| 1 | +# Howto: Provision AWS Accounts |
| 2 | + |
| 3 | +This document describes how to provision AWS accounts within the Helpful Engineering organization. This procedure |
| 4 | +will focus on the accounts for a project, but should apply fairly generally. |
| 5 | + |
| 6 | +Ironically, Control Tower does not have good automation support. This procedure will be performed in the AWS console. |
| 7 | + |
| 8 | +## Steps |
| 9 | + |
| 10 | +### Preparation |
| 11 | + |
| 12 | +Prepare to provision the account by |
| 13 | + |
| 14 | +* determining the 'official' name of the project, its Helpful Engineering Slack channel, and the project leaders' Slack |
| 15 | +handles |
| 16 | +* asking the project team leads and DevOps team liaison whether the project has network dependencies that require a VPC |
| 17 | +* logging into the AWS SSO portal and verify you can use the `AWSAdministratorAccess` role of the `he-master` account; |
| 18 | +if you do not have this role, request assistance in the `#skill-software-devops` slack channel |
| 19 | + |
| 20 | +### Provision |
| 21 | + |
| 22 | +Log in to the `he-master` account with the `AWSAdministratorAccess` role. |
| 23 | + |
| 24 | +Navigate to the [Control Tower console](https://us-east-2.console.aws.amazon.com/controltower/home?region=us-east-2). |
| 25 | + |
| 26 | +Switch to the `us-east-2` region if you are not already there. Note: Control Tower and the underlying Service Catalog |
| 27 | +and CloudFormation services and account management resources are region-specific. The necessary Service Catalog |
| 28 | +resources will not be found outside of `us-east-2`. |
| 29 | + |
| 30 | +Select the 'Account Factory' option in Control Tower's left-hand navigation. |
| 31 | + |
| 32 | +If the project requires a VPC, you will need to edit the factory's network configuration. Click 'Edit.' |
| 33 | + |
| 34 | +First, increase the VPC address range's second octet by 1. For example `172.17.0.0/16` should be |
| 35 | +incremented to `172.18.0.0/16`. The intended result is to provision non-overlapping /16-sized VPCs for each account. |
| 36 | + |
| 37 | +Second, select one and only one region to deploy the VPC into. Prefer the following regions: |
| 38 | + |
| 39 | +* North America: US East Ohio (`us-east-2`) |
| 40 | +* Europe: EU Ireland (`eu-west-1`) |
| 41 | +* Asia: Asia Pacific Sydney (`ap-southeast-2`) |
| 42 | + |
| 43 | +Now, save the configuration. |
| 44 | + |
| 45 | +Construct the AWS account name from one of the following forms, all lower case: |
| 46 | + |
| 47 | +* project delivery account: `he-project-<project name>-<env name>`. For example, the account for the |
| 48 | +'Monitoring O2' project's development environment is: `he-project-monitoring-o2-dev` |
| 49 | +* another use case: `he-<usecase>`. For example the sandbox's name is `he-sandbox2` |
| 50 | + |
| 51 | +Back at the 'Account Factory' screen, click 'Quick Account Provisioning'. |
| 52 | + |
| 53 | +Configure the account's root user email to the devops team email address plus the AWS account name: `devops+he-project-<project name>-<env name>@qualimente.com` |
| 54 | + |
| 55 | +Configure the display name to the AWS account with `<project name>-<env name>`. |
| 56 | + |
| 57 | +Set the AWS SSO user name to first name 'Admin', last name '`<project name>`' |
| 58 | + |
| 59 | +Select the 'Project Delivery' OU for a project delivery account, Custom otherwise. |
| 60 | + |
| 61 | +Click 'Create Account'. |
| 62 | + |
| 63 | +WAIT. |
| 64 | + |
| 65 | +Wait until the account creation is done before trying to provision another account. Control Tower can only provision |
| 66 | +one account at a time and concurrent executions will fail. |
| 67 | + |
| 68 | +Consider getting a beverage or taking a nap because account provisioning takes 20-40 minutes with Control Tower. |
| 69 | + |
| 70 | +All done? Let's see! |
| 71 | + |
| 72 | +Navigate to the 'Accounts' section and check for a 'Ready' State for the newly provisioned account. |
| 73 | + |
| 74 | +### Provision Team Access to the Account |
| 75 | + |
| 76 | +Navigate to the [AWS SSO console](https://us-east-2.console.aws.amazon.com/singlesignon/home?region=us-east-2#/dashboard). |
| 77 | + |
| 78 | +Switch to the `us-east-2` region if you are not already there because AWS SSO is region-specific. |
| 79 | + |
| 80 | +Create `he-<project name>-admins` and `he-<project name>-developer` groups in SSO if they do not already exist. Assign |
| 81 | +the DevOps liaison and project leaders to the admins group. Assign all project team members that need access to the |
| 82 | +developer group. |
| 83 | + |
| 84 | +### Communicate |
| 85 | + |
| 86 | +Jump into the project team's slack channel and tell the project leaders the accounts have been created. |
| 87 | + |
| 88 | +Tell the project team how to login via AWS SSO. |
| 89 | + |
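Review bot: The 'Provision Team Access to the Account' section creates the `he-<project name>-admins` and `he-<project name>-developer` SSO groups and populates them, but it never assigns either group to the newly created account with a permission set, so the team still has no way to sign in after following the procedure as written; add a step that assigns each group to the account and names the permission set each group gets (the document only mentions `AWSAdministratorAccess`, and that is for `he-master`). Two smaller points in the same file: the VPC instruction "increase the VPC address range's second octet by 1" gives no upper bound, and once the range passes `172.31.0.0/16` it leaves the RFC 1918 `172.16.0.0/12` block, so state what to do when `172.31` is reached; and the group naming is inconsistent (`-admins` plural, `-developer` singular), which will yield mismatched group names across projects. Finally, the root-user email `devops+<account name>@qualimente.com` is the only thing said about the root user; one sentence on who controls that mailbox and that root gets MFA enabled after the account shows 'Ready' would close the gap, since nothing in the procedure secures root after creation.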