Terraform automatically builds it for you.
Example: "I need two web servers and a database"
This makes managing and changing your infrastructure much easier and more reliable. Especially at scale!
VSCode Setup
Getting ready to run our first Terraform plan
Tool Setup
AWS CLI
https://docs.aws.amazon.com/cli/
Used to interact with AWS
Single-sign on authentication
AWS troubleshooting
Terraform CLI
https://developer.hashicorp.com/terraform/install
Used to run Terraform commands
Alternate Method: Use Scoop!
Create a tf Alias for Terraform
AWS SSO Login Request
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
AWS SSO Login Request Approved
Gather your SSO Role Name
Edit your inputs/sandbox.tfvars File
Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Files
Commonly used file structure
Terraform Files
The names of Terraform files are for humans, not for the computer.
Terraform combines all files into a single plan.
We structure our files to make it easier to work with the code as humans.
Terraform Files
• main.tf - The primary file containing our resources
• outputs.tf - A list of output information we want once a plan completes
• provider.tf - Information on the AWS provider that Terraform uses
Planned Terraform Resources
S3 Bucket
State storage
DynamoDB Table
State locks
KMS Key
Server-side
Encryption
AWS Budget
Account-level
Spend
Terraform Files
• backend.tf - Tells Terraform how to reach our backend storage for state
• We’re using a “local” backend for right now (our computer)
• inputs/sandbox.backend - Inputs for the backend!
Terraform Files
• variables.tf - A list of variables used by the Terraform plan
• inputs/sandbox.tfvars - Inputs for the variables!
Terraform
Bootstrap Resources
Things Terraform needs in your AWS Account
AWS Account Bootstrap Resources
S3 Bucket
State storage
DynamoDB Table
State locks
KMS Key
Server-side
Encryption
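The bootstrap resources listed here (and the 50% / 80% budget thresholds from the Billing and Cost Management slides) can be written as one main.tf. The block below is an added example, not the deck’s own code: the variable names, resource names, alias, table name and budget name are assumptions. The bucket policy implements the “limited to our SSO principal” result shown on the apply slides by denying every principal other than the IAM role behind your permission set.

```hcl
# Added example, not the deck's own code: the four bootstrap resources as
# Terraform. Variable and resource names are assumptions for illustration.

variable "bucket_name" { type = string }      # globally unique state bucket name
variable "sso_role_arn" { type = string }     # IAM role ARN behind your SSO permission set
variable "budget_email" { type = string }     # where budget alerts are sent
variable "budget_limit_usd" {                 # inputs/sandbox.tfvars sets this (the deck uses 5)
  type    = string
  default = "5"
}

# KMS key (and alias) for server-side encryption of the state objects
resource "aws_kms_key" "state" {
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "state" {
  name          = "alias/terraform-state"
  target_key_id = aws_kms_key.state.key_id
}

# State bucket: versioned so every apply leaves a recoverable prior state
resource "aws_s3_bucket" "state" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.state.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Limit the bucket to the SSO principal. aws:PrincipalArn carries the role
# ARN for assumed-role sessions, so compare against the IAM role, not the session.
resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlySsoRole"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.state.arn, "${aws_s3_bucket.state.arn}/*"]
      Condition = { ArnNotEquals = { "aws:PrincipalArn" = var.sso_role_arn } }
    }]
  })
}

# Lock table: the S3 backend expects a string hash key named LockID
resource "aws_dynamodb_table" "locks" {
  name         = "terraform-state-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Account-level monthly budget with alerts at 50% and 80% of actual spend
resource "aws_budgets_budget" "account" {
  name         = "sandbox-monthly"
  budget_type  = "COST"
  limit_amount = var.budget_limit_usd
  limit_unit   = "USD"
  time_unit    = "MONTHLY"
  dynamic "notification" {
    for_each = [50, 80]
    content {
      comparison_operator        = "GREATER_THAN"
      threshold                  = notification.value
      threshold_type             = "PERCENTAGE"
      notification_type          = "ACTUAL"
      subscriber_email_addresses = [var.budget_email]
    }
  }
}
```

The deny statement is absolute, so the value fed into `sso_role_arn` (the role name gathered in the “Gather your SSO Role Name” step) must be right before the apply; a typo locks everyone except the account root user out of the state bucket, and root can only remove the policy, not read state. Keeping `budget_limit_usd` as a variable is what makes the later “change the budget from $5 to $8” exercise a one-line edit in inputs/sandbox.tfvars.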
Bootstrap Process
1. Init Terraform using local state
2. Apply bootstrap resources
3. Adjust Terraform to use remote state
4. Reconfigure Terraform
Terraform Plan
Using Terraform to build the initial infrastructure
tf init
New Files!
tf plan --var-file="inputs/sandbox.tfvars"
Notice the lock file?
We’re “locking” the state file during a Terraform operation, even though we’re using a local backend (our computer) for state.
This file disappears when the Terraform operation is complete.
Terraform Plan Summary
tf apply --var-file="inputs/sandbox.tfvars"
Confirm & Approve the Terraform Actions
New Empty S3 Bucket for Remote State
S3 Bucket is Limited to our SSO Principal
New DynamoDB Table to Lock Remote State
New KMS Key & Alias to Encrypt S3 Data
New Budget to Monitor & Alert on Spend
Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Backend Migration
Moving your state file to a remote location
Update the backend.tf file to use S3
Update the inputs/sandbox.backend file
tf init --backend-config="inputs/sandbox.backend"
Local State is Blank
Remote State now Exists …
Remote State now Exists … and Versioned!
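The updated backend.tf that the migration slides refer to can stay free of environment-specific values by using Terraform’s partial backend configuration, with the values coming from the inputs/sandbox.backend file named in the init command. The block below is an added example, not the deck’s own file; the key path and the bucket, table and alias names it mentions are placeholders.

```hcl
# Added example, not the deck's own file: backend.tf after the move to S3.
# Environment-specific values are deliberately absent here; they come from
# inputs/sandbox.backend, so one backend.tf serves every environment.
# Bucket, table and key names below are placeholders.

terraform {
  backend "s3" {
    # Supplied by inputs/sandbox.backend (one `name = "value"` per line):
    #   bucket         = "<state bucket from the bootstrap apply>"
    #   key            = "sandbox/terraform.tfstate"
    #   region         = "<region of the bucket>"
    #   dynamodb_table = "<lock table from the bootstrap apply>"
    #   kms_key_id     = "alias/terraform-state"
    encrypt = true   # not environment-specific, so it lives here
  }
}
```

Running `tf init --backend-config="inputs/sandbox.backend"` then asks whether to copy the existing local state into the bucket; `-migrate-state` makes that intent explicit and `-force-copy` skips the confirmation. Afterwards `tf state list` should show the four bootstrap resources read from S3, and the local terraform.tfstate is left empty, which is the “Local State is Blank” slide. One caveat: the bucket now stores the state that describes the bucket itself, so this configuration should never be destroyed from the remote backend.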
Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3
Exercise: Change the Budget Value
1. How would you change the budget amount from $5 to $8?
2. How would you test this change?
3. How would you apply the change?
4. What would you look for to confirm the change?
Changing the Budget to USD $8
Plan the Change
Apply the Change
Apply the Change
Once we apply this change, the budget updates to USD $8 and a new version of the state file is saved in S3
Verify the change
Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3
Terraform Innovator
Changed existing AWS
resources via Terraform
Terraform & IaC
Summary
Terraform Achievement Badges Earned:
Tools of the Trade
VSCode, Terraform CLI,
and AWS CLI
Terraform Wizardry
Terraform Plan & Apply
with Local State
Migration Mogul
Migrated to Remote
State in AWS S3
Terraform Innovator
Changed existing AWS
resources via Terraform
How did you do?
What will you build next?
Feedback Welcome!
🙏Please leave a comment below
• Liked something specific?
• Something needs improving?
• Found a mistake?
• Ideas for a future topic?
• General good vibes?
Thank you!