Bootstrap config sets
Typically, you use a CI/CD pipeline to deploy stacks to your organization accounts. That usually means creating an IAM role for the CI/CD tool to assume and then use to perform the deployment. Of course, as a best practice, the deployment role should have only the minimum set of permissions.
The next question is how you create that deployment role in the first place. Takomo's approach to this problem is to divide config sets into two categories: standard and bootstrap.
The standard config sets are the ones you would deploy using the deployment role with a minimum set of permissions. The bootstrap config sets are, as the name implies, for bootstrapping the resources needed to deploy the standard config sets, e.g., creating the deployment role. Deploying the bootstrap config sets should be a lightweight operation that you can run from your personal laptop with full admin permissions secured with MFA, or using some other automated but more restricted and secure option.
On the previous page we learned about standard config sets. This page explains how to use bootstrap config sets.

Differences to standard config sets

The only difference between the standard and bootstrap config sets is how you attach them to organizational units and accounts, and how you specify the IAM role Takomo assumes during the deployment.

Attaching bootstrap config sets

You attach bootstrap config sets to organizational units and accounts the same way you would attach standard config sets. Only the property name is different. For bootstrap config sets, you use the bootstrapConfigSets property.

Example

Let's define a bootstrap config set named deployment-role and attach it to the Root organizational unit:
organization.yml

accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    # The domain in this pattern is obscured in the source page; example.com is a placeholder.
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

backupPolicies:
  MyBackups:
    description: Backup policy

organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common

    # Attach the deployment-role bootstrap config set
    # to this organizational unit.
    bootstrapConfigSets: deployment-role
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
        configSets:
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"

Account bootstrap role

When you deploy bootstrap config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change the role by providing a different role name in the accountBootstrapRoleName property. This property can be used at the top level of the organization configuration, in organizational units, and in accounts.
The credentials used to run the bootstrap command must have permission to assume the account bootstrap role in each account.

Example

This is how you specify the account bootstrap role.
organization.yml

accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    # The domain in this pattern is obscured in the source page; example.com is a placeholder.
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole

# Set account bootstrap role at the top-level
accountBootstrapRoleName: MyBootstrapRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

backupPolicies:
  MyBackups:
    description: Backup policy

organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
    bootstrapConfigSets: deployment-role
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole

    # Set account bootstrap role to OU
    accountBootstrapRoleName: AnotherBootstrapRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
        configSets:
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole

        # Set account bootstrap role to account
        accountBootstrapRoleName: AccountBootstrapRole
        backupPolicies:
          - MyBackups
      - "448873940474"
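The two examples above leave a practitioner with two questions before running the bootstrap command: which accounts actually receive the deployment-role bootstrap config set, and which role ARN Takomo will assume in each of them, so that the bootstrap credentials can be granted sts:AssumeRole on exactly those ARNs and nothing broader. The following Python script is an added example, not part of the Takomo project or its documentation. It takes the organizational-unit section of the second organization.yml above as an already-parsed dict (constructed inline), resolves the effective accountBootstrapRoleName per account, lists the accounts in scope of a bootstrap config set, and emits a least-privilege IAM policy for the bootstrap credentials. Two things are assumptions of this example rather than statements from the page: that the most specific setting wins (account over OU over parent OU over top level, then the OrganizationAccountAccessRole default), and that a config set attached to an OU also applies to accounts in its child OUs.

```python
"""Resolve Takomo account bootstrap roles and derive the minimal
sts:AssumeRole policy for the credentials that run the bootstrap command.

Added example. Assumptions (not stated on the page): the most specific
accountBootstrapRoleName wins, and bootstrapConfigSets attached to an OU
are inherited by accounts in its child OUs.
"""
import json

DEFAULT_BOOTSTRAP_ROLE = "OrganizationAccountAccessRole"

# Constructed input: the relevant parts of the second organization.yml
# example, in the form a YAML parser would return.
ORGANIZATION = {
    "masterAccountId": "098765432100",
    "accountBootstrapRoleName": "MyBootstrapRole",
    "organizationalUnits": {
        "Root": {
            "accounts": ["098765432100"],
            "bootstrapConfigSets": "deployment-role",
        },
        "Root/Workloads": {"accountBootstrapRoleName": "AnotherBootstrapRole"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [{"id": "876754648373", "name": "MyAccount"}],
        },
        "Root/Sandbox": {
            "accounts": [
                {"id": "123456789012", "accountBootstrapRoleName": "AccountBootstrapRole"},
                "448873940474",
            ],
        },
    },
}


def ou_chain(path):
    """'Root/Workloads/Prod' -> ['Root', 'Root/Workloads', 'Root/Workloads/Prod']."""
    parts = path.split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def account_id(account):
    """Accounts are either a bare id string or a mapping with an 'id' key."""
    return account if isinstance(account, str) else account["id"]


def resolve_bootstrap_roles(org):
    """Return {account_id: effective bootstrap role name} for every account."""
    ous = org.get("organizationalUnits", {})
    roles = {}
    for path, ou in ous.items():
        # Start from the top-level value (or the default), then let each OU on
        # the path down to this one override it.  Assumption: most specific wins.
        role = org.get("accountBootstrapRoleName", DEFAULT_BOOTSTRAP_ROLE)
        for ancestor in ou_chain(path):
            role = ous.get(ancestor, {}).get("accountBootstrapRoleName", role)
        for account in ou.get("accounts", []):
            if isinstance(account, str):
                roles[account] = role
            else:
                roles[account["id"]] = account.get("accountBootstrapRoleName", role)
    return roles


def as_list(value):
    """bootstrapConfigSets may be a single name or a list of names."""
    return [value] if isinstance(value, str) else list(value or [])


def accounts_with_bootstrap_config_set(org, name):
    """Sorted ids of accounts that receive bootstrap config set `name`.

    Assumption: a set attached to an OU applies to accounts in that OU and in
    every child OU; a set attached directly to an account applies to it only.
    """
    ous = org.get("organizationalUnits", {})
    ids = set()
    for path, ou in ous.items():
        inherited = any(
            name in as_list(ous.get(ancestor, {}).get("bootstrapConfigSets"))
            for ancestor in ou_chain(path)
        )
        for account in ou.get("accounts", []):
            direct = not isinstance(account, str) and name in as_list(
                account.get("bootstrapConfigSets")
            )
            if inherited or direct:
                ids.add(account_id(account))
    return sorted(ids)


def assume_role_policy(roles):
    """Least-privilege IAM policy: allow sts:AssumeRole only on the exact role
    ARNs Takomo will assume, never on a wildcard role or account."""
    arns = sorted(f"arn:aws:iam::{acct}:role/{role}" for acct, role in roles.items())
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}],
    }


if __name__ == "__main__":
    roles = resolve_bootstrap_roles(ORGANIZATION)
    for acct, role in sorted(roles.items()):
        print(f"{acct}: {role}")
    print("deployment-role applies to:", accounts_with_bootstrap_config_set(ORGANIZATION, "deployment-role"))
    print(json.dumps(assume_role_policy(roles), indent=2))
```

Running the script against the example resolves MyBootstrapRole for the master and "448873940474" accounts, AnotherBootstrapRole for the Prod account (inherited from Root/Workloads) and AccountBootstrapRole for "123456789012", and the generated policy lists exactly those four ARNs; attaching that policy to the identity that runs the bootstrap command, rather than a blanket `arn:aws:iam::*:role/*`, keeps the blast radius of those credentials limited to the bootstrap roles the configuration actually names.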