Correct order of running account-baseline-* modules

Answer

If I have an existing single AWS account that is the master account of my Organization, should I run the `account-baseline-root` against it? What are some issues I may see, and is it safe? If I have CloudTrail running in this account, should I turn it off for the newly created one by the `account-baseline-root`? If `account-baseline-root` creates new accounts for me, should I then run `account-baseline-app` against them, assuming they are not Security or Log accounts?

---

[Tracked in ticket #108706](https://support.gruntwork.io/hc/requests/108706)

`account-baseline-root` is only safe to run in a clean environment (brand new account). If you have existing infrastructure, it may conflict with what `account-baseline-root` intends to deploy. In these cases, it is safer to piecemeal deploy the individual components that you need by directly deploying the underlying modules (e.g., calling the `aws-config-multi-region` module to deploy AWS Config), or building your own `account-baseline-root` module by composing just the modules that you need (using our module as a reference).

Our customers have also approached this by importing the existing components into Terraform management, but with potentially 100s of resources, this may not always be feasible, and is error-prone. This is only recommended for advanced Terraform users who are very comfortable with the resource importing process.

> If account-baseline-root creates new accounts for me, should I then run account-baseline-app against them, assuming they are not Security or Log accounts?

Yes. `account-baseline-root` will not automatically set up the underlying Landing Zone resources as it is creating the accounts, so you will need to individually deploy `account-baseline-app` or `account-baseline-security`.

Note that `account-baseline-app` should be deployed in the Logs account, but with different parameters to ensure it reuses the Logs account resources created by `account-baseline-root` in the same account (as opposed to a cross-account lookup).