The BigBang process

Every team at ARGLabs needs its own AWS accounts, and they all need to look the same: the same access controls, the same network baseline, the same security guardrails. Doing that by hand, account after account, environment after environment, is how drift and mistakes creep in. BigBang is the answer to that problem. It is the process the Cloud Team uses to hand a team a complete, standards-compliant set of AWS accounts, built entirely as code, in minutes, with zero manual contact.

Why multi-account, and why as code

AWS recommends a multi-account model: isolate workloads and environments into separate accounts so that the blast radius of any incident stays small and permissions stay clean. We follow that model, but a model on its own does not guarantee consistency. A team typically runs more than one environment. Here we use three: production (prd), staging (stg), and development (the default environment), but you can have as many as you want.

The catch is that those environments are only useful if they are truly identical. A staging account that differs from production in a subnet layout, an IAM boundary, or a missing guardrail is not really staging; it is a different system that happens to share a name. The only way to guarantee that every environment is the same is to stop building them by hand and build all of them from the same code. That is the whole premise of BigBang: the accounts are identical because they are produced by the same Terraform, just run in a different workspace.

What a team receives

When the Cloud Team runs BigBang for a team, each account arrives already wired with the company standards baked in:

  • Access control through AWS Identity Center: per-account permission sets and group assignments (administrator, an optional read-only set, and a per-account team set) are created and attached automatically. The team can sign in to its accounts the moment they exist, with no console clicks to grant access.
  • IAM configured for safe deployments: a deployer role with a mandatory permissions boundary and dedicated path scoping, so the team can ship applications without account-wide admin rights and without any path to privilege escalation.
  • Network infrastructure: a baseline VPC with public and private subnets across availability zones, an internet gateway, and optional NAT, shared into the account through AWS Resource Access Manager so connectivity is managed centrally.
  • Security guardrails with AWS Config: a Config recorder plus rules that run in detection mode or in enforce mode, where enforce wires up automatic remediation. Misconfigurations are caught and, where we choose to, fixed without anyone intervening.

One codebase, every environment

BigBang is split into two stages. The first creates the AWS account itself under the right Organizations unit. The second configures everything inside that account, reading the new account id from the first stage so the two always line up. Each stage runs per environment using Terraform workspaces, where each workspace maps to one environment and produces one account. Because the same code runs for every workspace, the accounts come out identical by construction. The only difference between environments is a name and email suffix, since AWS requires globally unique account root emails.
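The two stages sketched as Terraform, as an added example rather than BigLab's actual code: a stage-one root module derives the account name and root email from the workspace, and a stage-two root module reads the account id back through remote state and assumes into the new account. The variable names, state bucket, state key, region and email layout are assumptions.

```hcl
# bigbang-account/main.tf  (stage 1, applied once per workspace: prd, stg, default)
locals {
  env    = terraform.workspace                       # "default" is the development environment
  suffix = local.env == "default" ? "" : "-${local.env}"
}

variable "team"       { type = string }              # e.g. "biglab"
variable "root_email" { type = string }              # e.g. "aws-biglab@example.com" (constructed)
variable "ou_id"      { type = string }              # Organizations unit the account is created under

# Name and root email are the only per-environment inputs. AWS requires the
# root email to be globally unique, so the suffix is inserted before the "@".
resource "aws_organizations_account" "team" {
  name      = "${var.team}${local.suffix}"
  email     = replace(var.root_email, "@", "${local.suffix}@")
  parent_id = var.ou_id
  role_name = "OrganizationAccountAccessRole"
}

output "account_id" { value = aws_organizations_account.team.id }

# bigbang-baseline/main.tf  (stage 2, applied in the workspace of the same name)
data "terraform_remote_state" "account" {
  backend   = "s3"
  workspace = terraform.workspace                    # same workspace => same account
  config = {
    bucket = "bigbang-tfstate"                       # placeholder bucket name
    key    = "bigbang-account/terraform.tfstate"     # placeholder state key
    region = "eu-west-1"
  }
}

# The pipeline's OIDC-issued credentials are the base identity here; every
# stage-2 resource is applied through this provider, so the account id is
# never typed by hand and cannot drift from what stage 1 created.
provider "aws" {
  alias  = "target"
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::${data.terraform_remote_state.account.outputs.account_id}:role/OrganizationAccountAccessRole"
  }
}
```

Running `terraform workspace select stg` in both repositories is therefore all that selects the staging account; no file changes between environments.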

Delivered in minutes, with zero manual contact

All of this runs through Bitbucket Pipelines, which authenticate to AWS using OIDC. There are no long-lived access keys anywhere in the process. The pipeline assumes the roles it needs across accounts, runs Terraform across the environments, and stands up a fully configured account end to end. From the moment the pipeline runs, a brand new account, with its access control, IAM, networking, and guardrails in place, is ready to use in a matter of minutes. Nobody opens the console to click anything into existence.

BigLab: where BigBang is built

BigLab is a fictitious team that exists purely as the development and reference ground for the BigBang process. Its repositories are where the process is built, exercised, and refined. When a real team requests new accounts, the BigBang repositories for those accounts are created from BigLab's, so each team inherits the same proven, standards-compliant setup from day one.

Project: BigLab on Bitbucket