Create the default accounts

[malparty]

Why?

• As a repo admin, I can log in to an admin AWS account (non-root) to connect AWS to the Terraform WorkSpace.
• Any code change can trigger a TF Cloud plan in the selected workspace

What?

• 1x root AWS account created
• 1x admin AWS account is created from the Root account (so until IAM users are provisioned, we will use this non-root account)
• 1 TF Cloud account created with a workspace
• The repository linked to this TF Cloud Workspace

[byhbt]

How about creating 1 AWS root account, then using this AWS root account to create an iamadmin AWS account? We can use the iamadmin as regular basis. So we never touch the root account to make sure it is safe.

Should we create 2 different AWS root accounts separately?

• 1 for the development
• 1 for the production

[malparty]

Good idea to use a non-root account until we have the IAM Users managed by TerraForm 👍

Regarding the two different root accounts, I suggest not doing that for this internal certification because I want to manage AWS Billing very carefully and having 2 different source of costs to manage will kill me 🙈

[byhbt]

yup, i see your concerns, we don't really need this one for the IC. Just nice to have. FYI about the concern AWS Billing you can check it here: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html

Let's say we have 2 separate root accounts: infra-prod and infra-dev We can login to the infra-prod and invite the infra-dev to the Organization. From that moment on, the infra-prod become the management account and handling the billing.

[malparty]

TIL AWS consolidated billing 💡 Thanks Thanh :)