Tag: aws multi-account

Create new AWS accounts with Organizations and Terraform

AWS Organizations

It’s important to understand what the AWS Organizations service is before creating new AWS accounts with Terraform. Even if you don’t want to create new AWS accounts with Terraform and instead create them manually, knowing the AWS Organizations features will help you become a top-notch cloud engineer! The AWS introduction video explaining what AWS Organizations is makes the best starting point.

What is AWS Organizations: introduction video by AWS.

Besides the rich functionality it provides, the next best thing about it is that it’s 100% free! Here’s an official link to the AWS documentation. Be sure to read the AWS Organizations best practices too.

AWS Organizations is not enabled by default. Once we create the resource via Terraform it will be enabled.

AWS Organizations default state

AWS Organizations Permissions

At a minimum you will need the following IAM permissions, and possibly more depending on what else you manage. Remember these need to be granted in your master account. Here’s the architecture I’m following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOrganizations",
      "Effect": "Allow",
      "Action": [
        "organizations:CreateOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}

AWS Organizations Terraform Code

If you have not used Terraform before, I would encourage you to start with the Terraform and Terragrunt introduction. Otherwise, continue. Remember this needs to be applied in your master account.

# Provides a resource to create an AWS organization.
resource "aws_organizations_organization" "this" {

  # List of AWS service principal names for which 
  # you want to enable integration with your organization
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

After applying just the code above we have enabled AWS Organizations… and it’s requesting an email confirmation. Be sure to check your inbox and confirm within 24 hours.

AWS Organizations enabled

Only after we have confirmed the email address can we invite existing AWS accounts to join our organization or create new ones!

Import an existing AWS Organization

If you have already created/enabled AWS Organizations with the AWS CLI or through the console, you have the option to import it and manage it with Terraform going forward. The resource address you import into must match the resource name in your code (here `aws_organizations_organization.this`), and the `o-…` value is your organization ID as shown in the console or by `aws organizations describe-organization`.

# If you use Terraform only
terraform import aws_organizations_organization.this o-1234567

# If you use Terragrunt
terragrunt import aws_organizations_organization.this o-1234567

Create new AWS account

The Terraform code below will create a new member account (i.e. a new AWS account) in the organization.

resource "aws_organizations_account" "dev" {
  # A friendly name for the member account
  name  = "cloudly-engineer-dev"
  email = "somethingdev@gmail.com"

  # Enables IAM users to access account billing information 
  # if they have the required permissions
  iam_user_access_to_billing = "ALLOW"

  tags = {
    Name  = "cloudly-engineer-dev"
    Owner = "Waleed"
    Role  = "development"
  }
}

After applying this Terraform code you will see a new account member in the AWS Organizations. Sadly, you will not get a set of credentials automatically.

Getting the new AWS account's password

Since this account was created from AWS Organizations, you have to navigate to the AWS console and sign in as the root user. Enter your new account's email address and then select Forgot Password. Enter the captcha code and you will receive an email with instructions for setting a new password for your new AWS account. Be sure to set up MFA after logging in to secure your root login.
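Resetting the root password is only needed for the rare root-only tasks. For day-to-day provisioning, Organizations creates an administrative role in every new member account that trusts the master account, so Terraform can reach the new account without root credentials at all. The following is an added example, not code from the post: it sets `role_name` on the account resource and adds a second, aliased provider that assumes that role to apply a baseline (here an IAM password policy) in the member account. The region, the `dev_account_id` variable and the password policy values are assumptions.

```hcl
# Added example (not the post's code). Create the member account and reach it
# through the role that Organizations provisions in every new member account.

resource "aws_organizations_account" "dev" {
  name  = "cloudly-engineer-dev"
  email = "somethingdev@gmail.com" # placeholder from the post; use a mailbox you control

  # Organizations creates this role in the new account with a trust policy for
  # the master account. This is the provider's default name, shown explicitly.
  role_name = "OrganizationAccountAccessRole"

  iam_user_access_to_billing = "ALLOW"

  lifecycle {
    # The Organizations API cannot read role_name back, so an imported account
    # would otherwise show a perpetual diff on this argument.
    ignore_changes = [role_name]
  }
}

# Account ID of the member account. Populate it from
# aws_organizations_account.dev.id after the first apply (a provider
# configuration must not depend on a value that is unknown at plan time).
variable "dev_account_id" {
  type    = string
  default = "123456789012" # placeholder, replace with the real member account ID
}

# Second provider that assumes the Organizations role in the member account,
# so follow-up resources are applied without ever using root credentials.
provider "aws" {
  alias  = "dev"
  region = "us-east-1" # assumed

  assume_role {
    role_arn     = "arn:aws:iam::${var.dev_account_id}:role/OrganizationAccountAccessRole"
    session_name = "terraform-bootstrap"
  }
}

# Something worth applying in the member account right away: a strict IAM
# password policy. Values are assumptions.
resource "aws_iam_account_password_policy" "dev" {
  provider = aws.dev

  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  max_password_age               = 90
  password_reuse_prevention      = 24
  allow_users_to_change_password = true
}
```

Apply the account resource first, then fill in `dev_account_id` (the ID appears in the Organizations console and in Terraform state) and apply again for the member-account resources. Because the assumed role is logged in CloudTrail of both accounts, this path also leaves a clearer audit trail than sharing a root password.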

Code structure

Here’s how I structured my code for this project. I use Terragrunt on top of Terraform. Master is my only account/environment in this project.

aws/
   org
    ├── README.md
    ├── main.tf
    ├── master
    │   ├── inputs.yml
    │   ├── terragrunt.hcl
    │   └── vars.tf
    └── terragrunt.hcl

# main.tf
provider "aws" {
  region  = var.aws_region
  profile = var.aws_cli_profile
}

terraform {
  backend "s3" {}
}

# Provides a resource to create an AWS organization.
resource "aws_organizations_organization" "this" {

  # List of AWS service principal names for which 
  # you want to enable integration with your organization
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

resource "aws_organizations_account" "dev" {
  # A friendly name for the member account
  name  = "cloudly-engineer-dev"
  email = "somedev@gmail.com"

  # Enables IAM users to access account billing information 
  # if they have the required permissions
  iam_user_access_to_billing = "ALLOW"

  tags = {
    Name  = "cloudly-engineer-dev"
    Owner = "Waleed"
    Role  = "development"
  }
}

That’s it for now. In future posts I’ll continue to cover more of AWS Organizations by creating OUs, service control policies and more, so be sure to subscribe!


November 16, 2020

Waleed S.

Best AWS Multi-Account Architecture

Reading time: 4 minutes

Intro

Okay, you got me! This is not the only one, but it is one of the best AWS multi-account architectures from my years of professional experience. It is not a one-size-fits-all solution, but it should cover the majority of medium to large enterprises organizing their accounts in AWS.

Before getting started

For small organizations or small dev/test setups, having a single AWS account will most likely do just fine. Before you get started, take a minute to read this: https://cloudly.engineer/2019/wait-dont-create-your-aws-account-yet/aws/.

You’ll have to think about the size of your team (people), timeline, budgets and team experience. At the same time, I would always recommend creating 3-4 accounts, assuming you have 3 environments (dev, test, and production). The fourth account would just be the payer account, which is your master account. This fourth AWS account will also host your AWS Organizations service. Do enable the standard IAM account settings, enable CloudTrail logs and other basic security services. Do not run any other services on this account!

AWS Multi-Account architecture

Here’s what the diagram for this architecture could look like.

Why Multiple AWS accounts?

  • Cost separation for budgeting and reporting purposes
    • Billing can still be consolidated in the payer account!
  • Work around hard service quota limits, which apply per account
  • Security isolation
  • Fault tolerance and limiting the blast radius of mistakes
  • Governance and different sets of permissions
  • Different teams and contracts
  • Code pipelines and much more.

Account Permissions

AWS Organizations comes with another key component besides consolidated billing: Service Control Policies (SCPs). SCPs are account-level permission boundaries on services; they are not user permissions at all. From the master account you can block or explicitly allow services for all child accounts or for any single child account directly. You can even block certain regions or certain EC2 (Elastic Compute Cloud) instance types. Everyone should block those high performance computing (HPC) instance types before getting started! Otherwise accidental use of HPC instances can cost you thousands in just a few hours.
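The two guardrails mentioned above, a region allow-list and a block on expensive instance families, are exactly what SCPs are good at. The following is an added example and not the post's code: two SCPs attached to the organization root. It assumes `enabled_policy_types = ["SERVICE_CONTROL_POLICY"]` is set on the `aws_organizations_organization` resource (SCPs also require `feature_set = "ALL"`, which the post already uses); the approved regions and the instance-type patterns are assumptions to adjust.

```hcl
# Added example (not the post's code). Two SCPs attached to the organization
# root. SCPs never affect the master (management) account itself, only member
# accounts, and the default FullAWSAccess SCP stays attached alongside these.

data "aws_organizations_organization" "this" {}

# Guardrail 1: deny regional API calls outside an allow-list of regions.
resource "aws_organizations_policy" "deny_other_regions" {
  name        = "deny-regions-outside-allowlist"
  description = "Deny regional API calls outside approved regions"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyRegionsOutsideAllowlist"
      Effect = "Deny"
      # Global services are excluded so IAM, STS, billing etc. keep working.
      NotAction = [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "budgets:*", "ce:*", "cloudfront:*", "route53:*"
      ]
      Resource = "*"
      Condition = {
        StringNotEquals = {
          "aws:RequestedRegion" = ["us-east-1", "us-west-2"] # assumed allow-list
        }
      }
    }]
  })
}

# Guardrail 2: block launches of expensive instance families (patterns assumed).
resource "aws_organizations_policy" "deny_hpc_instances" {
  name        = "deny-hpc-instance-types"
  description = "Block accidental launches of expensive instance families"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyExpensiveInstanceTypes"
      Effect   = "Deny"
      Action   = ["ec2:RunInstances"]
      Resource = ["arn:aws:ec2:*:*:instance/*"]
      Condition = {
        StringLike = {
          "ec2:InstanceType" = ["p*.*", "hpc*.*", "x1*.*", "u-*.*", "*.metal"]
        }
      }
    }]
  })
}

# Attach both policies at the root so every current and future member account
# inherits them; attach to an OU instead for a narrower scope.
resource "aws_organizations_policy_attachment" "regions_root" {
  policy_id = aws_organizations_policy.deny_other_regions.id
  target_id = data.aws_organizations_organization.this.roots[0].id
}

resource "aws_organizations_policy_attachment" "hpc_root" {
  policy_id = aws_organizations_policy.deny_hpc_instances.id
  target_id = data.aws_organizations_organization.this.roots[0].id
}
```

A quick way to check the effect after applying is to run the IAM policy simulator for a member-account principal, or simply a dry run such as `aws ec2 run-instances --dry-run --instance-type p3.2xlarge ...` from a member account, which should be refused with an explicit-deny error from the SCP.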

User Permissions

The easiest way to manage your users at the beginning is to create all your IAM users in one single account. In the model above, I would create them in prod or possibly in a fifth, security account. Create your users, groups, permissions, MFA, etc. in that account. Then create roles in the other accounts and use role switching. I believe the AWS docs are missing a lot of key components to making role switching as secure as possible, so I’ll be writing about this in detail in the future; subscribe to the emails to get notified.
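Here is what the role-switching setup looks like in Terraform, as an added example that is not the post's code. The role in the member account trusts only the identity account and additionally demands a recent MFA authentication, which closes the most common gap in cross-account setups (a leaked long-lived access key from the identity account is not enough on its own). It assumes a provider alias `aws.dev` configured for the member account, an `identity_account_id` variable, and an existing IAM group named `developers` in the identity account; all IDs and names are placeholders.

```hcl
# Added example (not the post's code). Cross-account role switching with an
# MFA requirement enforced in the trust policy of the member-account role.

variable "identity_account_id" {
  type    = string
  default = "111111111111" # placeholder for the account that holds the IAM users
}

# Trust policy for the role in the member (dev) account: only principals from
# the identity account, and only if they authenticated with MFA in the last hour.
data "aws_iam_policy_document" "dev_admin_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.identity_account_id}:root"]
    }

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }

    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
      values   = ["3600"]
    }
  }
}

resource "aws_iam_role" "dev_admin" {
  provider             = aws.dev # assumed alias pointing at the member account
  name                 = "DevAdminFromIdentity"
  assume_role_policy   = data.aws_iam_policy_document.dev_admin_trust.json
  max_session_duration = 3600 # keep sessions short; re-auth with MFA to renew
}

# What the role may do in the member account. PowerUserAccess is an AWS managed
# policy that blocks IAM changes; swap in a least-privilege policy of your own.
resource "aws_iam_role_policy_attachment" "dev_admin" {
  provider   = aws.dev
  role       = aws_iam_role.dev_admin.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

# In the identity account: allow members of the developers group to switch
# into that one role and nothing else.
data "aws_iam_policy_document" "switch_to_dev" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.dev_admin.arn]
  }
}

resource "aws_iam_group_policy" "switch_to_dev" {
  name   = "assume-dev-admin"
  group  = "developers" # assumed to already exist in the identity account
  policy = data.aws_iam_policy_document.switch_to_dev.json
}
```

Both sides have to agree: the group policy in the identity account grants `sts:AssumeRole`, and the trust policy in the member account accepts it, so revoking access can be done from either account. Every switch shows up in CloudTrail as an `AssumeRole` event in the member account, with the originating user in the `userIdentity` field, which is what you want to alert on for unexpected callers.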

Billing View

The master account will host all your billing information: the breakdown of costs per account and much more. Do set your billing alerts here only! As of the time of this writing I wouldn’t recommend using the Amazon CloudWatch billing alarm. I recommend using the AWS Budgets feature only! Why? Because the billing metric value is different from the AWS Budgets value. AWS Budgets reports the total cost, while the CloudWatch metric covers only AWS services; it’s missing any AWS Marketplace charges.
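As an added example (not the post's code), here is the AWS Budgets setup the paragraph recommends, expressed in Terraform for the master account: one budget on the organization's total spend with an actual and a forecast alert, plus a per-account budget filtered on a linked account, which is how you get the per-account breakdown into alerts. The amounts, e-mail address and the account ID are assumptions.

```hcl
# Added example (not the post's code). Budgets live in the payer (master)
# account, where consolidated billing data including Marketplace charges is.

locals {
  billing_alert_emails = ["billing-alerts@example.com"] # assumed mailbox
}

# Organization-wide monthly cost budget with two alerts: actual spend crossing
# 80% and forecasted end-of-month spend crossing 100% of the limit.
resource "aws_budgets_budget" "org_monthly" {
  name         = "org-monthly-total"
  budget_type  = "COST"
  limit_amount = "500" # assumed monthly limit
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = local.billing_alert_emails
  }

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = local.billing_alert_emails
  }
}

# Per-account budget: the same alerting scoped to a single linked account, so a
# runaway dev environment is noticed before it reaches the organization limit.
resource "aws_budgets_budget" "dev_monthly" {
  name         = "dev-account-monthly"
  budget_type  = "COST"
  limit_amount = "100" # assumed
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  cost_filter {
    name   = "LinkedAccount"
    values = ["123456789012"] # placeholder for the dev member account ID
  }

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = local.billing_alert_emails
  }
}
```

Budget data is refreshed a few times a day rather than in real time, so the forecast alert is the one that gives early warning; the actual-spend alert confirms it. Keep the alert mailbox a shared one so the notification does not depend on a single person's inbox.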

Management

I do have to warn you that multi-account does come with more responsibilities: you have to keep resources such as IAM permissions, roles, security groups, etc. in sync across all accounts. I’ll be writing about how to do this easily and for free in the future.

Subscribe! I’ll be posting how to create accounts with the AWS CLI and how to manage all accounts with Python!


As always if you see any errors, mistakes, have suggestions or questions please comment below. Don’t forget to like, share, and subscribe for more! 🙂

August 5, 2019

Waleed S.
