
Deploying AWS Accounts

This step-by-step process outlines how to deploy AWS accounts using Taskfile workflows and ClickOps steps. This Automated Cold Start Implementation covers necessary preparations, such as configuring the AWS Organization, increasing account quotas, and verifying account configurations. The guide details the deployment processes and post-deployment configurations, including setting up account settings, enabling AWS RAM for Organizations, and performing certain manual configurations via ClickOps.

| # | Step | Action |
|---|---|---|
| 1 | Deploy AWS Organization | `task workflow deploy/organization -f accounts` |
| 2 | Prepare accounts creation | ClickOps |
| 3 | Deploy accounts | `task workflow deploy/accounts -f accounts` |
| 4 | Deploy account settings | `task workflow deploy/account-settings -f accounts` |
| 5 | Finalize account setup | ClickOps |

1 Prepare Account Deployment

Review the "account" configuration in the stack catalog. This is the hardest part to change/fix once the accounts are provisioned. If you aren't confident about the email configuration, account names, or anything else, now is the time to make changes or ask for help.

Terraform Infrastructure Automation for Enterprise Corporation
  • This guide outlines an End-to-end Terraform Infrastructure Automation framework designed for Enterprise Corporations (Security, Compliance, and Governance). The structure leverages Taskfiles and Terraform modules to enforce security, compliance, governance, and scalability while supporting compliance frameworks such as NIST, ISO 27001, and SOC 2.

  • The configuration targets the Core-Root Management Account for managing AWS Organizations and AWS IAM Identity Center (SSO), and Service Control Policies (SCP).

The end-to-end Terraform Infrastructure Automation for Enterprise Corporation (Security, Compliance, and Governance) should double-check the following:

  1. AWS Management Account
  2. Organizations, Identity Center (SSO), and Service Control Policies (SCPs)
     • Check that groups.yml and users.yml in terraform-aws/account/management/identity-center-users-and-groups have the values you expect, especially the account email format
  3. Initialize environment variables (.env):
     AWS_REGION=ap-southeast-2
     AWS_PROFILE=core-root-admin
     AWS_ACCOUNT_ID=1234567890
     ENVIRONMENT=dev
     STACK=management
     BACKEND_BUCKET=terraform-state-backend

| Component | Purpose | Details |
|---|---|---|
| Core-Root Management Account | Centralized billing and governance for the AWS Organization. | Create/manage AWS accounts; set up SCPs; manage centralized CloudTrail logs. |
| AWS Organizations | Hierarchical account structure for enterprise governance. | Enforces guardrails using SCPs; centralized management of accounts and policies. |
| AWS IAM Identity Center (SSO) | Unified identity management across AWS accounts. | Enforces user- and group-based access policies; integration with SAML/IdP. |
| Taskfiles with Terraform | Automated workflows for infrastructure as code (IaC). | Handles environment-specific provisioning; simplifies CI/CD pipelines. |
| Security & Compliance | Implements SCPs and IAM policies for least privilege. | Continuous security scans with TFLint and tfsec; drift detection with driftctl. |
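Because the account catalog is the hardest thing to change once accounts exist, it pays to lint it before anything is provisioned. The following is an added example, not code from the guide or its Taskfiles: the catalog shape (a list of name/email/ou entries) and the plus-addressing email convention `aws+<name>@example.com` are assumptions, so adapt them to your own stacks/catalog/account.yaml.

```python
import re
from collections import Counter

# ASSUMED conventions (not from the guide): one shared mailbox with plus-addressing
# per account, and lowercase kebab-case account names. Adjust to your catalog.
EMAIL_PATTERN = re.compile(r"^aws\+(?P<tag>[a-z0-9-]+)@example\.com$")
NAME_PATTERN = re.compile(r"^[a-z0-9-]{1,50}$")


def validate_accounts(accounts):
    """Lint a list of {name, email, ou} entries; returns findings (empty list = clean)."""
    findings = []
    for name, n in Counter(a.get("name", "") for a in accounts).items():
        if n > 1:
            findings.append(f"account name {name!r} appears {n} times")
    for email, n in Counter(a.get("email", "").lower() for a in accounts).items():
        if n > 1:
            # Every AWS account needs a distinct root email; reuse fails at creation time.
            findings.append(f"email {email!r} is used by {n} accounts")
    for acct in accounts:
        name, email = acct.get("name", ""), acct.get("email", "")
        if not NAME_PATTERN.match(name):
            findings.append(f"name {name!r} is not lowercase alphanumeric/hyphen")
        match = EMAIL_PATTERN.match(email.lower())
        if not match:
            findings.append(f"{name}: email {email!r} does not follow the plus-addressing convention")
        elif match.group("tag") != name:
            # A mismatched tag usually means a copy/paste error in the catalog.
            findings.append(f"{name}: email tag {match.group('tag')!r} does not match the account name")
        if not acct.get("ou"):
            findings.append(f"{name}: no organizational unit (ou) assigned")
    return findings


# Constructed sample catalog with two deliberate mistakes (reused email, uppercase name).
SAMPLE_ACCOUNTS = [
    {"name": "root", "email": "aws+root@example.com", "ou": "core"},
    {"name": "audit", "email": "aws+audit@example.com", "ou": "core"},
    {"name": "dev", "email": "aws+audit@example.com", "ou": "platform"},
    {"name": "Prod", "email": "aws+prod@example.com", "ou": "platform"},
]

if __name__ == "__main__":
    for finding in validate_accounts(SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```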

2 Deploy the AWS Organization

The deploy/organization workflow is defined in the examples/snippets/stacks/workflows/accounts.yaml file. Run it with:

    task workflow deploy/organization -f accounts

3 Configure Root Account as Organization

Before performing the "Deploy Accounts" step, the root account needs to be configured as an AWS Organization.

This process also enables AWS RAM for Organizations via a CLI command, which is required for connecting the Organization.

4 Raise Account Limits

To deploy all accounts, we need to request an increase of the Account Quota from AWS support, which requires an AWS Organization to be created first.

From the root account (not super-admin-user), increase the account quota to 20+ for the DevOps Accelerator reference architecture, or more depending on your business use case.
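Steps 3 and 4 are easy to skip past, so the following added check (not part of the guide) reads the output of three AWS CLI calls run under the management account profile and reports blockers: Organization not fully enabled, RAM trusted access missing, or account quota below the 20 the guide asks for. The JSON below is constructed sample output, and the quota name is assumed to be the one Service Quotas displays for AWS Organizations.

```python
import json

# Run these under the root/management profile (AWS_PROFILE=core-root-admin in the
# guide's .env) and pass the JSON they print to preflight():
#   aws organizations describe-organization
#   aws organizations list-aws-service-access-for-organization
#   aws service-quotas list-service-quotas --service-code organizations
REQUIRED_ACCOUNTS = 20  # the guide's minimum for the reference architecture
# ASSUMPTION: quota name as displayed for AWS Organizations in Service Quotas.
ACCOUNT_QUOTA_NAME = "Default maximum number of accounts"


def preflight(org_json, service_access_json, quotas_json, expected_account_id=None):
    """Return blocking findings for deploy/accounts; an empty list means go."""
    findings = []
    org = json.loads(org_json)["Organization"]
    if expected_account_id and org.get("MasterAccountId") != expected_account_id:
        # Guards against running with the wrong AWS_PROFILE/AWS_ACCOUNT_ID from .env.
        findings.append(f"management account is {org.get('MasterAccountId')}, expected {expected_account_id}")
    if org.get("FeatureSet") != "ALL":
        # SCPs (step 2 of the guide) need all features, not consolidated billing only.
        findings.append(f"organization FeatureSet is {org.get('FeatureSet')!r}, expected 'ALL'")
    enabled = {p["ServicePrincipal"] for p in json.loads(service_access_json)["EnabledServicePrincipals"]}
    if "ram.amazonaws.com" not in enabled:
        findings.append("AWS RAM trusted access is off; run: aws ram enable-sharing-with-aws-organization")
    quotas = json.loads(quotas_json)["Quotas"]
    limit = next((q["Value"] for q in quotas if q["QuotaName"] == ACCOUNT_QUOTA_NAME), None)
    if limit is None:
        findings.append(f"quota {ACCOUNT_QUOTA_NAME!r} not present in service-quotas output")
    elif limit < REQUIRED_ACCOUNTS:
        findings.append(f"account quota is {int(limit)}; request an increase to {REQUIRED_ACCOUNTS}+ from AWS Support")
    return findings


# Constructed sample CLI output: organization is fine, but RAM is off and the quota is still 10.
ORG = '{"Organization": {"Id": "o-example", "FeatureSet": "ALL", "MasterAccountId": "1234567890"}}'
ACCESS = '{"EnabledServicePrincipals": [{"ServicePrincipal": "sso.amazonaws.com"}]}'
QUOTAS = '{"Quotas": [{"QuotaName": "Default maximum number of accounts", "Value": 10.0}]}'

if __name__ == "__main__":
    for finding in preflight(ORG, ACCESS, QUOTAS, expected_account_id="1234567890"):
        print("BLOCKER:", finding)
```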

5 Deploy Accounts

Important:

With the addition of support for dynamic Terraform roles, the baseline cold start reference-architecture layer now requires that the aws-teams and aws-team-roles stacks are configured. This is because account-map uses those stacks to determine which IAM role to assume when running Terraform in each account, and almost every other component uses account-map (indirectly) to choose the role to assume. These components only need to be configured at this point; they do not need to be deployed yet.

Again verify the "account" configuration in stacks/catalog/account.yaml. In the next step, we will create and configure all accounts in the AWS Organization using the configuration in that stack file.

Once confident, begin the accounts deployment:

The deploy/accounts workflow is defined in the examples/snippets/stacks/workflows/accounts.yaml file. Run it with:

    task workflow deploy/accounts -f accounts

These deployments create all AWS member accounts and store the relevant account metadata as "mappings" in the Terraform outputs of the account-map component. Rather than querying the account component each time we need an account ID or role, we provision account-map as a static component whose outputs hold those mappings.

Important:

Always run task terraform apply account-map -s core-gbl-root after provisioning accounts.

Once you've created the accounts, you'll need to provision the baseline configuration within the accounts themselves. Run the following:

The deploy/account-settings workflow is defined in the examples/snippets/stacks/workflows/accounts.yaml file. Run it with:

    task workflow deploy/account-settings -f accounts

The workflow kicks off several sequential Terraform runs that provision the account settings for every member account in the Organization.

6 ClickOps to Complete Account Setup

For each new account, you will need to perform some manual configurations via ClickOps. These configurations include setting up the root account credentials, enabling MFA, and unsubscribing the account's email address from all marketing emails.

  1. Reset the root user password:

    1. Perform a password reset by attempting to log in to the AWS console as a "root user" using that account's email address

    2. Click the "Forgot password?" link

    3. You will receive a password reset link via email, which should be forwarded to the shared Slack channel for automated messages. Click the link

    4. Enter a new password

      Tip:

      Use 1Password to create a password 26-38 characters long, including at least 3 of each class of character: lower case, uppercase, digit, and symbol

    5. Save the email address and generated password as web login credentials in 1Password

    6. Finally, record the account number in a separate field of the 1Password item, and save it. This is optional but recommended.

  2. Configure MFA:

    1. Log in to the AWS console using the new password
    2. Choose "My Security Credentials" from the account dropdown menu
    3. Set up Multi-Factor Authentication (MFA) to use a Virtual MFA device
    4. Save the MFA TOTP key in 1Password with 1Password's "One-Time Password" field
    5. Enter the generated MFA codes in AWS to verify the MFA device
    6. Save the Virtual MFA ARN in the same 1Password entry. We will need this to set up the MFA device for super-admin-user in Leapp.

  3. Enable any necessary optional regions.

  4. Optional, but highly recommended: unsubscribe the account's email address from all marketing emails.

    1. Go to AWS Marketing Preferences
    2. Click "Unsubscribe from Email"
    3. Enter the account's email address
    4. Check "Unsubscribe from all AWS marketing emails"

For more details, review the detailed "AWS Cold Start" documentation.