
Orchestrate the Management account

Finally, we reach the point where you actually create the infrastructure in the AWS environment.

Some accounts and layers rely on other accounts or layers already being deployed. These dependencies establish the order in which the layers must be deployed, and we will go through the dependency chains in that order.

Basic Landing Zone AWS Expenses

By default, this AWS Reference Architecture configuration should not incur any costs.

The management account is used to configure and access all accounts managed by AWS Organizations; billing and financial decisions are also enforced through this account.

Deploy the Management account's layers

To begin, place yourself in the management account directory.

cd management

Terraform backend layer

Move into the us-east-1/base-tf-backend directory and run:

leverage terraform init --skip-validation
leverage terraform apply

All apply commands will prompt for confirmation, answer yes when this happens.

More information on terraform init and terraform apply

Now the infrastructure for Terraform state management exists. The next step is to push the local .tfstate to the bucket. To do this, uncomment the backend section of the Terraform configuration in management/base-tf-backend/config.tf:

  backend "s3" {
    key = "management/tf-backend/terraform.tfstate"
  }

And run once more:

leverage terraform init

When prompted, answer yes. Now you can safely remove the terraform.tfstate and terraform.tfstate.backup files that the apply step created.
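The local state file is the only copy of the state until the migration has finished, and state can contain sensitive values, so it is worth checking before deleting it. The following script is an added example, not code from the Leverage project: it deletes the local state files only when the backend "s3" block in config.tf is active (no longer commented out) and Terraform's own backend record in .terraform/terraform.tfstate names an s3 backend. It assumes, as in this guide, that the init step leaves that record inside the layer directory; the sample layer it builds is constructed for the dry run.

```shell
#!/bin/sh
# Added example, not part of the Leverage docs or CLI: a guard for the last step
# of the backend layer. Local terraform.tfstate files are removed only once the
# backend "s3" block is active in config.tf and Terraform has recorded an s3
# backend in .terraform/terraform.tfstate (assumed to live in the layer dir).
set -eu

# True when config.tf contains a backend "s3" block that is not commented out.
backend_block_active() {               # $1 = path to config.tf
  grep -Eq '^[[:space:]]*backend[[:space:]]+"s3"' "$1"
}

# True when Terraform's backend record for the layer says the backend is s3.
backend_initialised() {                # $1 = layer directory
  [ -f "$1/.terraform/terraform.tfstate" ] &&
    grep -Eq '"type":[[:space:]]*"s3"' "$1/.terraform/terraform.tfstate"
}

# Remove the local state copies only when both checks pass; returns 1 otherwise.
cleanup_local_state() {                # $1 = layer directory
  if ! backend_block_active "$1/config.tf"; then
    echo "backend block still commented out in $1/config.tf; keeping local state" >&2
    return 1
  fi
  if ! backend_initialised "$1"; then
    echo "no s3 backend recorded in $1/.terraform; run 'leverage terraform init' first" >&2
    return 1
  fi
  rm -f "$1/terraform.tfstate" "$1/terraform.tfstate.backup"
}

# Constructed sample layer directory. $2 = off leaves the backend block
# commented out (the state before this step); $2 = on mirrors the state after
# uncommenting it and running init.
make_sample_layer() {                  # $1 = directory, $2 = on|off
  mkdir -p "$1/.terraform"
  if [ "$2" = on ]; then prefix=''; else prefix='# '; fi
  cat > "$1/config.tf" <<EOF
terraform {
  required_version = ">= 1.0"
${prefix}  backend "s3" {
${prefix}    key = "management/tf-backend/terraform.tfstate"
${prefix}  }
}
EOF
  if [ "$2" = on ]; then
    printf '{"version": 3, "backend": {"type": "s3"}}\n' > "$1/.terraform/terraform.tfstate"
  fi
  : > "$1/terraform.tfstate"
  : > "$1/terraform.tfstate.backup"
}

# Dry run: the guard refuses on the "before" layout and succeeds on the "after".
demo=$(mktemp -d)
make_sample_layer "$demo/layer" off
cleanup_local_state "$demo/layer" || echo "refused, as expected"
make_sample_layer "$demo/layer" on
cleanup_local_state "$demo/layer" && echo "local state removed"
rm -rf "$demo"
```

Run it from anywhere; in real use, call cleanup_local_state with the path of the base-tf-backend layer after the second leverage terraform init has completed.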

Terraform backend

More information regarding what the Terraform backend is and how Terraform manages state:

Identities layer

The definition for the identities layer is located within the global directory. Move into the global/base-identities directory and run:

leverage terraform init

To manage user credentials securely, every member of the organization who will interact with the AWS environment, and who is therefore listed in the project.yaml configuration file, should create their own GPG key pair. They then export their public key and share the public key file with whoever is in charge of the project infrastructure, so that their respective IAM users can be created. In this guide, that person is you.

Once you have the key files, copy them into the keys subdirectory, naming each file after the user's configured name. For the management account in this guide, we need the keys for kit.walker and natasha.romanoff.

Finally, run:

leverage terraform apply
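The reason the layer wants a public key per user is that the AWS Terraform provider can encrypt freshly created IAM credentials to a PGP public key (the pgp_key argument of aws_iam_access_key and aws_iam_user_login_profile), so that only the key owner can read the encrypted_secret or encrypted_password that ends up in state and outputs. The script below is an added example, not code from the Leverage project: it walks through that round trip with gpg, generating a throwaway key pair for a constructed sample user, exporting the public key as single-line base64 (the form pgp_key accepts), encrypting a sample secret with only the public key on the administrator's side, and decrypting it on the user's side the way one would decrypt a terraform output value. That the identities layer uses exactly these provider arguments, and the file name it expects under keys/, are assumptions; the key pair uses an empty passphrase only so the demo runs unattended.

```shell
#!/bin/sh
# Added example, not part of the Leverage docs or CLI: the GPG round trip behind
# the identities layer. Every gpg call runs in a throwaway GNUPGHOME, so no real
# key ring is touched. Requires gpg >= 2.1.
set -eu

# The user's step: create a key pair. Empty passphrase for the demo only;
# real user keys should carry one.
gen_user_key() {                       # $1 = GNUPGHOME, $2 = user id
  GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never
}

# What the user hands over: the public key as single-line base64, which is the
# value the provider's pgp_key argument accepts (assumed to be what the
# keys/<user> file holds).
export_public_key_b64() {              # $1 = GNUPGHOME, $2 = user id
  GNUPGHOME=$1 gpg --batch --export "$2" | base64 | tr -d '\n'
}

# Simulates the provider on the administrator's side: import only the public
# key, encrypt the new credential to it, and emit base64, the shape of
# encrypted_secret / encrypted_password in state and outputs.
encrypt_for_user() {                   # $1 = GNUPGHOME, $2 = user id, $3 = base64 pubkey, $4 = secret
  printf '%s' "$3" | base64 -d | GNUPGHOME=$1 gpg --batch --quiet --import >/dev/null
  printf '%s' "$4" | GNUPGHOME=$1 gpg --batch --quiet --trust-model always \
      --encrypt --recipient "$2" | base64 | tr -d '\n'
}

# The user's side, equivalent to:
#   terraform output -raw <name> | base64 -d | gpg --decrypt
decrypt_as_user() {                    # $1 = GNUPGHOME, $2 = base64 ciphertext
  printf '%s' "$2" | base64 -d | GNUPGHOME=$1 gpg --batch --quiet \
      --pinentry-mode loopback --passphrase '' --decrypt
}

# Full round trip; prints the recovered secret, or "skipped" when gpg is absent.
gpg_round_trip() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  uid='kit.walker <kit.walker@example.com>'        # constructed sample user
  secret='constructed-sample-secret-access-key'   # constructed sample credential
  user_home=$(mktemp -d)                 # user's ring: holds the private key
  admin_home=$(mktemp -d)                # administrator's ring: public key only

  gen_user_key "$user_home" "$uid"
  pub_b64=$(export_public_key_b64 "$user_home" "$uid")
  cipher_b64=$(encrypt_for_user "$admin_home" "$uid" "$pub_b64" "$secret")
  recovered=$(decrypt_as_user "$user_home" "$cipher_b64")

  GNUPGHOME=$user_home gpgconf --kill all >/dev/null 2>&1 || true
  GNUPGHOME=$admin_home gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$user_home" "$admin_home"
  printf '%s\n' "$recovered"
}

gpg_round_trip
```

The point to notice is that the administrator's ring never holds a private key: the plaintext credential exists only on the user's machine after decryption, which is why the public key file, and not a password, is what gets exchanged before running the layer.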

Organizations layer

Next, in the same fashion as in the previous layer, move into the global/organizations directory and run:

leverage terraform init
leverage terraform apply

The AWS account you created manually is the management account itself, so to prevent Terraform from trying to create it (and failing), its account definition is commented out by default in the code. You now need to make the Terraform state aware of the link between the two. To do that, uncomment the management organizations account resource in accounts.tf:

resource "aws_organizations_account" "management" {
  name  = "${var.project_long}-management"
  email = local.management_account.email
}

Grab the management account id that was automatically filled in for us earlier in the project.yaml file:

...
organization:
  accounts:
    - name: management
      email: myexample-aws@example.com
      id: '000123456789'
...

And run:

leverage terraform import aws_organizations_account.management 000123456789

More information on terraform import
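Copying the id by hand works, but the import step is easy to get wrong (a typo in the id, or running it twice after a partial failure). The following script is an added example, not code from the Leverage project: it reads the management account id from project.yaml in the layout shown above, checks that it is a well-formed twelve-digit account id, and runs the guide's import command only when aws_organizations_account.management is not already tracked in state. The project.yaml it writes for the offline dry run is constructed.

```shell
#!/bin/sh
# Added example, not part of the Leverage docs or CLI: a guarded, re-runnable
# version of the import step. The "leverage terraform" commands are the guide's
# own; the project.yaml layout assumed is the one shown in the guide.
set -eu

# Print the id of the entry named "management" under organization.accounts.
management_account_id() {              # $1 = path to project.yaml
  awk '
    /^[[:space:]]*-[[:space:]]*name:/ { in_item = ($3 == "management") }
    in_item && /^[[:space:]]*id:/     { print $2; exit }
  ' "$1" | tr -d "'\""
}

# AWS account ids are exactly twelve digits; anything else is a config error.
is_account_id() {                      # $1 = candidate id
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Import the existing management account unless Terraform already tracks it.
import_management_account() {          # $1 = path to project.yaml
  id=$(management_account_id "$1")
  if ! is_account_id "$id"; then
    echo "no valid management account id in $1 (got '$id')" >&2
    return 1
  fi
  if leverage terraform state list 2>/dev/null |
       grep -qx 'aws_organizations_account.management'; then
    echo "aws_organizations_account.management already in state; nothing to import"
    return 0
  fi
  leverage terraform import aws_organizations_account.management "$id"
}

# Constructed project.yaml with two accounts, for trying the parser offline.
write_sample_project_yaml() {          # $1 = output path
  cat > "$1" <<'EOF'
project: me
organization:
  accounts:
    - name: security
      email: myexample-aws+security@example.com
      id: '000987654321'
    - name: management
      email: myexample-aws@example.com
      id: '000123456789'
EOF
}

# Dry run of the parser only; import_management_account needs the real layer.
sample=$(mktemp)
write_sample_project_yaml "$sample"
echo "management account id: $(management_account_id "$sample")"
rm -f "$sample"
```

Run import_management_account ../../project.yaml from the global/organizations directory (adjust the relative path to wherever project.yaml sits in your checkout); on a second run it reports that the resource is already in state instead of failing.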

Security layer

The last layer for the management account is the security layer, whose definition is located in us-east-1. Move into the us-east-1/security-base directory and run:

leverage terraform init
leverage terraform apply

Update the bootstrap credentials

Now that the management account has been deployed and, more specifically, all Organizations accounts have been created (in the organizations layer), you need to update the credentials for the bootstrap process before deploying any of the remaining accounts.

This fetches the organization structure from the AWS environment and creates an individual AWS CLI profile for each account. Run:

leverage credentials configure --type BOOTSTRAP --skip-access-keys-setup
[09:08:44.762] INFO     Loading configuration file.
[09:08:44.785] INFO     Loading project environment configuration file.
[09:08:44.791] INFO     Loading Terraform common configuration.
[09:08:53.247] INFO     Configuring assumable roles.
[09:08:53.248] INFO     Fetching organization accounts.
[09:08:55.193] INFO     Backing up account profiles file.
[09:08:55.761] INFO             Configuring profile me-management-oaar
[09:08:59.977] INFO             Configuring profile me-security-oaar
[09:09:04.081] INFO             Configuring profile me-shared-oaar
[09:09:08.305] INFO     Account profiles configured in: /home/user/.aws/me/config
[09:09:08.307] INFO     Updating project's Terraform common configuration.

More information on credentials configure

Next steps

You have successfully orchestrated the management account for your project and configured the credentials for the following steps.

Next, you will orchestrate the remaining accounts: security and shared.