Warning
The configuration file schema documentation is a work in progress. Please use this draft document with caution. The deeper you browse into the hierarchy, the less accurate the definitions are likely to be.

The Account Config object is used to define both workload and mandatory (shared) accounts, and enables customizing each individual account to have its own unique persona. It is recommended that accounts primarily receive their persona and configuration from their OU; each account's persona can then be customized within this section. Workload accounts typically have a minimal amount of account-level customization, whereas shared accounts typically contain a high degree of customization because of their unique roles.

Hierarchy

  • AccountConfig

Properties

account-name

account-name: string
Title: Account Name
Description: The name used to create the AWS account. The name appears in the AWS console, on the SSO login screen and in other locations that end users will see.

Optional account-warming-required

account-warming-required: boolean
Title: Account Warming Required
Description: Set to true to force a new AWS account to be initialized so that subsequent programmatic deployments into the account succeed. Warming is performed by spinning up a small temporary VPC and EC2 instance in the account and letting it run for roughly 15 minutes before the Accelerator attempts to programmatically deploy resources.

Optional alb

alb: (ALBConfig | { action-type: string; apply-tags?: {}; cross-zone?: boolean; endpoint-subnets: { account?: string; subnet: string; vpc: string }[]; ip-type: string; name: string; subnets: string; targets: ALBTargetConfig1[]; type: "GWLB"; vpc: string })[]
Title: ELB
Description: Deploys an ELB (ALB and/or GWLB), per the defined configuration, in this account (in addition to any OU defined ELBs).

Optional aws-config

Title: AWS Config Rules
Description: A list of config rules to be excluded from deployment to this account, even though specified to be deployed at the OU level.

Optional budget

budget: BudgetConfig
Title: Budget
Description: AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. This setting defines the AWS Budget configuration which will be created in this account, including budget alerts (overrides OU budgets).

Optional certificates

Title: Certificates
Description: Defines certificates to be created or imported into this account, in addition to OU defined certificates.

Optional cwl-retention

cwl-retention: number
Title: Override CloudWatch Log Retention
Description: Overrides the default retention period (in days) for CloudWatch Log Groups for this account. Valid values include: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653.

Optional deleted

deleted: boolean
Title: Deleted
Description: Marks the account as Suspended or Deleted. Internal Use only.

Optional deployments

deployments: Deployments
Title: Deployments
Description: This section is used to define the deployment configuration for higher-level objects such as rsyslog clusters, 3rd party firewalls and management appliances, Transit Gateways, and directory services such as MAD and ADCs within an account. Directory service deployments are only supported in mandatory accounts.

Optional description

description: string
Title: Description
Description: Description field used in the future GUI, and allows customers to provide a purpose for this account.

email

email: string
Title: Email
Description: The email address associated with this account. It must be unique across all AWS accounts and must never have been used to open an AWS account before.

Optional enable-s3-public-access

enable-s3-public-access: boolean
Title: Enable S3 Public Access
Description: By default, the Accelerator blocks S3 Public Access (the account-level S3 Block Public Access setting) in all accounts. Setting this flag to true removes that account-level block for this account, so buckets in it can be made publicly accessible; leave it unset unless the account has a confirmed need for public S3 content.

Optional exclude-ou-albs

exclude-ou-albs: boolean
Title: Exclude OU ALBs
Description: Setting this flag prevents the deployment of the OU defined ALBs in this account.

Optional gui-perm

gui-perm: boolean
Title: GUI Permission
Description: Set to true to block this field from being edited in the GUI.

Optional iam

Title: IAM
Description: Creates the defined IAM users, roles, and policies in this account in addition to the OU defined IAM objects.

Optional keep-default-vpc-regions

keep-default-vpc-regions: string[]
Title: Keep Default VPC regions
Description: The Accelerator deletes the default VPC in every region. This list specifies the regions in which the Accelerator will not delete the default VPC for this specific account.

Optional key-pairs

key-pairs: { name: string; region: string }[]
Title: Key Pairs
Description: Creates an EC2 keypair of the specified name in this account.

Optional limits

limits: {}
Title: Limits
Description: Automatically requests service limit increases for the account, and prevents the Accelerator from exceeding a limit by not deploying the affected objects until the increase has been confirmed.

Optional opt-in-vpcs

opt-in-vpcs: string[]
Title: Opt-In VPCs
Description: The names of the Opt-In VPCs, defined in the OU, to opt this account in to.

ou

ou: string
Title: OU
Description: The Organizational Unit (OU) this account belongs to, which defines the persona the account assumes. The OU must be defined in the OU section of the config file. Core or shared accounts typically belong to the ‘Security’ or ‘Infrastructure’ OU. The Accelerator does not support OUs with a / in their name.

Optional ou-path

ou-path: string
Title: OU Path
Description: This field is used when an account is located in a nested OU, formatted as follows: `Dev/subou1/subou2`. OUs can be up to 5 levels deep.

Optional populate-all-elbs-in-param-store

populate-all-elbs-in-param-store: boolean
Title: Populate all Organization ELBs in local Parameter store
Description: Populates Parameter Store for the specified account with ALB information from all accounts in the organization. This feature is typically used in a central ingress/egress account.

Optional s3-retention

s3-retention: number
Title: Account S3 logging bucket retention period
Description: In certain cases logs are delivered to the local account before being centralized to the central logging bucket (e.g. VPC Flow Logs). This setting determines the retention period for the local account's copy of the logs in S3. If not specified, the `global-options` default-s3-retention value is used.

Optional scps

scps: string[]
Title: SCPs
Description: A list of SCPs which were defined in `global-options` and are to be attached to this account.

Optional secrets

secrets: { name: string; region: string; size: number }[]
Title: Secrets
Description: Creates a secret of the specified name and length in Secrets Manager in this account.

Optional share-mad-from

share-mad-from: string
Title: Share MAD From
Description: Shares the Managed Microsoft Active Directory (MAD) from the account specified in this parameter to this account.

src-filename

src-filename: string
Title: Source Filename
Description: Source filename of the top-level config for this account. This allows the config file to be split into several files, and lets the Accelerator locate the file that contains this account's configuration.

Optional ssm-automation

ssm-automation: SSMShareAutomation[]
Title: SSM Automation Documents
Description: A list of the SSM automation documents defined and created within `global-options` to be *shared* into this account, in addition to any OU level documents shared into this account.

Optional ssm-inventory-collection

ssm-inventory-collection: boolean
Title: SSM Inventory Collection
Description: When true, deploys and configures SSM Inventory Collection.

Optional vpc

vpc: VPCConfig[]
Title: VPC
Description: Defines VPC(s) to be created inside this account. VPCs defined inside accounts are local to that account. For shared VPCs define them inside OUs.
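Several of the properties above carry constraints that are easy to get wrong in a hand-edited config and that only surface at deployment time: `email` must be unique and never used before, `ou` must exist in the OU section and contain no `/`, `ou-path` may be at most 5 levels deep, and `cwl-retention` only accepts the listed values. The following pre-deploy lint is an added example, not code from the Accelerator project; it checks those constraints for the account entries in a small constructed config. The top-level section names it walks (`mandatory-account-configs`, `workload-account-configs`, `organizational-units`) are assumptions about the surrounding file layout, as is the choice to treat `enable-s3-public-access` as a warning rather than an error.

```python
"""Pre-deploy lint for AccountConfig entries (added example, not Accelerator code)."""
import re

# Allowed CloudWatch Logs retention values in days, per the cwl-retention property.
CWL_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                      731, 1827, 3653}
REQUIRED = ("account-name", "email", "ou", "src-filename")  # non-Optional properties
MAX_OU_DEPTH = 5                                            # "OUs can be up to 5 levels deep"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")         # coarse address shape check

# Assumed top-level section names (not stated on this page).
ACCOUNT_SECTIONS = ("mandatory-account-configs", "workload-account-configs")
OU_SECTION = "organizational-units"


def lint_account(name, cfg, known_ous, seen_emails):
    """Return a list of problems for one account entry (empty list means clean).

    seen_emails is shared across calls so that e-mail reuse between accounts is caught.
    """
    problems = []
    for key in REQUIRED:
        if key not in cfg:
            problems.append(f"{name}: missing required property '{key}'")

    email = cfg.get("email")
    if email is not None:
        if not EMAIL_RE.match(email):
            problems.append(f"{name}: email '{email}' is not a valid address")
        elif email.lower() in seen_emails:
            problems.append(f"{name}: email '{email}' is reused by another account")
        else:
            seen_emails.add(email.lower())

    ou = cfg.get("ou")
    if ou is not None:
        if "/" in ou:
            problems.append(f"{name}: OU name '{ou}' contains '/', which is not supported")
        elif ou not in known_ous:
            problems.append(f"{name}: OU '{ou}' is not defined in the OU section")

    ou_path = cfg.get("ou-path")
    if ou_path is not None and len(ou_path.split("/")) > MAX_OU_DEPTH:
        problems.append(f"{name}: ou-path '{ou_path}' exceeds {MAX_OU_DEPTH} levels")

    retention = cfg.get("cwl-retention")
    if retention is not None and retention not in CWL_RETENTION_DAYS:
        problems.append(f"{name}: cwl-retention {retention} is not an allowed value")

    if cfg.get("enable-s3-public-access") is True:
        # Assumed policy: flag, but do not block, any account that lifts the S3 public block.
        problems.append(f"{name}: warning: enable-s3-public-access is true; "
                        "confirm this account really needs public S3 access")
    return problems


def lint_config(config):
    """Lint every mandatory and workload account; returns all problems found."""
    known_ous = set(config.get(OU_SECTION, {}))
    seen_emails = set()
    problems = []
    for section in ACCOUNT_SECTIONS:
        for name, cfg in config.get(section, {}).items():
            problems.extend(lint_account(name, cfg, known_ous, seen_emails))
    return problems


# Constructed sample config: one clean shared account and one workload account
# with several deliberate mistakes.
SAMPLE_CONFIG = {
    OU_SECTION: {"Security": {}, "Infrastructure": {}, "Dev": {}},
    "mandatory-account-configs": {
        "shared-network": {
            "account-name": "SharedNetwork",
            "email": "aws-shared-network@example.com",
            "ou": "Infrastructure",
            "src-filename": "config.json",
            "cwl-retention": 731,
        },
    },
    "workload-account-configs": {
        "dev-app": {
            "account-name": "DevApp",
            "email": "aws-shared-network@example.com",  # reused from shared-network
            "ou": "Dev",
            "ou-path": "Dev/a/b/c/d/e",                 # six levels, one too many
            "src-filename": "config.json",
            "cwl-retention": 100,                       # not in the allowed set
            "enable-s3-public-access": True,
        },
    },
}

if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print(problem)
```

Run it against the real config (after `json.load`) before committing a change; every line it prints is something the Accelerator would otherwise reject or silently deploy in a weaker state.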