
Automate account creation by using the Landing Zone Accelerator on AWS - AWS Prescriptive Guidance

Automate account creation by using the Landing Zone Accelerator on AWS

Created by Justin Kuskowski (AWS), Joe Behrens (AWS), and Nathan Scott (AWS)

Summary

This pattern explains how to use the Landing Zone Accelerator on AWS solution to automatically deploy a new AWS account when an authorized user submits a request. It uses AWS Step Functions to orchestrate a number of AWS Lambda functions. The Lambda functions add the account information to a Git repository, initiate an AWS CodePipeline pipeline, and validate that the necessary AWS resources are provisioned. When the process is complete, the user receives a notification that the account has been created.

Optionally, you can integrate Microsoft Entra ID groups and assign AWS IAM Identity Center permission sets during the account creation process. If your organization is using Microsoft Entra ID as an identity source, this optional feature helps you automatically manage and configure access to the new account.

Prerequisites and limitations

Prerequisites

  • Access to the management account in AWS Organizations

  • AWS Cloud Development Kit (AWS CDK) version 2.118.0 or later, installed and configured

  • Python version 3.9 or later, installed

  • AWS Command Line Interface (AWS CLI) version 2.13.19 or later, installed

  • Docker version 24.0.6 or later, installed

  • Landing Zone Accelerator on AWS solution, deployed in the management account

  • (Optional) Microsoft Entra ID and IAM Identity Center, integrated

Limitations

The account creation workflow runs sequentially and deploys one AWS account per execution. This limitation ensures that each execution completes without competing for resources with a parallel run of the workflow.

Architecture

Target architecture

The following image shows the high-level architecture of automating creation of a new AWS account by using the Landing Zone Accelerator on AWS. AWS Step Functions orchestrates the automation. Each task in the Step Functions workflow is performed by one or more AWS Lambda functions.

Workflow to automate the creation of a new account by using the Landing Zone Accelerator on AWS.

The diagram shows the following workflow:

  1. The user requests an account by either running a Python script or by using Amazon API Gateway.

  2. The Account Creation Orchestrator workflow starts in AWS Step Functions.

  3. The workflow updates the account-config.yaml file in the source code repository. It also initiates the Landing Zone Accelerator on AWS pipeline and checks the status of the pipeline. This pipeline creates and sets up the new account. For more information about how this works, see the Architecture overview for the Landing Zone Accelerator on AWS.

  4. (Optional) When the pipeline is complete, the workflow checks whether the group exists in Microsoft Entra ID. If the group doesn’t exist in Microsoft Entra ID, the workflow adds the group to Microsoft Entra ID.

  5. The workflow performs additional steps that the Landing Zone Accelerator on AWS solution can't do. The default steps include:

  6. (Optional) The workflow assigns one or more permission sets to the Microsoft Entra ID group that you previously specified. The permission sets allow users in the group to access the new account and allow them to perform the actions you configure.

  7. An AWS Lambda function runs QA and validation tests. It validates resource creation, checks that tags have been created, and validates that security resources have been deployed.

  8. The workflow releases the account and uses Amazon Simple Email Service (Amazon SES) to notify the user that the process has completed successfully.

For more information about the Step Functions workflow, see Step Functions workflow diagram in the Additional information section of this pattern.

Microsoft Entra ID applications

If you choose to integrate with Microsoft Entra ID, you create the following two applications when you deploy this pattern:

  • An application that is linked to IAM Identity Center and makes sure that Microsoft Entra ID groups are available in IAM Identity Center. In this example, this Microsoft Entra ID application is named LZA2.

  • An application that allows a Lambda function to communicate with Microsoft Entra ID and call the Microsoft Graph APIs. In this pattern, this application is named create_aws_account.

These applications collect data that is used to sync the Microsoft Entra ID group and assign permission sets.

Tools

AWS services

  • Amazon API Gateway helps you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale. In this pattern, you use API Gateway to check the availability of AWS account names, initiate the AWS Step Functions workflow, and check the status of the Step Functions execution.

  • AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code.

  • AWS Control Tower helps you set up and govern an AWS multi-account environment, following prescriptive best practices.

  • Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts. This solution uses an EventBridge rule that starts a Lambda function if the Step Functions execution status changes to Failed, Timed out, or Aborted.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS IAM Identity Center helps you centrally manage single sign-on (SSO) access to all of your AWS accounts and cloud applications.

  • AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data. In this pattern, AWS KMS keys are used to encrypt data, such as data stored in Amazon Simple Storage Service (Amazon S3), Lambda environment variables, and data in Step Functions.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • Amazon Simple Email Service (Amazon SES) helps you send and receive emails by using your own email addresses and domains. After a new account is successfully created, you receive a notification through Amazon SES.

  • Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses. If an error occurs during the account creation process, Amazon SNS sends a notification to the email addresses that you configure.

  • AWS Step Functions is a serverless orchestration service that helps you combine AWS Lambda functions and other AWS services to build business-critical applications.

  • AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management.
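The EventBridge rule described in the list above forwards only executions that ended in a failure state. The following added example (not code from this pattern's repository) builds that event pattern for one state machine and evaluates it locally against constructed Step Functions status-change events, so the rule can be unit-tested before it is deployed. The state machine ARN, account ID and execution IDs are placeholders.

```python
# Added example, not part of the lza-account-creation-workflow repository.
# Builds the EventBridge pattern for failed Step Functions executions and
# checks it against constructed sample events.
from typing import Dict, List

# Terminal statuses that should trigger the failure-notification Lambda.
# Step Functions reports "Timed out" as TIMED_OUT.
FAILURE_STATUSES = ["FAILED", "TIMED_OUT", "ABORTED"]

# Placeholder ARN (assumption): the Account Creation Orchestrator state machine.
SM_ARN = "arn:aws:states:us-east-1:111111111111:stateMachine:AccountCreationOrchestrator"
EXEC_PREFIX = "arn:aws:states:us-east-1:111111111111:execution:AccountCreationOrchestrator:"


def failure_event_pattern(state_machine_arn: str) -> Dict:
    """EventBridge event pattern for status-change events of one state machine
    whose status is one of FAILURE_STATUSES. Scoping the pattern to the ARN keeps
    the rule from firing for unrelated state machines in the management account."""
    return {
        "source": ["aws.states"],
        "detail-type": ["Step Functions Execution Status Change"],
        "detail": {
            "stateMachineArn": [state_machine_arn],
            "status": FAILURE_STATUSES,
        },
    }


def matches(pattern: Dict, event: Dict) -> bool:
    """Minimal EventBridge matcher: every pattern key must exist in the event;
    a list means 'the value is one of these', a dict recurses. Wildcards and
    prefix/anything-but filters are not implemented (this rule needs none)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def failed_executions(pattern: Dict, events: List[Dict]) -> List[str]:
    """Return the executionArn of every event the rule would forward."""
    return [e["detail"]["executionArn"] for e in events if matches(pattern, e)]


def _event(exec_id: str, status: str, sm_arn: str = SM_ARN) -> Dict:
    """Constructed status-change event in the shape Step Functions emits."""
    return {
        "source": "aws.states",
        "detail-type": "Step Functions Execution Status Change",
        "detail": {
            "executionArn": EXEC_PREFIX + exec_id,
            "stateMachineArn": sm_arn,
            "status": status,
        },
    }


# Constructed sample events: one success, three failures, and a failure from a
# different state machine that the rule must ignore.
OTHER_SM_ARN = "arn:aws:states:us-east-1:111111111111:stateMachine:SomethingElse"
SAMPLE_EVENTS = [
    _event("req-0001", "SUCCEEDED"),
    _event("req-0002", "FAILED"),
    _event("req-0003", "TIMED_OUT"),
    _event("req-0004", "FAILED", sm_arn=OTHER_SM_ARN),
    _event("req-0005", "ABORTED"),
]

if __name__ == "__main__":
    for arn in failed_executions(failure_event_pattern(SM_ARN), SAMPLE_EVENTS):
        print("would notify on", arn)
```

The dict returned by `failure_event_pattern` is what goes into the rule's event pattern (in CDK, `events.Rule(..., event_pattern=...)`); running the matcher over captured events from the Step Functions console is a quick way to confirm a rule change before redeploying.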

Other tools

  • awscurl automates the process of signing AWS API requests and helps you make requests as a standard curl command.

  • Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud-based identity and access management service.

  • Microsoft Graph APIs help you access data and intelligence in Microsoft cloud services, such as Microsoft Entra and Microsoft 365.

Code repository

The code for this pattern is available in the GitHub lza-account-creation-workflow repository.

The lambda_layer directory contains the following layers, which are referenced in more than one Lambda function:

The lambda_src directory contains the following Lambda functions:

  • AccountTagToSsmParameter – This function uses the tags attached to the account in AWS Organizations to create parameters in Parameter Store. Each parameter name starts with the /account/tags/ prefix.

  • AttachPermissionSet – This function adds a permission set to an IAM Identity Center group.

  • AzureADGroupSync – This function syncs the target Microsoft Entra ID group to IAM Identity Center.

  • CheckForRunningProcesses – This function checks whether the AWSAccelerator-Pipeline pipeline is currently running. If the pipeline is running, the function delays the AWS Step Functions workflow.

  • CreateAccount – This function uses AWS Service Catalog and AWS Control Tower to create the new AWS account.

  • CreateAdditionalResources – This function creates the AWS resources that aren't managed by Landing Zone Accelerator or AWS CloudFormation, such as the account alias and AWS Service Catalog tags.

  • GetAccountStatus – This function scans for the provisioned product in AWS Service Catalog to determine if the account creation process has completed.

  • GetExecutionStatus – This function retrieves the status of a running or completed AWS Step Functions execution.

  • NameAvailability – This function checks if an AWS account name already exists in AWS Organizations.

  • ReturnResponse – If the account creation was successful, this function returns the ID of the new account. If the account creation was not successful, it returns an error message.

  • RunStepFunction – This function runs the AWS Step Functions workflow that creates the account.

  • SendEmailWithSES – This function sends emails to the users who are waiting for the account creation to finish.

  • ValidateADGroupSyncToSSO – This function checks if the specified Microsoft Entra ID groups are synced with IAM Identity Center.

  • ValidateResources – This function validates that all AWS Control Tower customizations have run successfully.
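Two of the functions listed above, NameAvailability and AccountTagToSsmParameter, come down to small pieces of logic that are worth testing separately from the AWS calls. The following added example (not the repository's own code) shows that logic: a case-insensitive name check against the names in the organization, and the tag-to-parameter mapping under the /account/tags/ prefix with the Parameter Store name rules enforced. The `_FakeOrganizations` client, its account names, and the case-folding of names are constructed assumptions for the example.

```python
# Added example, not part of the lza-account-creation-workflow repository.
# Pure logic behind NameAvailability and AccountTagToSsmParameter.
import re
from typing import Dict, Iterable, List

SSM_TAG_PREFIX = "/account/tags/"
# Parameter Store allows letters, digits, '.', '-' and '_' in a name component.
_PARAM_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")


def normalize_account_name(name: str) -> str:
    """Fold case and collapse whitespace. Organizations compares names as given;
    treating 'LZA-Test-01' and 'lza-test-01' as the same name is a deliberately
    stricter choice (assumption) so near-duplicate accounts are not requested."""
    return " ".join(name.split()).casefold()


def name_is_available(requested: str, existing_names: Iterable[str]) -> bool:
    """True if no account in the organization already uses the requested name."""
    taken = {normalize_account_name(n) for n in existing_names}
    return normalize_account_name(requested) not in taken


def list_account_names(org_client) -> List[str]:
    """Collect every account name via the list_accounts paginator; the API
    returns at most 20 accounts per page, so a single call would miss names."""
    names = []
    for page in org_client.get_paginator("list_accounts").paginate():
        names.extend(account["Name"] for account in page["Accounts"])
    return names


def tags_to_parameters(tags: List[Dict[str, str]]) -> Dict[str, str]:
    """Map Organizations tags ({'Key': ..., 'Value': ...}) to Parameter Store
    names under /account/tags/. A key with characters outside the Parameter
    Store rules (for example an 'aws:cloudformation:...' key) is rejected rather
    than silently producing a name outside the prefix."""
    params = {}
    for tag in tags:
        key = tag["Key"]
        if not _PARAM_COMPONENT.fullmatch(key):
            raise ValueError(f"tag key {key!r} is not a valid Parameter Store name component")
        params[SSM_TAG_PREFIX + key] = tag["Value"]
    return params


class _FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (two pages), so
    the example runs offline; in the Lambda, boto3.client('organizations') goes here."""
    _pages = [
        {"Accounts": [{"Name": "Management"}, {"Name": "LogArchive"}]},
        {"Accounts": [{"Name": "lza-test-01"}]},
    ]

    def get_paginator(self, operation_name: str):
        assert operation_name == "list_accounts"
        pages = self._pages

        class _Paginator:
            def paginate(self, **kwargs):
                return iter(pages)

        return _Paginator()


if __name__ == "__main__":
    names = list_account_names(_FakeOrganizations())
    print("lza-test-02 available:", name_is_available("lza-test-02", names))
    print(tags_to_parameters([{"Key": "Environment", "Value": "Dev"}]))
```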

Best practices

We recommend the following naming conventions for the AWS CDK: 

  • Start all parameters with a p prefix.

  • Start all conditions with a c prefix.

  • Start all resources with an r prefix.

  • Start all outputs with an o prefix.

Epics


Deploy the IAM roles for validation and tagging


Prepare the Landing Zone Accelerator on AWS for customization.

  1. In the Landing Zone Accelerator on AWS code repository, create a file named customizations-config.yaml. You use this file to define customizations for the core solution. For more information, see Customizing the solution.

  2. In the customizations-config.yaml file, create a section called cloudFormationStacks.

Skills required: AWS DevOps

Prepare to deploy the lza-account-creation-validation role.

Now, you customize the solution to deploy the lza-account-creation-validation IAM role in all accounts other than the management account. This role provides the ValidateResources Lambda function with read-only access to the new accounts.

  1. Download the account-creation-validation-role.yaml file from GitHub.

  2. Save the file to the location that is indicated in the templates section of the customizations-config.yaml file.

  3. Open the customizations-config.yaml file.

  4. In the cloudFormationStacks section, add the following code. Update the target AWS Region as needed for your landing zone:

    - deploymentTargets:
        organizationalUnits:
          - Root
        excludedAccounts:
          - Management
      description: IAM Role to allow Account Validation
      name: lza-account-creation-validation
      regions:
        - us-east-1
      template: cloudformation/account-creation-validation-role.yaml
      runOrder: 1
      terminationProtection: true
      parameters:
        - name: pManagementAccountId
          value: "{{ account Management }}"

  5. Save and close the customizations-config.yaml file.

Skills required: AWS DevOps

Prepare to deploy the account-tagging-to-ssm-parameter-role role.

Now, you customize the solution to deploy the account-tagging-to-ssm-parameter-role IAM role in all accounts other than the management account. This role is used to create the parameters in AWS Systems Manager Parameter Store.

  1. Download the account-tagging-to-ssm-parameter-role.yaml file from GitHub.

  2. Save the file to the location that is indicated in the templates section of the customizations-config.yaml file.

  3. Open the customizations-config.yaml file.

  4. In the cloudFormationStacks section, add the following code. Update the target AWS Region as needed for your landing zone:

    - deploymentTargets:
        organizationalUnits:
          - Root
        excludedAccounts:
          - Management
      description: IAM Role to create SSM Parameters based on Account Tagging
      name: lza-account-tagging-to-ssm-parameter
      regions:
        - us-east-1
      template: cloudformation/account-tagging-to-ssm-parameter-role.yaml
      runOrder: 1
      terminationProtection: true
      parameters:
        - name: pManagementAccountId
          value: "{{ account Management }}"

  5. Save and close the customizations-config.yaml file.

Skills required: AWS DevOps

Prepare to deploy the config-log-validation-role role.

Now, you customize the solution to deploy the config-log-validation-role IAM role in the log archive account. This role allows the ValidateResources Lambda function to access the Amazon S3 bucket for logging and access AWS Config rules.

  1. Download the config-log-validation-role.yaml file from GitHub.

  2. Save the file to the location that is indicated in the templates section of the customizations-config.yaml file.

  3. Open the customizations-config.yaml file.

  4. In the cloudFormationStacks section, add the following code. Update the target AWS Region as needed for your landing zone:

    - deploymentTargets:
        accounts:
          - LogArchive
      description: IAM Role to validate Config and Logs
      name: lza-config-log-validation-role
      regions:
        - us-east-1
      template: cloudformation/config-log-validation-role.yaml
      runOrder: 1
      terminationProtection: true
      parameters:
        - name: pManagementAccountId
          value: "{{ account Management }}"

  5. Save, close, and commit the changes made to the customizations-config.yaml file.

Skills required: AWS DevOps
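The three cloudFormationStacks entries in this epic are easy to get subtly wrong: dropping the Management exclusion from a Root-wide target would deploy a validation role into the management account, and a wrong pManagementAccountId value would hand the role's parameter to a different account. The following added example (not code from the Landing Zone Accelerator or this pattern) is a pre-commit check over those entries. The entries are embedded as constructed dicts; yaml.safe_load on customizations-config.yaml yields the same structure, so the function can be pointed at the real file.

```python
# Added example, not part of the Landing Zone Accelerator or this pattern's repository.
# Checks cloudFormationStacks entries against the intent stated in the epic.
import copy
from typing import Dict, List

MANAGEMENT_PARAM = {"name": "pManagementAccountId", "value": "{{ account Management }}"}


def check_stack(entry: Dict) -> List[str]:
    """Return a list of findings for one cloudFormationStacks entry (empty if clean)."""
    findings = []
    name = entry.get("name", "<unnamed>")
    targets = entry.get("deploymentTargets", {})
    ous = targets.get("organizationalUnits", [])
    excluded = targets.get("excludedAccounts", [])
    accounts = targets.get("accounts", [])

    # The epic deploys these roles "in all accounts other than the management
    # account": a Root-wide target must exclude Management explicitly.
    if "Root" in ous and "Management" not in excluded:
        findings.append(f"{name}: targets Root without excluding Management")
    if not ous and not accounts:
        findings.append(f"{name}: no deployment target")
    if not entry.get("regions"):
        findings.append(f"{name}: no regions listed")
    if entry.get("terminationProtection") is not True:
        findings.append(f"{name}: terminationProtection must be true")
    template = entry.get("template", "")
    if not (template.startswith("cloudformation/") and template.endswith(".yaml")):
        findings.append(f"{name}: template must be a .yaml file under cloudformation/")
    # Every role template on the page takes pManagementAccountId from the
    # Management account; the exact use inside the templates is not shown here.
    if MANAGEMENT_PARAM not in entry.get("parameters", []):
        findings.append(f"{name}: parameter pManagementAccountId must be set to "
                        "{{ account Management }}")
    return findings


def check_config(entries: List[Dict]) -> Dict[str, List[str]]:
    """Findings keyed by stack name, only for entries that have any."""
    result = {}
    for entry in entries:
        findings = check_stack(entry)
        if findings:
            result[entry.get("name", "<unnamed>")] = findings
    return result


def _root_except_management(name: str, description: str, template: str) -> Dict:
    """Constructed entry in the shape of the first two stacks in the epic."""
    return {
        "deploymentTargets": {"organizationalUnits": ["Root"], "excludedAccounts": ["Management"]},
        "description": description,
        "name": name,
        "regions": ["us-east-1"],
        "template": template,
        "runOrder": 1,
        "terminationProtection": True,
        "parameters": [dict(MANAGEMENT_PARAM)],
    }


# Constructed from the three entries shown in the epic above.
STACKS = [
    _root_except_management("lza-account-creation-validation",
                            "IAM Role to allow Account Validation",
                            "cloudformation/account-creation-validation-role.yaml"),
    _root_except_management("lza-account-tagging-to-ssm-parameter",
                            "IAM Role to create SSM Parameters based on Account Tagging",
                            "cloudformation/account-tagging-to-ssm-parameter-role.yaml"),
    {
        "deploymentTargets": {"accounts": ["LogArchive"]},
        "description": "IAM Role to validate Config and Logs",
        "name": "lza-config-log-validation-role",
        "regions": ["us-east-1"],
        "template": "cloudformation/config-log-validation-role.yaml",
        "runOrder": 1,
        "terminationProtection": True,
        "parameters": [dict(MANAGEMENT_PARAM)],
    },
]

if __name__ == "__main__":
    print("findings:", check_config(STACKS))
    broken = copy.deepcopy(STACKS[0])
    del broken["deploymentTargets"]["excludedAccounts"]
    print("after dropping the exclusion:", check_stack(broken))
```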

(Optional) Get data from Microsoft Entra ID


Create the application that allows a Lambda function to communicate with Microsoft Entra ID.

  1. In the Microsoft Entra ID admin center, register the create_aws_account application. For instructions, see Register an application in the Microsoft documentation.

  2. Follow the instructions in Update an app's requested permissions in the Microsoft documentation to configure the following Microsoft Graph permissions for the create_aws_account application:

Skills required: Microsoft Entra ID

Retrieve values for the create_aws_account application.

Now, you retrieve the values that you need for the create_aws_account application.

  1. In the Microsoft Entra ID admin center, navigate to App registrations, and then choose create_aws_account.

  2. In the left pane, choose Overview.

  3. On the Overview page, make note of the following values:

    • Application (client) ID

    • Directory (tenant) ID

  4. In the left pane, under Manage, choose Certificates & secrets.

  5. On the Certificates & secrets page, choose the Client secrets tab, and then make note of the following values:

    • Client secret value

    • Client secret ID

Skills required: Microsoft Entra ID

Create the application that integrates Microsoft Entra ID with IAM Identity Center.

In the Microsoft Entra ID admin center, register the LZA2 application. For instructions, see Register an application in the Microsoft documentation.

Skills required: Microsoft Entra ID

Retrieve values for the LZA2 application.

Now, you retrieve the values that you need for the LZA2 application.

  1. In the Microsoft Entra ID admin center, navigate to Enterprise applications, and then choose LZA2.

  2. In the left pane, choose Overview.

  3. On the Overview page, make note of the following values:

    • Name

    • Object ID

  4. In the left pane, under Manage, choose Manifest.

  5. In the JSON file, in the appRoles section, locate the app role named User.

  6. Make note of the id value for this app role.

Skills required: Microsoft Entra ID

Create a secret.

  1. In the AWS CLI, enter the following command to create the variables. Use the values that you retrieved for the create_aws_account and LZA2 applications:

    # Variables for create_aws_account app
    TENANT_ID='<Directory ID>'
    CLIENT_ID='<Application ID>'
    SECRET_ID='<Client secret ID>'
    SECRET_VALUE='<Client secret value>'

    # Variables for LZA2 app
    OBJECT_ID='<Object ID>'
    APP_ROLE_ID='<App role ID>'
    ENTERPRISE_APP_NAME='<Name>'

  2. Enter the following command to create a secret named GraphApiSecret in AWS Secrets Manager:

    aws secretsmanager create-secret \
      --name GraphApiSecret \
      --secret-string "{\"client_id\": \"${CLIENT_ID}\", \"tenant_id\": \"${TENANT_ID}\", \"object_id\": \"${OBJECT_ID}\", \"app_role_id\": \"${APP_ROLE_ID}\", \"secret_value\": \"${SECRET_VALUE}\", \"secret_id\": \"${SECRET_ID}\"}"

    If you need to update the secret in the future, you can update the variables and run the following command:

    aws secretsmanager update-secret \
      --secret-id GraphApiSecret \
      --secret-string "{\"client_id\": \"${CLIENT_ID}\", \"tenant_id\": \"${TENANT_ID}\", \"object_id\": \"${OBJECT_ID}\", \"app_role_id\": \"${APP_ROLE_ID}\", \"secret_value\": \"${SECRET_VALUE}\", \"secret_id\": \"${SECRET_ID}\"}"

Skills required: AWS DevOps

Deploy the solution


Clone the source code.

  1. Enter the following command to clone the lza-account-creation-workflow repository:

    git clone https://github.com/aws-samples/lza-account-creation-workflow
  2. Enter the following command to navigate into the config directory of the cloned repository:

    cd lza-account-creation-workflow/config

Skills required: DevOps engineer

Update the deploy-config.yaml file.

  1. Open the deploy-config.yaml file.

  2. Review the template and update the values as needed for deployment in your AWS environment. For example, update values for the following:

    • accountCreationFailure

    • accountCompletionFromEmail

    • ssoLoginUrl

    • rootEmailPrefix

    • rootEmailDomain

  3. If you're integrating with Microsoft Entra ID, do the following:

    • Set enableAzureADIntegration to true.

    • For graphApiSecretName value, enter the secret that you created previously (GraphApiSecret).

  4. Save and close the deploy-config.yaml file.

Skills required: AWS DevOps

Deploy the solution in your AWS environment.

  1. Enter the following command:

    cdk bootstrap <account-number>/<Region>

    For more information, see Bootstrapping in the AWS CDK documentation.

  2. Enter the following command to synthesize the CloudFormation template:

    cdk synth

    For more information, see Configure and perform AWS CDK stack synthesis in the AWS CDK documentation.

  3. Enter the following command to deploy the solution.

    cdk deploy

    For more information, see Deploy AWS CDK applications in the AWS CDK documentation.

Note

This solution uses an Amazon S3 bucket to store the source code for this solution. You can use the upload_to_source_bucket.py script to create an archive of the source code and upload an updated version.

Skills required: AWS DevOps

Option 1 – Create an account using Python


Identify which arguments to use.

Choose which arguments to use when you run the Python script that initiates the Step Functions workflow. For a complete list of arguments, see the Additional information section of this pattern.

Skills required: AWS DevOps, Python

Start the Python script.

  1. Enter the following command to navigate into the cloned repository:

    cd lza-account-creation-workflow
  2. Run the Python script that initiates the Step Functions workflow. The following is an example command that includes sample arguments and values:

    python ./run-stepfunction.py \
      --account-name "lza-test-01" \
      --support-dl "johnsmith@example.com" \
      --managed-org-unit "Workloads/Workload-1" \
      --purpose "Testing new micro service" \
      --force-update true \
      --ad-integration "{\"CustomerAccountAdmin\": \"platform-admin\", \"CustomerAccountDev\": \"workload1-app1\"}" \
      --bypass-creation true \
      --tags APPLICATION=TestingMicroService

  3. Wait until you receive a notification that the account has been successfully created.

    Note

    If the account creation process fails, Amazon SNS sends a notification to the email addresses that you define in accountCreationFailure in the deploy-config.yaml file. The account requester is not notified.

Skills required: DevOps engineer, Python

Option 2 – Create an account using API Gateway

Set up the variables for awscurl.

  1. Enter the following command to navigate into the source code directory:

    cd lza-account-creation-workflow
  2. Enter the following command to set the AWS access key variables. You can copy the variables from the AWS access portal and then paste them into a shell. The following is an example:

    export AWS_ACCESS_KEY_ID="<id>"
    export AWS_SECRET_ACCESS_KEY="<key>"
    export AWS_SESSION_TOKEN="<token>"

  3. Enter the following command to set the AWS Region for API calls:

    export AWS_REGION=$(aws configure get region)
  4. Enter the following command to retrieve the API Gateway endpoint from the lza-account-creation-workflow-application CloudFormation output:

    export API_GATEWAY_ENDPOINT=$(aws cloudformation describe-stacks --stack-name "lza-account-creation-workflow-application" --query 'Stacks[*].Outputs[?OutputKey==`oApiGatewayCreateAccountEndpoint`].OutputValue' --output text)
AWS DevOps

Check name availability.

Enter the following command to verify that the name is available for the AWS account. Replace <AWS_ACCOUNT_NAME> with the name of the target account:

awscurl --service execute-api \ --region ${AWS_REGION} \ --access_key ${AWS_ACCESS_KEY_ID} \ --secret_key ${AWS_SECRET_ACCESS_KEY} \ --security_token ${AWS_SESSION_TOKEN} \ -X POST ${API_GATEWAY_ENDPOINT}check_name?account_name=<AWS_ACCOUNT_NAME>
AWS DevOps

Run the account creation workflow.

  1. In the root folder of the cloned repository, open the api_example.json file.

  2. Update the parameters with your configuration values:

    { "account_name": "lza-test-01", "account_email": "johnsmith+lzatest01@example.com", "support_dl": "johnsmith@example.com", "managed_org_unit": "Workloads/Workload-1", "ad_integration": [ { "PermissionSetName": "CustomerAccountAdmin", "ActiveDirectoryGroupName": "platform-admin" }, { "PermissionSetName": "CustomerAccountDev", "ActiveDirectoryGroupName": "workload1-app1" } ], "force_update": "true", "bypass_creation": "false", "account_tags": [ { "Key": "Environment", "Value": "Dev" }, { "Key": "DeploymentMethod", "Value": "ApiGateway" } ] }
  3. Save and close the api_example.json file.

  4. Enter the following command to initiate the Step Functions workflow:

    awscurl --service execute-api \ --data @api-example.json \ --region ${AWS_REGION} \ --access_key ${AWS_ACCESS_KEY_ID} \ --secret_key ${AWS_SECRET_ACCESS_KEY} \ --security_token ${AWS_SESSION_TOKEN} \ -X POST ${API_GATEWAY_ENDPOINT}execute
  5. In the output from the previous command, make note of the Step Functions execution Amazon Resource Name (ARN).

  6. If you want to check the status of the Step Functions workflow, enter the following command. Replace <STEP_FUNCTION_EXECUTION_NAME> with the Step Functions execution ARN or name:

    awscurl --service execute-api \ --region ${AWS_REGION} \ --access_key ${AWS_ACCESS_KEY_ID} \ --secret_key ${AWS_SECRET_ACCESS_KEY} \ --security_token ${AWS_SESSION_TOKEN} \ -X GET ${API_GATEWAY_ENDPOINT}get_execution_status?execution=<STEP_FUNCTION_EXECUTION_NAME>
  7. Wait until you receive a notification that the account has been successfully created.

    Note

    If the account creation process fails, Amazon SNS sends a notification to the email addresses that you define in accountCreationFailure in the deploy-config.yaml file. The account requester is not notified.

AWS DevOps

Option 2 – Create an account using API Gateway and awscurl

Task | Description | Skills required

Set up the variables for awscurl.

  1. Enter the following command to navigate into the source code directory:

    cd lza-account-creation-workflow
  2. Enter the following command to set the AWS access key variables. You can copy the variables from the AWS access portal and then paste them into a shell. The following is an example:

    export AWS_ACCESS_KEY_ID="<id>"
    export AWS_SECRET_ACCESS_KEY="<key>"
    export AWS_SESSION_TOKEN="<token>"
  3. Enter the following command to set the AWS Region for API calls:

    export AWS_REGION=$(aws configure get region)
  4. Enter the following command to retrieve the API Gateway endpoint from the lza-account-creation-workflow-application CloudFormation output:

    export API_GATEWAY_ENDPOINT=$(aws cloudformation describe-stacks \
      --stack-name "lza-account-creation-workflow-application" \
      --query 'Stacks[*].Outputs[?OutputKey==`oApiGatewayCreateAccountEndpoint`].OutputValue' \
      --output text)
AWS DevOps

Check name availability.

Enter the following command to verify that the name is available for the AWS account. Replace <AWS_ACCOUNT_NAME> with the name of the target account:

awscurl --service execute-api \
  --region ${AWS_REGION} \
  --access_key ${AWS_ACCESS_KEY_ID} \
  --secret_key ${AWS_SECRET_ACCESS_KEY} \
  --security_token ${AWS_SESSION_TOKEN} \
  -X POST ${API_GATEWAY_ENDPOINT}check_name?account_name=<AWS_ACCOUNT_NAME>
AWS DevOps

Run the account creation workflow.

  1. In the root folder of the cloned repository, open the api_example.json file.

  2. Update the parameters with your configuration values:

    {
      "account_name": "lza-test-01",
      "account_email": "johnsmith+lzatest01@example.com",
      "support_dl": "johnsmith@example.com",
      "managed_org_unit": "Workloads/Workload-1",
      "ad_integration": [
        {
          "PermissionSetName": "CustomerAccountAdmin",
          "ActiveDirectoryGroupName": "platform-admin"
        },
        {
          "PermissionSetName": "CustomerAccountDev",
          "ActiveDirectoryGroupName": "workload1-app1"
        }
      ],
      "force_update": "true",
      "bypass_creation": "false",
      "account_tags": [
        { "Key": "Environment", "Value": "Dev" },
        { "Key": "DeploymentMethod", "Value": "ApiGateway" }
      ]
    }
  3. Save and close the api_example.json file.

  4. Enter the following command to initiate the Step Functions workflow:

    awscurl --service execute-api \
      --data @api_example.json \
      --region ${AWS_REGION} \
      --access_key ${AWS_ACCESS_KEY_ID} \
      --secret_key ${AWS_SECRET_ACCESS_KEY} \
      --security_token ${AWS_SESSION_TOKEN} \
      -X POST ${API_GATEWAY_ENDPOINT}execute
  5. In the output from the previous command, make note of the Step Functions execution Amazon Resource Name (ARN).

  6. If you want to check the status of the Step Functions workflow, enter the following command. Replace <STEP_FUNCTION_EXECUTION_NAME> with the Step Functions execution ARN or name:

    awscurl --service execute-api \
      --region ${AWS_REGION} \
      --access_key ${AWS_ACCESS_KEY_ID} \
      --secret_key ${AWS_SECRET_ACCESS_KEY} \
      --security_token ${AWS_SESSION_TOKEN} \
      -X GET ${API_GATEWAY_ENDPOINT}get_execution_status?execution=<STEP_FUNCTION_EXECUTION_NAME>
  7. Wait until you receive a notification that the account has been successfully created.

    Note

    If the account creation process fails, Amazon SNS sends a notification to the email addresses that you define in accountCreationFailure in the deploy-config.yaml file. The account requester is not notified.

AWS DevOps

(Optional) Clean up the solution

Task | Description | Skills required

Remove objects from the Amazon S3 buckets.

Remove any objects in the following Amazon S3 buckets:

  • lza-account-creation-work-<CDK_UNIQUE_ID>

  • lza-account-creation-workflow-src-<AWS_REGION>-<AWS_ACCOUNT>

  • lza-account-creation-workflow-<AWS_REGION>-<AWS_ACCOUNT>

AWS DevOps

Delete the CloudFormation stack.

Enter the following command to delete the CloudFormation stack:

aws cloudformation delete-stack \
  --stack-name lza-account-creation-workflow-application
aws cloudformation wait stack-delete-complete \
  --stack-name lza-account-creation-workflow-application
AWS DevOps

Delete the pipeline.

Enter the following command to delete the lza-account-creation-workflow-pipeline pipeline:

cdk destroy lza-account-creation-workflow-pipeline --force
AWS DevOps

Related resources

Additional information

Step Functions workflow diagram

The following image shows the states in the Step Functions workflow.

States in the Step Functions workflow.

Arguments

The following are the arguments that you can use when you run the Python script that initiates the Step Functions workflow.

The following arguments are required:

  • account-name (-a) (string) – The name of the new AWS account.

  • support-dl (-s) (string) – The email address that receives a notification when the account creation process is complete.

  • managed-org-unit (-m) (string) – The managed organizational unit (OU) that will contain the new account.

The following arguments are optional:

  • ad-integration (-ad) (string dictionary) – The Microsoft Entra ID group and assigned permission set. The following is an example of how to use this argument:

    --ad-integration "{\"<PermissionSetName>\": \"<EntraIdGroupName>\"}"
  • account-email (-e) (string) – The email address for the root user of the new AWS account.

    Note

    If this argument isn't used, the script generates the root email address from the rootEmailPrefix and rootEmailDomain values in the configs/deploy-config.yaml file, using the format rootEmailPrefix+accountName@rootEmailDomain.

  • region (-r) (string) – The AWS Region where the Step Functions workflow was deployed. The default value is us-east-1.

  • force-update (-f) (string Boolean) – Enter true to force AWS Service Catalog to update the provisioned product.

  • bypass-creation (-b) (string Boolean) – Enter true to bypass adding the account to the accounts-config.yaml file and bypass running the AWSAccelerator-Pipeline pipeline. This argument is typically used to test the account creation workflow process or to run the rest of the Step Functions steps if an error occurs in the Landing Zone Accelerator pipeline.

  • tags (-t) (string) – Additional tags that you want to add to the AWS account. By default, the following tags are added: account-name, support-dl, and purpose. The following is an example of how to use this argument:

    --tags TEST1=VALUE1 TEST2=VALUE2
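The two entry points on this page take the same inputs in different shapes: the Python script takes --ad-integration as a JSON dictionary and --tags as KEY=VALUE items, while the API Gateway body in api_example.json expects lists of PermissionSetName/ActiveDirectoryGroupName and Key/Value objects. The following added example (not the project's own code) builds the api_example.json-style body from script-style arguments and applies the default root email rule described above; the rootEmailPrefix and rootEmailDomain values and the account-name check are assumptions, not values from the solution.

```python
"""Added example, not the project's own code: assemble the request body that
the account creation API expects from the same inputs run-stepfunction.py
takes, applying the defaults this page describes."""
import json
import re

# Stand-ins for rootEmailPrefix / rootEmailDomain in configs/deploy-config.yaml
# (constructed values; a real client would read them from that file).
ROOT_EMAIL_PREFIX = "aws-root"
ROOT_EMAIL_DOMAIN = "example.com"
# Assumed sanity rule for the account name (1-50 printable ASCII characters).
ACCOUNT_NAME_RE = re.compile(r"^[\x20-\x7e]{1,50}$")


def parse_tags(tag_args):
    """Convert --tags items (KEY=VALUE ...) into the API's list of Key/Value pairs."""
    tags = []
    for item in tag_args:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"tag must be KEY=VALUE, got {item!r}")
        tags.append({"Key": key, "Value": value})
    return tags


def parse_ad_integration(ad_integration):
    """Map the CLI form (JSON string {"<PermissionSetName>": "<EntraIdGroupName>"})
    to the API form (a list of PermissionSetName/ActiveDirectoryGroupName objects)."""
    mapping = json.loads(ad_integration) if isinstance(ad_integration, str) else ad_integration or {}
    return [{"PermissionSetName": ps, "ActiveDirectoryGroupName": group}
            for ps, group in mapping.items()]


def build_request(account_name, support_dl, managed_org_unit, account_email=None,
                  ad_integration=None, force_update=False, bypass_creation=False, tags=()):
    """Return the JSON-serialisable body for POST ${API_GATEWAY_ENDPOINT}execute."""
    if not ACCOUNT_NAME_RE.match(account_name):
        raise ValueError(f"invalid account name {account_name!r}")
    # Default root email follows the page's rule: rootEmailPrefix+accountName@rootEmailDomain.
    email = account_email or f"{ROOT_EMAIL_PREFIX}+{account_name}@{ROOT_EMAIL_DOMAIN}"
    return {
        "account_name": account_name,
        "account_email": email,
        "support_dl": support_dl,
        "managed_org_unit": managed_org_unit,
        "ad_integration": parse_ad_integration(ad_integration),
        # api_example.json carries these Booleans as the strings "true"/"false".
        "force_update": str(bool(force_update)).lower(),
        "bypass_creation": str(bool(bypass_creation)).lower(),
        "account_tags": parse_tags(tags),
    }
```

Serialise the returned dictionary with json.dumps and pass it as the --data argument of the awscurl call to the execute path.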
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.