Properties
account-name
account-name: string
Title: Account Name
Description: The name to be used to create the AWS account. The name appears in the AWS console, the SSO login screen and other locations end users will see it.
Optional account-warming-required
account-warming-required: boolean
Title: Account Warming Required
Description: This flag is set to true to force a new AWS account to be initialized, such that future programmatic deployments within the account succeed. Warming is performed by spinning up a small temporary VPC and EC2 instance in the account and letting it run for ~15 minutes before attempting to programmatically deploy resources.
Optional alb
alb: (ALBConfig1 | { action-type: string; apply-tags?: {}; cross-zone?: boolean; endpoint-subnets: { account?: string; subnet: string; vpc: string }[]; ip-type: string; name: string; subnets: string; targets: ALBTargetConfig3[]; type: "GWLB"; vpc: string })[]
Title: ELB
Description: Deploys an ELB (ALB and/or GWLB), per the defined configuration, in this account (in addition to any OU defined ELBs).
Optional aws-config
Title: AWS Config Rules
Description: A list of config rules to be excluded from deployment to this account, even though specified to be deployed at the OU level.
Optional budget
Title: Budget
Description: AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. This setting defines the AWS Budget configuration which will be created in this account, including budget alerts (overrides OU budgets).
Optional certificates
Title: Certificates
Description: Defines certificates to be created or imported into this account, in addition to OU defined certificates.
Optional cwl-retention
cwl-retention: number
Title: Override CloudWatch Log Retention
Description: Overrides the default retention period (in days) for CloudWatch Log Groups for this account. Valid values include: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653.
Optional deleted
deleted: boolean
Title: Deleted
Description: Marks the account as Suspended or Deleted. Internal Use only.
Optional deployments
Title: Deployments
Description: This section is used to define the deployment configuration for higher-level objects like rsyslog clusters, 3rd party firewalls and management appliances, Transit Gateways, and directory services like MAD and ADCs within an account. Directory service deployments are only supported in mandatory accounts.
Optional description
description: string
Title: Description
Description: Description field used in the future GUI; allows customers to record the purpose of this account.
email
email: string
Title: Email
Description: The email address associated with this account. It must be unique across all AWS accounts and never before used to open an AWS account.
Optional enable-s3-public-access
enable-s3-public-access: boolean
Title: Enable S3 Public Access
Description: By default, the Accelerator blocks S3 Public Access in all accounts. Setting this flag enables S3 public access for this account.
Optional exclude-ou-albs
exclude-ou-albs: boolean
Title: Exclude OU ALBs
Description: Setting this flag prevents the deployment of the OU defined ALBs in this account.
Optional gui-perm
gui-perm: boolean
Title: GUI Permission
Description: Set to true to block this field from being edited in the GUI.
Optional iam
Title: IAM
Description: Creates the defined IAM users, roles, and policies in this account in addition to the OU defined IAM objects.
Optional keep-default-vpc-regions
keep-default-vpc-regions: string[]
Title: Keep Default VPC regions
Description: The Accelerator deletes default VPCs in every region; this specifies the regions where the Accelerator will not delete default VPCs for this specific account.
Optional key-pairs
key-pairs: { name: string; region: string }[]
Title: Key Pairs
Description: Creates an EC2 keypair of the specified name in this account.
Optional limits
limits: {}
Title: Limits
Description: Automatically requests limit increases for the account and prevents the Accelerator from exceeding the limit by not deploying objects until the increase has been confirmed.
Optional opt-in-vpcs
opt-in-vpcs: string[]
Title: Opt-In VPCs
Description: The names of the Opt-In VPCs, defined in the OU, to opt this account in to.
ou
ou: string
Title: OU
Description: The Organizational Unit (OU) this account belongs to, which defines the persona the account assumes. The OU must be defined in the OU section of the config file. Core or shared accounts typically belong to the ‘Security’ or ‘Infrastructure’ OU. The Accelerator does not support OUs with a / in their name.
Optional ou-path
ou-path: string
Title: OU Path
Description: This field is used when an account is located in a nested OU, formatted as follows: `Dev/subou1/subou2`. OUs can be up to 5 levels deep.
Optional populate-all-elbs-in-param-store
populate-all-elbs-in-param-store: boolean
Title: Populate all Organization ELBs in local Parameter store
Description: Populates Parameter Store for the specified account with ALB information from all accounts in the organization. This feature is typically used in a central ingress/egress account.
Optional s3-retention
s3-retention: number
Title: Account S3 logging bucket retention period
Description: In certain cases logs are delivered to the local account before being centralized to the central logging bucket (e.g. VPC Flow Logs). This setting determines the retention for the local account copy of the logs in S3. If not specified, the `global-options` `default-s3-retention` value is used.
Optional scps
scps: string[]
Title: SCPs
Description: A list of SCPs which were defined in `global-options` and are to be attached to this account.
Optional secrets
secrets: { name: string; region: string; size: number }[]
Title: Secrets
Description: Creates a secret of the specified name and length in Secrets Manager in this account.
Optional share-mad-from
share-mad-from: string
Title: Share MAD From
Description: Shares the Managed Microsoft Active Directory (MAD) from the account specified in this parameter to this account.
src-filename
src-filename: string
Title: Source Filename
Description: Source filename containing the top-level config for this account. This allows the config file to be split into several files and enables locating the account's config file.
Optional ssm-automation
Title: SSM Automation Documents
Description: A list of the SSM automation documents defined and created within `global-options` to be *shared* into this account, in addition to any OU level documents shared into this account.
Optional ssm-inventory-collection
ssm-inventory-collection: boolean
Title: SSM Inventory Collection
Description: When true, deploys and configures SSM Inventory Collection.
Optional vpc
Title: VPC
Description: Defines VPC(s) to be created inside this account. VPCs defined inside accounts are local to that account. For shared VPCs define them inside OUs.
The Account Config object is used to define both workload and mandatory (shared) accounts, and enables customizing each individual account to have its own unique persona. It is recommended that accounts primarily receive their persona or configuration from their OU; each account's persona can then be customized within this section. Typically workload accounts have a minimal amount of account-level customization, whereas shared accounts typically contain high levels of customization based on their unique nature.
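The constraints stated above (required properties, the `cwl-retention` value list, no `/` in `ou`, `ou-path` depth, unique account emails, and `scps` naming only SCPs defined in `global-options`) are easy to lint before a config change is applied. The following Python is an added example, not the Accelerator's own validation code: the account entries, SCP name and email addresses are constructed for illustration, and treating email uniqueness as case-insensitive is an assumption of the example rather than something the page states. It also flags two settings a reviewer would want to see called out: `enable-s3-public-access` being true, and the internal-use-only `deleted` flag appearing in hand-written config.

```python
"""Lint Accelerator account-config entries against the constraints the
Account Config reference states. Added example; not the Accelerator's
own validator. All account data below is constructed."""

REQUIRED = ("account-name", "email", "ou", "src-filename")
# Valid values for cwl-retention, per the property description.
CWL_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                      545, 731, 1827, 3653}
MAX_OU_DEPTH = 5  # "OUs can be up to 5 levels deep"


def lint_account(key, cfg, known_scps=frozenset()):
    """Return a list of problems for one account entry (empty if clean)."""
    problems = []
    for field in REQUIRED:
        if field not in cfg:
            problems.append(f"{key}: missing required property '{field}'")

    ou = cfg.get("ou")
    if isinstance(ou, str) and "/" in ou:
        problems.append(f"{key}: 'ou' must not contain '/'; use 'ou-path' for nested OUs")

    ou_path = cfg.get("ou-path")
    if isinstance(ou_path, str):
        depth = len([p for p in ou_path.split("/") if p])
        if depth > MAX_OU_DEPTH:
            problems.append(f"{key}: 'ou-path' is {depth} levels deep (max {MAX_OU_DEPTH})")

    retention = cfg.get("cwl-retention")
    if retention is not None and retention not in CWL_RETENTION_DAYS:
        problems.append(f"{key}: 'cwl-retention' {retention} is not a valid CloudWatch retention period")

    # scps must reference SCPs defined in global-options; known_scps is the
    # set of names the caller extracted from there.
    for scp in cfg.get("scps", []):
        if scp not in known_scps:
            problems.append(f"{key}: SCP '{scp}' is not defined in global-options")

    # Review flags: neither is invalid, but both deserve a second look.
    if cfg.get("enable-s3-public-access") is True:
        problems.append(f"{key}: enable-s3-public-access is true; confirm this account must serve public S3 objects")
    if "deleted" in cfg:
        problems.append(f"{key}: 'deleted' is internal-use only and should not be set by hand")
    return problems


def lint_accounts(accounts, known_scps=frozenset()):
    """Lint every account and enforce email uniqueness across the set.
    Emails are compared case-insensitively (an assumption of this example)."""
    problems = []
    seen = {}
    for key, cfg in accounts.items():
        problems.extend(lint_account(key, cfg, known_scps))
        email = cfg.get("email")
        if isinstance(email, str):
            norm = email.strip().lower()
            if norm in seen:
                problems.append(f"{key}: email '{email}' already used by account '{seen[norm]}'")
            else:
                seen[norm] = key
    return problems


# Constructed sample input: one clean workload account and one that trips
# every check. Names, emails and the SCP name are hypothetical.
KNOWN_SCPS = frozenset({"Deny-Root-User"})
SAMPLE_ACCOUNTS = {
    "dev-workload": {
        "account-name": "DevWorkload",
        "email": "aws-dev-workload@example.com",
        "ou": "Dev",
        "ou-path": "Dev/team-a",
        "src-filename": "config.json",
        "cwl-retention": 90,
        "scps": ["Deny-Root-User"],
    },
    "bad-account": {
        "account-name": "Bad",
        "email": "AWS-Dev-Workload@example.com",  # duplicate, differing only in case
        "ou": "Dev/team-b",                        # '/' not allowed in 'ou'
        "ou-path": "Dev/a/b/c/d/e",                # six levels deep
        "cwl-retention": 45,                       # not in the valid list
        "enable-s3-public-access": True,
        "deleted": True,
        "scps": ["Not-Defined-Anywhere"],
        # src-filename missing
    },
}

if __name__ == "__main__":
    for problem in lint_accounts(SAMPLE_ACCOUNTS, KNOWN_SCPS):
        print(problem)
```

Run it against the real config by loading the account map and the SCP names from `global-options` and passing them to `lint_accounts`; a non-empty return value is the list to block the change on (or, for the two review flags, to route to a reviewer).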