# general
g
I am intrigued by an idea in the resources I've been looking through with regard to SST. The idea is that we should have multiple AWS accounts and put them under the umbrella of an AWS Organization for pooled billing purposes. Sounds good, but cumbersome. Is there some sort of script out there that would automate the process of creating the multiple accounts. Also, is there a "best practices" in terms of email/login names and such for all of these sub-accounts?
t
This is definitely a more advanced setup so unfortunately there's not too much you can do to automate it
I actually do automate it using terraform
The pattern I use is
aws+<account>@domain.com
And I throw away the password since I never need it
There's also
org-formation
but that's pretty heavy
```hcl
# Creates a member account inside the organization; the provider alias
# points at the management (master) account that owns the organization.
resource "aws_organizations_account" "account" {
  provider = aws.master
  name     = "company-${var.account_name}"
  email    = "aws+${var.account_name}@company.com"
}
```
is all you need in terraform but then you need to set up terraform
I'd suggest maybe manually creating them - it's not too annoying, just generate a random pw and throw it away
g
Thx. I am thinking one "sandbox" account per developer on my team. Your own playground to do your thing. Then, 3 accounts per project. If we have a project for Spacely Sprockets, we will have Spacely+Dev, Spacely+Stage, and Spacely+Prod. Sound about right?
t
Yeah I will say one account per developer has its benefits but can get hard to manage. I initially started that way but then moved to a single sandbox for all developers
Their resources are still separated because sst prompts each of them for a unique stage name
and still allows for sharing of some resources where appropriate
g
Good tip, thx.
j
@thdxr It doesn’t sound hard to manage if the team just open a PR to the terraform repo each time they want to create an account. Tbf I am thinking of going back to Terraform for all DevSecOps.
t
well you need to manage SSO access manually because there's no api for that
it's not a crazy problem, I'd suggest starting with the middle step and then deciding if you want to isolate further
c
Just to add my 2c to this. AWS provides the control tower service for this. Takes care of setting up multiple accounts, guardrails, some good opinionated infra (like an audit and log archive account), SSO. But I've had to fiddle with it through the console which I don't like - so it's probably the most AWS option out there atm but it's not great