Document multi-account deployment best practices and resources

aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.

https://aws.github.io/copilot-cli/

Apache License 2.0

3.53k stars 417 forks source link

Document multi-account deployment best practices and resources #3602

Open dannyrandall opened 2 years ago

dannyrandall commented 2 years ago

From Gitter.

It would be helpful for the copilot docs to include some documentation around deploying to multiple accounts, for example, having a separate test and a prod account. Some useful details to include:

What resources are created in each account
How pipelines work with multiple accounts
Which credentials to use when (kinda covered here)

craigjbass commented 2 years ago

@iamhopaul123 https://github.com/aws/copilot-cli/issues/2939#issuecomment-949031717 mentions in this issue that multiple accounts is possible/encouraged, but it's not clear to me how to do this.

paragbhingre commented 2 years ago

@craigjbass Let's take the same example from the issue that you have mentioned above to help you understand multiple accounts implementation with Copilot.

Let say you run copilot app init --name example, then your application's infrastructure role stack will be created in your tooling(default) AWS account.
Now you can run copilot env init --name prod --app example --profile prod and then copilot env deploy --name prod --app example and your environment will be setup under prod account and it will be linked to your example app in the tooling account. In this environment you can deploy your choice of services, jobs etc.
As I mentioned in the previous point you can now run copilot svc init --app example --env prod followed by copilot svc deploy --app example --env prod and it will create a service inside prod environment.

Please let us know if you have any more questions.

craigjbass commented 2 years ago

Thanks for the reply, that's interesting! It did not occur to me that the application infrastructure role stack could exist in a different account (I didn't really understand how this component worked).

Hmm, I wonder how this would work with e.g. AWS SSO (now IAM Identity Center). I presume the profile prod needs access to resources in the tooling account?

dannyrandall commented 2 years ago

jumping in to link https://github.com/aws/copilot-cli/issues/3786 - there are a few multi account options discussed over there!

rsyring commented 3 months ago

I think there could be a step inserted before "Set up our app" at: https://aws.github.io/copilot-cli/docs/getting-started/first-app-tutorial/

It should ask the user if they are planning a multi-account deployment. If so, direct them to a new page dedicated to discussing multi-account deployments. Emphasize that the account where the app lives is where DNS will live (#5909) and, if there is not a dedicated/common account separate from the app's environments, then it should probably live in the production account since the DNS will affect the production app (IMO).