LazyStack

Step 4) Create AWS Organization

Prerequisites: AWS Management Account Setup Complete
Estimated Time: 5 minutes
Estimated Cost: none
Perform this step on the Management Workstation.

In this step we will use the LazyStackSMF.ps1 script to create an AWS Organization, AWS Organizational Units, and AWS Tutorial System Accounts with CI/CD pipelines.

This step also creates AWS CLI Profiles for the AWS Accounts created in the Organization. These profiles allow the management workstation to perform administrative operations on each of the AWS accounts in the organization.

Configuration Steps
  1. Open a PowerShell terminal.

  2. CD into the LazyStackSettings folder.

  3. Issue the following command:
    ..\LazyStackSMF\LzConfigure.ps1
    You will be prompted for the following:
    • OrgCode
    • AWS Management Account Profile
    • AWS Region
    • GitHub Organization Name
    • GitHub PetStore repository
    • GitHub LazyStackSMF repository
    • Email address for Tutorial System Test AWS Account
    • Email address for Tutorial System Production AWS Account

    Common Issue - Payer ID (Don't panic!)

    There is an occasional problem with setting the CodeBuild Personal Access Token for CodeBuild projects during the creation of System accounts. This seems to be caused by some "timing" issue on the AWS side of things. When LazyStack encounters this issue, it retries the ImportSourceCredentials step. You might see the following under the "- Updating AWS CodeBuild GitHub Credentials" step:

    ...
        - Updating AWS CodeBuild GitHub Credentials
          Retrying ImportSourceCredentials due to 'Payer ID' issue.
          Retrying ImportSourceCredentials due to 'Payer ID' issue.
          Retry Successful              
    ...

    What to do if the script fails?

    We have written the script to be fault tolerant. If you get an error, you should receive a meaningful error message and the script will stop. You can then address the underlying issue and re-run the script; it will pick up where it left off. If you get an error when running the script, it is most likely going to be because of one of the following issues:

    • AWS Management Account doesn't have appropriate permissions. This can happen when you are using an existing account instead of creating one from scratch using the setup instructions in SMF Step 3.
    • Maximum number of accounts exceeded. By default, AWS sets a maximum number of accounts for a new organization at 4. You may request additional accounts. If you are using LazyStack SMF to create a new AWS organization from scratch, you should not see this issue during the initial Setup.
    • Non-unique email address. Every AWS Account must have a unique email address. If you supply an email address that has already been used (in the last 90 days) for an AWS account, the account creation process will fail. Re-run the script and provide a unique email address for each AWS Account.

    For more details on how this script works, visit the LazyStackSMF Script User Guide section.
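    The retry-on-transient-error and stop-on-real-error behaviour described in the two sections above, as an added PowerShell example that is not part of the LazyStackSMF script. The simulated import scriptblock, the placeholder ARN and the profile name in the commented real call are constructed assumptions.

```powershell
# Added example (not LazyStackSMF code): retry wrapper in the style the page describes
# for the transient 'Payer ID' failure of the ImportSourceCredentials step.
function Invoke-WithRetry {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,   # the step to run
        [string]$TransientPattern = 'Payer ID',        # error text that is worth retrying
        [int]$MaxAttempts = 5,
        [int]$DelaySeconds = 10
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $Action
        } catch {
            $msg = $_.Exception.Message
            # Only the known transient error is retried; anything else is a real failure
            # and is re-thrown so the caller stops with a meaningful message.
            if ($msg -notmatch $TransientPattern -or $attempt -eq $MaxAttempts) { throw }
            Write-Host "          Retrying ImportSourceCredentials due to '$TransientPattern' issue."
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Constructed stand-in for the AWS CLI call: fails twice with the transient error,
# then succeeds, so the wrapper can be exercised without an AWS account.
$script:calls = 0
$fakeImport = {
    $script:calls++
    if ($script:calls -lt 3) { throw "Payer ID not found (simulated)" }
    return "arn:aws:codebuild:REGION:ACCOUNTID:token/github"   # placeholder ARN, not real
}
$result = Invoke-WithRetry -Action $fakeImport -DelaySeconds 0
Write-Host "          Retry Successful after $script:calls attempts: $result"

# Shape of the real call through the per-account CLI profile (assumed profile name).
# stderr is merged into $out so the AWS error text reaches the pattern match above.
# $token = Read-Host -Prompt 'GitHub personal access token'
# Invoke-WithRetry -Action {
#     $out = aws codebuild import-source-credentials --profile LzStkTutTestAccessRole `
#         --server-type GITHUB --auth-type PERSONAL_ACCESS_TOKEN --token $token 2>&1
#     if ($LASTEXITCODE -ne 0) { throw ($out -join "`n") }
#     $out
# }
```

    Running the block as written prints two "Retrying" lines and then "Retry Successful after 3 attempts", matching the sample output shown above.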

    Here is an example of running the script:
    LzConfigure.ps1 V1.0.0
    Use this script to setup and manage your LazyStackSMF Organization
    Creating new SMF settings file:
       Please enter OrgCode: LzStk
       Enter AWS CLI Managment Account (default: LzStkMgmt):
       Enter AWS Region (us-east-1):
       Enter your GitHub Management Acct Name: LzStkAdmin
       Enter your GitHub Organization Name: LzStk
       Tutorial Repo (default: https://github.com/LzStk/Petstore.git):
       LazyStack Util Repo (default: https://github.com/LzStk/LazyStackSmfUtil.git):
    OrgCode: LzStk
    AWS Management Account: LzStkMgmt
    Checking AWS Configuration
      - No AWS Organization Found for the LzStkMgmt account.
      - We need to create one to continue installation.
      Create AWS Organization? (Y/n): y
      - AWS Organization Created for the LzStkMgmt account.
      - AWS OrgUnits
        - Creating OrgUnit DevOU
        - Creating OrgUnit TestOU
        - Creating OrgUnit ProdOU
    
      - Systems
        - System: Tut (Tutorial System)
          - Accounts
            - Account: LzStkTutTest
              Note: An email address can only be associated with one AWS Account.
              Enter unique email for Test System Account: LzStkTutTest@LzStk.net
              - Creating System Account: LzStkTutTest
              - Checking for successful account creation. TryCount=1
              - LzStkTutTest account creation successful. AccountId: 541943406928
              - Moving LzStkTutTest account to Test Organizational Unit
              - Adding or Updating LzStkTutTestAccessRole profile and associating it with the LzStkMgmt profile.
              - Creating Administrators group in the LzStkTutTest account.
              - Adding AdministratorAccess Policy to Administrators group
              - Creating IAM User LzStkTutTestIAM in LzStkTutTest account.
              - Writing the IAM User Credentials into LzStkTutTestIAM_credentials.txt
              - Adding IAM User LzStkTutTestIAM to the LzStkTutTest Account Administrators group.
              - Updating AWS CodeBuild GitHub Credentials
    
    
            - Account: LzStkTutProd
              Note: An email address can only be associated with one AWS Account.
              Enter unique email for Prod System Account: LzStkTutProd@LzStk.net
              - Creating System Account: LzStkTutProd
              - Checking for successful account creation. TryCount=1
              - LzStkTutProd account creation successful. AccountId: 630416782635
              - Moving LzStkTutProd account to Prod Organizational Unit
              - Adding or Updating LzStkTutProdAccessRole profile and associating it with the LzStkMgmt profile.
              - Creating Administrators group in the LzStkTutProd account.
              - Adding AdministratorAccess Policy to Administrators group
              - Creating IAM User LzStkTutProdIAM in LzStkTutProd account.
              - Writing the IAM User Credentials into LzStkTutProdIAM_credentials.txt
              - Adding IAM User LzStkTutProdIAM to the LzStkTutProd Account Administrators group.
              - Updating AWS CodeBuild GitHub Credentials
    
    Deploy Pipelines? (Y/n):
    PipeLine Deployments
      - Pipeline: Test_PR_Create in Account  Test
    ... 
      - Pipeline: Test_PR_Merge in Account  Test
    ...
      - Pipeline: Prod_PR_Merge in Account  Prod

Step Summary

In this step we created our AWS Organization, AWS Organizational Units, and AWS Tutorial System Accounts with CI/CD pipelines.