Provision Platform Resources

This is an advanced topic for platform engineers.

On AWS, thoughtbot uses Control Tower to implement security best practices and reliable workload isolation. This provides a quick starting point for a multi-account setup while still allowing for significant customization and expansion later.

Rather than managing individual IAM users in each account, Control Tower makes it easy to use AWS SSO to manage users centrally and integrate with existing identity stores such as a Google or Microsoft user directory.

We use Customizations for Control Tower to configure account baselines and deploy service control policies.

We use a standardized account infrastructure to structure organizations.

Getting Started

To install the platform, you can follow these guides:

Installing without Control Tower

If you're using a single AWS account or not using Control Tower for another reason, you'll need to create the baseline role and S3 backend for Terraform by hand. Once these are in place, you can proceed with deploying the ingress stack.
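The two hand-built pieces above, as an added example that is not thoughtbot's own code: a hardened S3 state backend (versioned, encrypted, locked, never public) and a baseline role whose trust policy is limited to one named principal. The bucket, table and role names and the trusted principal ARN are placeholders you replace with your own values.

```hcl
# Added example, not thoughtbot's code; all names and the principal ARN are placeholders.
# State bucket: versioned so a bad apply can be rolled back, encrypted, never public.
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-terraform-state" # placeholder bucket name
}

resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table so two operators cannot apply against the same state at once.
resource "aws_dynamodb_table" "tflock" {
  name         = "terraform-state-lock" # placeholder table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Baseline role Terraform assumes; trust is limited to one named principal, not "*".
resource "aws_iam_role" "baseline" {
  name = "platform-baseline" # placeholder; use your actual baseline role name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::111111111111:role/operators" } # placeholder ARN
      Action    = "sts:AssumeRole"
    }]
  })
}
```

Once applied, the ingress stack's `backend "s3"` block references this bucket with `encrypt = true` and `dynamodb_table = "terraform-state-lock"`, and its provider assumes the baseline role via `assume_role`.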