Awesome Open Source
Awesome Open Source

Cloud Posse Reference Architectures

Latest Release Slack Community Discourse Forum


Cloud Posse

Get up and running quickly with one of our reference architectures using our fully automated cold-start process.

NOTE: This project is under active development and subject to change. Please file issues for all bugs encountered.

Table of Contents

This project is part of our comprehensive "SweetOps" approach towards DevOps.

It's 100% Open Source and licensed under the APACHE2.


demo Example of using the geodesic shell as a build a docker image built from the cloudposse/reference-architectures


High-Level Overview

You can provision the basic reference architecture in 3 "easy" steps. =)

All accounts will leverage our terraform-root-modules service catalog to get you started. Later, we recommend you fork this and start your very own service catalog suitable for your organization.

This process involves using terraform to generate the code (Dockerfile, Makefile, terraform.tfvar, etc) that you will use to manage your infrastructure.

This repo contains everything necessary to administer this architecture. We strive for a "share nothing" approach, which is why we use multiple AWS accounts and DNS zones. This reduces the blast radius from human errors. This reference architecture is ideally suited for larger enterprise or corporate environments where various stakeholders will be responsible for running services in their account.

See the Next Steps section for where to go after this process completes.


Our "reference architecture" is an opinionated approach to architecting accounts for AWS.

This process provisions 7+ accounts that have different designations.

Here is what it includes. Enable the accounts you want.

Account Description
master The "master" (parent, billing) account creates all member accounts and is where users login.
prod The "production" is account where you run your most mission critical applications
staging The "staging" account is where you run all of your QA/UAT/Testing
dev The "dev" sandbox account is where you let your developers have fun and break things
audit The "audit" account is where all logs end up
corp The "corp" account is where you run the shared platform services for the company
data The "data" account is where the quants live =)
testing The "testing" account is where to run automated tests of unblessed infrastructure code
security The "security" account is where to run automated security scanning software
identity The "identity" account is where to add users and delegate access to the other accounts

Each account has its own terraform state backend, along with a dedicated DNS zone for service discovery.

The master account owns the top-level DNS zone and then delegates NS authority to each member account.

Quick Start


  1. We are starting with a clean AWS environment and a new "master" (top-level) AWS account. This means you need the "master" credentials, since a fresh AWS account doesn't even have any AWS roles that can be assumed.
  2. You have administrator access to this account.
  3. You have docker installed on your workstation.
  4. You have terraform installed on your workstation.


Before we get started, make sure you have the following

  • [ ] Before you can create new AWS accounts under your organization, you must verify your email address.
  • [ ] Open a support ticket to request the limit of AWS accounts be increased for your organization (the default is 1).
  • [ ] Clone this repo on your workstation.
  • [ ] Create a temporary pair of Access Keys. These should be deleted afterwards.
  • [ ] Export your AWS "root" account credentials as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (this is temporary for bootstrapping).
  • [ ] An available domain we can use for DNS-base service discovery (E.g. This domain must not be in use elsewhere as the master account will need to be the authoritative name server (SOA).

Getting Started

1. Provision Master Account

The "master" account is the top-most AWS account from which all other AWS accounts are programmatically created.

WARNING: Terraform cannot remove an AWS account from an organization. Terraform cannot close the account. The member account must be prepared to be a standalone account beforehand. To do this, issue a password reset using the member account's email address. Login and accept the prompts. Then you should be good to go. See the AWS Organization documentation for more information.

This account is provisioned slightly differently from the other member accounts.

Update the configuration for this account by editing the configs/master.tfvar file.

Then to get started, run:

make root

NOTE: We need to know each account's AWS_ACCOUNT_ID for Step 2. NOTE: Sometimes provisioning of the account module fails due to rate limiting by AWS on creating member accounts. If this happens, just run make root/provision to retry. If that works, just continue on with step 2, once it completes.

Here's what that roughly looks like (but entirely automated).
  1. Create a new account git repo.
  2. Render templates into the repo (including Dockerfile).
  3. Build a docker image.
  4. Run the docker image and start provisioning resources including the Terraform state backend and member accounts.
  5. Create the IAM groups to permit access to member accounts.
  6. Write a list of member account IDs so we can use them in the next phase.

