001 – Main account first pipeline

The Main Account is the root of the ARGLabs AWS Organization, but it is intentionally minimal. It does not run any workloads. Its only job is to host the pieces that have to live at the very top of the tree: the organization structure, the identity provider for everyone who logs into AWS, and the company’s main domain.

What it provisions

  • AWS Organizations: a Teams OU (Cloud Team, App Team) and a Shared OU.
  • IAM Identity Center (SSO): a CloudAdministrators group, an AdministratorAccess permission set, the account assignment that grants the group admin on the Main Account, and the group membership for the configured admin users.
  • Route 53: the arglabs.org hosted zone and the registered domain entry, wired to that zone's name servers.

How it deploys

Everything runs through Bitbucket Pipelines. The pipeline assumes the bitbucket-openid role via OIDC (provisioned by the pre-requisites project), which in turn assumes the deployer role to actually touch AWS. No long-lived credentials anywhere.

The main branch pipeline runs terraform plan, an Infracost cost estimate, a “should we deploy today?” guard (no Friday deploys), and then waits for a manual approval before applying. There is also a gitops branch that short-circuits straight to apply for cases where you know what you are doing.

Repository: bitbucket.org/arglabs/arglabs-mainaccount

000 – Main account pre-requisites

We aim to do everything as code in ARGLabs, but at the very beginning we cannot even run pipelines. There is no IAM role for Bitbucket to assume, no S3 bucket to store Terraform state, and no policies to authorize anything. This project breaks that chicken-and-egg cycle by provisioning the foundational pieces every other ARGLabs project depends on.

What it provisions

  • Bitbucket OIDC provider on AWS IAM, trusting the arglabs Bitbucket workspace.
  • bitbucket-openid IAM role, assumed by Bitbucket Pipelines via sts:AssumeRoleWithWebIdentity. Its only permission is to assume the deployer role.
  • deployer IAM role, assumed only by bitbucket-openid. Holds the actual deploy permissions: iam:*, s3:*, organizations:*, account:*, route53:*, route53domains:*, sso:*.
  • arglabs-terraform-states S3 bucket, the shared remote state backend used by every ARGLabs Terraform project.
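The trust chain in the list above, written out as an added Terraform example (not the arglabs-mainaccount-iac-prereqs repository's own code). The Bitbucket issuer URL, audience string and sub-claim layout follow Bitbucket's OIDC documentation and are assumptions here; the UUIDs and the thumbprint are placeholders.

```hcl
# Added illustration, not the ARGLabs repo's code. Issuer URL, aud and sub formats are
# assumptions taken from Bitbucket's OIDC docs; UUIDs and the thumbprint are placeholders.
locals {
  issuer    = "api.bitbucket.org/2.0/workspaces/arglabs/pipelines-config/identity/oidc"
  audience  = "ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000" # placeholder uuid
  repo_uuid = "{11111111-1111-1111-1111-111111111111}"                               # placeholder, brace-wrapped
}

resource "aws_iam_openid_connect_provider" "bitbucket" {
  url             = "https://${local.issuer}"
  client_id_list  = [local.audience]
  thumbprint_list = ["0000000000000000000000000000000000000000"] # placeholder
}

# bitbucket-openid: accepts only tokens from the provider above, pinned to the arglabs workspace (aud) and this repo (sub).
resource "aws_iam_role" "bitbucket_openid" {
  name = "bitbucket-openid"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect    = "Allow"
    Action    = "sts:AssumeRoleWithWebIdentity"
    Principal = { Federated = aws_iam_openid_connect_provider.bitbucket.arn }
    Condition = {
      StringEquals = { "${local.issuer}:aud" = local.audience }
      StringLike   = { "${local.issuer}:sub" = "${local.repo_uuid}:*" } # sub = "<repo>:<env>:<step>"
    }
  }] })
}

# deployer: trusts nothing but bitbucket-openid and carries the real deploy permissions.
resource "aws_iam_role" "deployer" {
  name = "deployer"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect    = "Allow"
    Action    = "sts:AssumeRole"
    Principal = { AWS = aws_iam_role.bitbucket_openid.arn }
  }] })
}

resource "aws_iam_role_policy" "deployer_permissions" {
  role = aws_iam_role.deployer.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Resource = "*",
    Action = ["iam:*", "s3:*", "organizations:*", "account:*", "route53:*", "route53domains:*", "sso:*"] }] })
}
# The only permission bitbucket-openid holds: assume deployer (separate resource, so the two roles form no cycle).
resource "aws_iam_role_policy" "assume_deployer_only" {
  role = aws_iam_role.bitbucket_openid.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.deployer.arn }] })
}
```

A token whose aud or sub does not match the pinned values is refused at sts:AssumeRoleWithWebIdentity, so a pipeline in another workspace or repository never reaches deployer.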

How to bootstrap it

A temporary IAM user is required for the very first apply, with two policies attached: IAMReadOnlyAccess (AWS managed) and iamuser-mainaccount-iac-prereqs (customer managed, least-privilege for the resources in this repo).

Export the keys, run terraform init / plan / apply from terraform/, then deactivate the credentials. After that, every future change runs through Bitbucket Pipelines via OIDC, with no long-lived AWS credentials anywhere.

Repository: bitbucket.org/arglabs/arglabs-mainaccount-iac-prereqs