What is Account Factory for Terraform (AFT)
Account Factory for Terraform (AFT) is a solution provided by AWS that leverages Terraform to automate and manage the creation and configuration of AWS accounts. It is designed to streamline the account provisioning process, enforce consistent configurations, and ensure governance and compliance across multiple AWS accounts.
It may be an oversimplification, but AFT is particularly useful to those organizations (large enterprises, MSPs, education) that require mass account provisioning. AFT can handle the provisioning of multiple accounts simultaneously, making it a valuable tool for organizations with large or rapidly changing AWS environments or organizations.
You can read more about AFT here: https://docs.aws.amazon.com/controltower/latest/userguide/taf-account-provisioning.html
Removing AFT
I deployed AFT in a test organization and though there are no additional charges for AFT, you will pay for those “resources deployed by AFT, the AWS services enabled by AFT, and the resources you deploy in your AFT environment.” (AFT User Guide).
In my account, I saw my AWS Service Catalog and Config charges increase with the addition of AFT. Granted, it was “only” $6 one month and then $9 the next, but I don’t have any credits applied to my account right now and that’s a big deal! There’s a pizza place within walking distance of my house that offers a $5 personal pizza on their lunch menu. When faced with the choice of spending $15 on useless (in this case) AWS Config charges or savoring 3 lunch special pizzas, I’ll always go for the pizza. Thus, I decided to remove AFT.
Seemingly forgetting everything involved in the install, I launched VS Code, opened a console, went into my AFT directory, typed “terraform destroy”, and expected AFT to be quickly removed with no additional effort on my part. Though that was mostly true, there were a few S3 buckets and (1) backup vault that terraform was unable to destroy because they were not empty.
I should have done this:
- Empty the “aft…..” S3 buckets in the AFT AWS Account. There were (2) of these buckets in my account
- Within the AFT Account, empty the AWS Backup Vault, aft-controltower-backup-vault
- Within the Log Archive Account, empty the aws-aft-s3-access bucket
- Execute terraform destroy
- In my case, I used a CloudFormation template to deploy a DynamoDB table and an S3 bucket to hold my Terraform state data; to complete the uninstall, I deleted this CFT.
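The S3 steps above fail for the same reason terraform destroy did: a versioned bucket is not empty until every object version and delete marker is gone. The following is an added example (not code from the original post) for emptying such a bucket from CloudShell in the AFT or Log Archive account; the bucket names in it are placeholders to be replaced with the “aft…” and aws-aft-s3-access names terraform destroy complained about.

```python
"""Empty the versioned S3 buckets that block `terraform destroy` of AFT.

Assumes AWS credentials for the AFT (or Log Archive) account are already
configured in the shell, e.g. a CloudShell session in that account.
"""
from typing import Dict, Iterable, List

MAX_DELETE_BATCH = 1000  # hard limit of S3 DeleteObjects per request


def build_delete_batches(versions: Iterable[Dict], delete_markers: Iterable[Dict],
                         batch_size: int = MAX_DELETE_BATCH) -> List[List[Dict]]:
    """Turn ListObjectVersions output into DeleteObjects-sized batches.

    Object versions AND delete markers must both be removed; a bucket that
    still holds delete markers counts as non-empty and the destroy fails.
    """
    targets = [{"Key": v["Key"], "VersionId": v["VersionId"]}
               for v in list(versions) + list(delete_markers)]
    return [targets[i:i + batch_size] for i in range(0, len(targets), batch_size)]


def empty_versioned_bucket(bucket: str, dry_run: bool = True, s3=None) -> int:
    """Delete every object version and delete marker in `bucket`.

    Returns the number of versions deleted (or, with dry_run, that would be).
    Run with dry_run=True first and check the count before deleting anything.
    """
    if s3 is None:
        import boto3  # imported lazily so the batching logic is testable offline
        s3 = boto3.client("s3")
    deleted = 0
    paginator = s3.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket):
        batches = build_delete_batches(page.get("Versions", []),
                                       page.get("DeleteMarkers", []))
        for batch in batches:
            if not dry_run:
                s3.delete_objects(Bucket=bucket, Delete={"Objects": batch, "Quiet": True})
            deleted += len(batch)
    print(f"{'Would delete' if dry_run else 'Deleted'} {deleted} versions from {bucket}")
    return deleted


if __name__ == "__main__":
    # Placeholder names: replace with the buckets terraform destroy could not remove.
    for name in ["aft-PLACEHOLDER-bucket-1", "aft-PLACEHOLDER-bucket-2"]:
        empty_versioned_bucket(name, dry_run=True)  # set dry_run=False once the count looks right
```

Once the buckets are empty, rerun terraform destroy; the CloudFormation-managed state bucket is emptied the same way before its stack is deleted.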
Emptying the Backup Vault
The aft-controltower-backup-vault contained over 6000 recovery points. To facilitate this step, I uploaded and launched the following Python code/file from a CloudShell instance while logged into the AFT account.
import boto3

# Initialize the Backup client with default credentials
backup_client = boto3.client('backup')

# Define the backup vault name
backup_vault_name = 'aft-controltower-backup-vault'


# Function to delete recovery points
def delete_recovery_points(vault_name):
    # Initialize the pagination token
    next_token = None

    # Loop to handle pagination
    while True:
        # List recovery points with pagination token if available
        if next_token:
            recovery_points = backup_client.list_recovery_points_by_backup_vault(
                BackupVaultName=vault_name,
                NextToken=next_token
            )
        else:
            recovery_points = backup_client.list_recovery_points_by_backup_vault(
                BackupVaultName=vault_name
            )

        # Delete all listed recovery points
        for point in recovery_points['RecoveryPoints']:
            backup_client.delete_recovery_point(
                BackupVaultName=vault_name,
                RecoveryPointArn=point['RecoveryPointArn']
            )
            print(f"Deleted recovery point: {point['RecoveryPointArn']}")

        # Check if there's another page of recovery points
        next_token = recovery_points.get('NextToken')
        if not next_token:
            break

    print("All recovery points have been deleted.")


# Call the function to start the deletion process
delete_recovery_points(backup_vault_name)
Final Thoughts
Just an FYI, the day I removed AFT, the AWS Config charges in the AFT account soared to $19.06! That’s nearly 4 personal lunch pizzas for removing AFT, bringing the total number of lost pizzas to 7!!! Since removing AFT, Config costs have been $0.