After doing this over and over across different companies, I decided to write my own code for deploying a basic landing zone while I was between jobs. This template will work over an existing Amazon Organisations ID and its management account to deploy the following:
- Transit Gateway
- Terraform state buckets being replicated to the Backup Account.
- Go to the file
general.tfvars
in the root directory and fill the default options for all deployments. - Look into the
/accounts
directory and delete the accounts that are not needed.- Remember to update the general
Makefile
removing the accounts references there too.
- Remember to update the general
- Search across all the files for
TO_FILL
, it will point to parts of the files you probably need to pay attention to. - On the management account, deploy the content of the
clz-tfstate
directory, this will create the first bucket that will contain the CLZ terraform state. All the other components' deployments will use S3 to store their TF states.
-
Execute script to create required files for new account from template.
./create_account.sh <ACCOUNT_NAME>
This will create all the terraform file to create default configuration.
-
Commit and merge/apply the Management account directory only.
-
Once the Management account directory has been applied, add the new account number to the table below then commit the new account directory and create CI build step. Then merge/apply.
-
Manual Steps to ensure account is secure:
A. Create a strong password on the account. Using the email and forgot password link. Generate a random min 16 character password, upper and lower alphanumeric plus special.
B. Login with new credentials.
C. Go to "My security credentials" and get the root AWS account yubikey and configure MFA, using U2F security key.
D. Set security questions using security response 1, 2 & 3. Set them to random generated docker names. This can be done here: https://gist.github.com/YumaInaura/0c8de43e3342db53059584661d0b491e#example-use-names-generator-directly
E. Unsubscribe email from marketing lists.
This table is very useful to keep track of the existing AWS accounts.
Name | IAM Alias | Number | Purpose | DNS Prefix | Notes | |
---|---|---|---|---|---|---|
management | my-company-management | 012345678900 | [email protected] | Management Account organisation billing account | ||
backup | my-company-backup | 012345678900 | [email protected] | Storage backup account contains all replicated buckets incase of disaster or compromise of main accounts | ||
network | my-company-network | 012345678900 | [email protected] | Contains all shared networking components, Transit Gateway, main Route53 domain, etc... | ||
audit | my-company-audit | 012345678900 | [email protected] | Centralised Cloudtrail and Cloudwatch logs | ||
shared_services_live | my-company-shared-services-live | 012345678900 | [email protected] | Shared Services Live production account | live.services | |
shared_services_non_live | my-company-shared-services-non-live | 012345678900 | [email protected] | Shared Services Non-Live development, test, pre-prod account | nonlive.services | |
project-a_live | my-company-project-a-live | 012345678900 | [email protected] | Project A Live production account | live.project-a | |
project-a_non_live | my-company-project-a-non-live | 012345678900 | [email protected] | Project A Non-Live development, test, pre-prod account | nonlive.project-a | |
project-b_live | my-company-project-b-live | 012345678900 | [email protected] | Project B Live production account | live.project-b | |
project-b_non_live | my-company-project-b-non-live | 012345678900 | [email protected] | Project B Non-Live development, test, pre-prod account | nonlive.project-b | |
sandbox | my-company-sandbox | 012345678900 | [email protected] | Sandbox experimentation account | sandbox |
Name | IAM Alias | Number | Purpose | Notes | |
---|---|---|---|---|---|