Action Items
Cloud Posse will need a few subscriptions set up from you in order to deploy your infrastructure. Some of these may not apply to all engagements, but please start setting up the relevant subscriptions now.
Getting Started
Before we can get started, here's the minimum information we need from you.
1 1Password
Cloud Posse will use 1Password to share secrets your team. You do not need to use 1Password internally, but Cloud Posse will need to use 1Password to transfer secrets. You can either create your own 1Password Vault and add Cloud Posse as members or request that Cloud Posse create a temporary vault (free for you). However, if Cloud Posse creates that vault for you, only three users can be added at a time.
We cannot create AWS accounts until we have access to 1Password.
2 Slack
We should already be using Slack for a shared general channel between Cloud Posse and your team. However, we will need an additional channel for AWS notifications and to access AWS account setup emails. We'll also use this channel for AWS budget alerts.
- Create a new Slack channel for AWS notifications, for example
#aws-notifications
- Invite Cloud Posse
- Set Up AWS Email Notifications with your chosen email address for each account. If you are using plus-addressing, you will only need to connect the primary email address.
- Create a Slack Webhook for that same channel. This is required to enable Budget alerts in Slack. Please share the Webhook URL and the final name of the Slack channel with Cloud Posse.
3 Create New AWS Root Account (a.k.a. "Payer Account")
We will be launching a new AWS Organization from a single root account. Cloud Posse will be terraforming your entire organization, creating 12-plus accounts, and doing everything from the ground up. We're responsible for configuring SSO, fine-grained IAM roles, and more. We'll need a net-new Organization, so we cannot jeopardize any of your current operations.
Please create a new AWS root account and add the root credentials to 1Password. Cloud Posse will take it from there.
4 Share GitHub Repository for Infrastructure as Code
Please create a new repository in your GitHub organization and grant the Cloud Posse team access. We will need GitHub access to create your Infrastructure as Code repository.
5 AWS IAM Identity Center (AWS SSO)
In order connect your chosen IdP to AWS IAM Identity Center (AWS SSO), we will to configure your provider and create a metadata file. Please follow the relevant linked guide and follow the steps for the Identity Provider. All steps in AWS will be handled by Cloud Posse.
Please also provision a single test user in your IdP for Cloud Posse to use for testing and add those user credentials to 1Password.
- GSuite does not automatically sync Users and Groups with AWS Identity Center without additional configuration! If using GSuite as an IdP, considering deploying the ssosync tool.
- The official AWS documentation for setting up JumpCloud with AWS IAM Identity Center is not accurate. Instead, please refer to the JumpCloud official documentation
6 AWS SAML (Optional)
If deploying AWS SAML as an alternative to AWS SSO, we will need a separate configuration and metadata file. Again, please refer to the relevant linked guide.
Please see the following guide and follow the steps to export metadata for your Identity Provider integration. All steps in AWS will be handled by Cloud Posse.
GitHub Self-Hosted Runners
Self-Hosted Github Runners on EKS
If you are deploying the Actions Runner Controller solution for Self-Hosted Github Runners, please generate the required secrets following the GitHub Action Runner Controller setup docs.
Feel free to store these secrets in 1Password if you do not have AWS access yet. Cloud Posse can complete the setup from there.
Self-Hosted Github Runners with Philips Labs (ECS)
If you have chosen ECS as a platform, we recommend deploying Philips Labs GitHub Action Runners. Please read through the Philips Labs GitHub Action Runners Setup Requirements.
In particular, we will need a new GitHub App including a Private Key, an App ID, and an App Installation ID. Please store these secrets in 1Password.
Atmos Component Updater Requirements
Cloud Posse will deploy a GitHub Action that will automatically suggest pull requests in your new repository. To do so, we need to create and install a GitHub App and allow GitHub Actions to create and approve pull requests within your GitHub Organization. For more on the Atmos Component Updater, see atmos.tools.
1 Create and install a GitHub App for Atmos
- Create a new GitHub App
- Name this new app whatever you prefer. For example,
Atmos Component Updater
. - List a Homepage URL of your choosing. This is required by GitHub, but you can use any URL. For example use our documentation page:
https://atmos.tools/integrations/github-actions/component-updater/
- (Optional) Add an icon for your new app (example provided below)
- Assign only the following Repository permissions:
+ Contents: Read and write
+ Pull Requests: Read and write
+ Metadata: Read-only - Generate a new private key following the GitHub documentation.
- Share both the App ID and the new private key with Cloud Posse in 1Password
Feel free to download and use our Atmos icon with your GitHub App!
2 Allow GitHub Actions to create and approve pull requests
- Go to
https://github.com/organizations/YOUR_ORG/settings/actions
- Check "Allow GitHub Actions to create and approve pull requests"
3 Create atmos
GitHub Environment
If you grant Cloud Posse admin
in your new infrastructure repository, we will do this for you.
We recommend creating a new GitHub environment for Atmos. With environments, the Atmos Component Updater workflow will be required to follow any branch protection rules before running or accessing the environment's secrets. Plus, GitHub natively organizes these Deployments separately in the GitHub UI.
- Open "Settings" for your repository
- Navigate to "Environments"
- Select "New environment"
- Name the new environment, "atmos".
- In the drop-down next to "Deployment branches and tags", select "Protected branches only"
- In "Environment secrets", create the two required secrets for App ID and App Private Key created above and in 1Password. We will pull these secrets from GitHub Actions with
secrets.ATMOS_APP_ID
andsecrets.ATMOS_PRIVATE_KEY
respectively.
Requirements for Purchasing Domains
If we plan to use the core-dns
account to register domains, we will need to add a credit card directly to that individual account. When the account is ready, please add a credit card to the core-dns
account following the AWS documentation.
Additional Integrations
Confirm if you plan to deploy any of the following integrations. If so, we will need access to these services. If you haven't already signed up for these services, please soon.
1 Spacelift Access
If deploying Spacelift, we will need a Spacelift subscription. Please see How to Sign Up for Spacelift. This document answers many common questions and describes the signup process step-by-step.
Cloud Posse will need "admin" access for Spacelift to deploy all resources.
2 Datadog Access
Sign up for Datadog following the How to Sign Up for Datadog? documentation.
Cloud Posse will need "admin" access for Datadog as well to complete the Datadog setup.
3 OpsGenie Access
Sign up for OpsGenie following the How to Sign Up for OpsGenie? documentation.
Release Engineering
If your engagement with Cloud Posse includes Release Engineering, we will also need some more things.
1 Sign up GitHub Enterprise (Optional)
GitHub Enterprise is required to support native approval gates on deployments to environments.
2 Configure GitHub Settings
If we are deploying release engineering as part of the engagement, we will need a few additional items from your team.
- Enable GitHub Actions for your GitHub Organization.
- Allow access via fine-grained personal access tokens for your GitHub Organization.
- Create an empty
example-app
private repository in your Organization. We'll deploy an example for release engineering here.
3 PATs for ECS with ecspresso
-
Create one fine-grained PAT with the following permission. Please see Creating a fine-grained personal access token
This PAT needs read access to your
infrastructure
repository:Repository
+ Contents: Read-only
+ Metadata: Read-only -
Save the new fine-grained PAT as a GitHub environment secret in the new
example-app
private repository in your Organization.
4 PATs for EKS with ArgoCD
ArgoCD requires a number of PATs. Please see How to set up Authorization for ArgoCD with GitHub PATs