{"id":20017106,"url":"https://github.com/blackbird-cloud/aws-cloud-foundation-template","last_synced_at":"2026-02-25T13:02:01.270Z","repository":{"id":177245700,"uuid":"656373197","full_name":"blackbird-cloud/aws-cloud-foundation-template","owner":"blackbird-cloud","description":"Boilerplate repository for AWS Cloud deployment used by Blackbird Cloud","archived":false,"fork":false,"pushed_at":"2024-09-18T09:46:15.000Z","size":44,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-03T01:11:47.764Z","etag":null,"topics":["aws","cloud-foundation","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blackbird-cloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-20T20:24:54.000Z","updated_at":"2025-03-14T15:39:06.000Z","dependencies_parsed_at":"2025-01-12T15:43:48.630Z","dependency_job_id":"0b395213-e782-4eec-ab6d-af9f13e3089d","html_url":"https://github.com/blackbird-cloud/aws-cloud-foundation-template","commit_stats":null,"previous_names":["blackbird-cloud/aws-cloud-foundation-template"],"tags_count":0,"template":true,"template_full_name":null,"purl":"pkg:github/blackbird-cloud/aws-cloud-foundation-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackbird-cloud%2Faws-cloud-foundation-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackbird-cloud%2Faws-cloud-foundation-template/tags","releases_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/blackbird-cloud%2Faws-cloud-foundation-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackbird-cloud%2Faws-cloud-foundation-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blackbird-cloud","download_url":"https://codeload.github.com/blackbird-cloud/aws-cloud-foundation-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blackbird-cloud%2Faws-cloud-foundation-template/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260452762,"owners_count":23011541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud-foundation","terraform"],"created_at":"2024-11-13T08:14:27.332Z","updated_at":"2025-10-27T23:10:02.251Z","avatar_url":"https://github.com/blackbird-cloud.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Blackbird Cloud AWS Cloud Environment Template\n\n\n[![blackbird-logo](https://raw.githubusercontent.com/blackbird-cloud/terraform-module-template/main/.config/logo_simple.png)](https://www.blackbird.cloud)\n\n## Intro\n\nWe (Blackbird Cloud) have deployed many AWS cloud environments for our clients. We use this repository as a boilerplate for our cloud deployments.\n\nThis repository includes:\n* AWS CloudFormation stack templates to bootstrap your account after creation.\n* Terragrunt and Terraform resources to configure the following services:\n    * AWS Organizations\n    * AWS IAM Identity Center\n    * AWS CloudFormation StackSets\n    * AWS KMS key for Terraform state encryption.\n    * AWS S3 bucket for Terraform state storage.\n    * AWS KMS key for audit log encryption.\n    * AWS S3 bucket for audit log collection.\n    * AWS CloudTrail organization configuration.\n* GitOps (GitHub Actions) pipeline\n\n## How to deploy\n\n1. Create an AWS account [here](https://portal.aws.amazon.com/billing/signup#/start/email) and name it `management`. Select the region you would like to deploy your resources to, and write down the region and account ID.\n2. Navigate to Security Credentials, and register an MFA device for your root account.\n3. Navigate to your Account page in the Billing console, and enable access for IAM users.\n4. Select the region in which you would like to create your AWS resources.\n
5. Navigate to AWS CloudFormation =\u003e Stacks, and manually deploy the following stack templates in the specified order: `stacks/github-oidc-provider.yaml`, `stacks/github-oidc-role.yaml`, `stacks/terraform-state.yaml`, and `stacks/iam-role.yaml`.\n    * For the `github-oidc-role` stack, fill in `GitHubIdentityProviderArn` with the ARN of the IdP created by the `github-oidc-provider` stack. Fill in `SubjectClaimFilters` with the following value for your infra repo: `repo:YOUR_GITHUB_ORGANIZATION/YOUR_GITHUB_REPOSITORY_NAME:ref:refs/heads/BRANCH_NAME`; we advise using `main` as the branch name. This is necessary to make sure that only GitHub Actions runs on the main branch are allowed to plan and apply changes on AWS. Make sure to protect your main branch, as it will receive AdministratorAccess on your AWS cloud. Once the stack has been created, navigate to its resources, and note down the ARN of the created IAM role. For `GitHubActionsJumpRoleName` use the same name as you will use for the `iam-role` stack's `RoleName` parameter.\n    * For the `terraform-state` stack, fill in `GithubActionsRoleArn` with the role ARN created in the `github-oidc-role` stack. Once the terraform state stack has been created, note down the bucket name; it will be used as the state bucket for the next steps.\n    * For the `iam-role` stack, fill in `PrincipalARN` with the role ARN created in the `github-oidc-role` stack. Make sure to write down the role name, and configure it in `globals.hcl` at `github_role_name`. Under `ManagedPolicyARNs` one can configure `arn:aws:iam::aws:policy/AdministratorAccess`.\n6. Create 2 variables on GitHub -\u003e Settings -\u003e Secrets and variables -\u003e Actions -\u003e Variables\n    * `AWS_IAM_ROLE`: fill in the `IAM Role ARN` created by the `github-oidc-role` stack\n    * `AWS_REGION`: fill in your selected AWS region.\n7. On `.github/workflows/aws_deployment.yml` update all occurrences of `\u003cmy-project-name\u003e` (line 46) to your GitHub repository name.\n8. On `global.hcl` enter all the required information at the `Enter manually` block.\n9. On `cloud/management/terragrunt.hcl` enter all the information under the `Enter manually` block. Remember to do the same for the other accounts' terragrunt files.\n10. Go to `cloud/management/00-organization/terragrunt.hcl` and fill in the local values under `Enter manually`, and under inputs fill in the primary, operational, security, and billing contact information. Configure the accounts you would like to create.\n
