Orchestrate the Management account ¶
You have finally reached the point at which you actually create the infrastructure in your AWS environment.
Some accounts and layers depend on other accounts or layers having been deployed already. These dependencies fix the order in which the layers must be deployed, and we will walk through the dependency chains in that order.
Basic Landing Zone AWS Expenses
By default, this AWS Reference Architecture configuration should not incur any costs.
The management account is used to configure and access all accounts managed by AWS Organizations; billing and financial decisions are also enforced through this account.
Deploy the Management account's layers ¶
To begin, place yourself in the management
account directory.
cd management
Terraform backend layer ¶
Move into the us-east-1/base-tf-backend
directory and run:
leverage terraform init --skip-validation
leverage terraform apply
All apply commands prompt for confirmation; answer yes when they do.
More information on terraform init
and terraform apply
The infrastructure for Terraform state management now exists. The next step is to push the local .tfstate to the bucket that the apply just created. To do this, uncomment the backend section of the terraform block in this layer's config.tf (management/us-east-1/base-tf-backend/config.tf):
backend "s3" {
  key = "management/tf-backend/terraform.tfstate"
}
And run once more:
leverage terraform init
When Terraform asks whether to copy the existing state to the new backend, answer yes. Confirm that the state object now exists in the bucket under the key above; only then remove the local terraform.tfstate and terraform.tfstate.backup files created during the apply step. Local state files hold the full state in plaintext, so they should not linger in the working copy or end up in version control.
Terraform backend
More information on what the Terraform backend is and on Terraform state management:
Identities layer ¶
The definition for the identities layer is located within the global
directory. Move into the global/base-identities
directory and run:
leverage terraform init
To manage users' credentials securely, every member of the organization who will interact with the AWS environment, and who is therefore listed in the project.yaml configuration file, should create a GPG key pair of their own. Each of them then exports their public key and shares that file with whoever is in charge of the project infrastructure, so that their IAM user can be created. In this guide's case, that person is you. The public key is what Terraform uses to encrypt the secrets it generates for the IAM user (such as the console password or access key), so those secrets are only ever handled in encrypted form and can be decrypted solely with the private key, which stays with its owner and is never shared.
Once you have the key files, copy them to the keys subdirectory, naming each file after the user as configured in project.yaml. For the management account in this guide, we need the keys for kit.walker and natasha.romanoff.
Finally, run:
leverage terraform apply
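As an added example (not code from the Leverage project or its documentation), the following POSIX shell script walks through the GPG round trip that makes this scheme work, entirely in throwaway keyrings so it touches nothing on your machine: the user generates a key pair and exports only the public key in the base64 form the AWS provider's pgp_key argument accepts, the provider side encrypts a generated secret to that key from a keyring that holds nothing else, and the user decrypts the result with the private key. The user id, the secret value and the temporary paths are illustrative assumptions; the exact file naming the project expects under keys/ is not shown here.

```shell
#!/bin/sh
# Added example, not code from the Leverage project: the GPG round trip behind the
# identities layer, run entirely in throwaway keyrings. The user id and the secret
# value are made up for the demonstration.
set -eu

# Step 1, on the user's own machine: create a key pair. A real key should carry a
# passphrase; this demo key has none so the script can run unattended.
make_demo_key() {                    # $1 = user id (as configured in project.yaml)
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
}

# Step 2, still on the user's machine: export ONLY the public key, in the form the
# AWS provider's pgp_key argument accepts (binary key, base64-encoded). This string
# is the only thing the user hands to the person running Terraform.
export_pubkey_b64() {                # $1 = user id
    gpg --batch --export "$1" | base64 | tr -d '\n'
}

# Step 3, what the provider does at apply time: encrypt the generated password or
# secret access key to that public key and keep/output only the ciphertext. It is
# simulated here from an admin keyring that holds nothing but the public key, so
# the admin demonstrably cannot read the secret.
encrypt_like_provider() {            # $1 = base64 public key, $2 = plaintext secret
    admin_ring="$(mktemp -d)"; chmod 700 "$admin_ring"
    printf '%s' "$1" | base64 -d \
        | GNUPGHOME="$admin_ring" gpg --batch --quiet --import 2>/dev/null
    # Resolve the fingerprint of the imported key and encrypt to it.
    fpr="$(GNUPGHOME="$admin_ring" gpg --batch --with-colons --list-keys \
        | awk -F: '/^fpr/ { print $10; exit }')"
    printf '%s' "$2" | GNUPGHOME="$admin_ring" gpg --batch --quiet \
        --trust-model always --encrypt --recipient "$fpr" | base64 | tr -d '\n'
    rm -rf "$admin_ring"
}

# Step 4, back on the user's machine: decrypt the value that terraform output
# shows, with the private key that never left this keyring.
decrypt_output() {                   # $1 = base64 ciphertext
    printf '%s' "$1" | base64 -d \
        | gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}

# Whole round trip; prints the recovered secret for comparison with the original.
demo_roundtrip() {                   # $1 = user id, $2 = secret
    make_demo_key "$1"
    pub="$(export_pubkey_b64 "$1")"
    ct="$(encrypt_like_provider "$pub" "$2")"
    decrypt_output "$ct"
}
```

The separation of keyrings in step 3 is the point: the person running Terraform only ever holds public keys, the state file and outputs only ever hold ciphertext, and each user decrypts their own credentials locally.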
Organizations layer ¶
Next, in the same fashion as in the previous layer, move into the global/organizations
directory and run:
leverage terraform init
leverage terraform apply
The AWS account you created manually is the management account itself. To keep Terraform from trying to create it again and failing, that account definition is commented out in the code by default. You now need to tell Terraform that this resource corresponds to the already existing account by importing it into the state. First, uncomment the management organizations account resource in accounts.tf:
resource "aws_organizations_account" "management" {
  name  = "${var.project_long}-management"
  email = local.management_account.email
}
Grab the management account id, which was filled in automatically for us in the project.yaml file:
...
organization:
accounts:
- name: management
email: myexample-aws@example.com
id: '000123456789'
...
And run:
leverage terraform import aws_organizations_account.management 000123456789
After the import, leverage terraform plan should report no changes for this resource. If it proposes to destroy or replace the account, do not apply; check the name and email in accounts.tf against the actual account first.
More information on terraform import
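As an added example (not part of the Leverage project or its documentation), the following POSIX shell script pulls an account id out of project.yaml, checks that it is exactly twelve digits, and only then runs the import followed by a plan. This matters because AWS account ids are twelve-character strings that may begin with zeros, which is why project.yaml quotes the value; any tooling that treats the id as a number drops those zeros and ends up with something that is not a valid account id at all. The sample project.yaml is constructed for the demonstration (the security account's email and id are made up), and the leverage commands are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Leverage project: read the management account id
# from project.yaml without mangling it, validate it, then import and plan.
set -eu

# Constructed sample of the relevant part of project.yaml (the security entry is
# made up; the management entry mirrors the guide).
write_sample_project_yaml() {        # $1 = destination path
    cat > "$1" <<'EOF'
organization:
  accounts:
    - name: management
      email: myexample-aws@example.com
      id: '000123456789'
    - name: security
      email: myexample-aws+security@example.com
      id: '111111111111'
EOF
}

# Print the id of the account named $2 from the project.yaml at $1. Walks the
# organization.accounts list, remembers the current entry's name and prints the
# id of the matching entry with its quotes stripped, leading zeros intact.
account_id_from_yaml() {             # $1 = path to project.yaml, $2 = account name
    awk -v want="$2" '
        /^ *- *name:/ { sub(/^ *- *name: */, ""); current = $0 }
        current == want && /^ *id:/ {
            sub(/^ *id: */, ""); gsub(/["'"'"']/, ""); print; exit
        }' "$1"
}

# Succeed only for exactly twelve decimal digits; everything else is rejected
# before it can reach terraform import.
valid_account_id() {                 # $1 = candidate id
    case "$1" in
        ????????????) case "$1" in *[!0-9]*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# The actual import, then a plan that should propose no change to the account.
# Run this from global/organizations, as the page describes.
import_management_account() {        # $1 = path to project.yaml
    id="$(account_id_from_yaml "$1" management)"
    valid_account_id "$id" || { echo "refusing to import bad account id '$id'" >&2; return 1; }
    leverage terraform import aws_organizations_account.management "$id"
    leverage terraform plan
}
```

Only the last function talks to AWS; the parser and the validator can be exercised offline against the constructed sample, which is what a quick self-check before the real import should do.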
Security layer ¶
The last layer for the management
account is the security layer and its definition is located in us-east-1
. So, move into the us-east-1/security-base
directory and run:
leverage terraform init
leverage terraform apply
Update the bootstrap credentials ¶
Now that the management account has been deployed and, more specifically, all Organizations accounts have been created (in the organizations layer), you need to update the credentials for the bootstrap process before deploying any of the remaining accounts.
The following command fetches the organization structure from the AWS environment and creates an AWS CLI profile for each account. Each profile assumes the OrganizationAccountAccessRole in its account (hence the -oaar suffix); that role is fully privileged, so treat these profiles as bootstrap credentials for this stage rather than as day-to-day access. So, run:
leverage credentials configure --type BOOTSTRAP --skip-access-keys-setup
INFO Updating project's Terraform common configuration.
INFO Loading configuration file.
INFO Loading project environment configuration file.
INFO Loading Terraform common configuration.
INFO Configuring assumable roles.
INFO Fetching organization accounts.
INFO Backing up account profiles file.
INFO Configuring profile me-management-oaar
INFO Configuring profile me-security-oaar
INFO Configuring profile me-shared-oaar
INFO Account profiles configured in: /home/user/.aws/me/config
More information on credentials configure
Next steps ¶
You have successfully orchestrated the management
account for your project and configured the credentials for the following steps.
Next, you will orchestrate the remaining accounts, security
and shared
.