diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons.yaml index cb62b9ad2..6df3be533 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml index 000a92246..64e63bec5 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml index 09fab9bee..2c7f7563f 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows 
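Review bot: The added top-level `env:` block pins `ATMOS_PROFILE: superadmin` for every workflow in this file, and the same block is added to every other workflow file in this commit (app, monitor, network, platform and foundation), so the most privileged profile becomes the default for routine add-on and monitoring workflows as well as for bootstrap. Moving to `managers` afterwards relies on someone hand-editing each file; nothing in the change enforces or checks that step. Consider keeping the pin only in the bootstrap workflows (cold-start and foundation) and letting the rest inherit the profile from the operator's environment, or defaulting them to `ATMOS_PROFILE: managers`. If the pin stays, the comment should state whether this value overrides an `ATMOS_PROFILE` the operator has already exported. The `workflows:` map continues outside the hunk.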
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml index 69997b766..b6113d974 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml index 8416df10c..6dfb95750 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml index c06e59146..9d59a9049 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows 
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml index b70d12770..d327568ac 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml index edfacb2e1..e9d10a4b8 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml index 1ec2d9f7d..0461f2dfc 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows 
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml index 118d4db95..805094ef9 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml index bdf58dd9e..eced5f3e1 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml index f04a4ca7d..6b5a2def4 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows 
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml index 4f3c7bd03..36a961f3d 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml index 0ccd8dd0d..6a3be8293 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml index 661b99144..23ea19140 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows 
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml index fad86334b..c8154ce18 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml index 83d070a56..a85e860b7 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: deploy: description: | diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml index 0eb5779b8..1836f8303 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: verify/github-oidc-providers: description: | 
diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml index 90a138089..32d6368d5 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: steps: diff --git a/examples/snippets/stacks/workflows/quickstart/app/data.yaml b/examples/snippets/stacks/workflows/quickstart/app/data.yaml index 0811ce476..68021471e 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/data.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/data.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/cold-start.yaml b/examples/snippets/stacks/workflows/quickstart/cold-start.yaml new file mode 100644 index 000000000..be9e5eba6 --- /dev/null +++ b/examples/snippets/stacks/workflows/quickstart/cold-start.yaml 
@@ -0,0 +1,43 @@
+# Cold-Start Workflow - Complete Infrastructure Bootstrap
+#
+# This workflow orchestrates the complete infrastructure deployment from scratch,
+# following the proper dependency order:
+# 1. Terraform state backend
+# 2. AWS Organization and accounts
+# 3. IAM Identity Center (SSO) and execution roles
+# 4. Network layer (VPCs, Transit Gateway, DNS)
+#
+# Usage:
+# # Complete cold-start deployment:
+# atmos workflow all -f quickstart/cold-start
+#
+# # Individual layers:
+# atmos workflow deploy/foundation -f quickstart/cold-start
+# atmos workflow deploy/network -f quickstart/cold-start
+#
+# # Step-by-step validation:
+# atmos workflow deploy/tfstate -f quickstart/cold-start
+# atmos workflow deploy/accounts -f quickstart/cold-start
+# atmos workflow deploy/identity -f quickstart/cold-start
+# atmos workflow deploy/network -f quickstart/cold-start
+#
+# Available workflows:
+# - all: Complete cold-start deployment (tfstate → network)
+# - deploy/foundation: Deploy foundation layer (accounts + identity)
+# - deploy/tfstate: Initialize Terraform state backend
+# - deploy/accounts: Deploy accounts layer
+# - deploy/identity: Deploy identity layer
+# - deploy/network: Deploy network layer
+#
+
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+ ATMOS_PROFILE: superadmin
+
+workflows:
+ all:
+ description: Complete cold-start deployment from tfstate to network
+ steps:
+ - command: workflow all -f quickstart/foundation/accounts
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
index 42357feb8..21f1a6f88 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
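Review bot: The header comment of the new cold-start.yaml lists six workflows (`all`, `deploy/foundation`, `deploy/tfstate`, `deploy/accounts`, `deploy/identity`, `deploy/network`), but the `workflows:` map in this 43-line file defines only `all`, so the documented `atmos workflow deploy/... -f quickstart/cold-start` commands have nothing to run. `all` is described as going from tfstate to network, yet its single step is `workflow all -f quickstart/foundation/accounts`, so a run that reports success has deployed neither the identity nor the network layer. Either add the missing steps after the existing one, `- command: workflow all -f quickstart/foundation/identity` and `- command: workflow all -f quickstart/network/network`, together with the listed `deploy/*` entries, or trim the header to what the file actually defines.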
@@ -21,10 +21,17 @@ # - deploy/cloudtrail: Enable CloudTrail logging # - deploy/ecr: Deploy ECR registry # +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: Deploy complete accounts layer steps: + - command: workflow initial-setup -f quickstart/foundation/accounts - command: workflow vendor -f quickstart/foundation/accounts - command: workflow init/tfstate -f quickstart/foundation/accounts - command: workflow deploy/tfstate -f quickstart/foundation/accounts @@ -37,6 +44,34 @@ workflows: - command: workflow deploy/cloudtrail -f quickstart/foundation/accounts - command: workflow deploy/ecr -f quickstart/foundation/accounts + initial-setup: + description: Initial commands to run before deploying the accounts layer. + env: + ATMOS_PROFILE: superadmin + ATMOS_IDENTITY: core-root/terraform + steps: + - command: auth login + - command: auth whoami + # Request increase for IAM service quota (This is always in us-east-1) + - command: | + QUOTA_VALUE=$(atmos auth exec --identity core-root/terraform -- \ + aws service-quotas get-service-quota \ + --service-code iam \ + --quota-code L-C07B4B0D \ + --region us-east-1 | jq '.Quota.Value') + + if [[ "$QUOTA_VALUE" != "4096.0" ]]; then + atmos auth exec --identity core-root/terraform -- \ + aws service-quotas request-service-quota-increase \ + --service-code iam \ + --quota-code L-C07B4B0D \ + --desired-value 4096 \ + --region us-east-1 + else + echo "IAM service quota is already at 4096.0" + fi + type: shell + vendor: description: Vendor accounts layer components. steps: 
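Review bot: The quota check in `initial-setup` compares jq's printed output with the string `"4096.0"`, so a jq build that prints the number as `4096`, a failed `get-service-quota` call that leaves `QUOTA_VALUE` empty, and a quota already above 4096 all take the branch that calls `request-service-quota-increase`. Since the first hunk makes `all` run `initial-setup` before anything else, every rerun of the accounts layer can repeat that request under the `core-root/terraform` identity. I would abort the step when the lookup fails and compare numerically, as in the excerpt below. The workflow-level `env` also repeats `ATMOS_PROFILE: superadmin` from the file-level block added in the first hunk, and each command still passes `--identity core-root/terraform` although `ATMOS_IDENTITY` is set to the same value.

```yaml
      - command: |
          # Stop here if the lookup fails, rather than treating an empty value as "below target".
          QUOTA_JSON=$(atmos auth exec --identity core-root/terraform -- \
            aws service-quotas get-service-quota \
              --service-code iam \
              --quota-code L-C07B4B0D \
              --region us-east-1) || exit 1

          # Numeric test: independent of how jq prints the value, and true when the quota is already higher.
          if printf '%s' "$QUOTA_JSON" | jq -e '.Quota.Value >= 4096' >/dev/null; then
            echo "IAM service quota is already at or above 4096"
          else
            # … unchanged: atmos auth exec … request-service-quota-increase call …
          fi
        type: shell
```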
@@ -55,8 +90,9 @@ workflows: init/tfstate: description: Provision Terraform State Backend for initial deployment. steps: + - command: terraform clean tfstate-backend --stack core-use1-root -f - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --auto-generate-backend-file=false - - command: until aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done + - command: until atmos auth exec --identity core-root/terraform -- aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done type: shell - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --init-run-reconfigure=false @@ -70,7 +106,7 @@ workflows: Deploy the AWS Organization. This is required before finishing the root account requirements. steps: - command: terraform deploy aws-organization -s core-gbl-root - - command: aws ram enable-sharing-with-aws-organization + - command: atmos auth exec --identity core-root/terraform -- aws ram enable-sharing-with-aws-organization type: shell deploy/organizational-units: @@ -96,6 +132,7 @@ workflows: description: Deploy Service Control Policies steps: - command: terraform deploy aws-scp/deny-leaving-organization -s core-gbl-root + - command: terraform deploy aws-scp/deny-creating-users -s core-gbl-root deploy/aws-account-settings: description: Apply AWS Account settings for best practices. diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/all.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/all.yaml new file mode 100644 index 000000000..7a2096d34 --- /dev/null +++ b/examples/snippets/stacks/workflows/quickstart/foundation/all.yaml 
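Review bot: The rewritten wait step in `init/tfstate`, `until atmos auth exec --identity core-root/terraform -- aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done`, retries on every non-zero exit, so an expired session or an access-denied response loops forever exactly like a bucket that does not exist yet. Bound it and fail the step at the limit, for example `for i in $(seq 1 60); do atmos auth exec --identity core-root/terraform -- aws s3 ls acme-core-use1-root-tfstate && exit 0; sleep 5; done; exit 1`. The new first step `terraform clean tfstate-backend --stack core-use1-root -f` skips the confirmation prompt; if `clean` with `-f` also removes local state (worth confirming for the Atmos version in use), rerunning this workflow after the first local-state deploy but before the migration to S3 would discard the only record of the backend resources. A comment on that step saying when a rerun is safe would help. The `steps:` list continues outside the hunk.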
@@ -0,0 +1,42 @@
+# Foundation Layer Workflows - Master Orchestrator
+#
+# This workflow orchestrates the complete foundation layer deployment,
+# combining accounts and identity setup in the proper dependency order.
+#
+# Documentation:
+# - https://docs.cloudposse.com/layers/accounts/
+# - https://docs.cloudposse.com/layers/identity/
+#
+# Usage:
+# atmos workflow all -f quickstart/foundation/all
+# atmos workflow deploy/accounts -f quickstart/foundation/all
+# atmos workflow deploy/identity -f quickstart/foundation/all
+#
+# Available workflows:
+# - all: Deploy complete foundation (accounts + identity)
+# - deploy/accounts: Deploy accounts layer only
+# - deploy/identity: Deploy identity layer only
+#
+
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+ ATMOS_PROFILE: superadmin
+
+workflows:
+ all:
+ description: Deploy complete foundation layer (accounts + identity)
+ steps:
+ - command: workflow all -f quickstart/foundation/accounts
+ - command: workflow all -f quickstart/foundation/identity
+
+ deploy/accounts:
+ description: Deploy accounts layer only
+ steps:
+ - command: workflow all -f quickstart/foundation/accounts
+
+ deploy/identity:
+ description: Deploy identity layer only
+ steps:
+ - command: workflow all -f quickstart/foundation/identity
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml
index f7b8cce1b..5a85af019 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml
@@ -18,6 +18,12 @@ # - vendor: Pull required components # - deploy: Deploy all GitOps infrastructure # +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: Run all Atmos Pro workflows diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml index a5057195b..fb83738d1 100644 --- a/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml +++ b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml @@ -19,6 +19,12 @@ # - deploy/iam-role: Deploy Terraform execution roles # - deploy/github-oidc-provider: Deploy GitHub OIDC Provider to all accounts # +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: check-setup: description: Verify that the environment is setup correctly to run these workflows. diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/runs-on.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/runs-on.yaml index 10217c93d..92f27ba20 100644 --- a/examples/snippets/stacks/workflows/quickstart/foundation/runs-on.yaml +++ b/examples/snippets/stacks/workflows/quickstart/foundation/runs-on.yaml @@ -17,6 +17,12 @@ # - vendor: Pull required components # - deploy/runs-on: Deploy RunsOn GitHub Runners # +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: Deploy RunsOn self-hosted runners 
diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml index 923d14399..b3f284ad7 100644 --- a/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml +++ b/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml @@ -1,4 +1,10 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml index 9ec61fe7a..38adf829f 100644 --- a/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml +++ b/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml @@ -1,4 +1,10 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/security-and-compliance.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/security-and-compliance.yaml index 638fb7b6f..5d279e190 100644 --- a/examples/snippets/stacks/workflows/quickstart/monitor/security-and-compliance.yaml +++ b/examples/snippets/stacks/workflows/quickstart/monitor/security-and-compliance.yaml 
@@ -17,7 +17,13 @@ # - deploy/security-hub/step1-3: Deploy Security Hub (3 steps) # - deploy/guardduty/step1-3: Deploy GuardDuty (3 steps) # - deploy/aws-inspector2/step1-2: Deploy AWS Inspector (2 steps) -#workflows: +## NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + +workflows: vendor: description: Vendor compliance layer components and scripts. steps: diff --git a/examples/snippets/stacks/workflows/quickstart/network/network.yaml b/examples/snippets/stacks/workflows/quickstart/network/network.yaml index 79de6c59a..a7efca22a 100644 --- a/examples/snippets/stacks/workflows/quickstart/network/network.yaml +++ b/examples/snippets/stacks/workflows/quickstart/network/network.yaml @@ -21,6 +21,12 @@ # - deploy/bastion: Deploy bastion hosts # +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: run all workflows diff --git a/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml b/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml index 4e15f5ae8..19a1d5a1f 100644 --- a/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml +++ b/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: | diff --git a/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml b/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml index b4469eede..b4dd1a8ec 100644 
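Review bot: In the security-and-compliance.yaml hunk the first added line reads `## NOTE: Use 'superadmin' profile …` with a doubled comment marker, whereas the other files in this commit use `# NOTE:` set off from the header by a bare `#` line or a blank line. The removed line `#workflows:` suggests the `#` that closed the header comment had been fused with the `workflows:` key, and the replacement appears to carry that stray `#` forward. Writing it as a bare `#` line followed by `# NOTE: Use 'superadmin' profile for initial infrastructure setup.` keeps the workflow list and the note visually separate. The hunk for platform/software-delivery.yaml has the same pattern.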
--- a/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml +++ b/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml @@ -1,3 +1,9 @@ +# NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + workflows: all: description: | diff --git a/examples/snippets/stacks/workflows/quickstart/platform/software-delivery.yaml b/examples/snippets/stacks/workflows/quickstart/platform/software-delivery.yaml index 8d9d75373..e4c5e3f8d 100644 --- a/examples/snippets/stacks/workflows/quickstart/platform/software-delivery.yaml +++ b/examples/snippets/stacks/workflows/quickstart/platform/software-delivery.yaml @@ -15,7 +15,13 @@ # - deploy/argocd: Deploy ArgoCD to EKS clusters # - deploy/argocd-repos: Deploy ArgoCD repository configurations # - deploy/iam-identity-center-app/{stage}: Configure SSO SAML for ArgoCD -#workflows: +## NOTE: Use 'superadmin' profile for initial infrastructure setup. +# After SSO is configured and IAM roles are deployed (via identity layer), +# update this to 'managers' for day-to-day operations. +env: + ATMOS_PROFILE: superadmin + +workflows: vendor: description: | This workflow vendors all ArgoCD related components to the latest provided version