Follow the below directory structure:
repo:
├── 0-bootstrap
│ ├── bootstrap.sh
│ ├── bootstrap
│ ├── cicd
│ │ ├── inventories
│ │ └── modules
│ │ └── cicd
│ │ └── templates
│ └── tf-prerequisites
├── 1-org
| ├── aws-secure-baseline
│ │ ├── alarm-baseline
│ │ ├── iam-ebs-secure-baselines
│ │ └── s3-baseline
│ ├── billing
│ ├── cloudtrail
│ ├── cloudwatch-s3-exporters
│ │ ├── Dev
│ │ ├── Prod
│ │ └── Staging
│ ├── config
│ ├── detective
│ ├── guardduty
│ ├── infra-cicd
│ ├── kms
│ ├── macie
│ ├── logging-buckets
│ ├── permission-sets
│ ├── rego-s3-sync
│ ├── securityhub
│ ├── shared-service
├── 2-network
│ ├── dns-hub
│ │ ├── dns-securtiylogging
│ │ ├── firewall
│ │ ├── route53resolver
│ │ ├── transit-gateway
│ │ └── vpc
│ └── network-hub
│ ├── firewall
│ ├── high-trust
│ ├── transit-gateway
│ └── vpc
├── 3-env
│ ├── dev
│ │ ├── transit-gateway
│ │ └── vpc
│ ├── prod
│ │ ├── transit-gateway
│ │ └── vpc
│ └── staging
│ ├── transit-gateway
│ └── vpc
├── img
├── permissionset-compliance
│ ├── report
│ └── validation
├── rego
│ └── rules
├── terraform
│ ├── modules
│ └── scp-stored
├── Dockerfile
├── apply.sh
├── destroy.sh
├── destroy-all.sh
├── global-lz-state-backend.conf
├── lzconfig.yaml
├── plan.sh
├── prebuild.sh
├── regula-prebuild.sh
├── regula-spec.yaml
├── regula.sh
├── terraform-exec.sh
└── terraform-spec.yaml
To run the commands described in this document, you need to have the following installed:
- AWS CLI v2.8.2
- Terraform v1.4.5
- git v2.38.1
- AWS Account that will be used as a Management Account
- Setup of AWS SSO by any supported Identity Provider
- Setup of AWS Organization (this will be done automatically while setting up SSO)
- Deployer should be a part of the admin permission set for the Management account.
- Complete authentication with aws credentials i.e. AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
- Go to the AWS access portal URL
- Select Management account
- Click on the Command line or programmatic access.
- Copy the environment variable and paste it on AWS CLI to get authenticated.
- Increase the limit to create AWS account API calls. This landing zone deployment requires at least 18 accounts including the management account.
- There are a few steps that require manual approval and the deployer should be approving them appropriately.
For more information about the permissions that are required, and the resources that are created, see the organization bootstrap module documentation.
Follow the steps to fork or clone the landing zone GITHUB repo on your local machine:
- Create a personal access token (PAT) on GitHub. Goto GitHub profile > Settings > Developer Settings > Personal Access Tokens > Generate New Token.
- Set username and generated PAT in your machine.
- Clone the repo:
git clone https://github.com/ollionorg/aws-landing-zone.git
- Ensure the configuration parameters inside the file lzconfig.yaml are properly set and commit the changes to the repository.
- Update the global-lz-state-backend.conf with the backend s3 bucket, Region, and DynamoDB Table.
Authenticate the shell with AWS IAM credentials belonging to the administrator user of the management account and trigger the script 0-bootstrap/bootstrap.sh
The script will do Terraform apply in 0-bootstrap/tf-prerequisites directory first which will create an S3 bucket and DynamoDB table which will be used by Terraform to store the state and state locking mechanism respectively in the management account.
Afterward, the 0-bootstrap/bootstrap directory will get triggered which will create an Organization Unit as well as an AWS Account called LZ CICD. This newly created account will hold our CICD automation stack.
Subsequently, 0-bootstrap/cicd will get triggered which will create a CICD automation stack in the LZ CICD Account.
In the wake of best practices, we will not be maintaining keys or passwords or anything sensitive for authentication to the GitHub repo.
The user has to manually execute the below steps for the authentication part:
-
Go into the newly created LZ CICDweb console
-
Go into AWS CodePipeline
-
Search for Connections in the Settings
-
Approve the connection as shown on the screen that will transition to the Available state from the Pending one.
Note
Approval needs to happen on the GitHub side
After approval, the connection status becomes Available
After Step 3 is successful, we have to go to AWS Console and manually trigger the pipeline as shown below.
- Go into the LZ CICD web console
- Go into AWS CodePipeline
- Click on our aws-lz-dev CodePipeline
- Click on Release Changes[The Deployment of the Landing Zone will Start]
In order to know what is happening with our pipeline in real-time, we can view logs of the same in AWS CodePipeline UI.
The pipeline will run in the following sequence:
- Log terraform plan to the CodePipeline
- Wait for manual approval of authorized approvers only (the notification for approval can be sent to Email or AWS SNS, but the example below shows approval from AWS CodePipeline GUI without any notification to the user being sent)
- Approve the pipeline. There are a total of 6 Manual approvals in the entire pipeline:
- ApprovalOrgHierarchy (Stage OrgPrerequisites)
- ApprovalLoggingBuckets (Stage OrgPrerequisites)
- ApprovalVPC (Stage OrgPrerequisites)
- ApprovalDNSResolver (Stage OrgPrerequisites)
- ApprovalWorkloadVPC (Stage OrgPrerequisites)
- ORGMAINApproval (Stage OrgMain)
Describe the problem clearly and send an email to [email protected].