The AWS Organization is initialized, managed, and synced using org-formation-cli.
AWS SSO MUST be selected for authentication over hard-coded credentials, both for ease of maintenance and for security (no long-lived access keys on developer machines). Developers can SSO into the sandbox environments.
Register a domain name through Route 53 in the AWS master (management) account. In this case, nekosgate.com was used. Delete the hosted zone in the master account, as org-formation will create one. After running ./bin/sync.sh, get the name servers for the hosted zone in the master account and use them to update the registered domain's name servers in Route 53.
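The name server hand-off described above, as an added example that is not part of this repo's bin/sync.sh: it refuses to run with a profile that is not SSO-backed in ~/.aws/config, reads the hosted zone's delegation set, and pushes it to the registered domain. The domain nekosgate.com and the profile name Administrator come from this page; the function names and the --run entry point are assumptions.

```shell
#!/usr/bin/env bash
# Assumes: the domain is registered in Route 53 and org-formation has already
# created the hosted zone; the chosen profile is an SSO profile (assumption).
set -eu

# Build the Name=... arguments that `route53domains update-domain-nameservers`
# expects from a whitespace-separated list of name servers. A trailing dot
# is stripped because the domains API rejects it (harmless if absent).
ns_args() {
  out=""
  for ns in $1; do
    out="${out:+$out }Name=${ns%.}"
  done
  printf '%s' "$out"
}

# Guard: only an SSO-backed profile may run this. A profile counts as SSO when
# its [profile NAME] section in ~/.aws/config sets sso_start_url or sso_session.
profile_is_sso() {
  profile="$1"; cfg="${2:-$HOME/.aws/config}"
  awk -v p="[profile $profile]" '
    $0 == p { in_p = 1; next }
    /^\[/    { in_p = 0 }
    in_p && ($1 ~ /^sso_start_url/ || $1 ~ /^sso_session/) { found = 1 }
    END { exit !found }' "$cfg"
}

# Read the hosted zone's delegation set and set it on the registered domain.
# route53domains is a global service served only from us-east-1.
sync_nameservers() {
  domain="$1"; profile="$2"
  profile_is_sso "$profile" || { echo "profile '$profile' is not SSO-based; refusing" >&2; return 1; }
  zone_id=$(aws route53 list-hosted-zones-by-name --dns-name "$domain" --max-items 1 \
    --profile "$profile" --query 'HostedZones[0].Id' --output text)
  ns=$(aws route53 get-hosted-zone --id "$zone_id" --profile "$profile" \
    --query 'DelegationSet.NameServers' --output text)
  # $(ns_args ...) is intentionally unquoted so each Name=... becomes its own argument
  aws route53domains update-domain-nameservers --domain-name "$domain" --region us-east-1 \
    --profile "$profile" --nameservers $(ns_args "$ns")
}

# Usage: ./sync-ns.sh --run nekosgate.com Administrator
if [ "${1:-}" = "--run" ]; then
  sync_nameservers "${2:-nekosgate.com}" "${3:-Administrator}"
fi
```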
- Log in to the AWS Management Console. Open the Organizations service and create an organization.
- Use an existing IAM user with adequate permissions or create an Administrator IAM user. Put that user's aws_access_key_id and aws_secret_access_key in ~/.aws/credentials if they are missing.
- Initialize the organization using a user with adequate permissions or the Administrator profile just added. This pulls the current state of the AWS Organization into the org template file:
  org-formation init organization.yml --profile=Administrator --region us-east-2
- Edit the desired YAML files within this directory to make the desired change. Org Formation does not delete accounts; accounts must be deleted from within AWS.
- Update the Organization resources using a user with adequate permissions:
  org-formation update organization.yml --profile=Administrator
For ACM certificate verification it is important to have email set up for the domain, so that domain ownership can be verified. AWS WorkMail or another mail service can be used for this purpose. This allows wildcard certificates to be verified.
org-formation --help
- AWS Control Tower serves a similar purpose. However, AWS Control Tower for CDK is currently an RFC. Org Formation was selected for managing user accounts as it is a mature project.
- Org Unit Best Practices.
- Generating an Organization.