/tf-aws-luperca

Create and manage AWS Organization and also create member accounts

Primary language: HCL. License: The Unlicense.

AWS Luperca

Objective:

  • Be able to create multiple AWS accounts
  • Create 2 foundational OUs (Security and Infrastructure)
  • Create 2 foundational accounts (Security and Infrastructure)
  • Delegate admin to the foundational accounts
  • Do all the above in an automated way with Terraform and GitHub Actions

Notes:

  1. The code here is my personal approach to this AWS blog post
  2. I've avoided a few things because for my lab env they would be overkill/over-engineering, and I've never seen that kind of extreme segregation working so well
  3. I've decided to use BU instead of team because a development team is more likely to end, change name or merge with another team.
  4. The Service Control Policies (SCP) in svc_control_policies.tf must be reviewed.

The brief how:

Using AWS Organizations and Terraform

  • You will need to change the email structure using 2 variables at variables.tf

variable "email_user" {
  description = "Used to generate the email for each account"
  default     = "yourEmailUser"
}

variable "email_domain" {
  description = "Used to generate the email for each account"
  default     = "yourEmailDomain.com"
}

  • You need to add your business_unit name and the list of envs at variables.tf to create the accounts separated by env

example:

variable "business_unit" {
  description = "Name of the business unit and the needed environments"
  default = {
    frontend = ["prd", "dev"],
    backend  = ["prd", "dev"]
  }
}

  • You may also want to change the service control policies, default tags and backend config, since I'm using values intended for my personal lab

How?

Using GitHub Actions and Terraform this repo can create:

  • Organization
  • Organization Unit (OU)
  • Foundational OUs and Accounts
  • New AWS Accounts under the created OU
  • Service Control Policies (SCP), see svc_control_policies.tf
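As an added example of what an SCP for the workload OUs can look like (this is not the repository's svc_control_policies.tf, which you still have to review), the block below builds a small guardrail policy and attaches it to one OU. It assumes the OU resource is called aws_organizations_organizational_unit.bu and is keyed by business unit name, and that the organization has the SERVICE_CONTROL_POLICY policy type enabled; both are assumptions, not something the page states.

```hcl
# Added example, not the repository's own SCP file.
# Assumes: enabled_policy_types includes "SERVICE_CONTROL_POLICY" on the organization,
# and an OU resource named aws_organizations_organizational_unit.bu keyed by BU name.

data "aws_iam_policy_document" "guardrails" {
  # A member account must not be able to leave the organization, because leaving
  # removes every SCP that applies to it.
  statement {
    sid       = "DenyLeaveOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }

  # The audit trail stays on: nobody inside the member account, root user included,
  # can stop, delete or reconfigure CloudTrail trails.
  statement {
    sid    = "DenyCloudTrailTampering"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
    ]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "guardrails" {
  name        = "guardrails" # assumed name
  description = "Baseline deny rules for every workload OU"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.guardrails.json
}

# Attach to one OU; repeat (or use for_each over the OU map) for the others.
resource "aws_organizations_policy_attachment" "guardrails_frontend" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.bu["frontend"].id
}
```

SCPs only set the ceiling of what identities in the account may do; they grant nothing, so the IAM policies in each account still decide the effective permissions. Deny statements like these are deliberately narrow so that the "switch role" and "reset root password" access paths described later on this page keep working.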

In the GitHub Actions workflows, I'm using OpenID Connect to authenticate to the AWS root account, and the created role is passed in via a secret named GITHUBOIDC_AWSROLE in the CI and CD files.
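The role that ends up in the GITHUBOIDC_AWSROLE secret is only as safe as its trust policy, so here is an added example (not the repository's own code) of the AWS side of the OIDC setup in Terraform. The repository slug OWNER/tf-aws-luperca, the role name and the idea of restricting the trust to branch pushes and pull requests of that single repository are assumptions made for the example; the thumbprint is the commonly published one for GitHub's OIDC issuer and should be checked against current docs before use.

```hcl
# Added example, not part of the repository. Assumed values are marked below.

# GitHub's OIDC identity provider, registered once in the AWS account.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] # verify against current GitHub docs
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # The token must have been minted for STS.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Without a "sub" condition ANY GitHub repository could assume this role.
    # Assumed repository slug; branch pushes (CI plan) and pull_request events are allowed.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values = [
        "repo:OWNER/tf-aws-luperca:ref:refs/heads/*",
        "repo:OWNER/tf-aws-luperca:pull_request",
      ]
    }
  }
}

resource "aws_iam_role" "github_terraform" {
  name                 = "github-terraform" # assumed; its ARN goes into GITHUBOIDC_AWSROLE
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600
}

# The role needs Organizations and IAM rights to create accounts; attach the
# permissions you actually use instead of AdministratorAccess where you can.
resource "aws_iam_role_policy_attachment" "github_terraform_orgs" {
  role       = aws_iam_role.github_terraform.name
  policy_arn = "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess"
}
```

A stricter variant splits this into two roles: a read-only one for the plan that runs on every branch and pull request, and an apply role whose "sub" condition accepts only repo:OWNER/tf-aws-luperca:ref:refs/heads/main, so a pull request from any branch can never reach the role that changes the organization.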

For remote state, I'm using Terraform Cloud with local execution mode configured there, so I can run all Terraform steps here in GitHub. You need to create a token at Terraform Cloud and pass it as a secret in the CI/CD files; here I've called it TF_AWS_ROOT_LAB.

For Infracost you will also need an API key; to get the key you can check their docs (Get API key). Here I've called it INFRACOST_API_KEY.

For CI checks I'm using TFLint, Checkov, and Infracost.

Creating and pushing changes on a new branch will trigger the CI workflow, unless the changes are only to **.md files.

When a pull request is opened, two comments will be added:

  • The plan with what that code will change
  • The Infracost check

When the PR is merged into the main branch, Terraform will apply the changes described in the PR comment.

To create the accounts with minimal effort you will need to:

  • Change the email structure using 2 variables at variables.tf

variable "email_user" {
  description = "Used to generate the email for each account"
  default     = "yourEmailUser"
}

variable "email_domain" {
  description = "Used to generate the email for each account"
  default     = "yourEmailDomain.com"
}

  • Add your business_unit name and the list of envs at variables.tf to create the accounts separated by env

example:

variable "business_unit" {
  description = "Name of the business unit and the needed environments"
  default = {
    frontend = ["prd", "dev"],
    backend  = ["prd", "dev"]
  }
}

The naming will be:

  • For the organization unit, the key: frontend
  • For the account, key-listObject: frontend-prd

You may also want to change the service control policies, tags and backend config, since I'm using values intended for my personal lab
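To make the naming rule above concrete, here is an added example (not the repository's own aws_org_acct.tf) that turns the business_unit map into one OU per key and one account per key-env pair, named frontend-prd and so on. The e-mail scheme (user+account-name@domain, plus-addressing so every account gets a unique address in one mailbox), the role name, the tags and the reference to an existing aws_organizations_organization.org resource are all assumptions made for the example.

```hcl
# Added example, not the repository's code. Assumes a provider configured against the
# management account and an aws_organizations_organization.org resource defined elsewhere.

variable "email_user"   { default = "yourEmailUser" }
variable "email_domain" { default = "yourEmailDomain.com" }
variable "business_unit" {
  default = {
    frontend = ["prd", "dev"],
    backend  = ["prd", "dev"]
  }
}

locals {
  # Flatten {bu => [envs]} into one entry per (bu, env), keyed "frontend-prd" etc.
  accounts = {
    for pair in flatten([
      for bu, envs in var.business_unit : [
        for env in envs : { bu = bu, env = env }
      ]
    ]) : "${pair.bu}-${pair.env}" => pair
  }
}

# One OU per business unit; the OU name is the map key (e.g. "frontend").
resource "aws_organizations_organizational_unit" "bu" {
  for_each  = var.business_unit
  name      = each.key
  parent_id = aws_organizations_organization.org.roots[0].id
}

# One account per (bu, env). E-mail scheme is an assumption: user+frontend-prd@domain.
resource "aws_organizations_account" "member" {
  for_each  = local.accounts
  name      = each.key
  email     = "${var.email_user}+${each.key}@${var.email_domain}"
  parent_id = aws_organizations_organizational_unit.bu[each.value.bu].id
  role_name = "OrganizationAccountAccessRole" # assumed; the repo defines its own in aws_org_acct.tf

  # Dropping an env from var.business_unit closes (suspends) the account instead of
  # only forgetting it in state, which matches the removal behaviour described below.
  close_on_deletion = true

  tags = {
    BusinessUnit = each.value.bu
    Environment  = each.value.env
  }
}

# Parking OU for closed accounts. AWS keeps a closed account visible in the
# organization for 90 days, and an OU cannot be deleted while an account is in it,
# so closed accounts are moved here before their BU OU is removed.
resource "aws_organizations_organizational_unit" "suspended" {
  name      = "Suspended Accounts"
  parent_id = aws_organizations_organization.org.roots[0].id
}
```

Because both for_each maps are keyed by the stable names, renaming an environment (for example prd to prod) changes the key and therefore closes one account and creates a new one; treat the key as immutable once the account exists.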

To access the account after creation you have two options:

  • You can switch role in the AWS console using the role name defined at aws_org_acct.tf, create a role with fewer permissions and start your configuration from there.
  • The second option is to reset the root account password.

Removing an account is a bit more complicated:

If you remove the account from the list, the account will be immediately suspended, but if you try to remove the BU together with the account, Terraform will fail because there is still an object inside the OU.

So manual intervention is necessary and the change needs 2 PRs:

  • First PR: remove the account
  • In the AWS Console or with the AWS CLI, move the suspended account to a "Suspended Accounts" OU (this code creates one named Suspended Accounts)
  • Second PR: remove the OU

Last but not least:

  1. There is a limit on how many accounts can be suspended via the API; check the values at Quotas for AWS Organizations. If you hit it you can safely do the manual process; the Terraform code will update the account status and OU in the next run to match reality.
  2. Of course, to avoid surprises with AWS billing, the secret GITHUBOIDC_AWSROLE is not configured 🤡

Why?

  • Personal project.
  • Learn more about the used tools.
  • Share knowledge (that's why it is public).

Want to help or test?

Read the contrib file :)

Extra Docs and ref: