Build Your Foundation
To build a reliable infrastructure, we must start with a solid foundation. Our reference architecture is designed with best practices and consistent conventions to ensure it is well-architected from the ground up. As part of this process, you’ll make critical design decisions that will shape your infrastructure. Next, you’ll initialize your infrastructure repository and then begin by provisioning your AWS Organizations, accounts, networks, DNS, and fine-grained IAM roles and policies. Once your foundation is complete, you’ll be ready to build a platform to deliver your applications.
1 Set up your project
- Create a GitHub repository to host your infrastructure toolchain and configurations.
- Configure repository settings, enable branch protection, and add collaborators.
- Then import the Cloud Posse reference architecture and prepare the Geodesic toolbox image to get ready to provision your infrastructure.
2 Provision New AWS Organization and Accounts
- Review how Cloud Posse designs and manages AWS Account architectures using Atmos and Terraform, aligning with the AWS Well-Architected Framework.
- Begin by provisioning the Terraform state backend, which is essential before provisioning and managing infrastructure with Terraform.
- Then proceed to organize the accounts into Organizational Units (OUs), apply Service Control Policies (SCPs), and configure account-level settings.
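The state backend and organization guardrails described in this step, written out as an added Terraform example. This is not Cloud Posse's own `tfstate-backend` or `account` component; bucket and table names, the region, the OU name and the policy contents are assumed placeholders. The state bucket is versioned, encrypted and blocked from public access, locking uses DynamoDB, and a Service Control Policy attached to an OU denies the two things you least want a member account to be able to do to its own audit trail and membership.

```hcl
# Added example (not Cloud Posse's components). Placeholder names throughout.

# --- 1. State backend bootstrap: run once with local state, then migrate ---
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate" # placeholder; bucket names are globally unique
}

resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration { status = "Enabled" } # recover from a bad apply
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-org-tfstate-lock" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the attribute name the S3 backend expects
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- 2. Backend block used by every later root module ---
terraform {
  required_version = ">= 1.5"
  backend "s3" {
    bucket         = "example-org-tfstate"      # placeholder, matches the bucket above
    key            = "core/org/terraform.tfstate"
    region         = "us-east-1"                # placeholder
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock" # placeholder, matches the table above
  }
}

# --- 3. Organization, an OU, and an SCP guardrail attached to that OU ---
resource "aws_organizations_organization" "this" {
  feature_set          = "ALL" # required for SCPs
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads" # placeholder OU name
  parent_id = aws_organizations_organization.this.roots[0].id
}

data "aws_iam_policy_document" "guardrails" {
  statement {
    sid       = "DenyLeavingOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }
  statement {
    sid       = "DenyTamperingWithCloudTrail"
    effect    = "Deny"
    actions   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "guardrails" {
  name    = "guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.guardrails.json
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

The backend resources and the `backend "s3"` block cannot live in the same first apply: create the bucket and table with local state, then add the backend block and run `terraform init` to migrate. SCPs never grant permissions, they only cap what IAM in the member accounts can allow, so the deny above holds even for an account administrator.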
3 Rollout Identity & Authentication
Learn how Cloud Posse sets up fine-grained access control for an entire organization using IAM roles, AWS SAML, and AWS IAM Identity Center (SSO). This section addresses the challenges of using various login methods and tools and introduces a solution involving Teams and Team Roles to manage access across multiple AWS accounts. This approach ensures precise control, easy role switching, and compatibility with different identity providers. Additionally, we provide a solution optimized for cross-account Terraform access, programmatic access for GitHub OIDC, and a user-friendly login experience with AWS Identity Center (AWS SSO), using tools like Leapp to facilitate seamless authentication and access management.
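Two of the access paths this step mentions, programmatic access for GitHub OIDC and cross-account Terraform access, shown as an added Terraform example. This is not Cloud Posse's `github-oidc-provider` or `aws-teams` component; the GitHub org and repository, the identity account id and the role names are assumed placeholders, and omitting `thumbprint_list` assumes a recent AWS provider version in which that argument is optional. The point of the trust policies is the conditions: a workflow gets a role only if its token's audience is STS and its subject names one repository and branch, and the Terraform role in a member account is assumable only from one named team role in the identity account.

```hcl
# Added example (not Cloud Posse's components). Placeholder values throughout.

locals {
  github_org          = "example-org"    # placeholder GitHub organization
  github_repo         = "infrastructure" # placeholder repository
  identity_account_id = "111111111111"   # placeholder: account that hosts team roles
}

# OIDC identity provider for GitHub Actions, created in each account workflows deploy into
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # thumbprint_list omitted: assumes a recent AWS provider where it is optional
}

# Trust policy: only tokens for the main branch of one repository may assume the role
data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_org}/${local.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_plan" {
  name                 = "gha-plan" # placeholder role name
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # short-lived; the workflow has no long-term credentials
}

# A plan-only workflow needs read access; apply would get a separately scoped role
resource "aws_iam_role_policy_attachment" "github_plan_readonly" {
  role       = aws_iam_role.github_plan.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Cross-account Terraform role: assumable only from one team role in the identity account
data "aws_iam_policy_document" "terraform_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.identity_account_id}:role/team-devops"] # placeholder
    }
  }
}

resource "aws_iam_role" "terraform" {
  name               = "terraform" # placeholder role name
  assume_role_policy = data.aws_iam_policy_document.terraform_trust.json
  # permissions policy attached separately and scoped to what this account's stacks manage
}
```

Without the `sub` condition, any GitHub repository anywhere could mint a token accepted by this provider, so that condition is the actual access control; widen it with a wildcard such as `repo:<org>/*` only deliberately. Role switching for humans works the same way: the team role in the identity account is the single principal every member account trusts, so adding a person to a team is the only per-user change.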
4 Deploy VPCs & DNS
Finally, understand Cloud Posse’s approach to designing robust and scalable Network and DNS architectures on AWS, with a focus on symmetry, account-level isolation, security, and reusability. We cover essential topics such as account isolation, connecting multiple accounts together using Transit Gateways, deploying AWS Client VPN for remote network access by developers, and differentiating between DNS service discovery and branded vanity domains used by customers. The solution includes reusable network building blocks, ensuring consistent deployment of VPCs and subnets, accommodating multi-region global networks, and addressing special network design considerations depending on whether you'll use ECS or EKS.
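The network building blocks this step describes, as an added Terraform example that is not Cloud Posse's `vpc`, `tgw` or `dns-*` components. The CIDRs, availability zones, zone names and the Transit Gateway id (assumed to be created in a network account and shared to this account) are placeholders. It shows one account's VPC with private subnets, the attachment that joins it to the organization's Transit Gateway, a route for the rest of the organization's address space through that gateway, and the two kinds of hosted zone the text contrasts: a private zone for service discovery inside the VPC and a public zone for the branded vanity domain.

```hcl
# Added example (not Cloud Posse's components). Placeholder values throughout.

variable "transit_gateway_id" {
  type        = string
  description = "Assumed: TGW created in the network account and shared via RAM"
}

locals {
  vpc_cidr = "10.10.0.0/16" # placeholder; must not overlap any other account's VPC
  private_subnets = {
    "us-east-1a" = "10.10.0.0/20"
    "us-east-1b" = "10.10.16.0/20"
  }
}

resource "aws_vpc" "this" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true # both flags are required for a private hosted zone
  enable_dns_hostnames = true
  tags                 = { Name = "dev-use1-vpc" } # placeholder naming convention
}

# One private subnet per AZ, driven by the same map in every account for symmetry
resource "aws_subnet" "private" {
  for_each          = local.private_subnets
  vpc_id            = aws_vpc.this.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "dev-use1-private-${each.key}" }
}

# Attach this VPC to the shared Transit Gateway in the private subnets
resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = aws_vpc.this.id
  subnet_ids         = [for s in aws_subnet.private : s.id]
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
}

# Send traffic for the organization-wide supernet through the TGW; everything else stays local
resource "aws_route" "to_tgw" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "10.0.0.0/8" # placeholder org-wide supernet
  transit_gateway_id     = var.transit_gateway_id
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private.id
}

# Service discovery: private zone, resolvable only from the associated VPC
resource "aws_route53_zone" "service_discovery" {
  name = "dev.example.internal" # placeholder
  vpc { vpc_id = aws_vpc.this.id }
}

# Vanity domain: public zone that customers resolve
resource "aws_route53_zone" "vanity" {
  name = "example.com" # placeholder
}
```

Keeping the AZ-to-CIDR map and the naming convention identical across accounts is what makes the VPCs symmetric; only the `vpc_cidr` changes per account. The private zone never appears on the public internet, so internal service names cannot leak through DNS, and the public zone holds only the records customers are meant to see.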
When you're done with your foundation, our attention will shift to how you set up your platform to deliver your apps.