feat(CORE-1155): Add beginning of manage accounts #1058

MoonMoon1919
Contributor

No description provided.

@MoonMoon1919 MoonMoon1919 changed the title [WIP] feat(CORE-1155): Add beginning of manage accounts feat(CORE-1155): Add beginning of manage accounts Aug 22, 2023
@infraredgirl
Contributor

I wonder why there's no deploy preview for this PR?

@MoonMoon1919
Contributor Author

> I wonder why there's no deploy preview for this PR?

We only get deploy previews for PRs going to master :(

@ebeneliason
Contributor

Sorry for the delay, I've finally found time to pull this down and preview it. I thought this might work better as a table, so I took a quick stab at laying it out that way. For expedience, and so as not to clobber your version here, I'll just share a screenshot and the Markdown I used to generate it:

View Markdown
# Manage your accounts

Gruntwork's Control Tower integration provides an IaC-based approach to many of your account management needs. Operations within those accounts can be grouped according to whether they may be performed in IaC, the AWS Console, or either. _When operations may be performed in either location, we strongly recommend using IaC._

## Prerequisites

- An AWS account with AWS Control Tower set up
- Access to an IAM User or Role with administrative permissions to AWS Control Tower

## How to manage your accounts

| Management Operation                                       | Terraform (IaC)  | AWS Console (ClickOps) |
| ---------------------------------------------------------- | ---------------- | ---------------------- |
| Create a new Organizational Unit (OU)                      | ❌               | ✅                     |
| Delete an account (requires un-managing the account first) | ❌               | ✅                     |
| Modify account controls                                    | ❌               | ✅                     |
| Request a new account                                      | ✅               | ❌                     |
| Create a new account                                       | ✅               | ❌                     |
| Un-manage an account                                       | ✅               | ❌                     |
| Update Account Access IAM Identity Center user information | ✅ (recommended) | ✅ (discouraged)       |
| Moving an account to a new Organizational Unit             | ✅ (recommended) | ✅ (discouraged)       |

A few additional thoughts and questions:

  1. Are there any other account management operations we haven't covered?
    • Renaming an account
    • Changing the primary account email
    • Managing account access
    • Changing permissions for those with access
    • Anything else that can be done in Control Tower…?
  2. Are there any operations that we should emphasize should not be done in either place?
  3. Note that I added "Modify account controls" to the list and indicated that it must be done via ClickOps (at least for now). Feel free to adjust phrasing or correct if I'm mistaken.
  4. It might be nice to provide more context for actually performing these operations
    • We could link to e.g. the "add an account" page from the "create" and "request" an account items
    • We could link to the appropriate AWS docs for operations that can only be performed there
    • We could extend this page with additional information about actions (and use anchor links) if they don't warrant a dedicated page in our nav.
  5. I went back and forth on whether to sort these based on their relationship to each other (e.g., grouping deleting an account with un-managing an account, etc.) or based on which management approach we recommend. I went with the latter since it kept the emoji looking neat and tidy, but I'm open to the alternative.

@MoonMoon1919
Contributor Author

MoonMoon1919 commented Aug 30, 2023

> Renaming an account

We can add.

> Changing the primary account email

Do you mean the root email, or the email that is automatically granted access via SSO?

> Managing account access

The initial SSO access, or the group access? Other than permitting the initial SSO user, account access is managed by AWS Identity Center, not Control Tower. The IAM Identity Center call out in these docs is directly modifiable by updating the account request file. For other users, it is not. Do we want to cover both cases (and thus, both AWS services) in this single doc?

> Changing permissions for those with access

See above - do we want to make this doc exclusive to Control Tower or Control Tower + SSO?

EDIT - after further thought, I added it.

> Anything else that can be done in Control Tower…?

My understanding is that the only other modifiable resources in Control Tower, other than what we have listed, are related to Controls. Do we want to cover those here?

> Note that I added "Modify account controls" to the list and indicated that it must be done via ClickOps (at least for now).

Thanks!

> It might be nice to provide more context for actually performing these operations

I'll work on this today.

@MoonMoon1919
Contributor Author

@ebeneliason Thanks for the helpful feedback! I've folded in the requested changes.

