Automate AWS account creation (1)
Theo Jung
Posted on September 2, 2023
Hello! All Developers!
Lately, I've been using cloud services like AWS and Azure a lot. In the organization I'm part of, we use AWS extensively. In this post, I'd like to discuss infrastructure automation and share how we recently automated user-creation notifications using several AWS services.
I'll explain what prompted us to automate and how we structured it, and I hope you'll have a clear picture by the end of this post.
*Before reading, having some knowledge of Terraform and AWS resources will make it easier to follow along.
Why Automation?
In our organization, we use AWS and Terraform to create AWS user accounts whose user names are the users' email addresses, and then notify the users via email or Slack.
Through this process, we identified two major issues that we wanted to address through automation.
The first issue is the significant communication cost. For each account created, we needed to generate messages with the relevant information and communicate individually with each user. As new users kept coming in, the cost of processing and communication became substantial.
The second issue is the lack of automation in delivering the account information, which increases the likelihood of human error. When console-generated passwords were delivered incorrectly, the result was often a reset request, which required additional processing.
To address these two issues, we came up with the following steps:
- A user (User) requests account creation.
- An administrator (Admin) uses Terraform to create the User resources.
- Automation detects this, sets the user's account password, and sends it via email.
Let's delve into the architecture we established following the above steps.
Architecture
In this process, we used a total of five AWS services:
- IAM (AWS Identity and Access Management)
- EventBridge (AWS EventBridge)
- SNS (AWS Simple Notification Service)
- Lambda (AWS Lambda)
- SES (AWS Simple Email Service)
The overall architecture is as shown in the diagram above.
Before delving into how this architecture operates, it helps to know that when Terraform creates an AWS resource, it calls the AWS API for that resource.
Before this architecture can function, five conditions must be met:
- The domain from which SES sends emails must be verified, and the account must have SES production access (out of the SES sandbox).
- Create a topic and subscription in SNS.
- Configure the SNS subscription with Lambda as its target.
- Set up an EventBridge rule that notifies the SNS topic when the CreateUser API is called.
Once these four conditions are met, the architecture operates as follows:
- When you use Terraform to create User resources, it calls the AWS CreateUser API.
- EventBridge detects the CreateUser call and notifies the target SNS topic.
- The SNS topic's subscription triggers Lambda, which calls the AWS APIs to generate a random password for the user account and create a login profile for the user.
- After creating the login profile, Lambda uses SES to send an email to the user's email address containing the new account information and password.
Through these five steps, we've automated the process of creating accounts and notifying users via email.
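To make the Lambda step concrete, here is an added example of a handler that is not code from the original post: it unwraps the SNS-delivered EventBridge event, generates a random initial password, creates the login profile, and emails it via SES. The sender address, the CloudTrail event shape in the constructed sample, and the assumption that the IAM user name is the user's email address are mine; the clients can be injected so the pure parts run offline.

```python
import json
import secrets
import string

SENDER = "aws-accounts@example.com"  # assumed: an address on the SES-verified domain
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=20):
    """Random initial password containing lower, upper, digit and symbol characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def user_from_sns_record(record):
    """SNS puts the EventBridge event in Sns.Message as a JSON string; return the new user name."""
    event = json.loads(record["Sns"]["Message"])
    detail = event.get("detail", {})
    if detail.get("eventSource") != "iam.amazonaws.com" or detail.get("eventName") != "CreateUser":
        return None  # ignore anything that is not a CreateUser call
    return detail["requestParameters"]["userName"]


def handler(event, context=None, iam=None, ses=None):
    """Lambda entry point; iam/ses clients may be injected for offline testing."""
    if iam is None or ses is None:
        import boto3  # real clients only when nothing was injected
        iam, ses = iam or boto3.client("iam"), ses or boto3.client("ses")
    notified = []
    for record in event.get("Records", []):
        user = user_from_sns_record(record)
        if not user:
            continue
        password = generate_password()
        # Force a change at first login so the emailed password is short-lived.
        iam.create_login_profile(UserName=user, Password=password, PasswordResetRequired=True)
        body = f"User: {user}\nTemporary password: {password}\nYou must change it at first login."
        ses.send_email(Source=SENDER, Destination={"ToAddresses": [user]},  # user name is the email
                       Message={"Subject": {"Data": "Your AWS console account"},
                                "Body": {"Text": {"Data": body}}})
        notified.append(user)
    return notified


# Constructed sample of what SNS hands to Lambda for a CloudTrail CreateUser event.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
               "requestParameters": {"userName": "alice@example.com"}}})}}]}
```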
That concludes the explanation of the architecture. In the next post, I'll provide code implementations and further explanations.