Before you can execute any command you need to select the correct profile:
export CUSTOMER=<prefix used in your profiles>
export AWS_PROFILE=${CUSTOMER}-audit
Before you can use the CLI commands you need to execute the following command:
landingzone-organization organization download
This command queries the AWS Organizations API and stores the aggregated data in a file in the current working directory. This file is reused by every other command, so re-run the download when accounts or OUs change.
Managing profiles for the AWS CLI could become a nightmare when you have a lot of accounts. To make it easier you can generate a separate config file for your organization.
AWS_CONFIG_FILE="~/.aws/config-acme" landingzone-organization profiles generate acme \
--sso-start-url "https://acme.awsapps.com/start" \
--sso-region "eu-central-1" \
--role-session-name "John.Doe@acme.com" \
--sso-role-name "my-sso-audit-role"
This will create a file called ~/.aws/config-acme. Point the AWS_CONFIG_FILE environment variable at it:
export AWS_CONFIG_FILE=~/.aws/config-acme
From now on the profiles are selected from your new "organization" config file, and you can use the account names within your organization as profile names:
aws s3 ls --profile <aws account name>
This will work as long as you have the right to assume the my-sso-audit-role role in the target account.
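The following is an added example, not the landingzone-organization project's own code. It renders an AWS CLI config file with one SSO profile per account, named after the account, which is the shape the `profiles generate` command above produces, and it looks a profile up again by account name to confirm that `--profile <aws account name>` would resolve. The account list is constructed here; the config keys are the documented AWS CLI `sso_*` settings, and mapping the tool's `--role-session-name` flag to the `role_session_name` key is an assumption.

```python
"""Render an AWS CLI config with an SSO profile per organization account."""
import configparser
from io import StringIO

# Constructed sample: account names and IDs as the Organizations API would
# return them. The IDs are placeholders, not real accounts.
SAMPLE_ACCOUNTS = [
    {"Name": "acme-audit", "Id": "111111111111"},
    {"Name": "acme-workload-dev", "Id": "222222222222"},
    {"Name": "acme-workload-prod", "Id": "333333333333"},
]


def render_sso_config(accounts, sso_start_url, sso_region, sso_role_name, role_session_name):
    """Return the text of an AWS CLI config file with a `[profile <name>]` per account.

    Profile names are the account names, so `--profile <account name>` works once
    AWS_CONFIG_FILE points at the written file. Every profile uses the same SSO
    portal and role; only sso_account_id differs per account.
    """
    cfg = configparser.ConfigParser()
    for acct in accounts:
        section = f"profile {acct['Name']}"
        cfg[section] = {
            "sso_start_url": sso_start_url,
            "sso_region": sso_region,
            "sso_account_id": acct["Id"],
            "sso_role_name": sso_role_name,
            # Assumption: the tool's --role-session-name flag ends up in this key.
            "role_session_name": role_session_name,
            "region": sso_region,
            "output": "json",
        }
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def lookup_profile(config_text, profile_name):
    """Parse config text and return the settings of `profile <name>`, or None."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = f"profile {profile_name}"
    if not cfg.has_section(section):
        return None
    return dict(cfg[section])


if __name__ == "__main__":
    text = render_sso_config(
        SAMPLE_ACCOUNTS,
        "https://acme.awsapps.com/start",
        "eu-central-1",
        "my-sso-audit-role",
        "John.Doe@acme.com",
    )
    print(text)
    print(lookup_profile(text, "acme-workload-prod"))
```

Because the file is written from the organization's account list, a profile only exists for accounts that are actually in the organization; the role in each profile is the same audit role, so access is still governed by what that role may assume in the target account.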
To get an overview of all the workloads within your organization you can execute the following command:
landingzone-organization workload list [--location "<OU NAME>"]
When you want to list a nested OU you can use comma separation:
landingzone-organization workload list [--location "<OU NAME>,<OU NAME>"]
Sometimes you have an Account ID and you need to know what account it is. To get more information about the given Account ID you can execute the following command:
landingzone-organization account view <ACCOUNT_ID>
In order to enable git approval flows for your workloads you will need a file structure. The following command will create this structure for you:
landingzone-organization export workloads "./workloads" "workloads"
The following will happen: for each workload in the workloads organization unit a folder is created under ./workloads, and inside it an info.yaml and a <ENVIRONMENT>.yaml per environment is generated.
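As an added example (not the project's own code), the function below builds the per-workload folder layout described above from a constructed workload list: one folder per workload, an info.yaml in it, and one <ENVIRONMENT>.yaml per environment. The field names written into the YAML files are assumptions, since the page does not show the tool's schema; the point is the directory structure that a git approval flow reviews.

```python
"""Create the workloads/<workload>/{info.yaml,<ENVIRONMENT>.yaml} layout."""
import os
import tempfile

# Constructed sample: two workloads with their environments and account IDs
# (placeholder IDs, not real accounts).
SAMPLE_WORKLOADS = [
    {"name": "billing", "environments": {"dev": "222222222222", "prod": "333333333333"}},
    {"name": "website", "environments": {"prod": "444444444444"}},
]


def export_workloads(workloads, base_dir=None):
    """Write the folder structure and return the sorted list of files created.

    Paths are returned relative to base_dir using '/' separators. When base_dir
    is None a fresh temporary directory is used, so the example runs offline
    without touching an existing ./workloads tree.
    """
    if base_dir is None:
        base_dir = tempfile.mkdtemp(prefix="workloads-")
    written = []
    for wl in workloads:
        folder = os.path.join(base_dir, wl["name"])
        os.makedirs(folder, exist_ok=True)
        # info.yaml: hand-written YAML so no PyYAML dependency is needed.
        # Assumed fields: name and the list of environments.
        with open(os.path.join(folder, "info.yaml"), "w") as fh:
            fh.write(f"name: {wl['name']}\n")
            fh.write("environments:\n")
            for env in sorted(wl["environments"]):
                fh.write(f"  - {env}\n")
        written.append(f"{wl['name']}/info.yaml")
        # One file per environment; the account ID is quoted so YAML keeps
        # any leading zeros as a string instead of parsing a number.
        for env, account_id in wl["environments"].items():
            with open(os.path.join(folder, f"{env}.yaml"), "w") as fh:
                fh.write(f"account_id: '{account_id}'\n")
            written.append(f"{wl['name']}/{env}.yaml")
    return sorted(written)


if __name__ == "__main__":
    for path in export_workloads(SAMPLE_WORKLOADS):
        print(path)
```

Committing this tree to a repository gives each environment its own reviewable file, so a change to a single account's configuration shows up as a diff against exactly one <ENVIRONMENT>.yaml.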