
How to Create and Set Up AWS Accounts

This guide covers the process of creating and setting up new AWS accounts. It includes detailed instructions for updating account catalogs, configuring stack settings, deploying necessary components, and managing AWS account profiles.

Problem

New accounts can be daunting to set up.

Solution

PR 1 - Create account

Stack account catalog

See stacks/catalog/account*.yaml

For example, if the new account is pca:

Under the appropriate OU

organizational_units:
  - name: mgmt
    accounts:

add the following entry

      - name: pca
        stage: pca
        tags:
          eks: false

Root stacks

This is an example; use an existing root stack as a template.

Global: stacks/gbl/gbl-pca.yaml

import:
  - gbl/gbl-globals
  - catalog/iam-delegated-roles

vars:
  stage: pca

terraform:
  vars: {}

components:
  terraform:
    iam-delegated-roles:
      vars:
        exclude_roles: [ "helm" ]

Regional: stacks/use2/use2-pca.yaml

import:
  - use2/use2-globals

vars:
  stage: pca

terraform:
  vars: {}

helmfile:
  vars: {}

components:
  terraform: {}

Tenant stacks (if applicable)

This is an example; use an existing tenant stack as a template.

stacks/mdev/gbl/mdg-pca.yaml

import:
  - mdev/gbl/mdg-globals
  - gbl/gbl-pca

stacks/mdev/use2/mde2-pca.yaml

import:
  - mdev/mdev-globals
  - use2/use2-pca
  - catalog/private-ca

Submit PR and merge

Commit the changes and open a draft PR before applying anything, because once a component has been applied it is difficult to reverse.

Once the PR is reviewed, approved, and merged, continue.

Plan and Apply components

NOTE: Use plan and apply without -auto-approve. Do not use deploy, which could be dangerous here.

Components to deploy

  • components/terraform/account

  • components/terraform/account-map

  • components/terraform/account-settings

  • components/terraform/iam-delegated-roles

  • There may be additional ones that are hidden away by stack imports
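Because the apply steps below are hard to reverse, it is worth checking that the PR 1 changes are internally consistent before assuming the root role. The following preflight check is an added example, not part of the project's tooling: it confirms that the new account is declared in the account catalog and that its global and regional stack files exist and set the same stage. It assumes the directory layout shown on this page (stacks/catalog/account*.yaml, stacks/gbl/gbl-<stage>.yaml, stacks/<region>/<region>-<stage>.yaml); the fixture tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Added preflight check (not the project's code). Before applying, confirm the
# new account is in the catalog and that its global and regional root stacks
# exist and agree on the stage name. Layout assumed from this page:
#   stacks/catalog/account*.yaml
#   stacks/gbl/gbl-<stage>.yaml
#   stacks/<region>/<region>-<stage>.yaml

# check_account_stacks <stacks_dir> <stage> [region]
# Returns 0 when everything is consistent; prints each problem to stderr otherwise.
check_account_stacks() {
  stacks_dir="$1"; stage="$2"; region="${3:-use2}"; rc=0

  # 1. The account must be declared (as "- name: <stage>") in the account catalog.
  if ! grep -Eqs "^[[:space:]]*-[[:space:]]*name:[[:space:]]*$stage[[:space:]]*\$" \
       "$stacks_dir"/catalog/account*.yaml; then
    echo "catalog: no account named '$stage' under $stacks_dir/catalog/" >&2
    rc=1
  fi

  # 2. The global and regional root stacks must exist and set the same stage;
  #    otherwise "atmos terraform apply ... --stack <tenant>-gbl-$stage" has no target.
  for f in "$stacks_dir/gbl/gbl-$stage.yaml" "$stacks_dir/$region/$region-$stage.yaml"; do
    if [ ! -f "$f" ]; then
      echo "missing stack file: $f" >&2
      rc=1
      continue
    fi
    if ! grep -Eq "^[[:space:]]*stage:[[:space:]]*$stage[[:space:]]*\$" "$f"; then
      echo "$f does not set 'stage: $stage'" >&2
      rc=1
    fi
  done
  return $rc
}

# make_fixture: constructed sample stacks tree with the same shape as the
# snippets on this page, so the check can be exercised offline. Prints the path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/catalog" "$dir/gbl" "$dir/use2"
  cat > "$dir/catalog/account.yaml" <<'EOF'
organizational_units:
  - name: mgmt
    accounts:
      - name: pca
        stage: pca
        tags:
          eks: false
EOF
  printf 'import:\n  - gbl/gbl-globals\nvars:\n  stage: pca\n' > "$dir/gbl/gbl-pca.yaml"
  printf 'import:\n  - use2/use2-globals\nvars:\n  stage: pca\n' > "$dir/use2/use2-pca.yaml"
  printf '%s\n' "$dir"
}

# Usage against a real checkout (run from the repo root):
#   check_account_stacks stacks pca use2 && atmos terraform plan account --stack "$TENANT-gbl-root"
demo_dir=$(make_fixture)
check_account_stacks "$demo_dir" pca && echo "preflight ok for pca"
```

The check deliberately greps the raw YAML rather than parsing it, so it needs nothing beyond a POSIX shell and can run inside the geodesic container before any role is assumed; a stack whose filename and stage disagree is reported, which is the typical copy-paste mistake when a new root stack is cloned from another one.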

Prereq

## temporarily assume the root admin (only necessary when deploying root level components)
assume-role $NAMESPACE-$TENANT-gbl-root-admin

Setup account

# create new account
atmos terraform apply account --stack $TENANT-gbl-root

# update account map
atmos terraform apply account-map --stack $TENANT-gbl-root

# update new account's settings
atmos terraform apply account-settings --stack $TENANT-gbl-pca

# create assumable roles from identity account to new account
atmos terraform apply iam-delegated-roles --stack $TENANT-gbl-pca

Exit the root role

# exit from root role
exit

PR 2 - aws-accounts and profiles

aws-accounts

After the above commands have been executed, edit

rootfs/usr/local/bin/aws-accounts

and append the new account to each account section with its respective information:

mdev_accounts=(
  # ...
  [pca]="snip"
  # ...
)
readonly profile_order=(
  # ...
  pca
  # ...
)

Regenerate profiles

Rebuild the container so the updated script is installed, or run rootfs/usr/local/bin/aws-accounts directly from the repository.

# regenerate cicd profiles
aws-accounts gen-cicd > rootfs/etc/aws-config/aws-config-cicd-$TENANT

# regenerate local saml profiles
aws-accounts gen-saml > /localhost/.aws/vygr/config-$TENANT
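To show what the aws-accounts script's inputs and outputs look like, here is an added example that is not the project's script: it generates one AWS CLI profile per account from an account table and an explicit profile order, the same two inputs the mdev_accounts array and profile_order list supply, and refuses to emit a profile for an entry in profile_order that has no account id (which would otherwise produce a profile with an empty role ARN). Everything concrete in it is constructed or assumed: the namespace "eg", the tenant "mdev", the three account ids, the role name pattern $NAMESPACE-$TENANT-gbl-<stage>-admin (taken from the assume-role line earlier on this page) and the choice of the identity account's profile as source_profile.

```shell
#!/bin/sh
# Added example, not the project's aws-accounts script. Generates per-account
# AWS CLI profiles from an account table plus a profile order. Namespace,
# tenant, account ids, role naming and source_profile are all assumptions.

NAMESPACE="eg"     # constructed
TENANT="mdev"      # constructed

# Constructed account table, one "<stage> <account-id>" pair per line.
# (POSIX sh has no associative arrays, so this stands in for the bash
# mdev_accounts array shown on this page.)
MDEV_ACCOUNTS="root 111111111111
identity 222222222222
pca 333333333333"

# Order in which profiles are written, mirroring profile_order. Listing a stage
# here without a matching table entry is the mistake gen_profiles refuses.
PROFILE_ORDER="root identity pca"

# account_id <stage>: prints the account id for a stage, or nothing if unknown.
account_id() {
  printf '%s\n' "$MDEV_ACCOUNTS" | awk -v s="$1" '$1 == s { print $2; exit }'
}

# gen_profiles: writes one AWS CLI profile per stage in PROFILE_ORDER to stdout.
# Returns 1 (after writing nothing further) rather than emitting a profile whose
# role_arn would have an empty account id.
gen_profiles() {
  for stage in $PROFILE_ORDER; do
    id=$(account_id "$stage")
    if [ -z "$id" ]; then
      echo "profile_order lists '$stage' but no account id is defined for it" >&2
      return 1
    fi
    # Role/profile name follows the $NAMESPACE-$TENANT-gbl-<stage>-admin pattern
    # used by the assume-role command on this page (assumption).
    role="$NAMESPACE-$TENANT-gbl-$stage-admin"
    printf '[profile %s]\n' "$role"
    printf 'role_arn = arn:aws:iam::%s:role/%s\n' "$id" "$role"
    # Assumption: every role is assumed from the identity account's profile.
    printf 'source_profile = %s-%s-identity\n\n' "$NAMESPACE" "$TENANT"
  done
}

# Usage: gen_profiles > "$HOME/.aws/config-$TENANT"
gen_profiles
```

Generating the config from the table, rather than hand-editing it, keeps every profile's role_arn tied to an id that is also recorded in the script, and the hard failure on a dangling profile_order entry surfaces the mismatch at generation time instead of as a confusing assume-role error later.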

Commit and push files

Final commands

There may be additional components that are imported or hidden away by stack imports. Review the imports to see if there are more components to deploy.
