feat: AWS multi-account IAC setup with scripts for custom usage (#1)

Author: Lstedmanfalls

.github/workflows/lint-and-test-infra.yaml

@@ -0,0 +1,84 @@
+name: Lint and Test Infrastructure Setup
+
+on: 
+  pull_request:
+    types: 
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-test-infra-code:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Get Terraform and Terragrunt Versions
+        id: get-versions
+        run: |
+          TERRAFORM_VERSION=$(grep "terraform_version" ${GITHUB_WORKSPACE}/root.hcl | head -1 | awk -F'"' '{print $2}' | sed 's/~> //' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9x]+/\1.0/')
+
+          TERRAGRUNT_VERSION=$(grep "terragrunt_version" ${GITHUB_WORKSPACE}/root.hcl | head -1 | awk -F'"' '{print $2}' | sed 's/~> //' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9x]+/\1.0/')
+          
+          echo "terraform_version=$TERRAFORM_VERSION" >> $GITHUB_OUTPUT
+          echo "terragrunt_version=$TERRAGRUNT_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ steps.get-versions.outputs.terraform_version }}
+
+      - name: Setup Terragrunt
+        run: |
+          wget -q https://github.com/gruntwork-io/terragrunt/releases/download/v${{ steps.get-versions.outputs.terragrunt_version }}/terragrunt_linux_amd64 -O /tmp/terragrunt
+          chmod +x /tmp/terragrunt
+          sudo mv /tmp/terragrunt /usr/local/bin/terragrunt
+          terragrunt --version
+
+      - name: Setup Terraform and Terragrunt Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            /tmp/terragrunt
+            ~/.terraform.d
+            ~/.terragrunt
+          key: ${{ runner.os }}-tf-tg-${{ steps.get-versions.outputs.terraform_version }}-${{ steps.get-versions.outputs.terragrunt_version }}
+          
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Setup Python Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/pip
+            ~/.cache/uv
+            ~/.cache/hatch
+          key: ${{ runner.os }}-python-${{ matrix.python-version }}-${{ hashFiles('requirements.lock', 'pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-python-${{ matrix.python-version }}-
+
+      - name: Setup Hatch and UV
+        run: |
+          pip install hatch uv
+      
+      - name: Create Hatch Environment
+        run: hatch env create env
+      
+      - name: Setup Infra Test Dependencies
+        run: hatch run env:install-infra-deps
+      
+      - name: Lint Infra Setup
+        run: hatch run env:lint-infra
+
+      - name: Test Infra Setup
+        run: hatch run env:test-infra

.github/workflows/lint-and-test-scripts.yaml

@@ -0,0 +1,56 @@
+name: Lint and Test Setup Scripts
+
+on: 
+  pull_request:
+    types: 
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-test-setup-scripts:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./setup-scripts
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+          
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Setup Python Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/pip
+            ~/.cache/uv
+            ~/.cache/hatch
+          key: ${{ runner.os }}-setup-scripts-${{ matrix.python-version }}-${{ hashFiles('setup-scripts/requirements.lock', 'setup-scripts/pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-setup-scripts-${{ matrix.python-version }}-
+
+      - name: Setup Hatch and UV
+        run: |
+          pip install hatch uv
+      
+      - name: Create Hatch Environment
+        run: hatch env create env
+        
+      - name: Install Setup Scripts Dependencies
+        run: hatch run env:install-script-deps
+      
+      - name: Lint Setup Scripts
+        run: hatch run env:lint-scripts
+      
+      - name: Test Setup Scripts
+        run: hatch run env:test-scripts

.gitignore

@@ -1,3 +1,81 @@
+######### TERRAFORM #########
+
+# Local .terraform directories
+**/.terraform
+**/.terraform/*
+**/.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+######### PYTHON #########
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Distribution / packaging
+build/
+dist/
+*.egg-info/
+*.egg
+
+# Unit test / coverage reports
+.coverage
+.coverage.*
+coverage.xml
+.pytest_cache/
+
+# Hatch
+.hatch/
+
+# Type checking
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Linting
+.ruff_cache/
+
+# Virtual environments (in case someone uses them)
+.env
+.venv
+env/
+venv/
+
 # IDE specific files
 .idea/
 .vscode/

Makefile

@@ -0,0 +1,46 @@
+.PHONY: clean env format lint test help lock-deps install upgrade-deps
+
+.DEFAULT_GOAL := help
+
+env:
+	hatch shell env
+
+install:
+	hatch run env:install-infra-deps
+
+format:
+	ruff format test_infrastructure.py
+
+lint:
+	hatch run env:lint-infra
+
+test:
+	hatch run env:test-infra
+
+lock-deps:
+	uv pip compile pyproject.toml -o requirements.lock
+
+upgrade-deps:
+	uv pip compile --upgrade pyproject.toml -o requirements.lock
+
+clean:
+	find . -type d -name "__pycache__" -exec rm -rf {} + 2>/dev/null || true
+	find . -type f -name "*.pyc" -delete
+	find . -type d -name ".pytest_cache" -exec rm -rf {} + 2>/dev/null || true
+	find . -type d -name ".coverage" -delete
+	find . -type f -name ".coverage" -delete
+	find . -type f -name "coverage.xml" -delete
+	find . -type d -name ".ruff_cache" -exec rm -rf {} + 2>/dev/null || true
+	find . -type d -name ".mypy_cache" -exec rm -rf {} + 2>/dev/null || true
+	@echo "IMPORTANT: If you're in a Hatch shell, type 'exit' to leave"
+
+help:
+	@echo "Available commands:"
+	@echo "  env          Create and activate Hatch environment"
+	@echo "  install      Install dependencies using Hatch script"
+	@echo "  format       Format test_infrastructure.py"
+	@echo "  lint         Run linting checks on test_infrastructure.py"
+	@echo "  test         Run tests for test_infrastructure.py"
+	@echo "  lock-deps    Generate requirements.lock from pyproject.toml"
+	@echo "  upgrade-deps Update and regenerate requirements.lock files with latest dependency versions"
+	@echo "  clean        Remove Python cache files"

