As a Cloud Operations administrator, you can use vRealize Automation Cloud Guardrails to create an Organizational Unit (OU) and a member account and deploy it in your environment. You can also add member accounts to existing OUs.

For example, you can bootstrap AWS and create an organization (org) and two primary organizational units (OUs).

  • The Core OU can include member accounts for security, logging archive, and shared services.
  • The Policy OU can include a baseline account and drive the policies for the org.

In this example, you bootstrap your AWS environment by creating an OU and a member account, and apply policies to the OU. To bootstrap AWS, you select one or more bootstrap template SLS files in the Cloud Guardrails template library, update them as needed and run them as Cloud Guardrails desired states. For example:

  • AWS Organizational Unit
  • AWS Member Account
  • Create AWS Landing Zone

After Cloud Guardrails provisions the OU and member account, you can create a landing zone, such as a virtual private cloud (VPC), where you deploy your workloads and applications. If you are working with Kubernetes clusters, using the templates that create the OU and member account is especially important for quick setup.

By using the Guardrails templates, you can quickly create your OU and your member account and deploy them to your environment. When you bootstrap AWS with the nested OUs and the member accounts, you must include specific metadata that includes Name, Type, Provider, Description, and Parameters.

For example:

META:
  name: AWS landing zone
  type: GUARDRAILS_BUNDLE
  provider: AWS
  description: Create nested OUs and member accounts with SCP policies.
  parameters:
    - root_org_name : Root Organization name
        type: String

The OU bootstrap template code resembles:

META:
  name: AWS Organizational Unit
  provider: AWS
  category: BOOTSTRAP
  description: An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.

{% set organization_unit_name = params.get('organization_unit_name') %}
{% set parent_org_id = params.get('parent_org_id') %}

{{organization_unit_name}}:
  META:
    name: Create organization unit
    parameters:
      organization_unit_name:
        uiElement: text
        name: Organization Unit
        description: An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
      parent_org_id:
        uiElement: text
        name: Parent Org Id
        description: ID of the organization root or parent OU under which the new OU is created.
  aws.organizations.organization_unit.present:
  - org_unit_name: {{organization_unit_name}}
  - parent_id: {{parent_org_id}}

The member account bootstrap template code resembles:

META:
  name: AWS Member Account
  provider: AWS
  category: BOOTSTRAP
  description: An account in Organizations is a standard AWS account that contains your AWS resources and the identities that can access those resources.

{% set member_account_name = params.get('member_account_name') %}
{% set member_account_email = params.get('member_account_email') %}
{% set member_account_role = params.get('member_account_role', 'OrganizationAccountAccessRole') %}
{% set parent_org_id = params.get('parent_org_id') %}

{{member_account_name}}:
  META:
    name: Create AWS member account
    description: An account in Organizations is a standard AWS account that contains your AWS resources and the identities that can access those resources.
    parameters:
      member_account_name:
        uiElement: text
        name: Account Name
        description: Name of member account.
      member_account_role:
        uiElement: text
        name: Role Name
        description: Name of the IAM role created in the member account for organization access (defaults to OrganizationAccountAccessRole).
      member_account_email:
        uiElement: text
        name: Email
        description: Email address of the root user for the new member account.
      parent_org_id:
        uiElement: text
        name: Parent Org Id
        description: Id of the Organization or Organization Unit under which the account will be created.

  aws.organizations.account.present:
  - account_name: {{member_account_name}}
  - role_name: {{member_account_role}}
  - email: {{member_account_email}}
  - iam_user_access_to_billing: ALLOW  # ALLOW or DENY; DENY restricts billing data to the root user
  - parent_id: {{parent_org_id}}
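Before you run the OU and member account templates as desired states, it helps to pre-check the parameters they expand (parent IDs, root-user emails, role names, duplicates across the Core OU's security, logging archive and shared services accounts). The following Python is an added example, not Cloud Guardrails code; its function names are hypothetical, and the ID patterns follow the AWS Organizations root (`r-...`) and OU (`ou-...`) formats.

```python
import re
# Added, hypothetical pre-flight checks for the member-account bootstrap parameters;
# not part of Cloud Guardrails. ID patterns follow the AWS Organizations ID formats.
ROOT_ID = re.compile(r"^r-[0-9a-z]{4,32}$")
OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")
IAM_ROLE_NAME = re.compile(r"^[\w+=,.@-]{1,64}$")
DEFAULT_ROLE = "OrganizationAccountAccessRole"  # default used by the template above

def validate_member_account(params):
    """Return a list of problems with one account's parameters (empty means OK)."""
    problems = []
    parent = params.get("parent_org_id", "")
    if not (ROOT_ID.match(parent) or OU_ID.match(parent)):
        problems.append(f"parent_org_id {parent!r} is not an r-... or ou-... id")
    email = params.get("member_account_email", "")
    local, _, domain = email.partition("@")
    if not local or "@" in domain or "." not in domain:
        problems.append(f"member_account_email {email!r} is not a valid address")
    role = params.get("member_account_role", DEFAULT_ROLE)
    if not IAM_ROLE_NAME.match(role):
        problems.append(f"member_account_role {role!r} is not a valid IAM role name")
    if not params.get("member_account_name", "").strip():
        problems.append("member_account_name is empty")
    return problems

def render_member_account_state(params, billing_access="ALLOW"):
    """Build the dict that the member-account template expands to for one account."""
    assert billing_access in ("ALLOW", "DENY")  # the only values the AWS API accepts
    name = params["member_account_name"]
    return {name: {"aws.organizations.account.present": [
        {"account_name": name},
        {"role_name": params.get("member_account_role", DEFAULT_ROLE)},
        {"email": params["member_account_email"]},
        {"iam_user_access_to_billing": billing_access},
        {"parent_id": params["parent_org_id"]}]}}

def plan_member_accounts(account_params):
    """Validate a batch (e.g. the Core OU's accounts); render only if all are clean."""
    problems, seen = [], set()
    for p in account_params:
        problems += validate_member_account(p)
        for key in ("member_account_name", "member_account_email"):
            if (key, p.get(key)) in seen:  # names and root emails must be unique
                problems.append(f"duplicate {key} {p.get(key)!r}")
            seen.add((key, p.get(key)))
    states = {}
    if not problems:
        for p in account_params:
            states.update(render_member_account_state(p))
    return states, problems
```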

In the following example, you bootstrap AWS with the nested OUs and the member accounts and apply policies to the OU and the member account.

Prerequisites

Procedure

  1. Access the Cloud Guardrails policy templates repository from your vRealize Automation Cloud instance.
    1. On the Guardrails tab, click +New.
    2. Click From library.
    3. Click the Bootstrap card.
  2. Create the organizational unit and member account.
    1. Select the template named AWS Organizational Unit.
    2. Select the template named AWS Member Account.
  3. If you need to create a landing zone, select the template named Create AWS Landing Zone.
  4. Click Add Selected Template.
    The templates you selected appear in the list.
  5. In the Add Project area, click the drop-down arrow and select a project.
    You can create templates by importing them from the Cloud Guardrails library.
  6. To add more templates from the library, click More Library Items.
  7. Click Import.
    The Cloud Guardrails templates that you selected and imported, including the AWS templates, now appear in the list of templates.
  8. You can add other bootstrap templates to the list of available templates.
    1. On the Guardrails tab, click +New.
    2. Click From library.
    3. Click the Bootstrap card and select another template.
    For example, you might select the template named Create AWS Account Vending Machine (AVM) so that you can create new AWS accounts in OUs that a Cloud Operations administrator already configured with an account security baseline and a network.

Results

You imported several bootstrap templates from the Cloud Guardrails template library so that you can enforce them as Cloud Guardrails desired states.

What to do next

Create a Cloud Guardrails desired state that runs the Cloud Guardrails templates you selected. See How do I create a Cloud Guardrails desired state from a template and enforce it.

If you have direct access to the Cloud Guardrails templates repository, you can view all the available templates there.