aws / aws-cdk-rfcs

RFCs for the AWS CDK

AWS Landing Zone CDK pattern request

erupare opened this issue · comments

May I suggest an AWS Landing Zone CDK pattern request :-). Would further suggest that the pattern be composable using constructs, e.g. security construct, logging construct, service catalog construct, etc., to allow customers to cherry-pick what they want for their ALZ.

Happy to collaborate on this, having deployed Landing Zones.

@erupare Way more detail needs to be added to this issue.
I have attached a link to the AWS Landing Zones home page.
One thing about Landing Zones is that it heavily uses CloudFormation to install a number of sets of Step Functions & Lambdas.

Hey @erupare,

This looks like it would be a beneficial feature to add. As @slipdexic mentioned though, Landing Zone is a very intensive pattern and would require a lot of dev work.

If either of you would like to start on this and put in a PR, we would all be happy to advise and review as the process goes. Otherwise, once someone has a chance to address this, we can update the issue.

😸

This is a very interesting idea. I am transferring this to the RFC repo. Please follow the RFC Repo README in order to submit this as an RFC.

Any updates on this? @slipdexic @eladb

Also, any idea if CDK will do anything with AWS Control Tower going forward as that looks like what is recommended compared to starting with AWS Landing Zone?

Also keep GovCloud in mind. No official Control Tower support there... yet.

We are looking to implement Landing Zones. If we were to request our AWS TAM for CDK constructs and patterns as a part of our migration, who should we refer to within AWS to implement the pattern?

It would be interesting to begin with developing CDK constructs for the AWS Organizations API ... As it seems, there's no direct CloudFormation support and hence custom resources would need to be used.

In the implementation of an LZ (which basically defines whether or not CDK can be used in any operational or workload accounts) no CDK is used by AWS contractors, raising issues around testability and repeatability of CloudFormation patterns. E.g. Lambdas embedded in CFN which cannot be tested or patched easily. CDK needs to take ownership of Organizations setup rather than leave it to the old & broken LZ technology.
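The two points above, CDK constructs for the Organizations API having to go through custom resources, and Lambdas embedded in CloudFormation being hard to test, meet in the same place: the custom resource handler has to be written so its logic runs outside AWS. The following is an added example, not code from the CDK project or from anyone in this thread. It is a Python handler following the CDK custom resource Provider framework's onEvent contract (the event goes in, a dict with PhysicalResourceId and Data comes back) that manages one organizational unit, with the Organizations client injected so a constructed in-memory fake can drive it offline. The property names Name and ParentId, the REQUIRED_ACTIONS tuple and the ou-test-... ids are assumptions made for the example.

```python
"""Constructed example (not from the CDK project or this thread): a CloudFormation
custom resource handler for an AWS Organizations organizational unit (OU), written
so the Lambda logic can be unit tested offline. Follows the CDK custom resource
Provider framework contract: on_event receives the CloudFormation event and returns
{"PhysicalResourceId": ..., "Data": ...}. The Organizations client is injected: a
deployed Lambda passes boto3.client("organizations"); tests pass FakeOrganizations.
"""
from types import SimpleNamespace

# Hypothetical resource property names chosen for this example.
PROP_NAME = "Name"
PROP_PARENT = "ParentId"

# The execution role needs exactly these actions; scope its IAM policy to them
# rather than organizations:* (assumption: the handler makes no other calls).
REQUIRED_ACTIONS = (
    "organizations:CreateOrganizationalUnit",
    "organizations:UpdateOrganizationalUnit",
    "organizations:DeleteOrganizationalUnit",
)


def _props(event):
    """Validate the properties CloudFormation passed for this resource."""
    props = event.get("ResourceProperties") or {}
    name, parent = props.get(PROP_NAME), props.get(PROP_PARENT)
    if not name or not parent:
        raise ValueError(f"{PROP_NAME} and {PROP_PARENT} are required")
    return name, parent


def _create(org, name, parent):
    resp = org.create_organizational_unit(ParentId=parent, Name=name)
    ou_id = resp["OrganizationalUnit"]["Id"]
    return {"PhysicalResourceId": ou_id, "Data": {"OuId": ou_id}}


def on_event(event, org):
    """Dispatch Create/Update/Delete; `org` is a boto3-style Organizations client."""
    request = event["RequestType"]
    if request == "Create":
        return _create(org, *_props(event))
    if request == "Update":
        name, parent = _props(event)
        ou_id = event["PhysicalResourceId"]
        old_parent = (event.get("OldResourceProperties") or {}).get(PROP_PARENT)
        if old_parent != parent:
            # Organizations has no "move OU" call: return a new physical id so
            # CloudFormation replaces the resource and then deletes the old OU.
            return _create(org, name, parent)
        org.update_organizational_unit(OrganizationalUnitId=ou_id, Name=name)
        return {"PhysicalResourceId": ou_id, "Data": {"OuId": ou_id}}
    if request == "Delete":
        ou_id = event["PhysicalResourceId"]
        try:
            org.delete_organizational_unit(OrganizationalUnitId=ou_id)
        except org.exceptions.OrganizationalUnitNotFoundException:
            pass  # already gone (e.g. rollback of a failed create): stay idempotent
        return {"PhysicalResourceId": ou_id}
    raise ValueError(f"unsupported RequestType {request!r}")


class FakeOrganizations:
    """In-memory stand-in for boto3's Organizations client (constructed for
    offline tests; only the three calls the handler uses are implemented)."""

    class OrganizationalUnitNotFoundException(Exception):
        pass

    def __init__(self):
        self.ous, self._counter = {}, 0
        # boto3 exposes modeled errors as client.exceptions.<Name>; mirror that.
        self.exceptions = SimpleNamespace(
            OrganizationalUnitNotFoundException=self.OrganizationalUnitNotFoundException)

    def _require(self, ou_id):
        if ou_id not in self.ous:
            raise self.OrganizationalUnitNotFoundException(ou_id)
        return self.ous[ou_id]

    def create_organizational_unit(self, ParentId, Name):
        self._counter += 1
        ou_id = f"ou-test-{self._counter:04d}"  # constructed id, not a real OU id
        self.ous[ou_id] = {"Id": ou_id, "Name": Name, "ParentId": ParentId}
        return {"OrganizationalUnit": dict(self.ous[ou_id])}

    def update_organizational_unit(self, OrganizationalUnitId, Name):
        self._require(OrganizationalUnitId)["Name"] = Name
        return {"OrganizationalUnit": dict(self.ous[OrganizationalUnitId])}

    def delete_organizational_unit(self, OrganizationalUnitId):
        del self.ous[self._require(OrganizationalUnitId)["Id"]]
        return {}


if __name__ == "__main__":
    org = FakeOrganizations()
    props = {PROP_NAME: "Security", PROP_PARENT: "r-example"}  # constructed root id
    print(on_event({"RequestType": "Create", "ResourceProperties": props}, org))
```

Because the AWS calls sit behind an injected client, the Create/Update/Delete branches (including the replace-on-parent-change and the idempotent delete) can be exercised in a plain unit test before the handler is ever packaged into a stack, and the role that runs it can be scoped to REQUIRED_ACTIONS instead of a wildcard over the Organizations API.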

Anyone interested in doing this anytime soon should probably take a look at the org-formation project here:

https://github.com/org-formation/org-formation-cli

It's a mature project that is more flexible than Control Tower and capital-L Landing Zones, and it already has a powerful CloudFormation-like superset syntax of CFN yaml for managing AWS Organizations and cross-account governance and deployments. They also have CDK support via a CDK task, and you can extend the whole thing via customization if you're hitting any current limitations.

They seem very responsive to reasonable requests in their issue tracker and Slack channel. I'm not affiliated with the project, but I was happy to discover it after bumping my head against IaC limitations with Control Tower and AWS Organizations, and I'm happily learning as I go.

It'd probably be more practical at this point to shift to working on improving CDK interop with org-formation, rather than recreating all that it already does from scratch. I even see that AWS is listed as a sponsor on the account, although I'm not sure how much love they actually get from Amazon.