@MoonMoon1919 MoonMoon1919 merged commit 29dd148 into devops-foundations Aug 30, 2023
3 checks passed
@MoonMoon1919 MoonMoon1919 deleted the feat/CORE-1155/manage-accounts-clickops-vs-terraform branch August 30, 2023 18:03
ellisonc added a commit that referenced this pull request Sep 19, 2023
* Account foundations phase 1 v1 docs

* Create section for post control-tower setup actions

* Add comments

* Add Account Factory Documentation (#1027)

* Add account vending documentation

---------

Co-authored-by: Eben Eliason <eben.eliason@gmail.com>
Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Reorg Pipelines docs

* Placeholder IA for the new DevOps Foundations docs (#1031)

* Address review suggestions

* Use ecs-deploy-runner in URLs

* Add docs for Pipelines to DevOps foundations (#1035)

* Add docs for Pipelines to DevOps foundations

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Update _docs-sources/foundations/ci-cd/pipelines.md

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* address PR feedback

---------

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* feat(CORE-1155): Add beginning of manage accounts (#1058)

* Add manage accounts page

---------

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>

* Add disclaimer about pipelines usage data and how customers can disable it (#1077)

* Add disclaimer about usage data and how customers can disable it

* feat(CORE-1148): Module Default Docs (#1082)

* add module default docs

---------

Co-authored-by: Eben Eliason <eben@gruntwork.io>

* Feat(CORE-1149): Add docs for folder structure to tf foundations (#1092)

* Add docs for folder structure to tf foundations

---------

Co-authored-by: Eben Eliason <eben.eliason@gmail.com>

* Feature/core 1151 control tower clickops (#1070)

* initial docs for enabling control tower

* fix root thing

* add next steps

* Add more detailed step-by-step

* Add prerequisites and reformat steps

* address pr comments

* Add Instructions for Shared Account Permissions

* Feat(CORE-1255): Add pipelines code exec docs (2) (#1099)

* Add docs on what pipelines is and how it works

---------

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>
Co-authored-by: Eben Eliason <eben@gruntwork.io>
Co-authored-by: docs-sourcer[bot] <99042413+docs-sourcer[bot]@users.noreply.github.com>

* feat(CORE-1238): Add upgrade guide from EDR to pipelines v2 (#1115)

* Add upgrade guide

---------

Co-authored-by: Josh Padnick <josh@gruntwork.io>

* Feat(CORE-1238): Add single account tutorial pipelines docs (#1114)

* Add single account tutorial pipelines docs

---------

Co-authored-by: Oreoluwa Agunbiade <21035422+oredavids@users.noreply.github.com>
Co-authored-by: Andrew Ellison <andrew@gruntwork.io>
Co-authored-by: Josh Padnick <josh@gruntwork.io>

* Add docs for PR workflow and Branch Protection Settings (#1123)

* Tweak sidebar (#1118)

- Add "external link" SVG to ECS Deploy Runner section
- Put "knowledge base" under a "Community" header

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>

* Feat(CORE-1273): Add pipelines security docs (#1116)

* Add pipelines security docs

---------

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>

* Feature/terraform foundations (#1125)

* add terraform foundations link to control tower page

* Start terraform foundations docs

* add getting started instructions

* make the template instructions less repetitive

* call out private repo

* oops, staged the docs sourcer file

* add machine user docs (#1126)

* Restore networking section (#1129)

* restore networking section and overview pages

* restore running apps

* forgot a sidebar overview

* feat(CORE-1275): Add Enterprise action permissions (#1127)

* Add call out for enterprise users to allow workflows from GW org

* Add pipelines action overview page and update pipelines overview (#1128)

* add pipelines action overview page

* add common terms

* fix link

* Update _docs-sources/pipelines/overview/index.md

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>

* remove docker talk

---------

Co-authored-by: Andrew Ellison <andrew@gruntwork.io>

---------

Co-authored-by: Eben Eliason <eben.eliason@gmail.com>
Co-authored-by: Eben Eliason <eben@gruntwork.io>
Co-authored-by: Ana Krivokapic <ana@gruntwork.io>
Co-authored-by: Max Moon <moon.maxwell@gmail.com>
Co-authored-by: Andrew Ellison <andrew@gruntwork.io>
Co-authored-by: docs-sourcer[bot] <99042413+docs-sourcer[bot]@users.noreply.github.com>
Co-authored-by: Josh Padnick <josh@gruntwork.io>