Cloud Account Management (CAM) - Setup Terraform & Git Configuration

Purpose: Cloud Account Management (CAM) creates subscription accounts in AWS using Terraform.

Cloud Account Management (CAM) automates the creation of new subscription (member) accounts in AWS using Terraform templates. This KB article includes a Terraform template that you can upload to GitHub and integrate with either Terraform environment for deployment.

Supported Terraform Environments:
- Terraform Cloud
- Terraform Enterprise

Here's how it works:
1. Onboarding: The AWS administrator shares their credentials (access key and secret key) with the Terraform administrator.
2. Terraform Environment Setup: The Terraform administrator sets up a Terraform organization and Git repository according to the instructions provided later in this document.
3. CAM Workflow Automation: The CAM workflow automation leverages a PAD/Playbook. This playbook integrates with Terraform by passing the attributes needed for account creation and a reference to the Git code containing the Terraform configuration.
4. Terraform and AWS Integration: Terraform interacts with AWS to perform the account creation. Most of this process is asynchronous and typically takes a few minutes to complete.
5. Account ID Storage: Once account creation is complete, the generated account ID is stored in the CAM request table.

Terraform Template

awsaccount.tf

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.region
}

# Member account created under the organizational unit given by parent_id.
resource "aws_organizations_account" "account" {
  email             = var.root_email
  name              = var.account_name
  tags              = var.tags
  parent_id         = var.parent_id
  close_on_deletion = var.close_delete
  create_govcloud   = var.gov_cloud
}

# Optional monthly cost budget for the new account; only created when
# monthly_budget is greater than zero.
resource "aws_budgets_budget" "cost" {
  count = var.monthly_budget > 0 ? 1 : 0

  name         = join("-", ["SN-CAM-Monthly-Budget", aws_organizations_account.account.id])
  budget_type  = "COST"
  limit_amount = var.monthly_budget
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # Restrict the budget to spend linked to the newly created account.
  cost_filter {
    name   = "LinkedAccount"
    values = [aws_organizations_account.account.id]
  }

  # Forecasted spend exceeds 100% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = [var.root_email, var.notification_email]
  }

  # Actual spend exceeds 85% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 85
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = [var.root_email, var.notification_email]
  }

  # Actual spend exceeds 100% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = [var.root_email, var.notification_email]
  }
}
```

variables.tf

```hcl
variable "region" {
  type    = string
  default = "us-east-1"
}

variable "account_name" {
  type        = string
  description = "(Required) Account Name"
}

variable "root_email" {
  type        = string
  description = "(Required) Account Email"
}

variable "tags" {
  type        = map(string)
  description = "(Required) Tags for the resource"
}

variable "close_delete" {
  type        = bool
  description = "Close Account on deletion"
  default     = true
}

variable "gov_cloud" {
  type        = bool
  description = "Gov Cloud Account"
  default     = false
}

variable "parent_id" {
  type        = string
  description = "(Required) Account Parent Organizational Unit"
}

variable "monthly_budget" {
  type    = number
  default = 0
}

variable "notification_email" {
  type        = string
  description = "Additional email where Budget Notifications are to be sent"
}
```

You can also fork https://github.com/muralimreddy/cam-create-aws-account-IL2/.

Required Role: Terraform Administrator

Attributes required for this setup:
- AWS Access Key
- AWS Secret Key

Procedure:

1. Git Repository Setup

To manage your Terraform templates, follow these steps:
- Create a Dedicated Repository: Begin by creating a new Git repository specifically for storing your Terraform configuration files.
- Copy and Push Files: Copy the Terraform configuration files you'll be using for account creation into this newly created Git repository. Then, push these files to a remote repository (e.g., GitHub, GitLab).
- Record the Location: Once the template is successfully stored in Git, record its location or URL for future reference (e.g., mygitaccount/cam-create-aws-account).

Using the Template: This Terraform template will be referenced by both Terraform Cloud and your ServiceNow instance to automate the subscription account creation process.

Note: Don't modify the template, as the variables are closely connected to the application.

2. Terraform Cloud (TFC)/Enterprise (TFE) Setup

2.1 Create Terraform Org

Prerequisites:
- A Terraform Cloud account or Terraform Enterprise is available.
- Access to create organizations within your Terraform account (administrative privileges may be required).

Procedure:
1. Navigate to the Terraform Cloud (https://app.terraform.io/session) or Terraform Enterprise website (https://<TFE_SERVER_URL>/api/v1) and log in using your account credentials.
2. Once logged in, click on your username or organization name in the top right corner of the dashboard. From the dropdown menu, select "Organizations".
3. On the "Organizations" page, click the blue button labeled "Create Organization".
4. A modal window will appear for creating a new organization. Enter a unique organization name and the other details listed in the form.
5. Once you've filled out the details, carefully review the information for accuracy. If everything looks correct, click the "Create Organization" button at the bottom of the modal window.

Confirmation and Management: Terraform Cloud will process your request and create the new organization. You'll receive confirmation within the platform. You can now manage your organization settings, add members, and configure workspaces within your newly created organization.

Additional Notes: For more information, refer to the official documentation:
- Terraform Cloud: https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/organizations
- Terraform Enterprise: https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/organizations

By following these steps, you can successfully create a Terraform organization within your Terraform Cloud account, enabling you to manage your Terraform configurations and workflows more effectively.

2.2 Saving AWS Credentials in Terraform

Procedure:
1. In the Terraform Org you created in the previous section, navigate to Settings > Variable set > Create variable set. A variable set is a collection of variables shareable across multiple workspaces.
2. Provide a descriptive name like AWS credentials.
3. Variable set Scope: Select Apply globally.
4. Create two variables within the Variables section as follows:
   - Key: AWS_ACCESS_KEY_ID and Value: <AWS access key>
   - Key: AWS_SECRET_ACCESS_KEY and Value: <AWS secret key>

Note: Select Sensitive to mask the credentials from visibility to unauthorized personnel with Terraform access.

Additional Notes: For a more in-depth guide on creating variable sets, please refer to the following resource: https://developer.hashicorp.com/terraform/tutorials/cloud-get-started/cloud-create-variable-set#

3. Integrate Terraform Cloud with Git

Integrating your Git configuration with Terraform is a crucial step to link your workspaces with source code repositories. This enables version control for your Terraform configurations, ensuring you can track changes and revert to previous versions if necessary.

Here are the steps for integrating Terraform Cloud with GitHub.com:
1. In a web browser, navigate to https://github.com and log in to your account. Keep this window open.
2. Return to your Terraform console. Select the Terraform Organization you created earlier.
3. Navigate to Settings > Providers and click Add VCS Provider.
4. Select GitHub and then choose GitHub.com (custom).
5. Click Register a new OAuth Application. This will open a new tab in your browser directed to GitHub.com. This also pre-populates the callback URL as shown below.
6. Click Register application. Then, copy the Client ID displayed on the following page.
7. Click Generate a new client secret and copy the generated Client Secret.
8. Go back to your Terraform console window.
9. Paste the copied Client ID and Client Secret into the corresponding fields on the Terraform VCS Provider configuration form. Click Connect and Continue.
10. On the next page, click the Authorize button to grant Terraform access to your GitHub account.

Following these steps will establish a connection between Terraform and your GitHub.com account, allowing you to manage Terraform configurations within your Git repository. Take note of the OAuth Token ID to share it with the ServiceNow admin at the end of this process.

The specific configuration steps will vary depending on your Terraform version and the type of source code repository you're using. Refer to the official documentation for detailed instructions: https://developer.hashicorp.com/terraform/cloud-docs/vcs.

4. Generate Terraform API Key Token

1. Navigate to the Signed in as icon in the top left of the Terraform console window and click Account settings > Tokens.
2. Click Create an API Token and set the expiration policy in accordance with your company's security standards.
3. Copy the generated token and store it in a notepad; subsequently, share it with the ServiceNow admin for registration in the ServiceNow instance.

Output of this setup:
- VCS Identifier (Step 1)
- Terraform Org Name (Step 2.1)
- Terraform OAuth Token ID (Step 3)
- Terraform API Key Token (Step 4)
- Terraform URL (Step 2.1)

Back to main KB - Cloud Account Management (CAM) - Setup (KB1641505)
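The playbook passes the account-creation attributes to Terraform, and the article notes that the template's variables must not be modified because the application depends on them. The following added example (written for this article; it is not code from the CAM application or from the template's repository) parses the variable declarations in variables.tf, determines which variables are required (those without a default), and checks a playbook attribute set for missing, unknown or mistyped values before it is handed to Terraform. It embeds a constructed, abridged copy of the article's variables.tf (descriptions omitted) so it runs offline, and assumes variable blocks contain no nested blocks, which holds for this template.

```python
"""Check a CAM playbook attribute set against the template's variables.tf.

Added example; not part of the KB article or the CAM application.
The parser assumes flat variable blocks (no nested blocks), as in the
article's template.
"""
import re

# Constructed, abridged inline copy of the article's variables.tf
# (descriptions omitted) so the example runs without a checkout.
VARIABLES_TF = '''
variable "region"             { type = string      default = "us-east-1" }
variable "account_name"       { type = string }
variable "root_email"         { type = string }
variable "tags"               { type = map(string) }
variable "close_delete"       { type = bool        default = true }
variable "gov_cloud"          { type = bool        default = false }
variable "parent_id"          { type = string }
variable "monthly_budget"     { type = number      default = 0 }
variable "notification_email" { type = string }
'''

# One variable block: optional quotes around the label, body up to the first "}".
BLOCK_RE = re.compile(r'variable\s+"?(\w+)"?\s*\{([^}]*)\}', re.S)
# "name = value" pairs inside a block body (values never contain "=" here).
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s"=]+)')

# Python values acceptable for each Terraform type constraint in the template.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "bool": lambda v: isinstance(v, bool),
    "map(string)": lambda v: isinstance(v, dict)
    and all(isinstance(k, str) and isinstance(x, str) for k, x in v.items()),
}


def parse_variables(hcl):
    """Return {name: {"type": ..., "required": bool}} for each variable block."""
    variables = {}
    for name, body in BLOCK_RE.findall(hcl):
        attrs = dict(ATTR_RE.findall(body))
        variables[name] = {
            "type": attrs.get("type", "string"),
            "required": "default" not in attrs,   # no default => caller must supply it
        }
    return variables


def validate_request(attrs, variables):
    """List problems in a playbook attribute set; an empty list means it is acceptable."""
    problems = []
    for name, spec in variables.items():
        if name not in attrs:
            if spec["required"]:
                problems.append(f"missing required variable: {name}")
            continue
        check = TYPE_CHECKS.get(spec["type"])
        if check and not check(attrs[name]):
            problems.append(
                f"{name}: expected {spec['type']}, got {type(attrs[name]).__name__}")
    for name in attrs:
        if name not in variables:
            # The template must not be edited, so an unknown key can never be honoured.
            problems.append(f"unknown variable (template is fixed): {name}")
    return problems


if __name__ == "__main__":
    variables = parse_variables(VARIABLES_TF)
    # Constructed sample request as a playbook might pass it.
    request = {
        "account_name": "cam-sandbox-01",
        "root_email": "aws-root+sandbox01@example.com",
        "tags": {"owner": "platform", "env": "sandbox"},
        "parent_id": "ou-EXAMPLE-PLACEHOLDER",
        "monthly_budget": 250,
        "notification_email": "finops@example.com",
    }
    for problem in validate_request(request, variables) or ["request is acceptable"]:
        print(problem)
```

A request that fails this check should be rejected in the playbook rather than submitted, since Terraform would otherwise prompt for the missing value and the run would stall.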
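Sections 2.2, 3 and 4 are performed in the Terraform console, but the same objects can be created through the Terraform Cloud/Enterprise API, which is also what the API token from step 4 is used for. The following added example (not code from the KB, the CAM application or HashiCorp) builds the JSON:API payloads for a globally scoped variable set holding the AWS credentials as sensitive environment variables (step 2.2), a workspace connected to the Git repository through the VCS provider's OAuth Token ID (step 3), and a request helper that authenticates with the API token (step 4). It refuses to build either credential variable without the sensitive flag and includes a redaction helper so payloads can be logged without exposing the secret key. Endpoint paths and payload shapes follow the public Terraform Cloud API v2; the `TF_URL` and `TF_TOKEN` environment variable names, the ids `ot-EXAMPLE` and `ws-EXAMPLE`, and the sample credential values are placeholders chosen for this example.

```python
"""Terraform Cloud/Enterprise API payloads for the CAM setup steps.

Added example; not the KB's, CAM's or HashiCorp's code. Paths and
JSON:API shapes follow the public Terraform Cloud API v2. All ids and
credential values below are placeholders.
"""
import json
import os
import re
import urllib.request

# Terraform URL recorded in step 2.1; TFE users set TF_URL to their server.
TFC_URL = os.environ.get("TF_URL", "https://app.terraform.io")

# The two environment variables created in step 2.2. They may only ever
# be stored as sensitive variables.
CREDENTIAL_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def var_attributes(key, value, category, sensitive=None, hcl=False):
    """JSON:API attributes for one variable; forces the sensitive flag on credentials."""
    if category not in ("env", "terraform"):
        raise ValueError(f"unknown variable category {category!r}")
    if key in CREDENTIAL_KEYS:
        if sensitive is False:
            raise ValueError(f"{key} must be stored as a sensitive variable")
        sensitive = True
    return {"key": key, "value": value, "category": category,
            "hcl": hcl, "sensitive": bool(sensitive)}


def credential_varset_payload(name, access_key, secret_key):
    """Variable set applied globally to every workspace in the org (step 2.2)."""
    variables = [
        {"type": "vars", "attributes": var_attributes("AWS_ACCESS_KEY_ID", access_key, "env")},
        {"type": "vars", "attributes": var_attributes("AWS_SECRET_ACCESS_KEY", secret_key, "env")},
    ]
    return {"data": {
        "type": "varsets",
        "attributes": {"name": name, "global": True,
                       "description": "AWS credentials for CAM account creation"},
        "relationships": {"vars": {"data": variables}},
    }}


def workspace_payload(name, vcs_identifier, oauth_token_id, branch=""):
    """Workspace bound to the Git repo via the VCS provider's OAuth Token ID (step 3)."""
    if not re.fullmatch(r"[\w.-]+/[\w.-]+", vcs_identifier):
        raise ValueError("VCS identifier must look like owner/repository")
    if not oauth_token_id.startswith("ot-"):
        raise ValueError("expected the 'ot-...' OAuth Token ID from the VCS provider page, "
                         "not the API token")
    return {"data": {
        "type": "workspaces",
        "attributes": {"name": name, "auto-apply": False,
                       "vcs-repo": {"identifier": vcs_identifier,
                                    "oauth-token-id": oauth_token_id,
                                    "branch": branch}},
    }}


def redact(obj):
    """Copy of a payload with every sensitive variable's value masked, safe to log."""
    if isinstance(obj, dict):
        out = {k: redact(v) for k, v in obj.items()}
        if out.get("sensitive") is True and "value" in out:
            out["value"] = "***"
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def tfc_request(method, path, api_token, payload=None):
    """Send one authenticated JSON:API request using the step 4 token (network; not run on import)."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{TFC_URL}/api/v2{path}", data=body, method=method,
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    org = os.environ.get("TF_ORG", "my-cam-org")            # placeholder org name
    varset = credential_varset_payload("AWS credentials", "AKIA-PLACEHOLDER", "secret-PLACEHOLDER")
    workspace = workspace_payload("cam-aws-accounts", "mygitaccount/cam-create-aws-account", "ot-EXAMPLE")
    print(json.dumps(redact(varset), indent=2))              # secret values shown as ***
    print(json.dumps(workspace, indent=2))
    if "TF_TOKEN" in os.environ:                             # only talks to the API when a token is set
        tfc_request("POST", f"/organizations/{org}/varsets", os.environ["TF_TOKEN"], varset)
        tfc_request("POST", f"/organizations/{org}/workspaces", os.environ["TF_TOKEN"], workspace)
```

Logging only the `redact()` output from the playbook keeps the secret key out of ServiceNow logs, and the `ot-` prefix check catches the common mistake of pasting the API token where the OAuth Token ID belongs.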