Typically, you use a CI/CD pipeline to deploy stacks to your organization accounts. That usually means creating an IAM role for the CI/CD tool to assume and then use to perform the deployment. Of course, as a best practice, the deployment role should have only the minimum set of permissions.
The next question is how you create that deployment role in the first place. Takomo's approach to this problem is to divide config sets into two categories: standard and bootstrap.
The standard config sets are the ones you would deploy using the deployment role with a minimum set of permissions. The bootstrap config sets are, like the name implies, for bootstrapping resources needed to deploy the standard config sets, e.g., creating the deployment role. Deploying the bootstrap config sets should be a lightweight operation that you can run from your personal laptop with full admin permissions secured with MFA, or using some other automated but more restricted and secure option.
Standard config sets were covered earlier. This page explains how to use bootstrap config sets.
Differences to standard config sets
The only difference between the standard and bootstrap config sets is how you attach them to organizational units and accounts, and how you specify the IAM role Takomo assumes during the deployment.
Attaching bootstrap config sets
You attach bootstrap config sets to organizational units and accounts the same way you would attach standard config sets. Only the property name is different. For bootstrap config sets, you use the bootstrapConfigSets property.
Example
Let's define a bootstrap config set named deployment-role and attach it to the Root organizational unit:
organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
    # Attach the deployment-role bootstrap config set
    # to this organizational unit.
    bootstrapConfigSets: deployment-role
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        configSets:
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"
Account bootstrap role
When you deploy bootstrap config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change this by giving a different role name in the accountBootstrapRoleName property. This property can be set at the top level of the organization configuration, in organizational units, and in accounts.
The credentials used to run the bootstrap command must have permissions to assume the account bootstrap role from each account.
Example
This is how you specify the account bootstrap role at the top level, for an organizational unit, and for an individual account.
organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole
# Set account bootstrap role at the top-level
accountBootstrapRoleName: MyBootstrapRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
    bootstrapConfigSets: deployment-role
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole
    # Set account bootstrap role to OU
    accountBootstrapRoleName: AnotherBootstrapRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        configSets:
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole
        # Set account bootstrap role to account
        accountBootstrapRoleName: AccountBootstrapRole
        backupPolicies:
          - MyBackups
      - "448873940474"
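To see which role the bootstrap credentials must be able to assume in each account, the following added example (not Takomo's own code) resolves the effective accountBootstrapRoleName for every account in the configuration above and turns the result into a least-privilege sts:AssumeRole policy for those credentials. It assumes that the most specific setting wins (account over OU over parent OU over the top level) and that the default is OrganizationAccountAccessRole, as the page states; the configuration is constructed inline and reduced to the keys that matter.

```python
DEFAULT_BOOTSTRAP_ROLE = "OrganizationAccountAccessRole"  # Takomo's default

# Constructed config mirroring the organization.yml example above; only the
# keys that matter for resolving the bootstrap role are kept.
ORG_CONFIG = {
    "accountBootstrapRoleName": "MyBootstrapRole",
    "organizationalUnits": {
        "Root": {"accounts": ["098765432100"]},
        "Root/Workloads": {"accountBootstrapRoleName": "AnotherBootstrapRole"},
        "Root/Workloads/Prod": {"accounts": [{"id": "876754648373"}]},
        "Root/Sandbox": {"accounts": [
            {"id": "123456789012", "accountBootstrapRoleName": "AccountBootstrapRole"},
            "448873940474",
        ]},
    },
}


def resolve_bootstrap_roles(config: dict) -> dict:
    """Map each account id to the bootstrap role name Takomo would assume.

    Assumed precedence (most specific wins): the account's own setting, then
    the nearest OU on the path from Root, then the top-level setting, then
    the default. OU paths like Root/Workloads/Prod are walked root-first.
    """
    ous = config.get("organizationalUnits", {})
    resolved = {}
    for ou_path, ou in ous.items():
        role = config.get("accountBootstrapRoleName", DEFAULT_BOOTSTRAP_ROLE)
        parts = ou_path.split("/")
        for depth in range(1, len(parts) + 1):
            ancestor = ous.get("/".join(parts[:depth]), {})
            role = ancestor.get("accountBootstrapRoleName", role)
        for account in ou.get("accounts", []):
            if isinstance(account, str):  # bare account id, no overrides
                resolved[account] = role
            else:
                resolved[account["id"]] = account.get("accountBootstrapRoleName", role)
    return resolved


def assume_role_policy(config: dict) -> dict:
    """IAM policy for the bootstrap credentials: sts:AssumeRole on exactly the
    resolved role ARNs, so a leaked bootstrap credential cannot assume more."""
    arns = sorted(f"arn:aws:iam::{acct}:role/{role}"
                  for acct, role in resolve_bootstrap_roles(config).items())
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}]}
```

Comparing the resolved roles against what actually exists in each account is a quick way to catch an OU-level override that silently changed which role a production account is bootstrapped through.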