Orchestration Strategies for Multi-Account AWS Environments: Design and Implementation of a CDKTF-Based Landing Zone Builder

FERRARI, DAVIDE
2024/2025

Abstract

The rapid adoption of cloud computing offers organizations unprecedented agility and scalability. However, this perceived simplicity often leads to a "build first, organize later" approach, resulting in operational chaos, security vulnerabilities, and escalating technical debt. To mitigate these risks and harness the full potential of the cloud, establishing a Landing Zone, a pre-configured, secure, multi-account environment based on architectural best practices, is essential. While automation tools exist to deploy these environments on Amazon Web Services (AWS), an analysis reveals a fundamental trade-off in the current landscape. Managed services like AWS Control Tower offer a streamlined setup but sacrifice the flexibility required for complex enterprise needs, while powerful frameworks like Account Factory for Terraform (AFT) introduce significant operational complexity and fragmented workflows. This thesis addresses this gap by designing and implementing a novel Landing Zone builder leveraging the Cloud Development Kit for Terraform (CDKTF). The proposed solution is engineered to codify and automatically enforce architectural best practices drawn from established standards, such as the provider's Well-Architected Framework, as well as from the practical, on-field experience of beSharp. Guided by principles of operational transparency and a superior developer experience, it combines the imperative power of TypeScript for configuration with the robust, declarative state management of Terraform. The resulting framework provides a unified GitOps workflow from a single, type-safe configuration source, eliminating the overhead associated with managing multiple repositories. It incorporates proactive validation mechanisms, such as integrated IPAM checks, and features a modular, open-code architecture.

The implementation demonstrates that it is possible to achieve the flexibility required for enterprise-grade governance without sacrificing operational simplicity, providing a resilient and maintainable foundation for scalable cloud environments.
Files in this item:

File:   landing_zone_pdfa.pdf (not available for download)
Size:   5.1 MB
Format: Adobe PDF

Users may download and share the documents available in full text in UNITESI UNIPV under the terms of the Creative Commons CC BY NC ND licence.
For further information, or to check whether the file is available, write to: unitesi@unipv.it.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.14239/33596