Eventbrite's Multi-AWS Account Strategy Using AWS Terraform Landing Zone - HashiConf Digital 2020
Introduction
- Speakers: Maddie and Luca from the Site Reliability Engineering team at Eventbrite
- Objective: Discuss the use of AWS Terraform Landing Zone at Eventbrite for a multi-AWS account strategy
- Goals: Provide an understanding of the accelerator, its potential benefits, and the work involved in implementation
Eventbrite's Journey
- Started as a small startup with 30 engineers -> grew to 300+ engineers across multiple time zones
- Transitioned from a monolithic architecture to microservices for better deployment, ownership, and reliability
- The need for clear ownership, efficient development, and reliable systems led to adopting a multi-AWS account strategy
Multi-AWS Account Strategy Requirements
- Governance
  - High walls of isolation between domains
  - SRE ownership of networking and shared infrastructure components
  - Enforcement of security policies across accounts
- Security Control & Compliance
  - Control services and actions via policies
- Automation
  - Fully automated creation of domains
  - Infrastructure as code (IaC) for AWS and third-party integrations
Choosing AWS Terraform Landing Zone (TLZ)
- Evaluated AWS Control Tower (manual configuration limitations & lack of Okta integration)
- Evaluated AWS Landing Zone (mature but limited, AWS-centric, uses CloudFormation)
- AWS Terraform Landing Zone (TLZ): Codifies security/compliance best practices and provides automation pattern
Components of TLZ
- Automation Code
  - Baselining of application AWS accounts and core accounts (logging, security, shared services, networking)
- Account Vending Machine (AVM)
  - Automates account creation and setup using DynamoDB and Lambda functions
- Terraform Enterprise or Cloud
  - Key for automation and infrastructure management by developers
Implementation & Adaptation
- Forked early version of TLZ; two engineers worked full-time for three months
- Key adaptations for TLZ:
  - Terraform-based account requests via pull requests
  - Building the required automation steps (interacting with third-party providers)
  - Core network configuration (event-driven architecture)
  - Shared services (e.g., Terraform Enterprise, VCS provider)
  - Unified baselines for accounts to avoid drift
Developer's Journey in Requesting an Account
- Create a pull request for account request
- SRE approves and merges PR
- Terraform plan and apply initiated
- Account vending process triggered
- New AWS account and infrastructure ready for use with necessary integrations
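The account-request step of this journey, written as an added Terraform example (not Eventbrite's or TLZ's own code). A developer opens a pull request that adds one entry to the `account_requests` map; after SRE review and merge, Terraform writes the request as an item into the Account Vending Machine's DynamoDB table, where the AVM Lambda picks it up. The table name `avm-account-requests`, the item attributes, the allowed OUs and environments, and the email domain are all assumptions. Preconditions reject malformed requests at plan time, so a typo cannot vend an account outside the baseline; they require Terraform 1.2 or later.

```hcl
# Added example: an account request expressed as Terraform and submitted via PR.
# Table name, key names, attribute set and allowed values are assumptions,
# not Eventbrite's or TLZ's actual schema.

terraform {
  required_version = ">= 1.2"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# One entry per requested domain account; a pull request adds a new key here.
variable "account_requests" {
  type = map(object({
    email       = string # root email for the new account
    ou          = string # target organizational unit
    environment = string # "dev" | "staging" | "prod"
    owner_team  = string # team that owns the domain
  }))
  default = {
    # Constructed sample request for illustration.
    "payments-dev" = {
      email       = "aws+payments-dev@example.com"
      ou          = "workloads"
      environment = "dev"
      owner_team  = "payments"
    }
  }
}

# Allow-lists checked before a request reaches the vending machine.
locals {
  allowed_environments = ["dev", "staging", "prod"]
  allowed_ous          = ["workloads", "sandbox"]
}

# Writing the item is the trigger: the AVM (DynamoDB stream + Lambda) consumes it.
resource "aws_dynamodb_table_item" "account_request" {
  for_each = var.account_requests

  table_name = "avm-account-requests" # assumed AVM table name
  hash_key   = "AccountName"

  # DynamoDB attribute-value JSON, as the resource expects.
  item = jsonencode({
    AccountName = { S = each.key }
    Email       = { S = each.value.email }
    OrgUnit     = { S = each.value.ou }
    Environment = { S = each.value.environment }
    OwnerTeam   = { S = each.value.owner_team }
    RequestedBy = { S = "terraform" }
  })

  lifecycle {
    precondition {
      condition     = contains(local.allowed_environments, each.value.environment)
      error_message = "environment must be one of dev, staging, prod."
    }
    precondition {
      condition     = contains(local.allowed_ous, each.value.ou)
      error_message = "ou must be one of workloads, sandbox."
    }
  }
}
```

Because the request is ordinary Terraform state, removing the map entry in a later PR is visible in the plan as the deletion of the item, which gives reviewers the same audit trail for decommissioning as for creation.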
Security & Compliance
- Default baseline includes security guardrails and auditing
- Networking resources adapted to internal models
- Centralized access management using Terraform Enterprise
- Compliance via SCPs, IAM policies, and Sentinel policies
- Dynamic baseline changes applied uniformly across accounts
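An added example of the kind of guardrail the baseline enforces through SCPs, written as Terraform against the AWS provider (this is not Eventbrite's or TLZ's actual policy content). It builds one service control policy that protects the audit trail, keeps accounts inside the organization, limits activity to approved regions, and prevents an account's own principals from altering the baseline role, then attaches it to an OU. The statement set, the region list, the role name `TLZBaselineRole` and the OU id placeholder are all assumptions; because the policy is attached at the OU level, a change merged here applies uniformly to every account under that OU.

```hcl
# Added example: a baseline guardrail SCP attached to an organizational unit.
# Statements, regions, role name and OU id are assumptions for illustration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0"
    }
  }
}

# Must run with credentials in the organization's management account.
provider "aws" {
  region = "us-east-1"
}

data "aws_iam_policy_document" "baseline_guardrails" {
  # Keep the audit trail intact: no account may stop, delete or alter CloudTrail.
  statement {
    sid       = "ProtectCloudTrail"
    effect    = "Deny"
    actions   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
    resources = ["*"]
  }

  # An account that leaves the organization escapes every SCP, so deny it.
  statement {
    sid       = "DenyLeaveOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }

  # Only approved regions; global services are exempted via not_actions.
  statement {
    sid         = "DenyUnapprovedRegions"
    effect      = "Deny"
    not_actions = ["iam:*", "organizations:*", "sts:*", "support:*", "route53:*", "cloudfront:*"]
    resources   = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["us-east-1", "us-west-2"] # assumed approved regions
    }
  }

  # Only the baseline role itself may change the baseline role (assumed name).
  statement {
    sid    = "ProtectBaselineRole"
    effect = "Deny"
    actions = [
      "iam:DeleteRole",
      "iam:UpdateAssumeRolePolicy",
      "iam:AttachRolePolicy",
      "iam:DetachRolePolicy",
      "iam:PutRolePolicy",
      "iam:DeleteRolePolicy",
    ]
    resources = ["arn:aws:iam::*:role/TLZBaselineRole"]
    condition {
      test     = "StringNotLike"
      variable = "aws:PrincipalARN"
      values   = ["arn:aws:iam::*:role/TLZBaselineRole"]
    }
  }
}

resource "aws_organizations_policy" "baseline_guardrails" {
  name        = "baseline-guardrails"
  description = "Baseline guardrails applied to all vended accounts"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.baseline_guardrails.json
}

# Attaching at the OU level applies the policy to every account beneath it.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.baseline_guardrails.id
  target_id = "ou-xxxx-placeholder" # placeholder: id of the workloads OU
}
```

A useful check before attaching a new statement is to run the management account's CloudTrail history for the actions being denied; any legitimate automation that would be blocked shows up there first, which avoids breaking the baseline's own pipelines.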
The Golden Path
- Predefined architectural and technological guidelines
- Flexible yet consistent technology stack
- Policies enforced at multiple levels (SCPs, IAM, Sentinel)
Key Takeaways
- Worthwhile Investment: Despite the effort, TLZ enabled Eventbrite's multi-AWS account strategy effectively
- Customization Essential: TLZ is not plug-and-play; it requires significant adaptation
- Autonomy with Constraints: Teams keep flexibility while control and consistency are maintained
Conclusion
- Implementation of AWS Terraform Landing Zone is a strategic choice for scaling and managing multiple AWS accounts
- Adopting TLZ significantly improved Eventbrite's infrastructure management and development processes
Thank you for attending HashiConf Digital 2020!
Additional Resources