Cloud Posse
accounts.yaml in Quickstart #23
-
|
Hi Folks, Is there a way to have an account be used for multiple stages? I'm early on in working through the reference architecture. I am now at the stage "Prepare Account Deployment" and I am taking heed of the warning, "If you aren't confident about the email configuration, account names, or anything else, now is the time to make changes or ask for help." :) The existing account structure in the accounts.yaml will not work for us. What we want to do is create an OU for each of our customers and then have two accounts for each customer/OU. One would be for "prod" and the other account would be for all their lower environments which can include some, or all of the following: dev, test, staging. In the reference architecture example, there is an OU for "plat" and then a separate account (with an associated stage) for each stage. Questions:
Would something like this work to replace the plat entries in the accounts.yaml? |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 7 replies
-
|
No there is not a way with the Terraform variables inputs for However, I consider this a benefit. When working with highly privileged components, especially the With that said, I think you may be missing a key piece. We try to align any single stage to a single account. A stage and an account are 1:1. So you wouldn't have a |
Beta Was this translation helpful? Give feedback.
-
|
@milldr I think it's possible using YAML anchors. |
Beta Was this translation helpful? Give feedback.
-
|
I thought that as well, but each account needs the tenant and name defined. It may be possible. But it's over-complicating a sensitive configuration, so I stick by my argument |
Beta Was this translation helpful? Give feedback.
-
|
Nevermind, since the account names contain the OU, there's no way to use YAML anchors. |
Beta Was this translation helpful? Give feedback.
-
|
Ok, so the other way may be to templatize the account config. Then pass the list of tenants in the context to the import. Then you can create a proper factory. |
Beta Was this translation helpful? Give feedback.
-
|
@GervaisdeM-SpryPoint here's how you can accomplish what you want to do: Solution
OutcomeI tested this locally, and got this: test:
components:
terraform:
account:
atmos_component: account
atmos_manifest: deploy/test
atmos_stack: test
atmos_stack_file: deploy/test
backend: {}
backend_type: ""
command: terraform
component: account
env: {}
inheritance: []
metadata: {}
overrides: {}
providers: {}
remote_state_backend: {}
remote_state_backend_type: ""
settings: {}
stack: test
vars:
account_email_format: aws+cplive-%[email protected]
account_iam_user_access_to_billing: DENY
aws_service_access_principals:
- cloudtrail.amazonaws.com
- guardduty.amazonaws.com
- ipam.amazonaws.com
- ram.amazonaws.com
- securityhub.amazonaws.com
- servicequotas.amazonaws.com
- sso.amazonaws.com
- auditmanager.amazonaws.com
- config.amazonaws.com
- config-multiaccountsetup.amazonaws.com
- malware-protection.guardduty.amazonaws.com
enabled: true
enabled_policy_types:
- SERVICE_CONTROL_POLICY
- TAG_POLICY
organization_config:
accounts: []
organization:
service_control_policies:
- DenyEC2InstancesWithoutEncryptionInTransit
organizational_units:
- accounts:
- name: core-analytics
stage: analytics
tags:
eks: false
tenant: core
- name: core-artifacts
stage: artifacts
tags:
eks: false
tenant: core
- name: core-audit
stage: audit
tags:
eks: false
tenant: core
- name: core-auto
stage: auto
tags:
eks: true
tenant: core
- name: core-corp
stage: corp
tags:
eks: true
tenant: core
- name: core-dns
stage: dns
tags:
eks: false
tenant: core
- name: core-identity
stage: identity
tags:
eks: false
tenant: core
- name: core-marketplace
stage: marketplace
tags:
eks: false
tenant: core
- name: core-network
stage: network
tags:
eks: false
tenant: core
- name: core-public
stage: public
tags:
eks: false
tenant: core
- name: core-security
stage: security
tags:
eks: false
tenant: core
name: core
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: acme-dev
stage: dev
tags:
eks: true
tenant: acme
- name: acme-sandbox
stage: sandbox
tags:
eks: true
tenant: acme
- name: acme-staging
stage: staging
tags:
eks: true
tenant: acme
- name: acme-prod
stage: prod
tags:
eks: true
tenant: acme
name: acme
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: foo-dev
stage: dev
tags:
eks: true
tenant: foo
- name: foo-sandbox
stage: sandbox
tags:
eks: true
tenant: foo
- name: foo-staging
stage: staging
tags:
eks: true
tenant: foo
- name: foo-prod
stage: prod
tags:
eks: true
tenant: foo
name: foo
service_control_policies:
- DenyLeavingOrganization
- accounts:
- name: bar-dev
stage: dev
tags:
eks: true
tenant: bar
- name: bar-sandbox
stage: sandbox
tags:
eks: true
tenant: bar
- name: bar-staging
stage: staging
tags:
eks: true
tenant: bar
- name: bar-prod
stage: prod
tags:
eks: true
tenant: bar
name: bar
service_control_policies:
- DenyLeavingOrganization
root_account:
name: core-root
stage: root
tags:
eks: false
organization_enabled: true
service_control_policies_config_paths: []
stage: test
workspace: test |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for all the input. I love your template @osterman and I see how I might even extend it so that I can only create an account for stages that certain customers have (as not all of them have all stages). My concern and reason for my question is with the amount of customers and stages that we have today, I will have to create hundreds of accounts. We plan to grow aggressively and will end up creating many, many more. I was also considering some cost savings... For example, all non-prod could share a database (Aurora Serverless) or ecs (Fargate) cluster. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, so there are tons of things that can be done to keep configurations DRY. Almost always, the concern is making them overly DRY. As you come across other specific challenges, share them here and we can some techniques on optimizing them. |
Beta Was this translation helpful? Give feedback.
-
How do you feel about my concern that I would end up creating about 400 accounts if I try to create 1 for every tenant-stage? |
Beta Was this translation helpful? Give feedback.
-
|
There's no technical limitation for this. You will need to talk to AWS about increasing your limits, if you do go down this route. The real risk could be financial. Does your revenue per tenant financially support a fully dedicated account (e.g. with VPC, NAT gateways, load balancers, etc) |
Beta Was this translation helpful? Give feedback.
@GervaisdeM-SpryPoint here's how you can accomplish what you want to do:
Solution
catalog/account.yamltocatalog/account.yaml.tmplaccount.yaml.tmpllike this: