External pipeline deployment - Landing Zone Accelerator on AWS

External pipeline deployment

In a default Landing Zone Accelerator on AWS installation, the CodePipeline and CodeCommit configuration repository deploys into the AWS Organizations management account. You may want to deploy and operate these components in a member AWS account to limit access to the management account. This solution supports this model with an optional pipeline deployment account.

[Figure: External pipeline deployment]

Follow these instructions to implement this pattern:

  1. Select an AWS account for the pipeline deployment account. We recommend that this account be a member of the AWS Organizations environment.

  2. Create a new IAM role in the AWS Organizations management account that allows access from the pipeline deployment account. AcceleratorPipelineDeploymentRole is the preferred name for this role.

  3. Update the trust policy of the AcceleratorPipelineDeploymentRole to allow access from the pipeline deployment account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:sts::<PIPELINE_DEPLOYMENT_ACCOUNT_ID>:assumed-role/AcceleratorPipelineDeploymentRole"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  4. Attach the AdministratorAccess AWS managed IAM policy to the role.
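Because the role created above carries AdministratorAccess in the management account, its trust policy is what decides who can assume it. As an added example (not part of the Landing Zone Accelerator code or documentation), the following Python builds the trust policy shown above for a given pipeline deployment account and reports anything in a trust policy document that is wider than it. The account ID and the loosened sample policy are constructed for illustration.

```python
import json

# Role name the page recommends for the management-account role and for its caller.
PIPELINE_ROLE = "AcceleratorPipelineDeploymentRole"

def build_trust_policy(pipeline_account_id: str) -> dict:
    """Trust policy from the page with the pipeline deployment account ID filled in."""
    if not (pipeline_account_id.isdigit() and len(pipeline_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    principal = f"arn:aws:sts::{pipeline_account_id}:assumed-role/{PIPELINE_ROLE}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy: dict, pipeline_account_id: str) -> list:
    """List what is wider than the page's policy; an empty list means it matches."""
    expected = f"arn:aws:sts::{pipeline_account_id}:assumed-role/{PIPELINE_ROLE}"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: action {action!r} is wider than sts:AssumeRole")
        principal = stmt.get("Principal") or {}
        if principal == "*":  # bare "*" is shorthand for any AWS principal
            principal = {"AWS": "*"}
        if principal.get("AWS") == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for key in principal:
            if key != "AWS":
                findings.append(f"statement {i}: unexpected principal type {key!r}")
        for p in _as_list(principal.get("AWS")):
            if p != expected:
                findings.append(f"statement {i}: principal {p!r} is not {expected!r}")
    return findings

# Constructed sample: trusts the whole pipeline account (its root principal) for any
# STS action. Since the role has AdministratorAccess, every principal in that account
# that is allowed sts:AssumeRole could then reach it.
SAMPLE_ACCOUNT = "111111111111"
SAMPLE_LOOSE = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:*",'
    ' "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}'
)
```

Run `trust_policy_findings(build_trust_policy(SAMPLE_ACCOUNT), SAMPLE_ACCOUNT)` to confirm the page's policy reports nothing, and the same call on `SAMPLE_LOOSE` to see the two widenings reported.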

After you create the IAM role in the management account, synthesize the Landing Zone Accelerator on AWS installer template configured for external deployments by following these instructions:

  1. Clone or download the latest release of the Landing Zone Accelerator on AWS source code.

  2. Navigate to the source folder:

    cd landing-zone-accelerator-on-aws/source

  3. Install dependencies and build the source code:

    yarn install && yarn build

  4. Navigate to the installer folder:

    cd packages/@aws-accelerator/installer/

  5. Synthesize the installer template by running:

    cdk synth --context use-external-pipeline-account=true

  6. Retrieve the synthesized template named AWSAccelerator-InstallerStack.template.json from the cdk.out directory.

  7. Use this template to create the AWSAccelerator-Installer CloudFormation stack in the external deployment account.

  8. The deployment now follows the same process as the standard deployment, with the addition of the following parameters:

    1. AcceleratorQualifier - Used to name the resources in the external deployment account. It must be unique for each Landing Zone Accelerator on AWS pipeline created in the same external deployment account.

    2. ManagementAccountId - This is the AWS account ID of the AWS Organizations management account.

    3. ManagementAccountRoleName - This is the name of the IAM role used to access the management account from the external deployment account.