Project author: Sage-Bionetworks-IT

Project description:
Sage AWS Organizations
Primary language: Jinja
Repository URL: git://github.com/Sage-Bionetworks-IT/organizations-infra.git
Created: 2018-05-21T17:22:44Z
Project community: https://github.com/Sage-Bionetworks-IT/organizations-infra

License: Apache License 2.0


Overview

Install, configure and manage the AWS organizations management account
and all its member accounts.

We use a combination of org-formation and sceptre to deploy AWS cloud resources
using cloudformation.

Deployments

We bootstrapped our AWS management account before any deployments could happen.

Directory Organization

This repo manages AWS resources with two different cloudformation deployment tools,
Org-formation and Sceptre. In general the files for each tool are arranged
in the corresponding subdirectories of this repo. The files in the sceptre folder are
there to support legacy deployments from before we started using org-formation.

Deployment of future resources should be done with org-formation and the corresponding
files should be added to the org-formation folder. There are two exceptions to this
general rule:

  • sceptre/aws-opendata and sceptre/strides-ampad-worflows deploy to AWS accounts that
    are not part of the Sage organization and therefore cannot be deployed with org-formation.
  • sceptre/scipool is for the Sage service catalog. This could be a stand-alone repo;
    however, we've decided to move it into this repo to make CI/CD deployments easier.

org-formation

Deploy resources to master and all member accounts

  • install nodejs
  • cd org-formation
  • run npm install
  • run npx org-formation process-tasks --profile master-profile --verbose --print-stack organization-tasks.yaml

Note: master-profile is a profile that can assume the account’s organizations-admin role

Refer to Org-Formation Overview for a summary of what org-formation deploys.

sceptre

Install sceptre on your machine and then run:

  • create a python 3.x virtualenv
  • run pip install sceptre sceptre-ssm-resolver sceptre-date-resolver sceptre-file-resolver
  • cd sceptre/folder (i.e. sceptre/sandbox)
  • uncomment # profile: {{ var.profile | default("default") }} in config/configs.yaml
  • run sceptre --var "profile=member-profile" --var "region=us-east-1" launch prod/my-template.yaml

Note: member-profile is a profile that can assume the member account’s OrganizationAccountAccessRole role

Run in a docker container:

  docker run --rm --name sceptre -v /path/to/src/organizations-infra/sceptre/scipool:/project \
    -v $HOME/.aws:/root/.aws/:ro sceptreorg/sceptre \
    --var "region=us-east-1" launch -y prod/my-template.yaml

Automation

We have set up GitHub Actions to automate deployments to the AWS management account
and all member accounts. The deployment runs on every merge to the master branch.

Org-formation manages deployments to specific accounts using organization bindings.

Sceptre manages deployments to specific accounts with designated config folders (i.e. config/dev or config/prod).

Contributions

Contributions are welcome.

Requirements:

  • Install pre-commit app
  • Clone this repo
  • Run pre-commit install to install the git hook.

Testing

As a pre-deployment step we syntactically validate our sceptre and
cloudformation yaml files with pre-commit.

Please install pre-commit; once it is installed, the file validations will
automatically run on every commit. Alternatively you can manually
execute the validations by running pre-commit run --all-files.

To debug jinja template processing in sceptre, go to the corresponding
sceptre/* directory and run e.g. sceptre generate develop.

Issues

Secrets

  • We use the AWS SSM
    to store secrets for this project. Sceptre retrieves the secrets using
    a sceptre ssm resolver
    and passes them to the cloudformation stack on deployment.
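As an added illustration (not files from this repository) of the sceptre deployment steps above together with the SSM secret flow, the three fragments below show a project config driven by the --var profile/region flags, a stack config that pulls a secret with the ssm resolver at deploy time, and the template that receives it as a NoEcho parameter. File names, the parameter path /prod/my-template/db-password and the RDS settings are assumptions for the example.

```yaml
# --- sceptre/sandbox/config/config.yaml (assumed project-level config) ---
# Rendered by sceptre's jinja pass; the values come from
#   sceptre --var "profile=member-profile" --var "region=us-east-1" ...
project_code: sandbox
region: {{ var.region | default("us-east-1") }}
profile: {{ var.profile | default("default") }}

# --- sceptre/sandbox/config/prod/my-template.yaml (assumed stack config) ---
# The secret is read from SSM Parameter Store (a SecureString, decrypted by
# sceptre-ssm-resolver) when `sceptre launch prod/my-template.yaml` runs,
# so no secret value is ever committed to this repo.
template:
  path: my-template.yaml
parameters:
  DbPassword: !ssm /prod/my-template/db-password

# --- sceptre/sandbox/templates/my-template.yaml (assumed CloudFormation template) ---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DbPassword:
    Type: String
    NoEcho: true   # masks the value in DescribeStacks output and the console
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: appadmin
      MasterUserPassword: !Ref DbPassword
```

Without NoEcho the resolved secret would be visible to anyone allowed to describe the stack, so pair every ssm-resolved secret parameter with NoEcho in the template.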