2. Provision Member Accounts

Member accounts are created from the master account.

Update the configuration for all the member accounts by editing the configs/$env.tfvar file (replace $env with the name of the account).

To get started, run:

make children
Here's what that roughly looks like (but entirely automated).

For each member account:

  1. Create a new account git repo.
  2. Render the templates for a member account into the repo directory (include Dockerfile). Obtain the account ID from the previous phase.
  3. Build a docker image.
  4. Run the docker image and start provisioning the member account's Terraform state bucket, DNS zone, cloudtrail logs, etc.

3. Delegate DNS

Now that each member account has been provisioned, we can delegate each DNS zone to those accounts.

To finish up, run:

make finalize
Here's what that roughly looks like (but entirely automated).
  1. Re-use the docker images from phase (1) and phase (2).
  2. Update DNS so that master account delegates DNS zones to the member accounts.
  3. Enable cloudtrail log forwarding to audit account.

Known Limitations

  • AWS does not support programmatic deletion of accounts. This means that if you use this project to create the account structure, but terraform is not able to completely tear it down. Deleting AWS accounts is a long, painful process, because AWS does not want to be on the hook for deleting stuff that it cannot get back.
  • AWS by default only permits one member account. This limit can be easily increased for your organization by contacting AWS support, but it can take up to several days.
  • AWS will rate limit account creation. This might mean you'll need to restart the provisioning.
  • AWS only supports creating member accounts from the master account. This means you cannot create accounts from within member accounts.
  • AWS does not permit email addresses to be reused across accounts. One key thing is that the email address associated with the account will be forever associated with that account. You will not be able to create a new account with that email address and you will not be able to change the email address later. So before you delete an account, change the email address to something you can consider a throwaway. Gmail and some other providers allow you to use plus-addressing (e.g. [email protected])" to your username to create a unique email that still routes to you, so we suggest you use plus addressing for your accounts.

Next Steps

At this point, you have everything you need to start terraforming your way to success.

All of your account configurations are currently in repos/

  • [ ] Commit all the changes made. Open Pull Requests.
  • [ ] Ensure that the name servers for the service discovery domain (e.g. have been configured with your domain registrar (e.g. GoDaddy).
  • [ ] Delete your master account credentials. They are no longer needed and should not be used. Instead, use the created IAM users.
  • [ ] Request limits for EC2 instances to be raised in each account corresponding to the region you will be operating in.
  • [ ] Set the member account's credentials. To do this, issue a password reset using the member account's email address. Login and accept the prompts. Setup MFA.
  • [ ] Ensure you have MFA setup on your master account.
  • [ ] Consider adding some other capabilities from our service catalog.
  • [ ] Create your own terraform-root-modules service catalog for your organization.

Getting Help

Did you get stuck? Find us on slack in the #geodesic channel.


Got a question? We got answers.

File a GitHub issue, send us an email or join our Slack Community.

README Commercial Support

DevOps Accelerator for Startups

We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

Learn More

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
  • Site Reliability Engineering. You'll have total visibility into your apps and microservices.
  • Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
  • GitOps. You'll be able to operate your infrastructure via Pull Requests.
  • Training. You'll receive hands-on training so your team can operate what we build.
  • Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
  • Troubleshooting. You'll get help to triage when things aren't working.
  • Code Reviews. You'll receive constructive feedback on Pull Requests.
  • Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Discourse Forums

Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.


Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

Office Hours

Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!



Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.


If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitHub
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!


Copyright © 2016-2020 Cloud Posse, LLC



See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.


All other trademarks referenced herein are the property of their respective owners.


This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

Cloud Posse

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.


Erik Osterman
Erik Osterman
John C Bland II
John C Bland II
Andriy Knysh
Andriy Knysh
Jeremy Grodberg
Jeremy Grodberg

README Footer Beacon

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
kubernetes (1,772
aws (1,100
terraform (402
hcl (380
code-generator (110
terraform-modules (44
scp (26