
Action Items

To get a head start on your infrastructure as code journey, we recommend completing the following action items while you wait on Cloud Posse to deliver your configurations. These steps will help you set up your environment and prepare for the provisioning process.

1 Prepare a New AWS Organization (root account)

We recommend that you start with a new AWS Organization (e.g. a new payer account). As part of the provisioning process, you will be terraforming your entire organization, creating 12-plus accounts, and building everything from the ground up. You will be configuring SSO, fine-grained IAM roles, and more, all with Terraform. We recommend a net-new Organization, so you do not jeopardize any of your current production operations.

Create a new AWS root account and add the root credentials to 1Password.

2 Create GitHub Repository

Create a new repository in your GitHub organization that you will use as your Infrastructure as Code repository.

3 AWS IAM Identity Center (AWS SSO)

In order to connect your chosen IdP to AWS IAM Identity Center (AWS SSO), we will need to configure your provider and create a metadata file. Please follow the relevant linked guide and complete the steps for your Identity Provider.

Caution
  • GSuite does not automatically sync Users and Groups with AWS Identity Center without additional configuration! If using GSuite as an IdP, consider deploying the ssosync tool.
  • The official AWS documentation for setting up JumpCloud with AWS IAM Identity Center is not accurate. Instead, please refer to the JumpCloud official documentation.

4 Configure AWS SAML (Optional)

If deploying AWS SAML as an alternative to AWS SSO, you will need a separate configuration and metadata file. Again, please refer to the relevant linked guide.

5 Purchase Domains (Optional)

If you plan to use the core-dns account to register domains, a credit card must be attached directly to that individual account (not only to the payer account). Once the core-dns account has been created, add a credit card to it following the AWS documentation.

GitHub Actions

Self-Hosted GitHub Runners on EKS

If you are deploying the Actions Runner Controller solution for self-hosted GitHub runners, please generate the required secrets following the GitHub Action Runner Controller setup docs.

Self-Hosted GitHub Runners with Philips Labs (ECS)

If you have chosen ECS as a platform, we recommend deploying Philips Labs GitHub Action Runners. Please read through the Philips Labs GitHub Action Runners Setup Requirements.

In particular, you will need a new GitHub App including a Private Key, an App ID, and an App Installation ID. We recommend that you store these secrets in 1Password.

Atmos Component Updater Requirements

The Atmos Component Updater GitHub Action automatically opens pull requests in your new repository whenever new versions of Atmos components are available.

If you plan to leverage it, you will need to create and install a GitHub App and allow GitHub Actions to create and approve pull requests within your GitHub Organization. For more on the Atmos Component Updater, see atmos.tools.

1 Create and install a GitHub App for Atmos

  1. Create a new GitHub App
  2. Name this new app whatever you prefer. For example, Atmos Component Updater.
  3. List a Homepage URL of your choosing. This is required by GitHub, but you can use any URL. For example use our documentation page: https://atmos.tools/integrations/github-actions/component-updater/
  4. (Optional) Add an icon for your new app (example provided below)
  5. Assign only the following Repository permissions:
    + Contents: Read and write
    + Pull Requests: Read and write
    + Metadata: Read-only
  6. Generate a new private key following the GitHub documentation.
  7. Save both the App ID and the new private key in 1Password.
Feel free to download and use our Atmos icon with your GitHub App!

App Icon

2 Allow GitHub Actions to create and approve pull requests

  1. Go to https://github.com/organizations/YOUR_ORG/settings/actions
  2. Check "Allow GitHub Actions to create and approve pull requests"

3 Create atmos GitHub Environment

We recommend creating a new GitHub environment for Atmos. With environments, the Atmos Component Updater workflow will be required to follow any branch protection rules before running or accessing the environment's secrets. Plus, GitHub natively organizes these Deployments separately in the GitHub UI.

  1. Open "Settings" for your repository
  2. Navigate to "Environments"
  3. Select "New environment"
  4. Name the new environment "atmos".
  5. In the drop-down next to "Deployment branches and tags", select "Protected branches only"
  6. In "Environment secrets", create the two required secrets for the App ID and the App Private Key that you created above and stored in 1Password. These will be accessed from GitHub Actions as secrets.ATMOS_APP_ID and secrets.ATMOS_PRIVATE_KEY respectively.
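As an added example (not part of the Cloud Posse docs or the project's own workflow), the following GitHub Actions workflow shows how the "atmos" environment and its two secrets fit together: the job binds to the environment, so the secrets are only released when the run is triggered from a protected branch, and the long-lived private key is exchanged for a short-lived installation token. The environment name and secret names come from this page; the cron schedule, the action version tag and the updater action's input name are assumptions to confirm against atmos.tools.

```yaml
# Added example workflow; not from the original page.
name: Atmos Component Updater

on:
  schedule:
    - cron: "0 8 * * 1"   # constructed schedule: Mondays 08:00 UTC
  workflow_dispatch: {}

# Least privilege for the built-in GITHUB_TOKEN: checkout needs read access,
# everything else is done with the App installation token minted below.
permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    # Binding the job to the "atmos" environment (step 3 above) means the
    # environment secrets are only available when the run originates from a
    # protected branch, and deployments show up separately in the GitHub UI.
    environment: atmos
    steps:
      - uses: actions/checkout@v4

      # Exchange App ID + private key for an installation token that expires
      # after one hour and is scoped to this repository, so the private key
      # itself is never handed to the updater step.
      - name: Mint GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.ATMOS_APP_ID }}
          private-key: ${{ secrets.ATMOS_PRIVATE_KEY }}

      # Version tag and the "github-access-token" input name are assumptions;
      # check the current values in the Atmos Component Updater documentation.
      - name: Open pull requests for new component versions
        uses: cloudposse/github-action-atmos-component-updater@v2
        with:
          github-access-token: ${{ steps.app-token.outputs.token }}
```

Because pull requests are opened by the App's installation token rather than by GITHUB_TOKEN, the organization setting from step 2 ("Allow GitHub Actions to create and approve pull requests") and the App's Contents and Pull Requests write permissions are what authorize the PRs.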

Optional Integrations

The reference architecture supports multiple integrations. Depending on your requirements, you may need a few subscriptions set up. Please subscribe only to the services you plan to use!

Spacelift

If deploying Spacelift, you will need a Spacelift subscription. Please see How to Sign Up for Spacelift. This document answers many common questions and describes the signup process step-by-step.

Datadog

Sign up for Datadog following the How to Sign Up for Datadog? documentation.

OpsGenie

Sign up for OpsGenie following the How to Sign Up for OpsGenie? documentation.