deployment-runbook
sidebar_position: 1 title: Deployment Runbook description: IAM Identity Center progressive deployment runbook with HITL gates and break-glass procedures tags: [identity-center, deployment, runbook, HITL]
IAM Identity Center — Deployment Runbook
Pre-Deployment Checklist
- AWS Organizations enabled with 3+ member accounts
- IAM Identity Center enabled in us-east-1 (delegated admin if applicable)
- Terraform >= 1.11.0 installed
- AWS provider >= 6.28, < 7.0
- S3 backend configured with native locking (ADR-006)
- HITL approval for production deployment
Deployment Order (Progressive Rollout)
Phase 1: Sandbox (48h soak)
terraform init
terraform plan -out=sandbox.tfplan
terraform apply sandbox.tfplan # HITL reviews plan output
Phase 2: Security Account
Deploy SecurityAudit + ReadOnly permission sets first. Verify CloudTrail logging.
Phase 3: Management Account
Deploy Administrator (break-glass only) + ReadOnly. Verify group membership is empty for break-glass.
Phase 4: Workload Accounts (one at a time)
Deploy PowerUser + ReadOnly per workload account. Verify ABAC attribute propagation.
Rollback Procedure
terraform plan -destroy -target=aws_ssoadmin_account_assignment.account_assignment
terraform apply # HITL confirms destroy plan
RTO: 10-15 minutes per account.
Break-Glass Procedure (ADR-020)
- Add user to
LZBreakGlassgroup via AWS Console - User signs in via SSO portal (1H session max)
- Post-incident: remove user from group within 24H
- File incident report with CloudTrail evidence
HITL Gates�
| Gate | Description |
|---|---|
| H1 | Review and approve terraform plan output |
| H2 | Verify break-glass group is empty post-deploy |
| H3 | Validate ABAC attribute propagation |
| H4 | Sign-off on CloudTrail logging verification |