Bootstrap config sets

Typically, you use a CI/CD pipeline to deploy stacks to your organization accounts. That usually means creating an IAM role for the CI/CD tool to assume and then use to perform the deployment. Of course, as a best practice, the deployment role should have only the minimum set of permissions.

The next question is how you create that deployment role in the first place. Takomo's approach to this problem is to divide config sets into two categories: standard and bootstrap.

The standard config sets are the ones you would deploy using the deployment role with a minimum set of permissions. The bootstrap config sets are, like the name implies, for bootstrapping resources needed to deploy the standard config sets, e.g., creating the deployment role. Deploying the bootstrap config sets should be a lightweight operation that you can run from your personal laptop with full admin permissions secured with MFA, or using some other automated but more restricted and secure option.

On the previous page we learned about standard config sets. This page explains how to use bootstrap config sets.

Differences to standard config sets

The only difference between the standard and bootstrap config sets is how you attach them to organizational units and accounts, and how you specify the IAM role Takomo assumes during the deployment.

Attaching bootstrap config sets

You attach bootstrap config sets to organizational units and accounts the same way you would attach standard config sets. Only the property name is different. For bootstrap config sets, you use the bootstrapConfigSets property.

Example

Let's define a bootstrap config set named deployment-role and attach it to the Root organizational unit:

organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole  
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
    
    # Attach the deployment-role bootstrap config set
    # to this organizational unit.
    bootstrapConfigSets: deployment-role 
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        configSets: 
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"

Account bootstrap role

When you deploy bootstrap config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change the role by providing a different role name in the accountBootstrapRoleName property. This property can be used at the top level of the organization configuration, in organizational units, and in accounts.

The credentials used to run the bootstrap command must have permissions to assume the account bootstrap role from each account.

Example

This is how you specify the account bootstrap role.

organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole  
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole
accountAdminRoleName: MyAccountAdminRole

# Set account bootstrap role at the top-level
accountBootstrapRoleName: MyBootstrapRole
 
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
    bootstrapConfigSets: deployment-role 
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    accountAdminRoleName: AnotherAdminRole
    
    # Set account bootstrap role to OU
    accountBootstrapRoleName: AnotherBootstrapRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        configSets: 
          - networking
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        accountAdminRoleName: AccountSpecificRole
        
        # Set account bootstrap role to account
        accountBootstrapRoleName: AccountBootstrapRole
        backupPolicies:
          - MyBackups
      - "448873940474"
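Before running the bootstrap command it is worth knowing exactly which role ARN will be assumed in each account, and granting the bootstrap credentials sts:AssumeRole on those ARNs only, rather than on every role in the organization. The following script is an added example, not Takomo's own code: it transcribes the organization.yml above into a dictionary, resolves the effective accountBootstrapRoleName per account, and derives the least-privilege policy for the caller plus the trust policy each bootstrap role needs. It assumes (as the layered comments in the example suggest, but the page does not state outright) that the most specific setting wins, account over organizational unit over top level, that child OUs inherit from their parents, and that a role in the member account trusts the master account with an MFA condition.

```python
"""Resolve the IAM role Takomo would assume per account for a bootstrap
deployment, and derive the matching least-privilege IAM policies.

Added example, not Takomo's own code. Assumptions: the most specific
accountBootstrapRoleName wins (account > nearest OU > top level), child OUs
inherit from parent OUs, and the default role name is the
OrganizationAccountAccessRole named on the page.
"""
import json

DEFAULT_BOOTSTRAP_ROLE = "OrganizationAccountAccessRole"

# The organization.yml from the page, transcribed as a dict so that no YAML
# parser is needed. Keys not relevant to role resolution are omitted.
ORGANIZATION = {
    "masterAccountId": "098765432100",
    "accountBootstrapRoleName": "MyBootstrapRole",  # top-level setting
    "organizationalUnits": {
        "Root": {
            "accounts": ["098765432100"],
            "bootstrapConfigSets": "deployment-role",
        },
        "Root/Workloads": {"accountBootstrapRoleName": "AnotherBootstrapRole"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [{"id": "876754648373", "name": "MyAccount"}],
        },
        "Root/Sandbox": {
            "accounts": [
                {"id": "123456789012", "accountBootstrapRoleName": "AccountBootstrapRole"},
                "448873940474",
            ],
        },
    },
}


def _ou_chain(ou_path):
    """Yield OU paths from the root down to ou_path: Root, Root/Workloads, ..."""
    parts = ou_path.split("/")
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i])


def resolve_bootstrap_roles(org):
    """Return {account_id: role_name} for every account in the organization."""
    ous = org.get("organizationalUnits", {})
    resolved = {}
    for ou_path, ou in ous.items():
        # Start from the top-level value (or the default) and let each OU on the
        # path to this one override it, so the nearest OU setting wins.
        role = org.get("accountBootstrapRoleName", DEFAULT_BOOTSTRAP_ROLE)
        for ancestor in _ou_chain(ou_path):
            role = ous.get(ancestor, {}).get("accountBootstrapRoleName", role)
        for account in ou.get("accounts", []):
            if isinstance(account, str):  # bare account id, no overrides
                resolved[account] = role
            else:  # account object; its own setting overrides the OU
                resolved[account["id"]] = account.get("accountBootstrapRoleName", role)
    return resolved


def bootstrap_role_arns(org):
    """Return {account_id: role_arn} in sorted account order."""
    return {
        acct: f"arn:aws:iam::{acct}:role/{role}"
        for acct, role in sorted(resolve_bootstrap_roles(org).items())
    }


def caller_assume_role_policy(org):
    """IAM policy for the credentials that run the bootstrap command: they may
    assume exactly the resolved bootstrap roles, and only with MFA present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(bootstrap_role_arns(org).values()),
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def bootstrap_role_trust_policy(org):
    """Trust policy for a bootstrap role in a member account: trust the master
    account (its own IAM policies then decide who may assume) and require MFA."""
    master = org["masterAccountId"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


if __name__ == "__main__":
    for acct, arn in bootstrap_role_arns(ORGANIZATION).items():
        print(f"{acct} -> {arn}")
    print(json.dumps(caller_assume_role_policy(ORGANIZATION), indent=2))
    print(json.dumps(bootstrap_role_trust_policy(ORGANIZATION), indent=2))
```

Running the script lists one role ARN per account (the Prod account resolves to AnotherBootstrapRole through its parent OU, the Sandbox account 123456789012 to its own AccountBootstrapRole, the rest to the top-level MyBootstrapRole) and prints the two policies. If the printed list contains an account or role you did not expect, fix the organization configuration before granting the caller anything.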
