accounts.yaml in Quickstart #23
-
Hi Folks, Is there a way to have an account be used for multiple stages? I'm early on in working through the reference architecture. I am now at the stage "Prepare Account Deployment" and I am taking heed of the warning, "If you aren't confident about the email configuration, account names, or anything else, now is the time to make changes or ask for help." :) The existing account structure in the accounts.yaml will not work for us. What we want to do is create an OU for each of our customers and then have two accounts for each customer/OU. One would be for "prod" and the other account would be for all their lower environments which can include some, or all of the following: dev, test, staging. In the reference architecture example, there is an OU for "plat" and then a separate account (with an associated stage) for each stage. Questions:
Would something like this work to replace the plat entries in the accounts.yaml?
|
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 7 replies
-
No there is not a way with the Terraform variables inputs for However, I consider this a benefit. When working with highly privileged components, especially the With that said, I think you may be missing a key piece. We try to align any single stage to a single account. A stage and an account are 1:1. So you wouldn't have a |
Beta Was this translation helpful? Give feedback.
-
@GervaisdeM-SpryPoint here's how you can accomplish what you want to do: Solution
OutcomeI tested this locally, and got this: test:
components:
terraform:
account:
atmos_component: account
atmos_manifest: deploy/test
atmos_stack: test
atmos_stack_file: deploy/test
backend: {}
backend_type: ""
command: terraform
component: account
env: {}
inheritance: []
metadata: {}
overrides: {}
providers: {}
remote_state_backend: {}
remote_state_backend_type: ""
settings: {}
stack: test
vars:
account_email_format: aws+cplive-%s@cloudposse.com
account_iam_user_access_to_billing: DENY
aws_service_access_principals:
- cloudtrail.amazonaws.com
- guardduty.amazonaws.com
- ipam.amazonaws.com
- ram.amazonaws.com
- securityhub.amazonaws.com
- servicequotas.amazonaws.com
- sso.amazonaws.com
- auditmanager.amazonaws.com
- config.amazonaws.com
- config-multiaccountsetup.amazonaws.com
- malware-protection.guardduty.amazonaws.com
enabled: true
enabled_policy_types:
- SERVICE_CONTROL_POLICY
- TAG_POLICY
organization_config:
accounts: []
organization:
service_control_policies:
- DenyEC2InstancesWithoutEncryptionInTransit
organizational_units:
- accounts:
- name: core-analytics
stage: analytics
tags:
eks: false
tenant: core
- name: core-artifacts
stage: artifacts
tags:
eks: false
tenant: core
- name: core-audit
stage: audit
tags:
eks: false
tenant: core
- name: core-auto
stage: auto
tags:
eks: true
tenant: core
- name: core-corp
stage: corp
tags:
eks: true
tenant: core
- name: core-dns
stage: dns
tags:
eks: false
tenant: core
- name: core-identity
stage: identity
tags:
eks: false
tenant: core
- name: core-marketplace
stage: marketplace
tags:
eks: false
tenant: core
- name: core-network
stage: network
tags:
eks: false
tenant: core
- name: core-public
stage: public
tags:
eks: false
tenant: core
- name: core-security
stage: security
tags:
eks: false
tenant: core
name: core
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: acme-dev
stage: dev
tags:
eks: true
tenant: acme
- name: acme-sandbox
stage: sandbox
tags:
eks: true
tenant: acme
- name: acme-staging
stage: staging
tags:
eks: true
tenant: acme
- name: acme-prod
stage: prod
tags:
eks: true
tenant: acme
name: acme
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: foo-dev
stage: dev
tags:
eks: true
tenant: foo
- name: foo-sandbox
stage: sandbox
tags:
eks: true
tenant: foo
- name: foo-staging
stage: staging
tags:
eks: true
tenant: foo
- name: foo-prod
stage: prod
tags:
eks: true
tenant: foo
name: foo
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: bar-dev
stage: dev
tags:
eks: true
tenant: bar
- name: bar-sandbox
stage: sandbox
tags:
eks: true
tenant: bar
- name: bar-staging
stage: staging
tags:
eks: true
tenant: bar
- name: bar-prod
stage: prod
tags:
eks: true
tenant: bar
name: bar
service_control_policies:
- DenyLeavingOrganization
root_account:
name: core-root
stage: root
tags:
eks: false
organization_enabled: true
service_control_policies_config_paths: []
stage: test
workspace: test |
Beta Was this translation helpful? Give feedback.
-
Thanks for all the input. I love your template @osterman and I see how I might even extend it so that I can only create an account for stages that certain customers have (as not all of them have all stages). My concern and reason for my question is with the amount of customers and stages that we have today, I will have to create hundreds of accounts. We plan to grow aggressively and will end up creating many, many more. I was also considering some cost savings... For example, all non-prod could share a database (Aurora Serverless) or ecs (Fargate) cluster. |
Beta Was this translation helpful? Give feedback.
@GervaisdeM-SpryPoint here's how you can accomplish what you want to do:
Solution
catalog/account.yaml
tocatalog/account.yaml.tmpl
account.yaml.tmpl
like this: