
Pipelines Account Factory Configurations as Code

Pipelines Account Factory uses configurations written in HashiCorp Configuration Language (HCL) to enable dynamic behavior. These configurations determine how Account Factory will provision and configure new AWS accounts using Gruntwork Pipelines.

To process configurations, Pipelines parses every .hcl file within a .gruntwork directory, or a single file named gruntwork.hcl. Global configuration that applies to the whole repository belongs in the .gruntwork directory at the repository root, so the Account Factory configuration is typically a file named account-factory.hcl in that directory.

info

We recommend reviewing our concepts page on the HCL language to ensure familiarity with its features.

Basic configuration

Below is an example of a minimal configuration required for AccountFactory:

# .gruntwork/account-factory.hcl
account_factory {
  control_tower_module_version                  = "va.b.c"
  security_module_version                       = "va.b.c"
  architecture_catalog_module_version           = "va.b.c"
  infrastructure_catalog_module_version         = "va.b.c"
  access_control_repository_name                = "your-access-control-repository-name"
  infrastructure_catalog_module_repository_name = "your-infrastructure-catalog-module-repository-name"
}

Block Reference

For a more comprehensive walkthrough of how blocks work please see the Pipelines Configurations as Code concepts.

account_factory block

account_factory: block, required

Account Factory blocks are used to define configurations that are applicable for provisioning and configuring new AWS accounts.


See detailed attributes configuration options below.

Example
# .gruntwork/account-factory.hcl
account_factory {
  control_tower_module_version                  = "va.b.c"
  security_module_version                       = "va.b.c"
  architecture_catalog_module_version           = "va.b.c"
  infrastructure_catalog_module_version         = "va.b.c"
  access_control_repository_name                = "your-access-control-repository-name"
  infrastructure_catalog_module_repository_name = "your-infrastructure-catalog-module-repository-name"
}

account_vending block

account_vending: labeled block, optional

Account Vending blocks are available for Gruntwork Enterprise customers, nested within account_factory blocks, to define how additional features such as multi-environment account provisioning and delegated repositories are enabled. Each account-vending configuration block is a template for vending accounts as desired.


The labels, such as "sdlc" or "sandbox", are the names of the account-vending configuration blocks; these two are the default Gruntwork-provided labels. Enterprise customers may define their own blocks or modify the Gruntwork-provided ones, but should contact support@gruntwork.io if they intend to use the Gruntwork Developer Portal to generate new account requests, since the portal needs to know which labels exist.


Account Vending blocks are used to define configurations that are applicable to a single account vending within a repository. See more below.

Example
# .gruntwork/account-factory.hcl
account_factory {
  account_vending "sdlc" {
    account_identifiers  = ["dev", "stage", "prod"]
    catalog_repositories = ["path/to/catalog-repositories"]
  }

  account_vending "sandbox" {
    account_identifiers  = ["sandbox"]
    catalog_repositories = ["path/to/catalog-repositories"]
  }
}

In this example, when an account request of type sdlc is submitted, one account is created per identifier, with dev, stage, and prod used as the suffixes of the new account names. If the "Delegate Management of Account(s)?" option is chosen during the request, the catalog repository path/to/catalog-repositories is added to the new accounts.

Similarly, a request of type sandbox creates a single account with the suffix sandbox, and, if the "Delegate Management of Account(s)?" option is chosen, the catalog repository path/to/catalog-repositories is added to that account.

ci_collaborator block

ci_collaborator: labeled block, optional

A block, nested within an account_vending block, that adds a GitHub/GitLab team and their permissions to a dedicated infrastructure-live repository if the "Delegate Management of Account(s)?" option is chosen during account request. See detailed attributes configuration options below.

Example
account_factory {
  account_vending "sdlc" {
    account_identifiers  = ["dev", "stage", "prod"]
    catalog_repositories = ["path/to/catalog-repositories"]

    # HCL attributes are assigned with "=", not ":"
    ci_collaborator "a-team" {
      team       = "apple-team"
      permission = "maintainer"
    }

    ci_collaborator "b-team" {
      team       = "banana-team"
      permission = "read"
    }
  }
}

In this example, a-team is added as a maintainer and b-team as a read-only collaborator on the dedicated infrastructure-live repository, provided the "Delegate Management of Account(s)?" option is chosen during an account request of type sdlc.
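A pre-merge check for this file, added here as an example and not part of Gruntwork's tooling: it parses the small HCL subset the examples on this page use (labeled blocks, attributes assigned with `=`, quoted strings, single- or multi-line lists, and `#` or `//` comments; no expressions, heredocs or functions), then verifies the six attributes the minimal configuration above requires, the shape of each account_vending block, and every ci_collaborator grant. The PRIVILEGED set, the SAMPLE configuration and the repository and team names in it are constructed for this example; which permission names your platform accepts comes from the GitHub/GitLab documentation referenced under the permission attribute.

```python
"""Lint a .gruntwork/account-factory.hcl before merge (added example, not Gruntwork code)."""
import re
from types import SimpleNamespace

REQUIRED_ATTRS = ("control_tower_module_version", "security_module_version",
                  "architecture_catalog_module_version", "infrastructure_catalog_module_version",
                  "access_control_repository_name", "infrastructure_catalog_module_repository_name")
PRIVILEGED = {"admin", "owner"}  # assumption: these grant repo administration, so flag for review
# HCL subset this page uses: '#' or '//' comments, quoted strings, identifiers and punctuation.
TOKEN_RE = re.compile(r'''\s+|\#[^\n]*|//[^\n]*|(?P<str>"(?:[^"\\]|\\.)*")
    |(?P<ident>[A-Za-z_][A-Za-z0-9_-]*)|(?P<punct>[{}\[\]=,:])|(?P<bad>.)''', re.VERBOSE)

def parse(text):
    toks = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text) if m.lastgroup] + [("eof", "")]
    bad = next((v for k, v in toks if k == "bad"), None)  # whitespace/comments were already dropped
    if bad is not None:
        raise SyntaxError(f"unexpected character {bad!r}")
    pos = 0
    def take(expect=None):
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if expect is not None and tok != expect:
            raise SyntaxError(f"expected {expect[1]!r}, got {tok[1]!r}")
        return tok
    def value():
        kind, val = take()
        if kind == "str":
            return val[1:-1]  # quotes stripped, escapes left as written
        if (kind, val) == ("punct", "["):
            items = []
            while toks[pos] != ("punct", "]"):
                items.append(value())
                if toks[pos] == ("punct", ","):
                    take()
            take(("punct", "]"))
            return items
        raise SyntaxError(f"unexpected value {val!r}")
    def body(block):  # recursive descent: attributes and nested blocks until '}' or end of input
        while toks[pos] not in (("punct", "}"), ("eof", "")):
            name = take()[1]
            if toks[pos] == ("punct", "="):
                take()
                block.attrs[name] = value()
            elif toks[pos] == ("punct", ":"):  # 'team: "x"' is not HCL; fail with a clear message
                raise SyntaxError(f"{name}: HCL assigns attributes with '=', not ':'")
            else:  # nested block: optional quoted labels, then a braced body
                labels = []
                while toks[pos][0] == "str":
                    labels.append(take()[1][1:-1])
                take(("punct", "{"))
                child = SimpleNamespace(type=name, labels=labels, attrs={}, blocks=[])
                body(child)
                take(("punct", "}"))
                block.blocks.append(child)
    root = SimpleNamespace(type="<root>", labels=[], attrs={}, blocks=[])
    body(root)
    if toks[pos][0] != "eof":
        raise SyntaxError(f"unexpected {toks[pos][1]!r} at top level")
    return root

def lint(text):  # returns a list of findings; an empty list means the file passed
    factories = [b for b in parse(text).blocks if b.type == "account_factory"]
    if len(factories) != 1:
        return [f"expected exactly one account_factory block, found {len(factories)}"]
    af, findings = factories[0], []
    for attr in REQUIRED_ATTRS:
        val = af.attrs.get(attr)
        if not val or not isinstance(val, str):
            findings.append(f"account_factory: {attr} is required and must be a non-empty string")
    for vend in (b for b in af.blocks if b.type == "account_vending"):
        where = f'account_vending "{vend.labels[0] if vend.labels else "?"}"'
        ids = vend.attrs.get("account_identifiers")
        if not isinstance(ids, list) or not ids or len(set(map(str, ids))) != len(ids):
            findings.append(f"{where}: account_identifiers must be a non-empty list without duplicates")
        for c in (b for b in vend.blocks if b.type == "ci_collaborator"):
            cwhere = f'{where} / ci_collaborator "{c.labels[0] if c.labels else "?"}"'
            for req in ("team", "permission"):
                if not c.attrs.get(req):
                    findings.append(f"{cwhere}: {req} is required")
            if str(c.attrs.get("permission", "")).lower() in PRIVILEGED:
                findings.append(f"{cwhere}: grants {c.attrs['permission']!r} on the delegated repo; review before merge")
    return findings

# Constructed sample (not a real customer configuration); "c-team" is deliberately over-privileged.
SAMPLE = '''account_factory {
  control_tower_module_version = "v1.2.3"
  security_module_version = "v1.2.3"
  architecture_catalog_module_version = "v1.2.3"
  infrastructure_catalog_module_version = "v1.2.3"
  access_control_repository_name = "infrastructure-live-access-control"
  infrastructure_catalog_module_repository_name = "infrastructure-catalog"
  account_vending "sdlc" {
    account_identifiers = ["dev", "stage", "prod"]
    ci_collaborator "c-team" {
      team = "cherry-team"
      permission = "admin"
    }
  }
}'''
```

lint(SAMPLE) returns a single finding naming the c-team grant; the same file with "maintainer" in place of "admin" passes cleanly. The parser also rejects attributes written with `:` instead of `=` with a SyntaxError, since that form is not HCL, and rejects a stray closing brace at top level. Wire it into the pipeline that reviews changes to .gruntwork/ so that a collaborator grant cannot widen silently in a pull request.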

Account Factory Block Attributes

access_control_template_path

Path to the access-control-accounts template, in the architecture-catalog repository, to use when provisioning new accounts.

access_control_repository_name

The name of your infrastructure-live-access-control repository.

architecture_catalog_module_version

The version of the architecture catalog module to use when provisioning new accounts.

architecture_catalog_repo_url

The URL of the architecture catalog repository to use when provisioning new accounts.

aws_security_repo_url

aws_security_repo_url: string, optional

The URL of the aws-security module repository to use when provisioning new accounts.

aws_utilities_repo_url

The URL of the aws-utilities module repository to use when provisioning new accounts.

catalog_tags_location

catalog_tags_location: string, optional

The path to the catalog tags file to use when provisioning new accounts.

cis_service_catalog_repo_url

The URL of the cis-service-catalog module repository to use when provisioning new accounts.

control_tower_module_version

The version of the aws-control-tower module to use when provisioning new accounts.

control_tower_repo_url

The URL of the aws-control-tower repository to use when provisioning new accounts.

delegated_repository_template_path

The path to the devops-foundations-infrastructure-live-delegated template, in the architecture-catalog repository, to use when provisioning new accounts.

disable_vpc_inputs

disable_vpc_inputs: boolean, optional

If set to true, the terragrunt.hcl generated for the VPC in new delegated accounts will not pass any inputs to the VPC module. This is useful for customers with custom VPC configurations: e.g., IPAM, transit subnets, private NAT, etc. All of this custom config can go into vpc-app.hcl in _envcommon directly in the customer's infra-live repo.

Default: false

infrastructure_catalog_module_repository_name

The name of your infrastructure-catalog module repository.

infrastructure_catalog_module_version

The version of your infrastructure-catalog module repository.

logs_account_name

logs_account_name: string, optional

The name of your logs account if different from the default of logs.

management_account_name

The name of your management account if different from the default of management.

pipelines_read_token_name

(GitHub only) The name of your pipelines read token if different from the default of PIPELINES_READ_TOKEN.

pipelines_workflow_location

(GitHub only) The location of your pipelines workflow if different from the default of gruntwork-io/pipelines-workflows/.github/workflows/pipelines.yml@X.

security_account_name

security_account_name: string, optional

The name of your security account if different from the default of security.

security_module_version

The version of aws-security module repository to use when provisioning new accounts.

shared_account_name

shared_account_name: string, optional

The name of your shared account if different from the default of shared.

single_account_baseline_template_path

The path to the single-account-baseline template, in the architecture-catalog repository, to use when provisioning new accounts.

vpc_module_url

vpc_module_url: string, optional

The URL of the vpc module to use when provisioning new accounts.

vpc_module_version

vpc_module_version: string, optional

The version of the vpc module to use when provisioning new accounts.

Account Vending Block Attributes

account_identifiers

account_identifiers: list(string), required

A list of account identifiers. When vending accounts with this Account Vending configuration, a new account will be created for each identifier.

catalog_repositories

catalog_repositories: list(string), optional

A list of repositories that contain infrastructure modules that can be easily leveraged as a catalog by delegated repositories vended during account provisioning.

CI Collaborator Block Attributes

team

team: string, required

The name of the GitHub team or GitLab group to add to a delegated infrastructure-live repository.

permission

permission: string, required

The permission to grant the GitHub team or GitLab group. See the respective GitHub or GitLab documentation for the permission names each platform accepts. Grant the lowest permission the team needs: write access to the delegated infrastructure-live repository is what lets a team change the vended accounts through Pipelines, so a grant here is effectively an access decision for those accounts.