Orchestrate the Security and Shared accounts ¶

Deploy the Security account's layers ¶

The next account to orchestrate is the security account.

This account is intended for centralized user management via a IAM roles based cross organization authentication approach. This means that most of the users for your organization will be defined in this account and those users will access the different accounts through this one.

First, place yourself in the security directory.

cd security

Terraform backend layer ¶

Move into the us-east-1/base-tf-backend directory and run:

leverage terraform init --skip-validation
leverage terraform apply

Now, to push the local .tfstate to the bucket, uncomment the backend section for the terraform configuration in security/base-tf-backend/config.tf

  backend "s3" {
    key = "security/tf-backend/terraform.tfstate"
  }

And run again:

leverage terraform init

When prompted, answer yes.

Now you can safely remove the terraform.tfstate and terraform.tfstate.backup files created during the apply step.

Identities layer ¶

Now, move into the global/base-identities directory, and run:

leverage terraform init

Copy the files fo this accounts' users into the keys subdirectoy. For this guide's case we need the keys files for natasha.romanoff, kit.walker, edward.stark and john.wick.

To prevent Terraform from erroring out you need to import the role OrganizationAccountAccessRole that was already created in the management's account identities layer before deploying this layer.

leverage terraform import module.iam_assumable_role_oaar.aws_iam_role.this[0] OrganizationAccountAccessRole
leverage terraform apply

zsh globbing

Zsh users may need to prepend noglob to the import command for it to be recognized correctly, as an alternative, square brackets can be escaped as \[\]

Security layer ¶

The last layer for the security account is the security layer. Move into the us-east-1/security-base directory and run:

leverage terraform init
leverage terraform apply

Deploy the Shared account's layers ¶

The last account in this deployment is the shared account.

The account's objective is managing infrastructure for shared services and resources like directory services, DNS, VPN, monitoring tools or centralized logging solutions.

Place yourself in the shared directory.

cd shared

Terraform backend layer ¶

Move into the us-east-1/base-tf-backend directory and run:

leverage terraform init --skip-validation
leverage terraform apply

Now, to push the local .tfstate to the bucket, uncomment the backend section for the terraform configuration in shared/base-tf-backend/config.tf

  backend "s3" {
    key = "shared/tf-backend/terraform.tfstate"
  }

And run a second time:

leverage terraform init

When prompted, answer yes.

Now you can safely remove the terraform.tfstate and terraform.tfstate.backup files created during the apply step.

Identities layer ¶

Now move into the global/base-identities directory and run:

leverage terraform init

You also need to import the role OrganizationAccountAccessRole in this layer.

leverage terraform import module.iam_assumable_role_oaar.aws_iam_role.this[0] OrganizationAccountAccessRole
leverage terraform apply

zsh globbing

Zsh users may need to prepend noglob to the import command for it to be recognized correctly, as an alternative, square brackets can be escaped as \[\]

Security layer ¶

Next, move into the us-east-1/security-base directory:

leverage terraform init
leverage terraform apply

Network layer ¶

The last layer for the shared account is the network layer, so move into the us-east-1/base-network directory and run:

leverage terraform init
leverage terraform apply

Next steps ¶

You have now a fully deployed landing zone configuration for the Leverage Reference Architecture for AWS, with its three accounts management, security and shared ready to be used.

Next, you are going to tackle de last steps configuring the credentials for a user to interact with your Leverage project securely.