
AWS Account Creation using Ansible and Terraform

cd terraform-aws/account/management/aws-account-creation
ansible-playbook playbook.yaml

cd terraform-aws/account/management/sso
terraform init
terraform plan
terraform apply
  • Root|Management-Account aws-admin: account/management/aws-account-creation
  • Create an alias of [email protected] to set up new AWS Accounts: xxx_dev@, xxx_test@, ...
AWS Account Creation IaC using Ansible and Terraform
├───account
│   ├─── `management`
│   │   ├─── `aws-account-creation`
│   │   │   ├───codebuild-infrastructure
│   │   │   │   └───target-account-role-for-codebuild
│   │   │   └───roles
│   │   │       ├─── `aws-account-create`
│   │   │       │   ├───defaults
│   │   │       │   ├───handlers
│   │   │       │   ├───meta
│   │   │       │   ├─── `tasks`
│   │   │       │   │   ├─── `main.yaml`
│   │   │       │   ├───tests
│   │   │       │   └───vars
│   │   │       ├───creating-vpc-infra
│   │   │       │   ├───defaults
│   │   │       │   ├───handlers
│   │   │       │   ├───meta
│   │   │       │   ├───tasks
│   │   │       │   ├───templates
│   │   │       │   │   └───vpc-infra
│   │   │       │   ├───tests
│   │   │       │   └───vars
│   │   │       ├───deploying-aws-config
│   │   │       │   ├───defaults
│   │   │       │   ├───handlers
│   │   │       │   ├───meta
│   │   │       │   ├─── `tasks`
│   │   │       │   │   ├─── `main.yaml`
│   │   │       │   ├───tests
│   │   │       │   └───vars
│   │   │       ├───deploying-aws-patching
│   │   │       │   ├───defaults
│   │   │       │   ├───handlers
│   │   │       │   ├───meta
│   │   │       │   ├─── `tasks`
│   │   │       │   │   ├─── `main.yaml`
│   │   │       │   ├───tests
│   │   │       │   └───vars
│   │   │       └───notify-cyber
│   │   │           ├───defaults
│   │   │           ├───handlers
│   │   │           ├───meta
│   │   │           ├───tasks
│   │   │           ├───tests
│   │   │           └───vars
│   │   ├───org-iam-password-policy
│   │   ├───organization
│   │   │   └───resource-explorer-stacksets
│   │   ├───policy
│   │   └───sso
├───global

1. AWS Account Creation

AWS Account Creation: playbook.yaml Ansible playbook
- hosts: localhost
  gather_facts: False ## No need to gather facts as the tasks only interact with AWS services
  vars:
    ## IAM Role that will be used to create new AWS accounts (admin permissions required)
    AdminAccountRole: aws-admin.Cloudandplatformteam-Admin
    ## New AWS Account to be created in AWS Organizations: refer to `account/management/organization/main.tf`
    NewAccountName: bluecurrent-nz-soa-poc
    ## AWS Organizational Unit (OU) where the new account will reside (structure for policies and governance)
    OrgOUid: ou_nz_applications_sandbox
    ## Environment (Prod, Dev, Test, etc.); this helps in tagging and managing resources for different environments
    ENV: Prod

    ## Primary contacts for the AWS account for accountability and notification purposes
    AccountOwner: [email protected]
    ProductOwner: [email protected]
    TechnicalLead: [email protected]
    ## Purpose of the AWS account, useful for tagging and auditing resources
    PurposeofAccount: Deploy Version 10g of the Oracle SOA Suite
    ## Metadata for tracking resources across the business
    OrganizationalUnit: ou-shared-services-prod
    BusinessUnit: Metering
    WBS: Bluecurrent

    ## Below This Line is for VPC Building
    ## Network details for the VPC to be created in the new account
    # vpccidrblock: 10.20.10.0/24
    vpccidrblock: 10.25.160.0/20  ## CIDR block for the new VPC, ensure it doesn't overlap with existing CIDRs
    tgwaccountid: "052716177451"  ## Account ID that owns the Transit-Gateway to attach to
    transitgatewayid: tgw-0f306f47f8f4f8771  ## Transit Gateway ID to be used for VPC attachments
    CostGroup: Placeholder  ## Placeholder for FinOps tracking, could be dynamically assigned

    ## DO NOT EDIT below this comment
    ## These variables will be populated dynamically based on task outputs
    NewAccountNumber: "{{ account_id.stdout }}" ## New AWS Account Number from creation tasks
    #NewAccountNumber: "440388833294"
    tgwattachid: "{{ tgwattach_id.stdout }}"    ## Transit Gateway Attachment ID for the VPC
    vpc_id: "{{ newvpc_id.stdout }}"            ## ID of the newly created VPC in the new AWS account

  tasks:
    ## Task list should be populated by the roles. Individual tasks could be added here for specific configurations
    ## (e.g., tagging, logging, or security baseline configurations).

  roles:
  ## Role to create a new AWS account in AWS Organizations
  - aws-account-create
  ## Configures AWS Config rules and compliance for the new account
  - deploying-aws-config
  ## Sets up AWS patching (e.g., using Systems Manager Patch Manager) for the EC2 instances in the new account
  - deploying-aws-patching
  ## (Optional) Role to create the necessary VPC infrastructure
  # - creating-vpc-infra
  ## (Optional) Role to notify the cybersecurity team about the new account for security review
  # - notify-cyber
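A pre-flight check for the `vars` block above, added here as an example that is not part of the repository: it confirms the requested VPC CIDR does not overlap any CIDR already routed behind the Transit Gateway (the overlap the comment on `vpccidrblock` warns about) and that the account and Transit Gateway IDs are well-formed before `ansible-playbook` is run. The allocated-CIDR list and the owner address are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of CIDRs already routed behind the Transit Gateway; this
# is an assumption, the real list would come from IPAM or the TGW route table.
ALLOCATED_CIDRS = ["10.20.10.0/24", "10.25.0.0/20", "10.25.176.0/20"]

# The fields this check reads, with the values from the playbook's vars block
# (the contact address is a constructed placeholder; the page redacts it).
PLAYBOOK_VARS = {
    "NewAccountName": "bluecurrent-nz-soa-poc",
    "AccountOwner": "owner@example.invalid",
    "vpccidrblock": "10.25.160.0/20",
    "tgwaccountid": "052716177451",
    "transitgatewayid": "tgw-0f306f47f8f4f8771",
}


def cidr_overlaps(candidate: str, allocated: list[str]) -> list[str]:
    """Return every allocated CIDR that overlaps the candidate block."""
    net = ipaddress.ip_network(candidate, strict=True)
    return [c for c in allocated if net.overlaps(ipaddress.ip_network(c))]


def validate_vars(v: dict, allocated: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the request may proceed."""
    problems = []
    # Account IDs must stay quoted 12-digit strings: unquoted, a value with a
    # leading zero such as 052716177451 is parsed by YAML as a number, not an ID.
    if not re.fullmatch(r"\d{12}", str(v.get("tgwaccountid", ""))):
        problems.append("tgwaccountid must be a 12-digit account ID string")
    if not re.fullmatch(r"tgw-[0-9a-f]{8,17}", v.get("transitgatewayid", "")):
        problems.append("transitgatewayid is not a Transit Gateway ID")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", v.get("AccountOwner", "")):
        problems.append("AccountOwner must be an e-mail address")
    try:
        # strict=True rejects a CIDR whose host bits are set (a typo, not a network)
        net = ipaddress.ip_network(v.get("vpccidrblock", ""), strict=True)
        if not net.is_private:
            problems.append("vpccidrblock must be RFC 1918 space")
        if not 16 <= net.prefixlen <= 28:
            problems.append("vpccidrblock must be between /16 and /28")
        for clash in cidr_overlaps(str(net), allocated):
            problems.append(f"vpccidrblock overlaps allocated {clash}")
    except ValueError as exc:
        problems.append(f"vpccidrblock is not a valid network: {exc}")
    return problems


if __name__ == "__main__":
    for line in validate_vars(PLAYBOOK_VARS, ALLOCATED_CIDRS) or ["vars OK"]:
        print(line)
```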

2. Remove Accounts from AWS Centralized Patching

  • sre-aws-patching or sre-aws-patching-metering