top of page
Search

Unlock Advanced Templating in AWS Control Tower AFT

Updated: 2 hours ago

Introduction

An AWS Landing Zone is a well-architected multi-account environment for organizations. It’s scalable, secure and allows you to quickly provision AWS Accounts that are compliant with your company standards.


Creating and managing a landing zone at scale is a challenge that a lot of our customers need help with. This is where AWS Control Tower Account Factory for Terraform (AFT) can help.



AFT is an AWS solution that provides a way to provision and customize AWS Accounts with AWS Control Tower using Terraform in a GitOps model at a large scale. You can check our blog post for details on how AFT works under the hood.


AFT uses Jinja as a templating engine so that it can achieve reusability across all accounts. It’s used to pass configuration like regions, account IDs, IAM Roles for the providers and backend configuration to name a few.





Challenge


If we want to pass some account-specific configuration for an account, AFT has the notion of “custom_fields”. This is a module input for the account request that accepts an object whose key/value pairs are added as AWS SSM Parameters in the corresponding account.


The resulting SSM Parameters can then be consumed in the customization by reading them with a data source or via the AWS provided “custom_fields” Terraform module.


What if we want to have account account-specific parameter that’s available to Jinja so we can use it while templating? A valid scenario is to pass specific regions for each account so that we can iterate over them to create providers based on the custom field. 


Solution


This is where API helpers come in. The “pre-api-helpers.sh” shell script is executed in a step before Jinja templating takes place, so it’s in an appropriate place in the pipeline process, but how do we get the data, and how do we pass it to Jinja?


All account requests are stored in DynamoDB tables, including all of the custom fields, and if we inspect one of the vended account Code Pipelines, it contains one Code Build project for global customizations and one for account customizations. If we inspect either of the Code Build buildspec files, we will see how AWSCLI is used to read metadata for the account from DynamoDB and JQ for additional parsing.

We can adopt the same approach to read the account custom fields and save the result in a file which we can then import in the Jinja template files.


Pseudo code for pre-api-helpers.sh:

  • Pull the custom fields from the DynamoDB table for the account that we are going to customize.

  • Parse the response so that we consume only the custom fields that we need.

  • Save the result as a file with the appropriate Jinja syntax.

Pseudo code for use in Jinja templates:

  • Import the file that we created with the pre-API helper script.

  • Reference the variable as needed.


Conclusion


AFT allows us to pass configuration for each account that we can consume in Terraform by the use of custom fields. There are cases where we want to pass this account specific configuration to the templating engine. This can be achieved simply by using the pre-API helpers step. It allows us to build a more flexible Terraform configuration.


About Us

At Several Clouds, we live and breathe the public cloud. Our team is driven by a deep passion for DevOps culture and cloud-native practices, and we’re here to help organizations modernize legacy systems and migrate to the cloud — creating environments that are secure, scalable, and cost-efficient.

Our AWS-certified architects bring hands-on experience across the entire cloud journey — from building strong business cases and designing robust architectures to implementation and ongoing support through detailed playbooks and runbooks.

We support our customers in:

  • Cloud adoption and migrations

  • Cloud training and talent transformation

  • Building secure and compliant cloud environments

  • Implementing DevOps and DevSecOps practices

  • Cost optimization and FinOps

  • Generative AI, Machine Learning, and Big Data

  • Serverless and cloud-native development

Whether you’re just starting out or scaling your cloud footprint, we’re here to guide you every step of the way.

👉 Ready to accelerate your cloud journey? Let’s talk


bottom of page