Actually just start with that then let me look at the docs again
Iirc 1 is about right
Do you have to manually trigger stuff in CodeStar or w/e
Watched some YT video and the guy made it seem weirdly manual inside the console for some steps
There is a lot that’s manual
The api isn’t terribly well instrumented ime
Still better than how we are doing it now haha
It is really nice for containing people who know enough to be dangerous
The first six parameters are required. As a prerequisite, I need to pass the ID of four AWS accounts in my AWS organization:
• ct_management_account_id – AWS Control Tower management account
• log_archive_account_id – Log Archive account
• audit_account_id – Audit account
• aft_management_account_id – AFT management account
Did you have to make four different aws accounts at first just to set this up?
Example has it all as different accounts
AWS needs an account factory account factory
I get that you need at least one account, but can those values all be the same account?
```hcl
# The pasted snippet lost its opening line; the module label "aft" below is assumed.
module "aft" {
  source = "git@github.com:aws-ia/terraform-aws-control_tower_account_factory.git"

  # Required Parameters
  ct_management_account_id    = "123412341234"
  log_archive_account_id      = "234523452345"
  audit_account_id            = "345634563456"
  aft_management_account_id   = "456745674567"
  ct_home_region              = "us-east-1"
  tf_backend_secondary_region = "us-west-2"
}
```
What kind of mad lad is making 4 accounts for this
Yes you need all those
Think of it this way - in a single account you wouldn’t have the ability to limit the base role from accessing information that is considered “sensitive”
The idea being that each of the separate accounts creates the privilege isolation necessary
Because the only role that will be in those is effectively something akin to the root account