Config sets

You use config sets to specify which CloudFormation stacks you want to deploy to your organization's member accounts.

Config set directory and files

Config sets are standard Takomo stack configurations, but instead of living in the stacks directory they are placed in subdirectories under the config-sets directory. The directory names become the names of the config sets, and you use those names to refer to the config sets in the organization configuration file. Place your stack group and stack configuration files directly in the config set directory's root. Other Takomo directories, such as the templates directory, remain in the project's root.

Example

Here is an example with two config sets named common and network.

.
├─ templates                
├─ config-sets
│  ├─ common                # config set named 'common'
│  │  ├─ budgets.yml
│  │  └─ cloudtrail.yml
│  └─ network               # config set named 'network'
│     ├─ config.yml
│     └─ vpc.yml 
└─ organization
   └─ organization.yml

The common config set has two stacks: budgets.yml and cloudtrail.yml. The network config set has one stack, vpc.yml, and a stack group configuration file, config.yml.

Attaching config sets

You can attach config sets to organizational units or accounts. Organizational units and accounts inherit config sets from the organizational unit they belong to. They can add config sets of their own but can't remove the config sets they inherited. You attach config sets to organizational units and accounts by providing a single config set name or a list of config set names in their configSets property.

Example

Let's continue the organization configuration we started in the previous chapters and see how to attach our config sets to accounts.

organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole  
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    
    # Attach 'common' config set to this OU which
    # makes all OUs and accounts under this OU to
    # inherit it.   
    configSets: common  
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        
        # Attach the 'network' config set directly
        # to this account.
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"

We attached the common config set to the Root organizational unit, so every OU and account located under the Root OU inherits it. We chose a different approach with the network config set and attached it directly to account 876754648373, which therefore ends up with both config sets: common by inheritance and network by direct attachment.

Account admin role

When you deploy config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change this by providing a different role name in the accountAdminRoleName property. This property can be used at the top level of the organization configuration, in organizational units, and in accounts; OUs and accounts inherit the value from the OU they belong to, and the most specific setting wins.

The credentials used to run the deploy command must have permission (sts:AssumeRole) to assume the account admin role in each target account, and the role must exist in that account with a trust policy that allows the deploying principal. Note that OrganizationAccountAccessRole, which AWS Organizations creates automatically only in accounts it creates itself, grants full administrative access; whichever role you use, keep its trust policy limited to the principal that runs Takomo, because that role decides what can be deployed into every member account.
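The two inheritance rules on this page, config sets accumulating down the OU tree and accountAdminRoleName being overridden by the nearest setting, determine which role Takomo will assume in which account and therefore which sts:AssumeRole grants the deploying principal actually needs. The following added example (not Takomo's own code) resolves both per account from a Python rendering of the organization.yml above and derives a least-privilege assume-role policy from the result. It assumes only the rules stated on this page, uses the directory name network for the second config set, and embeds the configuration as a constructed dict so it runs offline.

```python
"""Resolve effective config sets and account admin role per account.

Added example, not part of Takomo. Assumes the inheritance rules described
above: values attached to an OU apply to everything beneath it, an account may
add config sets but not remove inherited ones, and accountAdminRoleName can be
overridden at OU or account level, defaulting to OrganizationAccountAccessRole.
"""
from typing import Any, Dict, List, Union

DEFAULT_ACCOUNT_ADMIN_ROLE = "OrganizationAccountAccessRole"

# Constructed Python rendering of the organization.yml shown on this page.
ORG: Dict[str, Any] = {
    "masterAccountId": "098765432100",
    "accountAdminRoleName": "MyAccountAdminRole",
    "organizationalUnits": {
        "Root": {"accounts": ["098765432100"], "configSets": "common"},
        "Root/Workloads": {"accountAdminRoleName": "AnotherAdminRole"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [
                {"id": "876754648373", "name": "MyAccount", "configSets": ["network"]},
            ],
        },
        "Root/Sandbox": {
            "accounts": [
                {"id": "123456789012", "accountAdminRoleName": "AccountSpecificRole"},
                "448873940474",
            ],
        },
    },
}


def as_list(value: Union[None, str, List[str]]) -> List[str]:
    """configSets accepts a single name or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def resolve_accounts(org: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map account id -> {"ou", "configSets", "accountAdminRoleName"}."""
    ous = org["organizationalUnits"]
    top_role = org.get("accountAdminRoleName", DEFAULT_ACCOUNT_ADMIN_ROLE)
    resolved: Dict[str, Dict[str, Any]] = {}
    for path, ou in ous.items():
        parts = path.split("/")
        inherited_sets: List[str] = []
        role = top_role
        # Walk Root -> ... -> this OU, accumulating config sets and keeping
        # the nearest accountAdminRoleName override.
        for depth in range(1, len(parts) + 1):
            ancestor = ous.get("/".join(parts[:depth]), {})
            for cs in as_list(ancestor.get("configSets")):
                if cs not in inherited_sets:
                    inherited_sets.append(cs)
            role = ancestor.get("accountAdminRoleName", role)
        for entry in ou.get("accounts", []):
            account = {"id": entry} if isinstance(entry, str) else entry
            sets = list(inherited_sets)  # inherited sets cannot be removed
            for cs in as_list(account.get("configSets")):
                if cs not in sets:
                    sets.append(cs)
            resolved[account["id"]] = {
                "ou": path,
                "configSets": sets,
                "accountAdminRoleName": account.get("accountAdminRoleName", role),
            }
    return resolved


def assume_role_policy(resolved: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """IAM policy granting the deployer sts:AssumeRole on exactly the effective roles."""
    arns = sorted(
        f"arn:aws:iam::{account_id}:role/{info['accountAdminRoleName']}"
        for account_id, info in resolved.items()
    )
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}
        ],
    }


if __name__ == "__main__":
    import json

    accounts = resolve_accounts(ORG)
    for account_id, info in accounts.items():
        print(account_id, info["ou"], info["configSets"], info["accountAdminRoleName"])
    print(json.dumps(assume_role_policy(accounts), indent=2))
```

Running it shows account 876754648373 resolving to config sets common and network with role AnotherAdminRole (inherited from Root/Workloads), 123456789012 keeping its account-level AccountSpecificRole, and the two remaining accounts falling back to the top-level MyAccountAdminRole. The generated policy lists one role ARN per account instead of a wildcard such as arn:aws:iam::*:role/MyAccountAdminRole, so a compromised deployer credential cannot pivot into accounts the organization configuration does not manage; regenerate it whenever accounts or role names change, and pair it with trust policies on the member-account roles that name only the deploying principal.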

Example

This is how you specify the account admin role.

organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole  
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

# Define the account admin role at the top-level
accountAdminRoleName: MyAccountAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common  
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    
    # Set the account admin role for this 
    # organizational unit. Overrides the value
    # given at the top-level. All OUs and accounts
    # under this OU will inherit the account 
    # admin role name.  
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"
      
        # Define the account admin role only 
        # for this account.
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"
