# Accounts Layer Workflows
#
# These workflows are used for the quickstart setup of the accounts layer.
# They automate the deployment of AWS Organization, accounts, and baseline
# infrastructure including Terraform state backend, CloudTrail, and ECR.
#
# Documentation: https://docs.cloudposse.com/layers/accounts/
#
# Usage:
# atmos workflow all -f quickstart/foundation/accounts
# atmos workflow deploy/accounts -f quickstart/foundation/accounts
#
# Available workflows:
# - all: Deploy complete accounts layer
# - vendor: Pull required components
# - init/tfstate: Initialize Terraform state backend (first-time only)
# - deploy/tfstate: Deploy Terraform state backend
# - deploy/organization: Create AWS Organization
# - deploy/organizational-units: Deploy Organizational Units
# - deploy/accounts: Provision AWS accounts
# - deploy/scps: Deploy Service Control Policies
# - deploy/aws-account-settings: Configure account settings
# - deploy/budgets: Deploy budgets to all accounts
# - deploy/cloudtrail: Enable CloudTrail logging
# - deploy/ecr: Deploy ECR registry
#
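# Workflow definitions for the accounts layer. Steps without `type: shell`
# are Atmos subcommands (see the `atmos workflow ...` usage above); steps
# with `type: shell` are run as shell commands.
workflows:
  # Runs every sub-workflow in this file in sequence: vendoring first, then
  # the state backend, the Organization and its accounts, and finally the
  # per-account baseline (settings, budgets, CloudTrail, ECR).
  all:
    description: Deploy complete accounts layer
    steps:
      - command: workflow vendor -f quickstart/foundation/accounts
      - command: workflow init/tfstate -f quickstart/foundation/accounts
      - command: workflow deploy/tfstate -f quickstart/foundation/accounts
      - command: workflow deploy/organization -f quickstart/foundation/accounts
      - command: workflow deploy/organizational-units -f quickstart/foundation/accounts
      - command: workflow deploy/accounts -f quickstart/foundation/accounts
      - command: workflow deploy/scps -f quickstart/foundation/accounts
      - command: workflow deploy/aws-account-settings -f quickstart/foundation/accounts
      - command: workflow deploy/budgets -f quickstart/foundation/accounts
      - command: workflow deploy/cloudtrail -f quickstart/foundation/accounts
      - command: workflow deploy/ecr -f quickstart/foundation/accounts

  # Pulls every component the other workflows deploy.
  # NOTE(review): account-quotas is vendored here, but no workflow in this
  # file deploys it - confirm it is deployed elsewhere or drop the pull.
  vendor:
    description: Vendor accounts layer components.
    steps:
      - command: vendor pull --component aws-organization
      - command: vendor pull --component aws-organizational-unit
      - command: vendor pull --component aws-account
      - command: vendor pull --component aws-scp
      - command: vendor pull --component aws-budget
      - command: vendor pull --component account-quotas
      - command: vendor pull --component aws-account-settings
      - command: vendor pull --component cloudtrail
      - command: vendor pull --component cloudtrail-bucket
      - command: vendor pull --component ecr
      - command: vendor pull --component tfstate-backend

  # First-time bootstrap of the state backend. Both deploys pass
  # access_roles_enabled=false; presumably the access roles cannot be
  # created yet at this stage - confirm against the tfstate-backend
  # component before changing it.
  init/tfstate:
    description: Provision Terraform State Backend for initial deployment.
    steps:
      # Backend-file generation is switched off for this run, presumably so
      # Terraform starts with local state while the bucket does not exist.
      - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --auto-generate-backend-file=false
      # Wait until the state bucket is listable, but give up after 60
      # attempts (about 5 minutes). An unbounded `until` loop would spin
      # forever on expired credentials, an access-denied response or a
      # wrong bucket name, hiding the real error from the operator.
      # The bucket name is hard-coded and must match the bucket that
      # tfstate-backend creates for this stack.
      - command: >-
          n=0;
          until aws s3 ls acme-core-use1-root-tfstate; do
          n=$((n+1));
          if [ "$n" -ge 60 ]; then
          echo "tfstate bucket not visible after 60 attempts" >&2;
          exit 1;
          fi;
          sleep 5;
          done
        type: shell
      # Second run with the generated backend file; `init -reconfigure` is
      # switched off, presumably so the existing local state is carried
      # over to the bucket instead of being discarded - confirm.
      - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --init-run-reconfigure=false

  # Regular (non-bootstrap) deploy of the state backend, without the
  # access_roles_enabled override used by init/tfstate.
  deploy/tfstate:
    description: Deploy Terraform State Backend.
    steps:
      - command: terraform deploy tfstate-backend --stack core-use1-root

  deploy/organization:
    description: |
      Deploy the AWS Organization. This is required before finishing the root account requirements.
    steps:
      - command: terraform deploy aws-organization -s core-gbl-root
      # Turns on AWS RAM resource sharing across the Organization. It runs
      # with whatever AWS credentials the operator's shell has, outside
      # Terraform, so it is not tracked in state.
      - command: aws ram enable-sharing-with-aws-organization
        type: shell

  deploy/organizational-units:
    description: Deploy Organizational Units
    steps:
      - command: terraform deploy aws-organizational-unit/core -s core-gbl-root
      - command: terraform deploy aws-organizational-unit/plat -s core-gbl-root

  # Every member account is created from the core-gbl-root stack.
  deploy/accounts:
    description: Deploys all AWS Organization accounts
    steps:
      - command: terraform deploy aws-account/core-artifacts -s core-gbl-root
      - command: terraform deploy aws-account/core-audit -s core-gbl-root
      - command: terraform deploy aws-account/core-auto -s core-gbl-root
      - command: terraform deploy aws-account/core-network -s core-gbl-root
      - command: terraform deploy aws-account/core-security -s core-gbl-root
      - command: terraform deploy aws-account/plat-dev -s core-gbl-root
      - command: terraform deploy aws-account/plat-sandbox -s core-gbl-root
      - command: terraform deploy aws-account/plat-staging -s core-gbl-root
      - command: terraform deploy aws-account/plat-prod -s core-gbl-root

  # deny-leaving-organization is the only SCP this workflow deploys; any
  # further guardrails have to be added here or deployed separately.
  deploy/scps:
    description: Deploy Service Control Policies
    steps:
      - command: terraform deploy aws-scp/deny-leaving-organization -s core-gbl-root

  # One deploy per account stack (six core, four plat).
  deploy/aws-account-settings:
    description: Apply AWS Account settings for best practices.
    steps:
      - command: terraform deploy aws-account-settings -s core-gbl-artifacts
      - command: terraform deploy aws-account-settings -s core-gbl-audit
      - command: terraform deploy aws-account-settings -s core-gbl-auto
      - command: terraform deploy aws-account-settings -s core-gbl-network
      - command: terraform deploy aws-account-settings -s core-gbl-root
      - command: terraform deploy aws-account-settings -s core-gbl-security
      - command: terraform deploy aws-account-settings -s plat-gbl-dev
      - command: terraform deploy aws-account-settings -s plat-gbl-prod
      - command: terraform deploy aws-account-settings -s plat-gbl-sandbox
      - command: terraform deploy aws-account-settings -s plat-gbl-staging

  # Same ten account stacks as deploy/aws-account-settings.
  deploy/budgets:
    description: Deploy budgets to all accounts
    steps:
      - command: terraform deploy aws-budget -s core-gbl-root
      - command: terraform deploy aws-budget -s core-gbl-artifacts
      - command: terraform deploy aws-budget -s core-gbl-audit
      - command: terraform deploy aws-budget -s core-gbl-auto
      - command: terraform deploy aws-budget -s core-gbl-network
      - command: terraform deploy aws-budget -s core-gbl-security
      - command: terraform deploy aws-budget -s plat-gbl-dev
      - command: terraform deploy aws-budget -s plat-gbl-sandbox
      - command: terraform deploy aws-budget -s plat-gbl-staging
      - command: terraform deploy aws-budget -s plat-gbl-prod

  # The log bucket is deployed in the audit account before the trail is
  # deployed in root, so the trail's log destination exists first and sits
  # in a different account from the one being logged.
  deploy/cloudtrail:
    description: Start AWS Cloudtrail in audit and root accounts to track changes across the org.
    steps:
      - command: terraform deploy cloudtrail-bucket -s core-use1-audit
      - command: terraform deploy cloudtrail -s core-gbl-root

  deploy/ecr:
    description: Deploy ECR in the artifacts account to use as our container registry
    steps:
      - command: terraform deploy ecr -s core-use1-artifacts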