Deploy CloudTrail and Account Budgets
Now that all the accounts have been deployed, we need to finalize the setup of the accounts. This includes deploying CloudTrail and optionally account budgets. These foundational components will be necessary to move forward with the rest of the deployment.
| Steps | Actions |
|---|---|
| Deploy baseline components | atmos workflow deploy -f baseline |
| Deploy account budgets | Create Slack Webhook and atmos workflow deploy -f accounts |
1 Deploy CloudTrail��
Deploy CloudTrail and the the CloudTrail bucket:
- Commands
- Atmos Workflow
deploy/cloudtrail workflow in the examples/snippets/stacks/workflows/baseline.yaml file:- No commands found
Too many commands? Consider using the Atmos workflow! 🚀
Run the following from your Geodesic shell using the Atmos workflow:
atmos workflow deploy/cloudtrail -f baseline
2 (Optional) Deploy Account Budgets
Budgets are an optional feature that can be enabled with the account-settings component for the Organization as a whole or for individual accounts. Budgets do not restrict spending but provide visibility into spending and can be used to set alerts when spending exceeds a certain threshold. We recommend using a dedicated Slack channel for these alerts, which we will set up with a webhook.
- Create a Slack Webhook. Take note of the Webhook URL and the final name of the Slack channel. The Slack channel is case-sensitive and needs to match the name of the channel exactly as the name appears in owning Slack server (not the name if changed as a shared channel).
- Update the
account-settingscomponent with the Slack Webhook URL and the Slack channel name.# stacks/catalog/account-settings.yaml
components:
terraform:
account-settings:
vars:
budgets_enabled: true
budgets_notifications_enabled: true
budgets_slack_webhook_url: https://url.slack.com/abcd/1234
budgets_slack_username: AWS Budgets
budgets_slack_channel: aws-budgets-notifications - To enable budgets for the entire organization, update
account-settingsin the same account as the Organization root account, typicallycore-root. This budget will include the total spending of all accounts in the Organization.# stacks/orgs/acme/core/root/global-region/baseline.yaml
import:
- catalog/account-settings
components:
terraform:
account-settings:
vars:
# Budgets in `root` apply to the Organization as a whole
budgets:
- name: Total AWS Organization Cost per Month
budget_type: COST
limit_amount: 10000
limit_unit: USD
time_unit: MONTHLY
notification:
- comparison_operator: GREATER_THAN
notification_type: FORECASTED
threshold_type: PERCENTAGE
threshold: 80
subscribers:
- slack
- comparison_operator: GREATER_THAN
notification_type: FORECASTED
threshold_type: PERCENTAGE
threshold: 100
subscribers:
- slack
- comparison_operator: GREATER_THAN
notification_type: ACTUAL
threshold_type: PERCENTAGE
threshold: 100
subscribers:
- slack - To enable budgets for individual accounts, update
account-settingsin the account you want to enable budgets for or as the default setting for allaccount-settingscomponents to apply to every account. This budget will include the spending of the given account only.# stacks/catalog/account-settings.yaml
components:
terraform:
account-settings:
vars:
...
budgets:
- name: 1000-total-monthly
budget_type: COST
limit_amount: "1000"
limit_unit: USD
time_unit: MONTHLY
- name: s3-3GB-limit-monthly
budget_type: USAGE
limit_amount: "3"
limit_unit: GB
time_unit: MONTHLY - Finally, reapply
account-settingsin any changed account to apply the new settings- Commands
- Atmos Workflow
deploy/account-settings:These are the commands included in thedeploy/account-settingsworkflow in theexamples/snippets/stacks/workflows/accounts.yamlfile:- No commands found
Too many commands? Consider using the Atmos workflow! 🚀
Run the following from your Geodesic shell using the Atmos workflow:
atmos workflow deploy/account-settings -f accounts