README.md

@@ -1,3 +1,103 @@
 # aws-multi-account
 
 [![CodeQL](https://github.com/mindbuttergold/template-repo/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/mindbuttergold/aws-multi-account/actions/workflows/github-code-scanning/codeql) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/mindbuttergold/aws-multi-account/badge)](https://scorecard.dev/viewer/?uri=github.com/mindbuttergold/aws-multi-account) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10740/badge)](https://www.bestpractices.dev/projects/10740)
+
+This repository demonstrates the setup of an AWS multi-account model with recommended Organization Units, via Infrastructure as Code (IAC) via Terraform and Terragrunt.
+
+The `./accounts` directory and files at the root of the repository show the core infrastructure setup. 
+
+The code in the `./setup-scripts` directory is just to facilitate custom, automated setup of the accounts directories and required IAM resources if desired. This `./setup-scripts` directory can be deleted if desired, and the infra setup will stand on its own with its own workflow, tests, etc.
+
+## Organization Structure
+
+```
+AWS Organization Root
+│
+├── Management OU
+│   └── Management Account (mbg-management)
+│       └── Organization-wide IAM and account management
+│
+├── Security OU
+│   └── Security Account (mbg-security)
+│       └── Security tools, GuardDuty, audit logs
+│
+├── Infrastructure OU
+│   ├── Backup Account (mbg-backup)
+│   │   └── Centralized backup and disaster recovery
+│   ├── Development Account (mbg-infrastructure-development)
+│   │   └── Shared development infrastructure
+│   ├── Staging Account (mbg-infrastructure-staging)
+│   │   └── Pre-production infrastructure validation
+│   └── Production Account (mbg-infrastructure-production)
+│       └── Production infrastructure and shared services
+│
+├── Workloads OU
+│   ├── Development Account (mbg-workloads-development)
+│   │   └── Development environment workloads
+│   ├── Staging Account (mbg-workloads-staging)
+│   │   └── Pre-production workload validation
+│   └── Production Account (mbg-workloads-production)
+│       └── Production workloads and applications
+│
+└── Sandbox OU
+    └── Sandbox Account (mbg-sandbox)
+        └── Isolated environment for testing and exploration
+```
+
+This structure follows AWS best practices by separating accounts by their unique purposes, to isolate potential impact of security events. The infrastructure setup also employs role-based access control (RBAC) for cross-account login and resource management via IAC.
+
+## AWS Documentation:
+
+- [Benefits of Using Multiple AWS Accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-multiple-aws-accounts.html)
+- [Benefits of Using Organizational Units](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-organizational-units-ous.html)
+- [Best Practices for a Multi-Account Environment](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices.html)
+- [Organizing Your AWS Environment Using Multiple Accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html)
+- [Design Principles for Your Multi-Account Strategy](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/design-principles-for-your-multi-account-strategy.html)
+- [Recommended OUs and Accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/recommended-ous-and-accounts.html)
+- [AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html)
+
+## Getting Started
+
+If you wish, you can use the setup scripts in this repository to create your own, custom AWS multi-account infrastructure. To do so, carefully follow all steps in the [setup-scripts README](./setup-scripts/README.md).
+
+## Testing
+
+There are basic unit tests that validate the structure and configuration of the AWS multi-account infrastructure setup, without requiring actual AWS credentials or resources.
+
+### Test Dependencies:
+   - Python 3.10 or later
+   - [Hatch](https://hatch.pypa.io/latest/install/) - For environment management
+   - All other deps are the `requirements.lock` file.
+
+### Running Tests
+
+A Makefile is available for easier local development, most of which just uses Hatch scripts from the `pyproject.yaml` file.
+You can choose to use the makefile commands, or you can use the Hatch script commands directly that are noted in the Makefile.
+
+```zsh
+# Create and activate a virtual Hatch environment
+
+make env
+
+# Install the required dependencies
+
+make install
+
+# Run tests
+
+make test
+
+# Run linting
+
+make lint
+```
+
+## Cost
+
+This setup should not incur costs to use. AWS does not charge you for creating Organizational Units or accounts. Rather, you incur charges based on resources used within accounts.
+
+The setup scripts will create an S3 bucket and IAM roles, which should fall within the free-tier level. 
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

accounts/mbg-backup/account_details.hcl

@@ -0,0 +1,8 @@
+locals {
+  account_name              = "mbg-backup"
+  account_id                = "222222222222"
+  organizational_unit       = "Infrastructure"
+  aws_region                = "us-west-2"
+  terraform_admin_role_name = "TerraformAdminRole"
+  s3_backend_bucket_name    = "mbg-terraform-state"
+}

accounts/mbg-backup/main.tf

@@ -0,0 +1,4 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+resource "aws_iam_account_alias" "alias" {
+  account_alias = var.account_name
+}