Config sets
You use config sets to specify which CloudFormation stacks you want to deploy to your organization's member accounts.

Config set directory and files

Config sets are standard Takomo stack configurations, but instead of the stacks directory, you put them in subdirectories under the config-sets directory. The directory names become the names of the config sets, and you use those names to refer to the config sets in the organization configuration file. You place your stack group and stack configuration files directly in the config set directory's root. Other Takomo directories, such as the templates directory, remain in the project's root.

Example

Here is an example with two config sets named common and network.
```
.
├─ templates
├─ config-sets
│  ├─ common            # config set named 'common'
│  │  ├─ budgets.yml
│  │  └─ cloudtrail.yml
│  └─ network           # config set named 'network'
│     ├─ config.yml
│     └─ vpc.yml
└─ organization
   └─ organization.yml
```
The common config set has two stacks: budgets.yml and cloudtrail.yml. The network config set has the vpc.yml stack and a stack group configuration file, config.yml.

Attaching config sets

You can attach config sets to organizational units or accounts. Organizational units and accounts inherit config sets from the organizational unit they belong to. They can add config sets of their own but can't remove the config sets they inherited. You attach config sets to organizational units and accounts by providing a single config set name or a list of config set names in their configSets property.

Example

Let's continue the organization configuration we started in the previous chapters and see how to attach our config sets to accounts.
organization.yml
```yaml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-][email protected]$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

backupPolicies:
  MyBackups:
    description: Backup policy

organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"

    # Attach the 'common' config set to this OU, which
    # makes all OUs and accounts under this OU
    # inherit it.
    configSets: common
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account

        # Attach the 'network' config set directly
        # to this account.
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"
```
We attached the common config set to the Root organizational unit, which attaches it to all OUs and accounts located under the Root OU. We chose a different approach with the network config set and attached it directly to account 876754648373.

Account admin role

When you deploy config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change the role by providing a different role name in the accountAdminRoleName property. This property can be used at the top level of the organization configuration, in organizational units, and in accounts.
The credentials used to run the deploy command must have permission to assume the account admin role in each account.

Example

This is how you specify the account admin role.
organization.yml
```yaml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-][email protected]$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

# Define the account admin role at the top level
accountAdminRoleName: MyAccountAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

backupPolicies:
  MyBackups:
    description: Backup policy

organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions

    # Set the account admin role for this
    # organizational unit. Overrides the value
    # given at the top level. All OUs and accounts
    # under this OU will inherit the account
    # admin role name.
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"

        # Define the account admin role only
        # for this account.
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"
```
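Because both config sets and the account admin role are inherited down the OU tree, it is easy to lose track of what a given account will actually receive and which role Takomo will assume in it. The script below is an added example, not Takomo's own code: it applies the inheritance rules described in the "Attaching config sets" and "Account admin role" sections to a constructed dict that mirrors the organization.yml above (policy sections omitted), reports the effective config sets and admin role per account, and flags any configSets reference that has no matching subdirectory under config-sets. The ORG dict, CONFIG_SET_DIRS set and all function names are assumptions made for this example.

```python
"""Resolve effective config sets and account admin roles for every account
in a Takomo-style organization.yml (added example, not Takomo code).

Rules modelled, as described on this page:
  * OUs and accounts inherit configSets from their parent OU; they can add
    config sets but never remove inherited ones.
  * accountAdminRoleName is inherited the same way and may be overridden at
    OU or account level; OrganizationAccountAccessRole is the default.
"""

DEFAULT_ADMIN_ROLE = "OrganizationAccountAccessRole"

# Constructed: mirrors the organization.yml shown above (policies omitted).
ORG = {
    "accountAdminRoleName": "MyAccountAdminRole",
    "organizationalUnits": {
        "Root": {"accounts": ["098765432100"], "configSets": "common"},
        "Root/Workloads": {"accountAdminRoleName": "AnotherAdminRole"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [
                {"id": "876754648373", "name": "MyAccount",
                 "configSets": ["network"]},
            ],
        },
        "Root/Sandbox": {
            "accounts": [
                {"id": "123456789012",
                 "accountAdminRoleName": "AccountSpecificRole"},
                "448873940474",
            ],
        },
    },
}

# Constructed: subdirectory names under config-sets/ (e.g. os.listdir()).
CONFIG_SET_DIRS = {"common", "network"}


def as_list(value):
    """configSets accepts a single name or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def merge(inherited, own):
    """Inherited config sets are kept; own ones are appended without duplicates."""
    result = list(inherited)
    for name in own:
        if name not in result:
            result.append(name)
    return result


def nearest_resolved_ancestor(path, resolved):
    """Walk up 'Root/A/B' -> 'Root/A' -> 'Root' and return the first resolved OU."""
    while "/" in path:
        path = path.rsplit("/", 1)[0]
        if path in resolved:
            return resolved[path]
    return None


def resolve_ous(org):
    """Return {ou_path: (config_sets, admin_role)} with inheritance applied."""
    ous = org.get("organizationalUnits", {})
    resolved = {}
    # Shallowest paths first, so every ancestor is resolved before its children.
    for path in sorted(ous, key=lambda p: p.count("/")):
        ancestor = nearest_resolved_ancestor(path, resolved)
        if ancestor is None:  # top-level OU: start from the top-level settings
            parent_sets = []
            parent_role = org.get("accountAdminRoleName", DEFAULT_ADMIN_ROLE)
        else:
            parent_sets, parent_role = ancestor
        own = ous[path]
        resolved[path] = (
            merge(parent_sets, as_list(own.get("configSets"))),
            own.get("accountAdminRoleName", parent_role),
        )
    return resolved


def account_entries(ou):
    """Accounts are either bare id strings or mappings with an 'id' key."""
    return [{"id": e} if isinstance(e, str) else e for e in ou.get("accounts", [])]


def resolve_accounts(org):
    """Return {account_id: {"ou", "configSets", "accountAdminRoleName"}}."""
    ou_state = resolve_ous(org)
    accounts = {}
    for path, ou in org.get("organizationalUnits", {}).items():
        ou_sets, ou_role = ou_state[path]
        for acct in account_entries(ou):
            accounts[acct["id"]] = {
                "ou": path,
                "configSets": merge(ou_sets, as_list(acct.get("configSets"))),
                "accountAdminRoleName": acct.get("accountAdminRoleName", ou_role),
            }
    return accounts


def unresolved_config_sets(org, available):
    """List (location, name) pairs referencing a config set with no directory."""
    problems = []
    for path, ou in org.get("organizationalUnits", {}).items():
        problems += [(path, n) for n in as_list(ou.get("configSets")) if n not in available]
        for acct in account_entries(ou):
            problems += [(f"{path} account {acct['id']}", n)
                         for n in as_list(acct.get("configSets")) if n not in available]
    return problems


if __name__ == "__main__":
    for acct_id, info in resolve_accounts(ORG).items():
        print(acct_id, info["ou"], info["configSets"], info["accountAdminRoleName"])
    print("unresolved config sets:", unresolved_config_sets(ORG, CONFIG_SET_DIRS))
```

Running it prints one line per account, for instance that 876754648373 receives common and network and is deployed through AnotherAdminRole inherited from Root/Workloads, while 123456789012 keeps the inherited common set but uses its own AccountSpecificRole. Running unresolved_config_sets with the real directory listing before a deploy catches a misspelled config set name, which would otherwise only surface once Takomo has already assumed roles in the member accounts.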