/terraform-aws-organization-account

!!!!! THIS IS A WORK IN PROGRESS, DO NOT USE !!!!! Create an organization on AWS with support for one repo per sub-account from GitHub templates

Primary language: HCL

Setup Organization

This Terraform script lets you prepare an organization before setting up the environments.

Features

  • Pure Terraform script (no third-party wrapper/CLI)
  • Set up an organization and one AWS account per environment
  • Set up each environment to use its own GitHub repository and its own Terraform Cloud workspace

Pre-requisites

Important notes

  • AWS does not support programmatic deletion of accounts. This means that if you use this project to create the account structure, terraform is not able to completely destroy it.
  • AWS can rate limit account creation. This might mean you'll need to retry the provisioning (just re-run terraform apply). This could take from a few seconds to a few days at AWS discretion.

Usage

  1. Clone this repo.

  2. You can specify a variable file or just continue below and answer the Terraform prompts for variables.

  3. Initialize Terraform with terraform init

  4. Run Terraform with terraform apply

  5. Once complete, run the terraform init command again to push the current state to Terraform Cloud (this script generates the backend configuration for you)

If there are any errors due to timeouts or other odd failures, run terraform apply again.

AWS Sub-accounts

Account            Description
master*            Master account used to manage the organizational account structure and billing
identity           Contains all users and policies
audit              Contains all logs
shared-resources   Contains resources that are shared across other accounts such as AMIs, repositories, etc.
staging            Staging environment
production         Production environment
testing            Automated testing environment

The root user of the master account should not be used any more: delete the access key you created to run this script and enable 2FA on that account. If you have admin work to do, use the admin user created by this script; being an IAM user, it can switch roles and access all the accounts above as an admin.
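As an added illustration of the account layout above (example code, not this repository's own), this is how the member accounts and the role-switching path the admin user relies on can be expressed in Terraform. The var.aws_* names match the tfvars example below; local.member_accounts, the resource names and the "audit" provider alias are assumptions.

```hcl
# Organization with all features on, so SCPs and consolidated billing are available.
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
}

# One member account per environment; the emails come from the tfvars example.
locals {
  member_accounts = {
    identity           = var.aws_account_identity_email
    audit              = var.aws_account_audit_email
    "shared-resources" = var.aws_account_shared-resources_email
    staging            = var.aws_account_staging_email
    production         = var.aws_account_production_email
    testing            = var.aws_account_testing_email
  }
}

resource "aws_organizations_account" "member" {
  for_each   = local.member_accounts
  depends_on = [aws_organizations_organization.org]

  name  = each.key
  email = each.value
  # AWS creates this role in every new member account; the master account can assume it.
  role_name = "OrganizationAccountAccessRole"
  # Keep the billing console out of reach of member-account IAM users.
  iam_user_access_to_billing = "DENY"

  # Accounts cannot be deleted programmatically (see "Important notes"), so
  # refuse an accidental terraform destroy instead of leaving orphaned accounts.
  lifecycle {
    prevent_destroy = true
  }
}

# Provider alias that operates inside the audit account by assuming the role
# above: the same "switch roles" path the admin IAM user takes in the console.
provider "aws" {
  alias   = "audit"
  region  = var.aws_default_region
  profile = var.aws_profile

  assume_role {
    role_arn = "arn:aws:iam::${aws_organizations_account.member["audit"].id}:role/OrganizationAccountAccessRole"
  }
}
```

Resources that must live in the audit account (for example the log buckets) reference this alias with provider = aws.audit, so nothing is ever created with the master account's own credentials.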

Variables file

Here is an example terraform.tfvars file:

/**
 * General variables
 */

// Default PGP Key to decrypt passwords, in most cases this will be a key configured on your current machine
pgp_key = "keybase:romainbarissat"

/**
 * AWS Variables
 */

aws_profile                        = "acme" // This profile was initiated when I installed the AWS Cli
aws_default_region                 = "us-east-1"
aws_org_name                       = "acme"
aws_account_audit_email            = "audit@acme.com"
aws_account_identity_email         = "identity@acme.com"
aws_account_shared-resources_email = "shared-resources@acme.com"
aws_account_testing_email          = "testing@acme.com"
aws_account_staging_email          = "staging@acme.com"
aws_account_production_email       = "production@acme.com"


/**
 * Terraform Cloud Variables
 */

tfe_token     = "xxxyyyzzz.atlasv1.xxxyyyzzz"
tfe_org_name  = "acme" // This script will create it
tfe_org_email = "acme@acme.com"


/**
 * Github Variables
 */

github_token        = "xxxyyyzzz" // acme-bot
github_organization = "acme" // This should be created already

Further reading

This setup follows AWS best practices. For a very good read about a reference architecture, see the one published by Gruntwork.