002 – Shared network account

The Shared Network account is owned by the Cloud Team and exists to do one thing well: provide shared connectivity that the rest of the ARGLabs organization can consume. Instead of every account building and maintaining its own network, this account builds the baseline once and shares it through AWS Resource Access Manager (RAM).

What it provisions

The repository is split into two Terraform roots that are always applied in order, because the second root reads the first root's remote state.

  • terraform-account-creation: the AWS account under the Shared OU, its team permission set, the sharednetwork subdomain hosted zone, and the NS delegation record in the apex zone. Runs in the default workspace only.
  • terraform-account-configuration: the baseline VPC with public and private subnets (built with the bigbang-network Terraform module), the RAM resource share and its subnet associations, per-environment DNS zones, and the DNS delegation. Supports the default, stg, and prd workspaces.

NAT gateways are disabled, so the private subnets have no outbound internet egress by design.

How it deploys

Like the rest of ARGLabs, everything runs through Bitbucket Pipelines. The pipeline assumes the bitbucket-openid role via OIDC, which in turn assumes the deployer role to touch AWS. No long-lived credentials anywhere.

On the main branch the pipeline plans and applies account creation first (behind a manual approval), cleans up the default VPCs in the new account, runs an Infracost cost estimate, and then applies the account configuration across the default, stg, and prd environments.
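Added example, not code from the arglabs-account-sharednetwork repository: a sketch of how the terraform-account-configuration root can consume the account-creation root's remote state and publish the private subnets through RAM, scoped to the organization. The state bucket and key, the region, the account_id output of the creation root, and the private_subnet_arns variable are assumptions.

```hcl
# Assumed: S3 state bucket/key, region, an account_id output in the
# account-creation root, and private subnet ARNs supplied from the network module.

# Root 2 reads root 1's state; this is the ordering dependency between the roots.
data "terraform_remote_state" "account_creation" {
  backend = "s3"
  config = {
    bucket = "arglabs-terraform-state"                          # assumed bucket
    key    = "sharednetwork/account-creation/terraform.tfstate" # assumed key
    region = "eu-west-1"                                        # assumed region
  }
}

# Pipeline identity (bitbucket-openid via OIDC) assumes the deployer role in the
# newly created account; no static keys are configured anywhere.
provider "aws" {
  region = "eu-west-1" # assumed region
  assume_role {
    role_arn = "arn:aws:iam::${data.terraform_remote_state.account_creation.outputs.account_id}:role/deployer"
  }
}

# In the real root these come from the bigbang-network module output (assumed).
variable "private_subnet_arns" {
  type = list(string)
}

data "aws_organizations_organization" "current" {}

# One share per workspace so stg and prd subnets remain distinguishable
# in consumer accounts. External principals are refused: only the org can use it.
resource "aws_ram_resource_share" "subnets" {
  name                      = "sharednetwork-${terraform.workspace}"
  allow_external_principals = false
}

# Share only the private subnets; the public subnets stay with this account.
resource "aws_ram_resource_association" "private" {
  for_each           = toset(var.private_subnet_arns)
  resource_arn       = each.value
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

# Grant the organization rather than individual account IDs, so new accounts
# pick up the network without a change to this root.
resource "aws_ram_principal_association" "org" {
  principal          = data.aws_organizations_organization.current.arn
  resource_share_arn = aws_ram_resource_share.subnets.arn
}
```

Because the private subnets have no NAT gateway, anything a consumer account launches into them gets no internet egress; review that assumption before a workload depends on it.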

Repository: bitbucket.org/arglabs/arglabs-account-sharednetwork
Network module: bitbucket.org/arglabs/arglabs-tfmod-bigbang-network