11. (Optional) If your IdP supports provisioning users and groups, you can skip this step, and delete the `cloud/management/02-iam-sso/01-users` folder and the `cloud/management/02-iam-sso/02-groups` folder.\n    * Create the users list in `cloud/management/02-iam-sso/01-users/terragrunt.hcl`; you can remove `john.doe@email.com`.\n    * In `cloud/management/02-iam-sso/02-groups/terragrunt.hcl` enter the groups with the users you would like to create. Make sure to assign the created users by adding multiple `dependency.users.outputs.users[\"USER_EMAIL\"].user_id` entries, replacing `USER_EMAIL` with the actual email.\n    * On the initial run, align the `mock_output` value of `dependency \"users\"` with `01-users`; make sure all emails registered in `01-users` are listed. The `user_id` value can be left as `\"user_id\"`.\n\n12. (Optional) On `cloud/management/02-iam-sso/03-permission-sets/terragrunt.hcl` enter the permission sets you would like to create. We have included some commonly used permission sets.\n13. (Optional) On `cloud/management/02-iam-sso/04-account-assignment/terragrunt.hcl` assign accounts and permission sets to users and groups. The default value will deploy the `AdministratorAccess` permission set for the Administrators group.\n14. Commit and push; this will trigger the pipeline to run.\n    * It will successfully create your AWS organization, and *fail* to create all other modules after that.\n15. Then there are a few steps to be taken before re-running the pipeline:\n    * Open your AWS web console and navigate to CloudFormation =\u003e StackSets, then enable trusted access.\n    * Open your AWS web console and navigate to IAM Identity Center, then click on enable.\n    * You can now choose to use the AWS IAM Identity Center directory, or configure your own directory. Read the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) to proceed depending on your organization's IdP.\n    * If you choose to use the AWS IAM Identity Center directory:\n        * Configure the MFA settings.\n        * On Settings =\u003e Authentication, enable `Send email OTP for users created from API`.\n
16. Re-run the failed pipeline and all IAM and StackSets resources should now deploy successfully.\n17. On `cloud/logs/terragrunt.hcl` enter all the information under the `Enter manually` block. Remember to do the same for the other accounts' terragrunt files.\n18. On `cloud/keys/terragrunt.hcl` enter all the information under the `Enter manually` block. Remember to do the same for the other accounts' terragrunt files.\n19. On `policies.hcl` replace `YOUR_KEYS_ACCOUNT_ID` with the keys account ID.\n20. On `global.hcl` enter `management_account_id` and `logs_account_id`.\n21. The pipeline jobs will fail because of missing dependencies, so you will have to retry them a few times until everything has been created.\n22. Configure AWS profiles with AdministratorAccess permissions on your local machine for all created AWS accounts.\n23. Update `global.hcl` `remote_state_bucket` to the bucket created at `cloud/management/04-terraform-state/01-bucket`.\n24. You can now migrate the Terraform state to the newly created Terraform state bucket, and delete the `terraform-state` CloudFormation stack when finished. If you open a terminal in the `cloud` directory, you can execute `terragrunt --terragrunt-non-interactive run-all init -migrate-state -input=true`; you will manually have to enter \"yes\" a number of times.\n\n## Troubleshooting\n\n### Rate Limited\n```\nError: enabling Security Hub Organization Admin Account (XXXXXXXXX): LimitExceededException: AWS Organizations can't complete your request because another request is already in progress. Try again later.\n```\nIf you see this error, it means you are being rate limited by AWS. Simply re-run the failed pipeline and give it another shot.\n\n## Future improvements\n\n- [ ] Make CloudFormation bucket public with templates\n\n- [ ] Double check CI files and remove hardcoded values\n\n- [ ] Add mock outputs to organization dependencies\n\n## About Blackbird Cloud\n\nWe are [Blackbird Cloud](https://www.blackbird.cloud), an Amsterdam-based cloud consultancy and cloud management service provider. We help companies build secure, cost-efficient, and scalable solutions.\n\nCheck out our other :point_right: [terraform modules](https://registry.terraform.io/namespaces/blackbird-cloud)\n\n## Copyright\n\nCopyright © 2017-2023 [Blackbird Cloud](https://www.blackbird.cloud)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblackbird-cloud%2Faws-cloud-foundation-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblackbird-cloud%2Faws-cloud-foundation-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblackbird-cloud%2Faws-cloud-foundation-template/lists"}