Preparing Your AWS Organization

The Cold Start involves more manual steps than other layers. Read through the following steps and see the detailed documentation for edge cases.

In short, the steps are...

Steps	Actions
Install requirements
Build Geodesic	`make all`
Vendor components	`atmos workflow vendor -f baseline`
Configure root SuperAdmin	Click Ops

Cold Start

The set up process for the "baseline" or "account" layer is commonly referred to as the Cold Start.

Prerequisites

Start your Geodesic shell before continuing.

First, you'll need to perform some ClickOps to ensure things are set up before we use Terraform to manage AWS accounts.

From the root account:

Get Business Class Support
Enable business support in the root account (in order to expedite requests to raise the AWS member account limits)
Set up MFA on Root Account
Set up up the Virtual MFA device on the root account, following the instructions in the AWS documentation for enabling a virtual MFA device for an AWS account root user. Save the MFA TOTP key in 1Password by using 1Password's TOTP field and built-in screen scanner to scan the QR code presented on the web page.
Create the SuperAdmin IAM User
Create a SuperAdmin IAM User. Do not enable "console login", do set up MFA, and then create a single Access key. Create an API Credential for the SuperAdmin credentials in 1Password and store the Access Key ID, Secret Access Key, Assigned MFA device ARN, and TOTP key. This is the user we will use until AWS Team Roles (aws-team-roles component) are provisioned.
Enable IAM Access for Billing
For billing users, you need to enable IAM access. As the root user open up the account settings for AWS Billing, then scroll to the section "IAM user and role access to Billing information" and enable it.
Enable Regions (Optional)
The 17 original AWS regions are enabled by default. If you are using a region that is not enabled by default (such as Middle East/Bahrain), you need to take extra steps. For details, see the detailed documentation