Modifying an AWS Account
Managing AWS accounts involves tasks such as requesting new accounts, creating accounts, or renaming them. The Gruntwork Account Factory specifies which account management tasks must be performed exclusively through Infrastructure as Code (IaC), which are restricted to ClickOps in the AWS Console, and which support both methods.
This page outlines the appropriate mode (IaC or ClickOps) for various AWS account operations. When both options are available, we strongly recommended IaC for consistency, auditability, and reduced manual error.
Prerequisites
This page is intended for users who are:
- Are actively running Gruntwork Account Factory
- Have access to an AWS user or IAM role with administrative permissions for AWS Control Tower
When to use IaC vs. ClickOps
The table below lists common AWS account operations and provides guidance on whether to perform them using IaC or the AWS Console. Again, when both methods are supported, we strongly recommend IaC. For detailed information on each operation, click the operation name in the table.
- ✅ means that the operation is allowed or only possible in the specified mode.
- ❌ means the operation is not allowed or possible in the specified mode.
| Management operation | Terraform (IaC) | AWS Console (ClickOps) |
|---|---|---|
| Create a new Organization Unit (OU) | ❌ | ✅ |
| Request a new account | ✅ | ❌ |
| Create a new account | ✅ | ❌ |
| Remove an account | ✅ | ❌ |
| Rename an account | ❌ | ✅ |
| Update root account e-mail address | ❌ | ✅ |
| Modify account controls | ❌ | ✅ |
| Moving an account to a new Organizational Unit | ✅ (recommended) | ✅ (discouraged) |
| Update account admin user in Account Access IAM Identity Center | ✅ (recommended) | ✅ (discouraged) |
| Granting additional users access to accounts in AWS IAM Identity Center | ✅ (recommended) | ✅ (discouraged) |
Updating the account through the new AWS account request file
You can update specific attributes of an AWS account by modifying the corresponding account request file in the _new_account_requests directory. Follow the steps below to update specific attributes:
Steps to update
- Create a new branch to contain your changes.
- Update the desired attributes:
- To change the Organizational Unit (OU) name, modify the value of the
organizational_unit_namekey. - To update the account admin user, adjust the
sso_user_first_name,sso_user_last_name, andsso_user_emailkeys with the new user's first name, last name, and email.
- To change the Organizational Unit (OU) name, modify the value of the
Applying the updates
After completing your modifications:
- Push the branch with your changes and open a pull request.
- Gruntwork Pipelines automatically detects updates and executes a
planoperation. - Review the
planoutput to confirm the changes are accurate and align with expectations. - Once validated, merge the pull request to apply the updates.