This Terraform project initialises an account to become the root (master) account of an AWS Organisation.

The following steps are required to initialise the master account and perform Terraform's first run. Best practice is to create a tfvars file to supply the variables; the `*.tfvars.example` file can be renamed to `*.tfvars` and updated with the appropriate values.

The `.gitignore` is set up to ignore any `.tfvars` variable files, as they could contain sensitive information.
- Create an AWS account to be the master account and then run the CloudFormation script in `init/terraform-init.yaml`. The CloudFormation script creates the following resources: Terraform User and Credentials.
- Set up the AWS profile using `aws configure --profile terraform-master`. Use the outputs of the CloudFormation script when prompted.
- Run `terraform init "-var-file=master.tfvars"`.
- Run `terraform plan "-var-file=master.tfvars"` and ensure the appropriate resources are being created, especially the KMS key and S3 bucket.
- Run `terraform apply "-var-file=master.tfvars"`.
- Update the `master.tfvars` file with the outputs from the `terraform apply` stage.
- Add the following backend configuration to the top of `main.tf`:

  ```hcl
  terraform {
    backend "s3" {
      key     = "common/master"
      encrypt = true
    }
  }
  ```

- Run `terraform init "-backend-config=backend.tfvars"` again and select yes to migrate the state.
- As the root user, log in and enable the `DenyCloudTrailModifications` policy:
  - Navigate to AWS Organizations
  - Click on the `Organize accounts` tab
  - On the right hand side under `Root`, click `Enable` for Service control policies
  - Click on the `Policies` tab
  - Select the `ProtectAccounts` policy
  - Select `Accounts` from the right hand side
  - Click `Attach` for all of the accounts listed
Once the state has been stored in S3, users have to run the following command when setting up their local environment, and again whenever modules or the backend configuration for Terraform are set or changed:

```sh
terraform init "-backend-config=backend.tfvars"
```
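The remote state written to S3 holds every output listed below, including the Terraform user's secret access key, so it is worth confirming that the backend really is configured for encryption at rest and state locking before the `terraform init "-backend-config=backend.tfvars"` step migrates it. The following pre-flight script is an added example, not part of this project; it assumes `backend.tfvars` carries the S3 backend's `bucket`, `region`, `dynamodb_table` and `kms_key_id` settings (the `key` and `encrypt` settings live in `main.tf`, as described above). The sample files it checks are constructed inline.

```shell
#!/usr/bin/env sh
# Pre-flight checks to run before `terraform init "-backend-config=backend.tfvars"`.
# Added example; the key names below are the S3 backend's own settings and the
# split between backend.tfvars and main.tf is an assumption about this layout.

# check_backend_config FILE
#   Prints each required backend setting missing from FILE; returns 1 if any is missing.
check_backend_config() {
  cfg_file="$1"
  cfg_rc=0
  for cfg_key in bucket region dynamodb_table kms_key_id; do
    # A setting counts as present only when it appears as an assignment at line start.
    if ! grep -Eq "^[[:space:]]*${cfg_key}[[:space:]]*=" "$cfg_file"; then
      echo "backend.tfvars is missing: $cfg_key"
      cfg_rc=1
    fi
  done
  return $cfg_rc
}

# check_encrypt_at_rest MAIN_TF
#   Returns 0 only if the backend block in MAIN_TF sets `encrypt = true`.
check_encrypt_at_rest() {
  grep -Eq '^[[:space:]]*encrypt[[:space:]]*=[[:space:]]*true' "$1"
}

# backend_preflight BACKEND_TFVARS MAIN_TF
#   Combines both checks; returns 0 only when the state will be encrypted and locked.
backend_preflight() {
  pf_rc=0
  check_backend_config "$1" || pf_rc=1
  if ! check_encrypt_at_rest "$2"; then
    echo "main.tf backend block does not set encrypt = true"
    pf_rc=1
  fi
  return $pf_rc
}

# --- Demonstration on constructed sample files (not this project's real values) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/backend.tfvars" <<'EOF'
bucket         = "example-terraform-state"
region         = "eu-west-1"
dynamodb_table = "example-terraform-lock"
kms_key_id     = "arn:aws:kms:eu-west-1:000000000000:key/00000000-0000-0000-0000-000000000000"
EOF
cat > "$demo_dir/main.tf" <<'EOF'
terraform {
  backend "s3" {
    key     = "common/master"
    encrypt = true
  }
}
EOF
if backend_preflight "$demo_dir/backend.tfvars" "$demo_dir/main.tf"; then
  echo "backend pre-flight passed: safe to migrate state"
else
  echo "backend pre-flight failed: fix the configuration before migrating state"
fi
rm -rf "$demo_dir"
```

Run it from the project directory with the real paths (`backend_preflight backend.tfvars main.tf`) before the state-migration step; a non-zero exit means the state would land in S3 either unencrypted by the intended KMS key or without a DynamoDB lock table.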
The project takes the following input variables:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_default_region | The AWS Region to create resources | string | - | yes |
| domain_name | The domain name which will be used as the suffix for s3 buckets and email addresses | string | - | yes |
| master_account_id | The account id which will be the root organisation | string | - | yes |
| account_prefix | The prefix to use for account aliases | string | - | yes |
| profile | A profile in ~/.aws/credentials which is used for terraform | string | default | no |
| tags | A map of tags to add to all resources | map | {} | no |
The project exposes the following outputs:

| Name | Description |
|---|---|
| cloudtrail_bucket_id | The name of the cloudtrail bucket where all trails will be centralised |
| default_kms_key_arn | The KMS Key id which can be used by all users and AWS services |
| development_account_alias | The alias of the development account |
| development_account_id | The development account id |
| development_cloudtrail_log_name | The name of the cloudtrail log for the development account |
| master_account_alias | The alias of the root account |
| master_account_id | The root account id |
| master_cloudtrail_log_name | The name of the cloudtrail log for the master account |
| operations_account_alias | The alias of the operations account |
| operations_account_id | The operations account id |
| operations_cloudtrail_log_name | The name of the cloudtrail log for the operations account |
| production_account_alias | The alias of the production account |
| production_account_id | The production account id |
| production_cloudtrail_log_name | The name of the cloudtrail log for the production account |
| terraform_access_key_id | The Terraform User Access Key ID |
| terraform_bucket_id | The name of the terraform state bucket |
| terraform_dynamodb_table_name | The name of the terraform dynamodb table |
| terraform_kms_key_arn | The KMS Key id used by terraform to encrypt the s3 bucket at rest |
| terraform_secret_access_key | The Terraform User Secret Access Key |