Why
Manual account provisioning produces inconsistent results: tags are forgotten, budget alerts are missing, non-production environments run 24/7 without controls, naming conventions are violated. By the time Finance asks who owns a cost spike, nobody knows. Automated provisioning via IaC eliminates human error, ensures every account is created identically with all required baselines, and reduces provisioning time from days to minutes.
What
Build an account-vending IaC pipeline that, upon approval of an intake request, automatically provisions a new account/subscription/project with: mandatory tags, naming convention, budget alerts, non-prod cost controls (shutdown schedules), policies (tagging enforcement, region restrictions), and CMDB registration.
How
Define the Account Baseline
Document what every new account must include at provisioning time:
| Baseline Component | What It Configures |
|---|---|
| Naming | Account/sub/project name following convention |
| Tags / Labels | All mandatory tags (cost-centre, BU, app, env, owner) |
| Budget alert | Per-account budget with 50%, 80%, 100% thresholds |
| Tagging enforcement policy | Deny policy for missing mandatory tags |
| Region restriction | Restrict to approved regions only |
| Non-prod controls | Shutdown schedule for dev/stg (save ~65% compute) |
| Networking | Peering/transit to hub VPC (if applicable) |
| Logging | Centralised log forwarding to security account |
| CMDB registration | Auto-create CI in ServiceNow / Backstage |
Build the Account Vending Pipeline
AWS — Control Tower Account Factory or Account Factory for Terraform (AFT):
The pipeline is triggered by an approved ITSM ticket (links to S2-01 Intake Process). AFT reads the request metadata (app name, BU, environment, owner) and provisions an account with all baselines.
Azure — Subscription Vending (Bicep/Terraform):
Use the ALZ Subscription Vending module. Input: subscription name, management group (MG) placement, tags, budget, policies. The module creates the subscription, places it in the correct MG, applies policies, and configures budget alerts.
GCP — Project Factory (Terraform):
Use the CFT Project Factory module. Input: project name, folder placement, labels, billing account, budget. The module creates the project, places it in the folder hierarchy, applies org policies, and sets up billing budget alerts.
Add Non-Prod Cost Controls
Non-production environments running 24/7 represent ~65% potential waste on compute resources. Embed shutdown/start schedules into the provisioning baseline:
| Provider | Tool | Mechanism |
|---|---|---|
| AWS | EventBridge + Lambda (or Instance Scheduler) | Tag auto-shutdown: true → Lambda stops instances at 19:00, starts at 07:00 |
| Azure | Azure Automation (Start/Stop VMs) | Runbook targets tagged VMs on schedule |
| GCP | Cloud Scheduler + Cloud Functions | Function stops/starts instances by label |
Apply shutdown schedules by default to all dev and sbx environments; stg environments may opt in; prod is never auto-stopped.
Test and Roll Out Progressively
- Provision 2–3 pilot accounts using the pipeline
- Validate that all baselines are correctly applied
- Confirm CMDB registration, budget alerts, and tag enforcement
- Run a parallel test: provision one account manually vs pipeline — compare completeness
- Roll out to all new account requests
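The following is an added example, not code from the original page or from any vendor module: it models the pipeline step that turns approved intake metadata (app, BU, environment, owner) into the account baseline, applies the non-prod shutdown policy (dev/sbx by default, stg opt-in, prod never), and performs the manual-vs-pipeline completeness comparison used in the pilot. The tag keys follow the baseline table; the naming convention `<bu>-<app>-<env>`, the tag `auto-shutdown`, and all sample values are assumptions.

```python
"""Account baseline generator and completeness check (illustrative, not the page's own code)."""
from dataclasses import dataclass

MANDATORY_TAGS = ("cost-centre", "bu", "app", "env", "owner")   # from the baseline table
BUDGET_THRESHOLDS = (50, 80, 100)                                 # percent of monthly budget
# Default shutdown policy per environment: dev/sbx always, stg opt-in, prod never.
SHUTDOWN_DEFAULT = {"dev": True, "sbx": True, "stg": False, "prod": False}


@dataclass
class AccountRequest:
    """Metadata read from the approved ITSM intake ticket (field names are assumed)."""
    app: str
    bu: str
    env: str
    owner: str
    cost_centre: str
    monthly_budget: int
    stg_opt_in_shutdown: bool = False   # only honoured for env == "stg"


def build_baseline(req: AccountRequest) -> dict:
    """Translate an intake request into the baseline every new account must receive."""
    if req.env not in SHUTDOWN_DEFAULT:
        raise ValueError(f"unknown environment {req.env!r}")
    # prod can never opt in; stg may; dev/sbx are always scheduled.
    shutdown = SHUTDOWN_DEFAULT[req.env] or (req.env == "stg" and req.stg_opt_in_shutdown)
    return {
        "name": f"{req.bu}-{req.app}-{req.env}".lower(),   # assumed naming convention
        "tags": {"cost-centre": req.cost_centre, "bu": req.bu, "app": req.app,
                 "env": req.env, "owner": req.owner, "auto-shutdown": str(shutdown).lower()},
        "budget_alerts": [req.monthly_budget * p // 100 for p in BUDGET_THRESHOLDS],
        "shutdown_schedule": {"stop": "19:00", "start": "07:00"} if shutdown else None,
    }


def check_completeness(provisioned: dict, baseline: dict) -> list:
    """Compare a provisioned account against its baseline; an empty list means compliant."""
    findings = []
    if provisioned.get("name") != baseline["name"]:
        findings.append("name violates convention")
    for key in MANDATORY_TAGS:
        if key not in provisioned.get("tags", {}):
            findings.append(f"missing mandatory tag: {key}")
    if sorted(provisioned.get("budget_alerts", [])) != baseline["budget_alerts"]:
        findings.append("budget alert thresholds differ from 50/80/100%")
    if provisioned.get("shutdown_schedule") != baseline["shutdown_schedule"]:
        findings.append("non-prod shutdown schedule not applied as required")
    return findings
```

Running `check_completeness` on a manually created account versus the generated baseline reproduces the pilot's parallel test: every finding is a baseline component the manual process missed.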
Deliverable Checklist
- Account baseline documented (tags, budget, policies, networking, logging)
- Account vending IaC pipeline operational per provider
- Non-prod shutdown schedules embedded in provisioning
- CMDB auto-registration confirmed
- Budget alerts confirmed to fire at thresholds
- Tag enforcement policies active on new accounts
- Pilot accounts validated
- All new account requests routed through pipeline