Prerequisites
You must meet the following prerequisites before launching the stack.
Activate a multi-account management solution
Before deploying the Landing Zone Accelerator on AWS, activate AWS Control Tower or AWS Organizations. AWS Control Tower is strongly recommended if deploying to a Region where it's supported.
Important
The default configuration for Landing Zone Accelerator on AWS assumes that an OU named Infrastructure was created. We built this OU for core infrastructure workload accounts that you can add to your organization, such as central networking or shared services. Before running the Core pipeline, either create the Infrastructure OU or modify the organization-config.yaml configuration file to represent your landing zone base configuration. See Adding an Organizational Unit (OU) for more information.
If you want to deploy to an existing multi-account environment, see Working with existing landing zones for additional considerations before deploying the solution.
For AWS Control Tower based installation (recommended)
To set up AWS Control Tower, refer to Getting started with AWS Control Tower in the AWS Control Tower User Guide.
Note
If you're using AWS Control Tower, we strongly recommend creating an AWS KMS customer managed key before deploying your landing zone. This AWS KMS key is used by services that AWS Control Tower manages to apply encryption at rest to sensitive log files.
For more information on activating encryption for AWS Control Tower, see Configure your shared accounts and encryption.
If you’re deploying a new AWS Control Tower landing zone, you can add the prerequisite Infrastructure OU during the initial setup wizard. By default, the landing zone deploys with an additional Sandbox OU. You can rename this OU to Infrastructure if desired. Alternatively, you can create the Infrastructure OU after the landing zone is provisioned.
For more information about customizing the additional OU created during Control Tower setup, see Step 2b. Configure your organizational units (OUs) in the Control Tower User Guide.
For AWS Organizations based installation (without AWS Control Tower)
To set up AWS Organizations, refer to Getting started with AWS Organizations in the AWS Organization User Guide.
Ensure the Mandatory accounts are created. The Landing Zone Accelerator on AWS requires these three accounts at minimum to successfully deploy to your environment.
For more information on managing accounts in an AWS Organization, refer to Managing the AWS accounts in your organization in the AWS Organization User Guide.
Update AWS CodeBuild concurrency quota
Follow this procedure to check your current CodeBuild concurrency quota.
1. Navigate to the Service Quotas console in the account and Region for which you will deploy the Landing Zone Accelerator on AWS solution.
2. In the navigation pane, choose AWS services.
3. Search for and then select AWS CodeBuild.
4. Select Concurrently running builds for Linux/Large environment.
5. If the value under Applied quota value is less than 3, select the quota link. Otherwise, skip the remaining steps.
6. Choose Request increase at account-level. In the Increase quota value box, enter 3 or more as the new quota value.
7. Choose Request. Ensure this quota increase request has been approved prior to deploying the solution. You can view your request status by choosing Quota request history in the navigation sidebar.
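The same check and request can be scripted with the AWS CLI against the Service Quotas API. The block below is an added example, not part of this guide or of the solution's own code. It assumes AWS CLI v2 is configured for the account and Region where you will deploy the solution; the function and variable names (codebuild_large_quota, needs_increase, ensure_codebuild_quota, quota_request_status, REQUIRED_VALUE) are the example's own, and the quota code is looked up by name rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the Landing Zone Accelerator documentation: check the
# CodeBuild "Concurrently running builds for Linux/Large environment" quota via
# the Service Quotas API and request an account-level increase to 3 if needed.
# Assumes AWS CLI v2 is configured (profile/Region) for the account and Region
# where the solution will be deployed.

QUOTA_NAME="Concurrently running builds for Linux/Large environment"
REQUIRED_VALUE=3

# Print "<quota-code><TAB><applied-value>" for the named CodeBuild quota.
# list-service-quotas returns the applied (account-level) values, and the quota
# code is looked up by name so nothing account-specific is hard-coded.
codebuild_large_quota() {
    aws service-quotas list-service-quotas \
        --service-code codebuild \
        --query "Quotas[?QuotaName=='$QUOTA_NAME'].[QuotaCode,Value]" \
        --output text
}

# Succeed (exit 0) when an applied value such as "1.0" is below REQUIRED_VALUE.
needs_increase() {
    whole=${1%.*}                      # "1.0" -> "1"; "3" stays "3"
    [ "$whole" -lt "$REQUIRED_VALUE" ]
}

# Check the quota and file an increase request only if it is too low.
# Prints the request id when a request was made, otherwise a short status line.
ensure_codebuild_quota() {
    set -- $(codebuild_large_quota)    # $1 = quota code, $2 = applied value
    if [ -z "${1:-}" ]; then
        echo "quota '$QUOTA_NAME' not found for service codebuild" >&2
        return 2
    fi
    if needs_increase "$2"; then
        aws service-quotas request-service-quota-increase \
            --service-code codebuild \
            --quota-code "$1" \
            --desired-value "$REQUIRED_VALUE" \
            --query 'RequestedQuota.Id' --output text
    else
        echo "applied quota is $2 (>= $REQUIRED_VALUE); no request needed"
    fi
}

# Show past increase requests for this quota (the console's Quota request
# history), so approval can be confirmed before deploying the solution.
quota_request_status() {
    set -- $(codebuild_large_quota)
    aws service-quotas list-requested-service-quota-change-history-by-quota \
        --service-code codebuild --quota-code "$1" \
        --query 'RequestedQuotas[].[Id,DesiredValue,Status]' --output text
}
```

Run `ensure_codebuild_quota` once in the target account and Region, then poll `quota_request_status` until the request shows an approved status before starting the deployment; the increase is requested at account level, which matches the console procedure above.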
Ensure your global Region is accessible
Some AWS services and features apply configurations to your accounts at a global level rather than a regional level. In addition to the Regions that you enable in the solution configuration files, this solution requires access to the Region where global service API endpoints are hosted. The global Region depends on the AWS partition to which you deploy the solution.
AWS partitions and their corresponding global Region

AWS Partition | Global Region
---|---
Standard (aws) |
GovCloud US (aws-us-gov) |
China (aws-cn) |
Important
Ensure that you don’t have any existing AWS Organizations service control policies and/or Control Tower Region deny settings configured in your environment that would block access to the global Region listed above. You might experience Core pipeline failures if you do not allow access to this Region.
Create a GitHub personal access token and store in Secrets Manager
You require a GitHub access token to access the Landing Zone Accelerator on AWS code repository. Instructions on how to create a personal access token are located on GitHub Docs.
Note
The GitHub access token must have public_repo permissions.
Store the personal access token in Secrets Manager as plain text. Name the secret accelerator/github-token (case sensitive).
With the AWS Management Console:
1. Store a new secret, and select Other type of secrets, Plaintext.
2. Paste your secret with no formatting, leading, or trailing spaces (completely remove the example text).
3. Select an encryption key.
4. Set the secret name to accelerator/github-token (case sensitive).
5. Select Disable rotation.
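The console steps above can also be done with the AWS CLI. The block below is an added example, not part of this guide or of the solution's own code. It assumes AWS CLI v2 is configured for the management account and the Region where you will deploy the solution, reads the token from a file you create (so it never appears as a command-line argument), and treats KMS_KEY_ID as an optional customer managed key for the "Select an encryption key" step; the function names (validate_token, store_github_token, verify_secret_name) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Landing Zone Accelerator documentation: store a
# GitHub personal access token in Secrets Manager with the AWS CLI under the
# exact (case-sensitive) name the solution looks for, after checking that the
# token is a single line with no leading, trailing or embedded whitespace.
# Assumes AWS CLI v2 is configured for the management account and deployment
# Region; KMS_KEY_ID is an optional customer managed key (assumed env var).

SECRET_NAME="accelerator/github-token"     # from the LZA docs; case sensitive

# Succeed when the token is non-empty and contains no whitespace at all.
# Surrounding spaces or a left-over example line would make the stored secret
# unusable, which is what the console instructions warn about.
validate_token() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Create the secret from a token kept in a file (first line only).  The token
# is handed to the CLI via file:// rather than as an argument, so it does not
# show up in `ps` output or shell history.  create-secret leaves rotation off,
# which matches the "Disable rotation" step.  Prints the secret ARN on success.
store_github_token() {
    IFS= read -r tok < "$1" || :            # read strips the trailing newline
    if ! validate_token "$tok"; then
        echo "token is empty or contains whitespace; not storing it" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1              # mktemp creates the file mode 0600
    printf '%s' "$tok" > "$tmp"            # no trailing newline in the secret
    set -- --name "$SECRET_NAME" --secret-string "file://$tmp"
    if [ -n "${KMS_KEY_ID:-}" ]; then
        set -- "$@" --kms-key-id "$KMS_KEY_ID"
    fi
    aws secretsmanager create-secret "$@" --query ARN --output text
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Confirm the stored name matches exactly; Secrets Manager names are case
# sensitive, so a differently cased name would not be found by the solution.
verify_secret_name() {
    name=$(aws secretsmanager describe-secret --secret-id "$SECRET_NAME" \
        --query Name --output text) || return 1
    [ "$name" = "$SECRET_NAME" ]
}
```

Usage: write the token to a file readable only by you, run `store_github_token /path/to/token.txt`, delete the file, then run `verify_secret_name` to confirm the exact name was stored. If `KMS_KEY_ID` is unset, Secrets Manager encrypts the secret with the AWS managed key for the service.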