AWS Podcast Episode #745 Summary
Title: Accelerating Cloud Migration: How Occidental Petroleum Transformed with Terraform and AFT
Release Date: November 10, 2025
Host: Simon Elisha
Guests:
- Brian Moore (Cloud Architect, Occidental Petroleum)
- Chris Spitzenberger (Sr. Solutions Architect, AWS)
Overview of the Episode
This episode explores Occidental Petroleum's (“Oxy”) ambitious cloud migration journey, focusing on their use of Terraform and AWS Account Factory for Terraform (AFT) to automate, standardize, and accelerate their AWS adoption at scale. Host Simon Elisha, along with Oxy’s Brian Moore and AWS’s Chris Spitzenberger, delves into the technical strategies, lessons learned, and organizational culture shifts required for such a digital transformation, particularly in a global enterprise context.
Key Discussion Points & Insights
1. Oxy’s Global Cloud Transformation Mandate
- Oxy is a multinational oil, gas, and chemicals company with broad operations (Oman, Algeria, South America, etc.).
- Global digital transformation became a necessity due to the complexity and scale of worldwide operations.
  “The need for digital transformation around the globe really drove the need for us to move into the cloud.” — Brian Moore [01:14]
- Initial cloud efforts were on Azure but shifted to AWS for enterprise-wide adoption.
- Architectural initiatives such as their industry-leading data mesh required managing and automating hundreds of AWS accounts.
2. Choosing Terraform and AWS Account Factory for Terraform (AFT)
- Oxy’s core philosophy: automation and “infrastructure as code” wherever possible.
- Chose Terraform for its ubiquity and maturity:
  “With Terraform, it's sort of the key to the city in the cloud. ... Lessons have been learned in the past of, let's not go down [building in-house solutions] again. Let's go with the gold standard.” — Brian Moore [04:28]
- Importance of not reinventing the wheel: leveraging vendor-maintained frameworks ensures feature updates and support.
- AFT (Account Factory for Terraform) bridges Terraform automation with AWS Control Tower for scalable account provisioning and baseline setups (including networking and resource configuration).
3. Implementation Details & Technical Highlights
- AFT’s lifecycle hooks support deep customization per account type (public, sandbox, production), allowing account provisioning to include precise networking, connections to services like HashiCorp Vault, and more.
- Code generation and Terraform modularity were used to accelerate set-up and facilitate rapid changes.
- Centralization & Standardization:
  - Network and security architectures (VPCs, subnets, firewalls) were standardized using Terraform modules and AFT.
  - Dynamic IP address management via AWS IPAM, eliminating manual management and spreadsheet tracking.
  - Integration with Palo Alto Panorama automated firewall provisioning and policy based on account tags.
  “We actually set up an integration with Palo Alto Panorama...dynamically set up that entire VPC into our network inspection process, which is a pretty cool integration.” — Chris Spitzenberger [12:58]
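The per-account-type customization and IPAM-driven addressing described above, as an added example (not code from the episode, from Oxy, or from the AFT project itself). It uses AFT's two standard repositories: an account request that tags the new account with its type and names a customization set, and the Terraform that AFT then runs inside the vended account. Assumptions: the module path, the `sandbox` customization name, the `ipam_pool_id` and `vpc_netmask_bits` custom fields together with the `/aft/account-request/custom-fields/<key>` SSM parameter path AFT uses to surface custom fields in the vended account, and every account name, e-mail address and pool ID, which are constructed placeholders.

```hcl
# --- aft-account-request/terraform/sandbox-analytics.tf (assumed file name) ---
# Added example, not Oxy's or AFT's own code. The account tags drive downstream
# tag-based automation (firewall policy, inspection routing), and the
# customizations name selects which Terraform runs inside the new account.
module "sandbox_analytics_account" {
  source = "./modules/aft-account-request" # standard AFT module path (assumed)

  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-analytics@example.com" # constructed
    AccountName               = "sandbox-analytics"                 # constructed
    ManagedOrganizationalUnit = "Sandbox"                           # constructed OU
    SSOUserEmail              = "platform-team@example.com"         # constructed
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Team"
  }

  account_tags = {
    AccountType = "sandbox" # consumed by tag-based policy downstream
    ManagedBy   = "AFT"     # marker tag: "do not edit by hand"
  }

  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "new sandbox account for analytics experiments"
  }

  # Free-form values AFT exposes to the vended account as SSM parameters
  # under /aft/account-request/custom-fields/<key> (assumed path).
  custom_fields = {
    ipam_pool_id     = "ipam-pool-PLACEHOLDER" # IPAM pool shared to this OU
    vpc_netmask_bits = "24"
  }

  # Runs aft-account-customizations/sandbox/terraform/ against the new account.
  account_customizations_name = "sandbox"
}

# --- aft-account-customizations/sandbox/terraform/vpc.tf (assumed file name) ---
# Executed in the vended account by AFT's customization pipeline. The CIDR is
# allocated from IPAM, so there is no spreadsheet and no overlap between accounts.
data "aws_ssm_parameter" "ipam_pool_id" {
  name = "/aft/account-request/custom-fields/ipam_pool_id"
}

data "aws_ssm_parameter" "vpc_netmask_bits" {
  name = "/aft/account-request/custom-fields/vpc_netmask_bits"
}

resource "aws_vpc" "main" {
  ipv4_ipam_pool_id   = data.aws_ssm_parameter.ipam_pool_id.value
  ipv4_netmask_length = tonumber(data.aws_ssm_parameter.vpc_netmask_bits.value)

  tags = {
    Name      = "sandbox-vpc"
    ManagedBy = "AFT" # the same marker an SCP or firewall automation can key on
  }
}
```

A different account type (production, public) would simply be a second customization directory selected by `account_customizations_name`, with its own VPC size, endpoints and firewall attachment. Steps that are not Terraform, such as registering the account with an external secrets service, belong in AFT's `api_helpers/pre-api-helpers.sh` and `post-api-helpers.sh` hooks alongside the `terraform/` directory of that customization.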
4. Speed, Efficiency & Impact
- From weeks to hours: teams could request and receive fully provisioned AWS accounts swiftly—even 10 accounts at a time.
- The shift eliminated organizational bottlenecks:
  “It kind of moves the bottleneck elsewhere, but at least it's not us.” — Brian Moore [10:31]
- Architecture evolution: Centralizing VPC endpoints to save costs, quickly rolling out new patterns across 150+ accounts.
5. Lessons Learned & Common Pitfalls
- Risks of “ClickOps”: Ensuring critical resources are not modified manually outside of Terraform control.
  “Someone was in the Panorama console doing Click Ops...now Terraform...just completely broke any connection.” — Brian Moore [14:04]
- Enforcing controls: Using resource tags (e.g., “managed by AFT”) and Service Control Policies (SCP) to block unauthorized changes.
- Keeping pace with cloud/tool evolution: Adapting to new features in the AWS Terraform Provider, sometimes even pre-adoption of new releases.
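One way to enforce the tag-plus-SCP control mentioned above, as an added example (not code from the episode, from Oxy, or from the AFT project): a Service Control Policy that denies mutating EC2 networking calls on resources carrying a `ManagedBy=AFT` marker tag unless the caller is the pipeline's execution role, and that also denies rewriting or deleting that tag so the marker cannot be stripped to escape the first rule. Assumptions: `AWSAFTExecution` as the pipeline role name (AFT's default execution role; substitute the role your pipeline uses), the `ManagedBy` tag key, and the OU ID, which is a placeholder.

```hcl
# Added example, not Oxy's or AFT's own code: an SCP blocking hand-edits to
# AFT-managed network resources. The role name is an assumption.
locals {
  aft_role_pattern = "arn:aws:iam::*:role/AWSAFTExecution"
}

resource "aws_organizations_policy" "protect_aft_network" {
  name        = "protect-aft-managed-network"
  description = "Deny out-of-band changes to AFT-managed networking"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Mutating calls on tagged network objects are denied for everyone
        # except the pipeline role. Only actions that support resource-level
        # tag conditions belong here: aws:ResourceTag is never evaluated for
        # actions that do not, so listing them would give no protection.
        Sid    = "DenyEditsToAftManagedNetwork"
        Effect = "Deny"
        Action = [
          "ec2:DeleteVpc",
          "ec2:ModifyVpcAttribute",
          "ec2:DeleteSubnet",
          "ec2:DeleteRouteTable",
          "ec2:DeleteRoute",
          "ec2:ReplaceRoute",
          "ec2:DeleteVpcEndpoints",
          "ec2:DeleteTransitGatewayVpcAttachment",
          "ec2:DeleteSecurityGroup",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress",
        ]
        Resource = "*"
        Condition = {
          StringEquals = { "aws:ResourceTag/ManagedBy" = "AFT" }
          ArnNotLike   = { "aws:PrincipalArn" = local.aft_role_pattern }
        }
      },
      {
        # Prevent removing or rewriting the marker tag itself, which would
        # otherwise be the easy way around the statement above.
        Sid      = "DenyTamperingWithMarkerTag"
        Effect   = "Deny"
        Action   = ["ec2:CreateTags", "ec2:DeleteTags"]
        Resource = "*"
        Condition = {
          "ForAnyValue:StringEquals" = { "aws:TagKeys" = ["ManagedBy"] }
          ArnNotLike                 = { "aws:PrincipalArn" = local.aft_role_pattern }
        }
      },
    ]
  })
}

# Attach to the OU that holds the vended accounts (ID is a placeholder).
resource "aws_organizations_policy_attachment" "protect_aft_network" {
  policy_id = aws_organizations_policy.protect_aft_network.id
  target_id = "ou-PLACEHOLDER"
}
```

Two caveats a practitioner should keep in mind: SCPs never apply to the organization's management account, and they govern AWS API calls only, so the Panorama console incident quoted above needs a Panorama-side control (which is what the speaker describes looking into). The denials this policy produces appear in CloudTrail as `AccessDenied` errors with the caller's identity, which makes it straightforward to see who is still attempting out-of-band edits and to target the education effort accordingly.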
6. Cultural Shift: Driving Adoption Across the Enterprise
- Combination of high-level education (lunch & learns; presentations) and hands-on mentoring (“pair programming”).
- The importance of demonstrating value and making engineers’ work easier for sustainable adoption:
  “If you can show people that it makes their jobs easier and faster, you're gonna get adoption. If it's just seen as more complicated, then you're not gonna get adoption.” — Simon Elisha [18:34]
- The journey included setbacks, skepticism, and the need for perseverance and systematic upskilling.
Notable Quotes & Memorable Moments
- On automation and reusing proven solutions:
  "Let's not go down that road again. Let's go with the gold standard. Let's go with what we know works, what we're going to support from AWS." — Brian Moore [04:28]
- On Terraform’s flexibility with AFT:
  “It's a skill that we know, but it's a general framework to run any code that we want. And AFT has lots of different hooks...” — Brian Moore [06:17]
- On the productivity change:
  “We could turn around very quickly...just copy pasting some Terraform configuration code...very rapid turnaround.” — Brian Moore [08:40]
- On standard networking and security:
  “When you're stamping out these accounts...you wouldn't have to worry about...overlapping CIDRs. No more spreadsheets.” — Chris Spitzenberger [12:08]
- On pitfalls of out-of-band manual changes:
  “Make sure everyone knows that it's managed by Terraform...we're actually looking at some way in Panorama to define a policy...you can't touch this.” — Brian Moore [15:11]
- On cultural buy-in:
  “Unless you learn to do it yourself, you're never going to take ownership of it.” — Brian Moore [17:13]
Timestamps for Important Segments
- [01:14] — Introduction to Oxy and their digital transformation context
- [04:28] — Why Oxy standardized on Terraform and AFT
- [06:17] — How AFT enables flexible baseline provisioning
- [08:40] — End-user impact: fast, automated account creation
- [10:11] — Bottlenecks eliminated and process optimization
- [12:08] — Technical deep dive: networking automation, IPAM, Palo Alto Panorama integration
- [14:04] — Cultural/operational challenge: “ClickOps” and locking down resources
- [15:40] — Lessons learned and process adjustments (tags, permissions boundaries)
- [17:13] — Driving organization-wide adoption through hands-on support
- [19:01] — The inevitability and importance of automation at scale
Summary
Occidental Petroleum’s transformation is a textbook case of scaling cloud adoption using proven infrastructure-as-code philosophies. By standardizing on Terraform and AWS’s Account Factory for Terraform, they automated account provisioning, enforced security and networking best practices, and fostered a DevOps culture throughout the organization. Their experience highlights not just the technical benefits but the essential organizational learning and change management needed to maintain pace, security, and repeatability in a modern cloud-native enterprise.
