Welcome to Bedrock’s documentation!

Bedrock is an AWS landing zone generator utilising either CloudFormation or Terraform

Check out the Usage section to get your landing zone code

Note

This project is under active development.

Contents

Usage

Quick Start Landing Zone Code

To use the Bedrock Landing Zone, first fork or clone the repo for your preferred CI/CD framework:

GitHub Actions

git clone https://github.com/trustypangolin/bedrock-foundation-template

BitBucket Pipelines

git clone https://bitbucket.org/trustypangolin/bedrock-foundation-template

GitLab Pipelines

git clone https://gitlab.com/trustypangolin/bedrock-foundation-template

Management AWS Account

The landing zone needs the initial (management) AWS account to be created by hand. All other sub-accounts are created as part of the CI/CD process.

Add The Variables in your Git Secrets

Git Secrets/Variables to set:

Repository Secrets, Variables | Example | Description
--- | --- | ---
AWS_ROOT_ACCOUNT | 111111111111 | Your 12 digit AWS Management Account ID
BEDROCK_TF_STATE (Optional) | dGVycmFmb3JtIHsKICBiYWNrZW5kICJzMyIgewogICAgcmVnaW9uICAgICAgICAgPSAiYXAtc291dGhlYXN0LTIiCiAgICBkeW5hbW9kYl90YWJsZSA9ICJiZWRyb2NrLXRmc3RhdGUiCiAgfQp9 | Single line Base64 version of the remote_state.tf. Note that Key and Bucket are not included.
BEDROCK_TF_VARS (Optional) | dW5pcXVlX3ByZWZpeCA9ICJpbmRpZ29jYXB5YmFyYSIgIApiYXNlX3JlZ2lvbiA9ICJhcC1zb3V0aGVhc3QtMiIKcm9vdF9lbWFpbHMgPSB7CiAgIlNlY3VyaXR5IiAgID0gImF3cytiZWRyb2NrLnNlY0Bkb21haW4iCiAgIlNoYXJlZCIgICAgID0gImF3cytiZWRyb2NrLnNoYXJlZEBkb21haW4iCiAgIlByb2R1Y3Rpb24iID0gImF3cytiZWRyb2NrLnByb2RAZG9tYWluIgp9Cm5vdGlmaWNhdGlvbnMgPSB7CiAgYmlsbGluZyAgICA9ICJhd3MrYmVkcm9jay5iaWxsaW5nQGRvbWFpbiIKICBvcGVyYXRpb25zID0gImF3cytiZWRyb2NrLm9wZXJhdGlvbnNAZG9tYWluIgogIHNlY3VyaXR5ICAgPSAiYXdzK2JlZHJvY2suc2VjdXJpdHlAZG9tYWluIgp9 | Single line Base64 version of the terraform.tfvars
ENCKEY | Password123! | Artifacts such as STS credentials are encrypted between jobs with OpenSSL, so that non-admins can't read temporary credentials from an artifacts file
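The script below is an added example, not part of Bedrock's own tooling. It shows how the two Base64 secrets are produced (a single line, with any wrapping stripped), decodes the BEDROCK_TF_STATE value from the table so you can see what it carries, and demonstrates an OpenSSL passphrase round trip of the kind used to protect STS credentials between jobs. The AES-256-CBC/PBKDF2 options are an assumption (the page only says OpenSSL is used), and the sample remote_state.tf is constructed here.

```shell
#!/bin/sh
# Added example (not Bedrock's own scripts): produce the single-line base64
# values for BEDROCK_TF_STATE / BEDROCK_TF_VARS and show an OpenSSL round trip
# of the kind used to protect STS credentials between CI jobs. The cipher
# options are an assumption; the page only says that OpenSSL is used.
set -eu

# Single-line base64 of a file. Some base64 implementations wrap output at 76
# columns, so strip every newline rather than relying on a -w0 flag.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Decode a single-line base64 secret back to the original file content.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Encrypt a file with a passphrase taken from the ENCKEY environment variable.
# Reading the key from the environment keeps it out of the process list.
encrypt_artifact() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:ENCKEY -in "$1" -out "$2"
}

# Decrypt to stdout with the same passphrase.
decrypt_artifact() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass env:ENCKEY -in "$1"
}

# Constructed sample remote_state.tf. Key and bucket are left out on purpose,
# matching the note in the table (the pipeline supplies them).
write_sample_remote_state() {
  cat > "$1" <<'EOF'
terraform {
  backend "s3" {
    region         = "ap-southeast-2"
    dynamodb_table = "bedrock-tfstate"
  }
}
EOF
}

# Encode the sample, decode it again and return 0 only if the bytes match.
roundtrip_check() {
  dir=$(mktemp -d)
  write_sample_remote_state "$dir/remote_state.tf"
  encoded=$(b64_oneline "$dir/remote_state.tf")
  b64_decode "$encoded" > "$dir/decoded.tf"
  if cmp -s "$dir/remote_state.tf" "$dir/decoded.tf"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

# The BEDROCK_TF_STATE example value from the table above, joined onto one line.
BEDROCK_TF_STATE_EXAMPLE='dGVycmFmb3JtIHsKICBiYWNrZW5kICJzMyIgewogICAgcmVnaW9uICAgICAgICAgPSAiYXAtc291dGhlYXN0LTIiCiAgICBkeW5hbW9kYl90YWJsZSA9ICJiZWRyb2NrLXRmc3RhdGUiCiAgfQp9'

# When run directly: show what the table's example secret actually contains.
b64_decode "$BEDROCK_TF_STATE_EXAMPLE"
echo
```

Set ENCKEY in the job environment (it is a repository secret, so the CI runner injects it) and call encrypt_artifact on the credentials file before it is uploaded as an artifact; the consuming job calls decrypt_artifact with the same variable. Because the passphrase is read with `-pass env:`, it never appears on a command line.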

Bootstrap your AWS Management Account

You will need the AWS CLI tools and a local copy of Terraform installed.

  1. Activate SSO in your preferred region

  2. Configure SSO with the preferred IdP (e.g. AWS/Azure/Google/Okta).

  3. Create a Permission Set with AdministratorAccess and assign it to yourself on the Management Account

  4. Log into the AWS account landing page (http://d-someid.awsapps.com/start)

  5. Either grab the temporary keys from the AWS landing page and put them into the ~/.aws/credentials file, or

  6. configure your ~/.aws/config file for SSO and use aws sso login --profile <your profile>

  7. Ensure the credentials/profile is used by default by setting export AWS_PROFILE=<your profile>

Typical ~/.aws/config file setup

[profile bedrock]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json

You should now have admin access to the account via SSO. Confirm it with a simple CLI command such as aws organizations list-roots, which should return the Organizations root for the Management account ID.

You now need a way for GitHub/GitLab/BitBucket to access your new AWS account. There are some Terraform files in the /tf folder that bootstrap the OIDC providers and roles required:

  1. copy the terraform.tfvars.template file to terraform.tfvars and

  2. change the values to suit your repo and the naming for the OIDC provider

  3. terraform init

  4. terraform apply

Your CI/CD process should now be able to assume the basic roles set up here, provided you entered the repo values correctly.

Terraform

OIDC Terraform files

AWS will require the correct OIDC settings depending on your Git provider

The following OIDC tf files have been included, along with associated pipeline setups

  1. Gitlab (CI/CD) gitlab-oidc.tf and .gitlab-ci.yml CI/CD

  2. Github (Github Actions) github-oidc.tf and .github folder with Github Actions

  3. Bitbucket (Pipelines) bitbucket-oidc.tf and bitbucket-pipelines.yml Pipelines

There is some initial bootstrapping involved with Terraform before the pipeline code can take over the hard work.

Customising the Terraform environment variables

First, open a CLI and move into the tf folder

cd /tf

copy the terraform.tfvars.template to terraform.tfvars

cp terraform.tfvars.template terraform.tfvars

This file should stay untracked in your repo via .gitignore, as it will generally contain secret or semi-secret information.

Initialise Terraform

Ensure Terraform has been installed.

Rename the Git provider tf files that are not used to -oidc.tf.disabled. Leaving them as-is will not grant additional access without the proper variables, but disabling them keeps the plan to the provider you actually use.
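As an added example (not Bedrock's own tooling), the script below automates the two housekeeping steps from this section: it refuses to copy terraform.tfvars.template into place until .gitignore actually excludes terraform.tfvars, and it renames every *-oidc.tf except the one for the chosen Git provider to -oidc.tf.disabled. The tf directory it operates on is constructed for the demo; the file names match the ones listed on this page.

```shell
#!/bin/sh
# Added example (not Bedrock's own tooling): prepare the tf folder for one
# Git provider. The demo directory layout is constructed; the file names are
# the ones this page lists (gitlab-oidc.tf, github-oidc.tf, bitbucket-oidc.tf).
set -eu

# Return 0 if .gitignore in $1 ignores terraform.tfvars (either an exact
# "terraform.tfvars" line or a "*.tfvars" line), 1 otherwise.
tfvars_ignored() {
  [ -f "$1/.gitignore" ] || return 1
  grep -qxE '(\*|terraform)\.tfvars' "$1/.gitignore"
}

# Copy the template into place without clobbering an existing tfvars, but
# only once .gitignore guarantees the secret-bearing file cannot be committed.
prepare_tfvars() {
  dir=$1
  tfvars_ignored "$dir" || { echo "terraform.tfvars is not in .gitignore" >&2; return 1; }
  [ -e "$dir/terraform.tfvars" ] || cp "$dir/terraform.tfvars.template" "$dir/terraform.tfvars"
}

# Disable every *-oidc.tf in $1 except "$2-oidc.tf" (gitlab, github or
# bitbucket). Terraform only reads *.tf, so the .disabled suffix drops the file
# from the plan without deleting it. Prints each renamed file, one per line.
select_oidc_provider() {
  dir=$1
  keep=$2
  for f in "$dir"/*-oidc.tf; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case "$name" in
      "$keep-oidc.tf") ;;
      *) mv "$f" "$f.disabled"; echo "$name" ;;
    esac
  done
}

# Constructed tf folder: three provider files, a tfvars template and a
# .gitignore that does NOT yet cover terraform.tfvars.
make_demo_tf_dir() {
  dir=$(mktemp -d)
  for p in gitlab github bitbucket; do
    printf '# %s OIDC provider and role (placeholder)\n' "$p" > "$dir/$p-oidc.tf"
  done
  printf 'unique_prefix = "CHANGEME"\nbase_region   = "ap-southeast-2"\n' > "$dir/terraform.tfvars.template"
  printf '.terraform/\n*.tfstate\n' > "$dir/.gitignore"
  echo "$dir"
}
```

Run prepare_tfvars before select_oidc_provider in a fresh clone: the first call fails until terraform.tfvars is added to .gitignore, which is the point at which it is safe to fill the file with account IDs and e-mail addresses.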

CloudFormation

Begin OIDC

AWS will require the correct OIDC settings depending on your Git provider

The following OIDC setups have been included, along with associated pipeline setups

  1. Gitlab (CI/CD)

  2. Github (Github Actions)

  3. Bitbucket (Pipelines)
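Whether the OIDC setup is deployed with the Terraform files above or with CloudFormation, what AWS actually evaluates is the role's trust policy, so the following added example (not Bedrock's own OIDC files) serves both sections. It generates that trust policy for one provider, pinned to one audience and one exact subject, and lints a policy for the error that grants far more than intended: a missing or wildcarded subject condition, which would let any repository on that provider assume the role. The provider ARN, organisation name and role name are placeholders; the subject format shown is GitHub's, and other providers use their own issuer host and subject layout.

```shell
#!/bin/sh
# Added example (not Bedrock's own OIDC files): build and lint the IAM trust
# policy behind a CI/CD OIDC role. Provider ARN, org and role name are
# placeholders; the account ID is the example value from this page.
set -eu

# Emit a trust policy allowing AssumeRoleWithWebIdentity from one OIDC
# provider, restricted to one audience and one exact subject.
#   $1 provider ARN   $2 issuer host (claim prefix)   $3 audience   $4 subject
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "$1" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$2:aud": "$3",
          "$2:sub": "$4"
        }
      }
    }
  ]
}
EOF
}

# GitHub Actions subject claim for a branch ref of one repository:
#   repo:ORG/REPO:ref:refs/heads/BRANCH
github_subject() {
  printf 'repo:%s:ref:refs/heads/%s' "$1" "$2"
}

# Lint: return 0 only if the policy conditions on both aud and sub and the
# subject value contains no wildcard. Without a pinned sub, every pipeline on
# the provider could assume the role.
trust_policy_is_pinned() {
  policy=$1
  printf '%s\n' "$policy" | grep -q '"[^"]*:aud"' || return 1
  sub_line=$(printf '%s\n' "$policy" | grep '"[^"]*:sub"' || true)
  [ -n "$sub_line" ] || return 1
  case "$sub_line" in *\**) return 1 ;; esac
  return 0
}

# Apply with the AWS CLI (needs the admin SSO profile from the bootstrap
# section; not exercised offline).  $1 role name, $2 policy JSON
create_pipeline_role() {
  aws iam create-role --role-name "$1" --assume-role-policy-document "$2"
}

# Constructed demo values. The issuer host doubles as the claim prefix.
PROVIDER_ARN='arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com'
GITHUB_ISSUER='token.actions.githubusercontent.com'

# A pinned policy for the template repo's main branch (org name is a placeholder)...
GOOD_POLICY=$(trust_policy "$PROVIDER_ARN" "$GITHUB_ISSUER" sts.amazonaws.com \
  "$(github_subject your-org/bedrock-foundation-template main)")

# ...and the over-broad variant the lint is meant to catch.
BAD_POLICY=$(trust_policy "$PROVIDER_ARN" "$GITHUB_ISSUER" sts.amazonaws.com 'repo:your-org/*')

if trust_policy_is_pinned "$GOOD_POLICY"; then echo "pinned policy: ok"; fi
if ! trust_policy_is_pinned "$BAD_POLICY"; then echo "wildcard policy: rejected"; fi
```

Run the lint against the rendered trust policy of whichever variant you deploy (terraform show or the CloudFormation template's AssumeRolePolicyDocument) before the first pipeline run; it is a cheap check that the role is tied to your repository rather than to the provider as a whole.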

High Level Design

Overall Account Design

[Figure: Landing Zone High Level Design]

Management

Overall Management Account Architecture

Management Account Design
[Figure: Management Account High Level Design]

Operational Excellence Design
[Figure: Operational Excellence High Level Design]

Cost Optimisation Design
[Figure: Cost Optimisation High Level Design]

Reliability Design
[Figure: Reliability High Level Design]

Security Design
[Figure: Security High Level Design]

Security

Account Design
[Figure: Security Account High Level Design]

Operational Excellence Design
[Figure: Operational Excellence High Level Design]

Security Design
[Figure: Security High Level Design]

Central

Account Design
[Figure: Central Account High Level Design]

Operational Excellence Design
[Figure: Operational Excellence High Level Design]

Cost Optimisation Design
[Figure: Cost Optimisation High Level Design]

Reliability Design
[Figure: Reliability High Level Design]

Security Design
[Figure: Security High Level Design]

Operational

Account Design
[Figure: Operational Account High Level Design]

Operational Excellence Design
[Figure: Operational Excellence High Level Design]

Cost Optimisation Design

The scheduler has a role in these accounts; the actual Lambda function and CloudWatch schedule live in the Central account.

[Figure: Cost Optimisation High Level Design]

Reliability Design

AWS Backup is set at the Organisation level; refer to Management-Reliability.

[Figure: Reliability High Level Design]

Security Design
[Figure: Security High Level Design]

Overall CI CD Design

[Figure: CI CD High Level Design]

Git Sources
[Figure: Git Sources Deployment High Level Design]

Overall Git Source Architecture

GitLab Design
[Figure: GitLab Deployment High Level Design]

GitHub Design
[Figure: Operational Excellence High Level Design]

Bitbucket Design
[Figure: Cost Optimisation High Level Design]

Overall Terraform Design

[Figure: Terraform High Level Design]

Terraform
[Figure: Terraform Deployment High Level Design]

Overall CloudFormation Design

[Figure: CloudFormation High Level Design]

CloudFormation
[Figure: CloudFormation Deployment High Level Design]

Frequently Asked Questions

Performance Pillar?

There are no real workloads aside from the VPN and some basic Lambda functions.

Sustainability Pillar?

Aside from region selection, there are no workloads that would really account for this pillar.

Bedrock has its documentation hosted on Read the Docs.