This repository demonstrates the setup of an AWS multi-account model with recommended Organization Units, via Infrastructure as Code (IAC) via Terraform and Terragrunt.
The ./accounts directory and files at the root of the repository show the core infrastructure setup.
The code in the ./setup-scripts directory is just to facilitate custom, automated setup of the accounts directories and required IAM resources if desired. This ./setup-scripts directory can be deleted if desired, and the infra setup will stand on its own with its own workflow, tests, etc.
AWS Organization Root
│
├── Management OU
│ └── Management Account (mbg-management)
│ └── Organization-wide IAM and account management
│
├── Security OU
│ └── Security Account (mbg-security)
│ └── Security tools, GuardDuty, audit logs
│
├── Infrastructure OU
│ ├── Backup Account (mbg-backup)
│ │ └── Centralized backup and disaster recovery
│ ├── Development Account (mbg-infrastructure-development)
│ │ └── Shared development infrastructure
│ ├── Staging Account (mbg-infrastructure-staging)
│ │ └── Pre-production infrastructure validation
│ └── Production Account (mbg-infrastructure-production)
│ └── Production infrastructure and shared services
│
├── Workloads OU
│ ├── Development Account (mbg-workloads-development)
│ │ └── Development environment workloads
│ ├── Staging Account (mbg-workloads-staging)
│ │ └── Pre-production workload validation
│ └── Production Account (mbg-workloads-production)
│ └── Production workloads and applications
│
└── Sandbox OU
└── Sandbox Account (mbg-sandbox)
└── Isolated environment for testing and exploration
This structure follows AWS best practices by separating accounts by their unique purposes, to isolate potential impact of security events. The infrastructure setup also employs role-based access control (RBAC) for cross-account login and resource management via IAC.
- Benefits of Using Multiple AWS Accounts
- Benefits of Using Organizational Units
- Best Practices for a Multi-Account Environment
- Organizing Your AWS Environment Using Multiple Accounts
- Design Principles for Your Multi-Account Strategy
- Recommended OUs and Accounts
- AWS Well-Architected Framework
If you wish, you can use the setup scripts in this repository to create your own, custom AWS multi-account infrastructure. To do so, carefully follow all steps in the setup-scripts README.
There are basic unit tests that validate the structure and configuration of the AWS multi-account infrastructure setup, without requiring actual AWS credentials or resources.
- Python 3.10 or later
- Hatch - For environment management
- All other deps are the
requirements.lockfile.
A Makefile is available for easier local development, most of which just uses Hatch scripts from the pyproject.yaml file.
You can choose to use the makefile commands, or you can use the Hatch script commands directly that are noted in the Makefile.
# Create and activate a virtual Hatch environment
make env
# Install the required dependencies
make install
# Run tests
make test
# Run linting
make lintThis setup should not incur costs to use. AWS does not charge you for creating Organizational Units or accounts. Rather, you incur charges based on resources used within accounts.
The setup scripts will create an S3 bucket and IAM roles, which should fall within the free-tier level.
This project is licensed under the MIT License - see the LICENSE file for details.
