Deploying AWS Accounts

This step-by-step process outlines how to deploy AWS accounts using atmos workflows and ClickOps steps. It covers necessary preparations, such as configuring the AWS Organization, increasing account quotas, and verifying account configurations. The guide details the deployment processes and post-deployment configurations, including setting up account settings, enabling AWS RAM for Organizations, and performing certain manual configurations via ClickOps.

Steps	Actions
Deploy AWS Organization	atmos workflow deploy/organization -f accounts
Prepare accounts creation	Click Ops
Deploy accounts	atmos workflow deploy/accounts -f accounts
Deploy accounts settings	atmos workflow deploy/account-settings -f accounts
Finalize account setup	Click Ops

1 Prepare Account Deployment

Review the "account" configuration in the stack catalog. This is the hardest part to change/fix once the accounts are provisioned. If you aren't confident about the email configuration, account names, or anything else, now is the time to make changes or ask for help.

You should double-check the following:

1. Check that stacks/catalog/account.yaml has the values you expect, especially account email format
2. Run atmos describe component account -s core-gbl-root to inspect the final component configuration (e.g. after all the mixins have been imported)
3. Plan the run with atmos terraform plan account -s core-gbl-root

2 Deploy the AWS Organization:

Commands

deploy/organization:

These are the commands included in the deploy/organization workflow in the examples/snippets/stacks/workflows/accounts.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/organization -f accounts 

3 Confirm the Root Account is configured as an Organization

The previous step will create the AWS Organization and configure the core-root account as the "root" account. Take the time now to verify that the root account is configured as an AWS Organization. and that AWS RAM for Organizations is enabled, which is required for connecting the Organization.

4 Raise Account Limits

If you haven't already completed the Account Quota increase, now is the time to do so. To deploy all accounts, we need to request an increase of the Account Quota from AWS support, which requires an AWS Organization to be created first.

From the root account (not SuperAdmin), increase the account quota to 20+ for the Cloud Posse reference architecture, or more depending on your business use-case

5 Deploy Accounts

Important:

With the addition of support for dynamic Terraform roles, our baseline cold start refarch layer now depends on/requires that we have aws-teams and aws-team-roles stacks configured. This is because account-map uses those stacks to determine which IAM role to assume when performing Terraform in the account, and almost every other component uses account-map (indirectly) to chose the role to assume. However, these components do not need to be deployed yet.

Again verify the "account" configuration in stacks/catalog/account.yaml. In the next step, we will create and configure all accounts in the AWS Organization using the configuration in that stack file.

Once confident, begin the accounts deployment:

Commands

deploy/accounts:

These are the commands included in the deploy/accounts workflow in the examples/snippets/stacks/workflows/accounts.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/accounts -f accounts 

These deployments will create all AWS member accounts and store relevant account metadata as "mappings" in the Terraform outputs of the account-map component. Rather than querying this account component each time we need an Account ID or role, we provision a static component account-map.

Important:

Always run atmos terraform apply account-map -s core-gbl-root after provisioning accounts.

Once you've created the accounts, you'll need to provision the baseline configuration within the accounts themselves. Run the following:

Commands

deploy/account-settings:

These are the commands included in the deploy/account-settings workflow in the examples/snippets/stacks/workflows/accounts.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/account-settings -f accounts 

The workflows will kick off several sequential Terraform runs to provision all the AWS member account settings for member accounts in the Organization.

6 ClickOps to Complete Account Setup

For each new account, you will need to perform some manual configurations via ClickOps. These configurations include setting up the root account credentials, enabling MFA, and unsubscribing the account's email address from all marketing emails.

1. Reset the root user password:

   1. Perform a password reset by attempting to log in to the AWS console as a "root user" using that account's email address

   2. Click the "Forgot password?" link

   3. You will receive a password reset link via email, which should be forwarded to the shared Slack channel for automated messages. Click the link

   4. Enter a new password

      Tip:

      Use 1Password to create a password 26-38 characters long, including at least 3 of each class of character: lower case, uppercase, digit, and symbol

   5. Save the email address and generated password as web login credentials in 1Password

   6. Finally, record the account number in a separate field of the 1Password item, and save it. This is optional but recommended.

2. Configure MFA:

   1. Log in to the AWS console using the new password
   2. Choose "My Security Credentials" from the account dropdown menu
   3. Set up Multi-Factor Authentication (MFA) to use a Virtual MFA device
   4. Save the MFA TOTP key in 1Password with 1Password's "One-Time Password" field
   5. Enter the generated MFA codes in AWS to verify the MFA device
   6. Save the Virtual MFA ARN in the same 1Password entry. We will need this to set up the MFA device for SuperAdmin in Leapp

3. Enable any necessary optional regions

4. Optional, but highly recommended - unsubscribe the account's email address from all marketing emails

   1. Go to AWS Marketing Preferences
   2. Click "Unsubscribe from Email"
   3. Enter the account's email address
   4. Check "Unsubscribe from all AWS marketing emails"

For more details, review the detailed "AWS Cold Start" documentation.