Post-Deployment
Landing Zone
Adding new AWS accounts
To add new accounts to the organization, edit terraform.tfvars in the landing zone repository and add the new account names to the account categories.
Run terraform plan and apply.
You also need to apply Terraform again in the iam repo to apply access permissions on these new accounts.
Suspending AWS Accounts
Suspending an account moves the AWS account under the suspended organizational unit, which removes all access except for organization administrators.
This way we can keep track of suspended accounts and later we can delete them completely.
To suspend an account, update terraform.tfvars to add the account name to the suspended_accounts parameter. Don't remove the same account from other parameters.
Run terraform plan and apply.
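A pre-apply check for the suspension steps above, added here as an example and not part of the landing zone repository: it reads the JSON form of a plan (terraform show -json) and separates accounts that only move to another organizational unit from accounts the plan would delete. It assumes the accounts are managed as aws_organizations_account resources; the resource addresses, account names and OU ids in the sample are constructed.

```python
import json
import sys

ACCOUNT_TYPE = "aws_organizations_account"  # assumed resource type for member accounts

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    {   # suspension done as described: the account only changes parent OU
        "address": 'aws_organizations_account.this["sandbox-01"]',
        "type": ACCOUNT_TYPE,
        "change": {"actions": ["update"],
                   "before": {"parent_id": "ou-exam-11111111"},
                   "after": {"parent_id": "ou-exam-99999999"}}},
    {   # account name was also removed from its category: the plan deletes it
        "address": 'aws_organizations_account.this["dev-02"]',
        "type": ACCOUNT_TYPE,
        "change": {"actions": ["delete"],
                   "before": {"parent_id": "ou-exam-11111111"},
                   "after": None}},
    {   # unrelated resource, ignored by the check
        "address": "aws_organizations_policy.example",
        "type": "aws_organizations_policy",
        "change": {"actions": ["create"], "before": None, "after": {}}},
]}

def review_account_changes(plan):
    """Return (moved, deleted) lists of account resource addresses."""
    moved, deleted = [], []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != ACCOUNT_TYPE:
            continue
        change = rc["change"]
        if "delete" in change["actions"]:  # plain delete or replacement
            deleted.append(rc["address"])
        elif change["actions"] == ["update"]:
            before = (change.get("before") or {}).get("parent_id")
            after = (change.get("after") or {}).get("parent_id")
            if before != after:  # parent OU changes, e.g. move to suspended OU
                moved.append(rc["address"])
    return moved, deleted

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    moved, deleted = review_account_changes(plan)
    print("moved to another OU:", moved)
    print("planned for deletion:", deleted)
    sys.exit(1 if deleted else 0)  # non-zero exit blocks the apply step in CI
```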
Connect Existing AWS Accounts to the Organization
You can connect existing accounts to the new organization, and if an account has promotional credits, you can share that credit with the new organization.
All existing resources and IAM accounts will remain the same after the account is added as a member of the organization.
In Management Account
Go to AWS Organizations → AWS Accounts → Invitations.
Click Invite AWS Account and enter the existing account ID. Click Send Invitation.
Accepting Invitation In Invited Account
In the invited account, make sure you’re in the us-east-1 region and go to AWS Organizations → Invitations.
Click Accept invitation.
Share AWS Promotional Credits
In a multi-account setup, billing is consolidated in the main account, which is billed for member accounts as well.
If you already have AWS promotional credits in the existing account, the credit is shared with the main account automatically, because credit sharing is turned on by default. You can find more information on credit sharing in the link below.
IAM Identity Center
Access Portal URL
In the management account, go to IAM Identity Center → Dashboard.
There you can find the URL to the Access Portal. You can also customize the URL with your organization name.
Add and Remove User Accounts
Head over to the Manage User Accounts section.
Share AWS Organization ID with OPStimus
To access OPStimus IaC modules, OPStimus needs the new AWS Organization ID. Follow the steps below to get it.
- Go to the AWS Organizations console.
- At the bottom of the left sidebar, you will find the Organization ID.