brucehoff/organizations-infra: Sage AWS Organizations

Overview

Install, configure and manage the AWS organizations management account and all its member accounts.

We use a combination of org-formation and sceptre to deploy AWS cloud resources using cloudformation.

Deployments

Our AWS management account was bootstrapped before any deployments could happen.

Directory Organization

This repo manages AWS resources with two different cloudformation deployment tools, Org-formation and Sceptre. In general the files for each tool are arranged in the corresponding subdirectories in this repo. The files in the sceptre folder are there to support legacy deployments from before we started using org-formation.

Deployment of future resources should be done with org-formation and the corresponding files should be added to the org-formation folder. There are two exceptions to this general rule:

  • sceptre/aws-opendata and sceptre/strides-ampad-worflows deploy to AWS accounts that are not part of the Sage organization and therefore cannot be deployed with org-formation.
  • sceptre/scipool is for the Sage service catalog. This could be a standalone repo; however, we've decided to move it into this repo to make CI/CD deployments easier.

org-formation

Deploy resources to master and all member accounts

  • install nodejs
  • cd org-formation
  • run 'npm install'
  • run npx org-formation process-tasks --profile master-profile --verbose --print-stack organization-tasks.yaml

Note: master-profile is a profile that can assume the account's organizations-admin role

Refer to Org-Formation Overview for a summary of what org-formation deploys.

sceptre

Install on your machine and then run:

  • create a python 3.x virtualenv
  • run pip install sceptre sceptre-ssm-resolver sceptre-date-resolver sceptre-file-resolver
  • cd sceptre/folder (i.e. sceptre/sandbox)
  • uncomment # profile: {{ var.profile | default("default") }} in config/configs.yaml
  • run sceptre --var "profile=member-profile" --var "region=us-east-1" launch prod/my-template.yaml

Note: member-profile is a profile that can assume the member account's OrganizationAccountAccessRole role

Run in a docker container:

docker run --rm --name sceptre -v /path/to/src/organizations-infra/sceptre/scipool:/project \
-v $HOME/.aws:/root/.aws/:ro sceptreorg/sceptre \
--var "region=us-east-1" launch -y prod/my-template.yaml

Automation

We have set up GitHub Actions to automate deployments to the AWS management account and all member accounts. The deployment runs on every merge to the master branch.

Org-formation manages deployments to specific accounts using organization bindings.

Sceptre manages deployments to specific accounts with designated config folders (i.e. config/dev or config/prod).

Contributions

Contributions are welcome.

Requirements:

  • Install pre-commit app
  • Clone this repo
  • Run pre-commit install to install the git hook.

Testing

As a pre-deployment step we syntactically validate our sceptre and cloudformation yaml files with pre-commit.

Please install pre-commit; once installed, the file validations will automatically run on every commit. Alternatively you can manually execute the validations by running pre-commit run --all-files.

To debug jinja template processing in sceptre, go to the corresponding sceptre/* directory and run e.g. sceptre generate develop.

Issues

Secrets

  • We use the AWS SSM to store secrets for this project. Sceptre retrieves the secrets using a sceptre ssm resolver and passes them to the cloudformation stack on deployment.
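The Testing section above validates yaml syntax with pre-commit, and this section says secrets must reach cloudformation through the sceptre ssm resolver rather than being written into stack configs. The following is an added example of a pre-commit style check that enforces the second rule; it is not code from the organizations-infra repository. It assumes the sceptre layout described in this README (stack configs with a `parameters:` mapping, values resolved with `!ssm`), uses a simple line-based scan so it needs no PyYAML, and the two sample configs and the `find_hardcoded_secrets`/`check_files` names are constructed for the example.

```python
"""Hypothetical pre-commit check: flag secret-looking sceptre parameters
whose value is a literal instead of a resolver tag such as `!ssm`.
Added example, not part of organizations-infra."""
import re
import sys
from typing import List, Tuple

# Parameter names that should never carry a literal value in a committed config.
SECRET_NAME_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I
)
# Resolver tags that fetch the value at deploy time instead of storing it in git.
RESOLVER_TAG_RE = re.compile(r"^!(ssm|stack_output|environment_variable|file)\b")
# `key: value  # optional comment` (list items and multi-line scalars are skipped).
KEY_VALUE_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*(#.*)?$")


def find_hardcoded_secrets(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, value) for secret-named keys under `parameters:`
    whose value is a literal rather than a resolver tag."""
    findings = []
    in_parameters = False
    params_indent = 0
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_VALUE_RE.match(raw)
        if not m:
            continue
        indent, key, value, _comment = m.groups()
        if key == "parameters" and value == "":
            in_parameters = True
            params_indent = len(indent)
            continue
        if in_parameters:
            if len(indent) <= params_indent:
                in_parameters = False  # dedented: left the parameters block
                continue
            if SECRET_NAME_RE.search(key) and value and not RESOLVER_TAG_RE.match(value):
                findings.append((lineno, key, value))
    return findings


def check_files(paths) -> int:
    """Scan config files on disk; return the number of findings so a
    pre-commit hook can fail the commit when it is non-zero."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, key, _value in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: parameter '{key}' is a literal; use !ssm instead")
                total += 1
    return total


# Constructed sample configs (not from the repository).
BAD_CONFIG = """\
template_path: templates/rds.yaml
profile: {{ var.profile | default("default") }}
parameters:
  DbName: appdb
  DbPassword: hunter2          # literal secret: flagged
  ApiToken: "abc123"           # literal secret: flagged
sceptre_user_data:
  Token: not-a-parameter       # outside parameters: ignored
"""

GOOD_CONFIG = """\
template_path: templates/rds.yaml
parameters:
  DbName: appdb
  DbPassword: !ssm /prod/app/DbPassword   # fetched from SSM at deploy time
  ApiToken: !ssm /prod/app/ApiToken
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if check_files(sys.argv[1:]) else 0)
    print("bad config findings:", find_hardcoded_secrets(BAD_CONFIG))
    print("good config findings:", find_hardcoded_secrets(GOOD_CONFIG))
```

Run it with the config paths as arguments (the form a pre-commit hook entry would use) and it exits non-zero on any literal secret; run with no arguments to see the two constructed samples scanned. The scan only looks inside the `parameters:` block because that is where sceptre hands values to the cloudformation stack; secrets elsewhere in a config would need a separate rule.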
