Latest Documentation
This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.

Legacy Account Map

The account-map component has been deprecated. The reference architecture now uses Atmos Auth for authentication and Atmos Functions for dynamic values, eliminating the need for account-map entirely.

Why Deprecate Account Map?

The account-map component was originally designed to store AWS account metadata in Terraform state and provide dynamic lookups for account IDs, IAM roles, and other configuration. While functional, this approach had several limitations:

  1. Tight coupling — Components depended on account-map remote state, creating deployment dependencies
  2. Greenfield only — The pattern assumed Cloud Posse deployed all accounts, making brownfield adoption difficult
  3. Slower operations — Every Terraform run required remote state lookups
  4. Complex bootstrapping — Cold start required careful ordering of component deployments

The New Approach

The refactored architecture replaces account-map with:

  1. Atmos stack variables — Account IDs and configuration stored directly in stack configuration (no remote state)
  2. Atmos Auth — Authentication handled before Terraform runs via atmos auth login
  3. Atmos Functions — Dynamic values resolved at plan time using !terraform.output and other functions
  4. Simplified components — Components work in both greenfield and brownfield environments

This approach enables all Cloud Posse components to work in brownfield environments where accounts already exist.

Current Documentation

The accounts layer documentation has been updated for the new approach:

  1. Prepare AWS Organization — ClickOps setup before Terraform
  2. Initialize Terraform Backend — Set up the S3 state backend
  3. Deploy Accounts — Create AWS accounts and configure settings
  4. Setup CloudTrail — Enable organization-wide audit logging

Migrating from Account Map

If you have an existing deployment using the account-map component, see the migration guide:

See Also

  1. Atmos Auth — Authentication commands
  2. Atmos Functions — Dynamic value resolution
  3. Identity Layer — IAM Identity Center and access management