♻️ feat: make super user name configurable

examples/snippets/stacks/workflows/quickstart/app/addons.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   deploy:
     description: |

examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   verify/github-oidc-providers:
     description: |

examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     steps:

examples/snippets/stacks/workflows/quickstart/app/data.yaml

@@ -1,3 +1,9 @@
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: run all workflows

examples/snippets/stacks/workflows/quickstart/cold-start.yaml

@@ -0,0 +1,43 @@
+# Cold-Start Workflow - Complete Infrastructure Bootstrap
+#
+# This workflow orchestrates the complete infrastructure deployment from scratch,
+# following the proper dependency order:
+#   1. Terraform state backend
+#   2. AWS Organization and accounts
+#   3. IAM Identity Center (SSO) and execution roles
+#   4. Network layer (VPCs, Transit Gateway, DNS)
+#
+# Usage:
+#   # Complete cold-start deployment:
+#   atmos workflow all -f quickstart/cold-start
+#
+#   # Individual layers:
+#   atmos workflow deploy/foundation -f quickstart/cold-start
+#   atmos workflow deploy/network -f quickstart/cold-start
+#
+#   # Step-by-step validation:
+#   atmos workflow deploy/tfstate -f quickstart/cold-start
+#   atmos workflow deploy/accounts -f quickstart/cold-start
+#   atmos workflow deploy/identity -f quickstart/cold-start
+#   atmos workflow deploy/network -f quickstart/cold-start
+#
+# Available workflows:
+#   - all: Complete cold-start deployment (tfstate → network)
+#   - deploy/foundation: Deploy foundation layer (accounts + identity)
+#   - deploy/tfstate: Initialize Terraform state backend
+#   - deploy/accounts: Deploy accounts layer
+#   - deploy/identity: Deploy identity layer
+#   - deploy/network: Deploy network layer
+#
+
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
+workflows:
+  all:
+    description: Complete cold-start deployment from tfstate to network
+    steps:
+      - command: workflow all -f quickstart/foundation/accounts

examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml

@@ -21,10 +21,17 @@
 #   - deploy/cloudtrail: Enable CloudTrail logging
 #   - deploy/ecr: Deploy ECR registry
 #
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: Deploy complete accounts layer
     steps:
+      - command: workflow initial-setup -f quickstart/foundation/accounts
       - command: workflow vendor -f quickstart/foundation/accounts
       - command: workflow init/tfstate -f quickstart/foundation/accounts
       - command: workflow deploy/tfstate -f quickstart/foundation/accounts
@@ -37,6 +44,34 @@ workflows:
       - command: workflow deploy/cloudtrail -f quickstart/foundation/accounts
       - command: workflow deploy/ecr -f quickstart/foundation/accounts
 
+  initial-setup:
+    description: Initial commands to run before deploying the accounts layer.
+    env:
+      ATMOS_PROFILE: superadmin
+      ATMOS_IDENTITY: core-root/terraform
+    steps:
+      - command: auth login
+      - command: auth whoami
+      # Request increase for IAM service quota (This is always in us-east-1)
+      - command: |
+          QUOTA_VALUE=$(atmos auth exec --identity core-root/terraform -- \
+            aws service-quotas get-service-quota \
+            --service-code iam \
+            --quota-code L-C07B4B0D \
+            --region us-east-1 | jq '.Quota.Value')
+
+          if [[ "$QUOTA_VALUE" != "4096.0" ]]; then
+            atmos auth exec --identity core-root/terraform -- \
+              aws service-quotas request-service-quota-increase \
+              --service-code iam \
+              --quota-code L-C07B4B0D \
+              --desired-value 4096 \
+              --region us-east-1
+          else
+            echo "IAM service quota is already at 4096.0"
+          fi
+        type: shell
+
   vendor:
     description: Vendor accounts layer components.
     steps:
@@ -55,8 +90,9 @@ workflows:
   init/tfstate:
     description: Provision Terraform State Backend for initial deployment.
     steps:
+      - command: terraform clean tfstate-backend --stack core-use1-root -f
       - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --auto-generate-backend-file=false
-      - command: until aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done
+      - command: until atmos auth exec --identity core-root/terraform -- aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done
         type: shell
       - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --init-run-reconfigure=false
 
@@ -70,7 +106,7 @@ workflows:
       Deploy the AWS Organization. This is required before finishing the root account requirements.
     steps:
       - command: terraform deploy aws-organization -s core-gbl-root
-      - command: aws ram enable-sharing-with-aws-organization
+      - command: atmos auth exec --identity core-root/terraform -- aws ram enable-sharing-with-aws-organization
         type: shell
 
   deploy/organizational-units:
@@ -96,6 +132,7 @@ workflows:
     description: Deploy Service Control Policies
     steps:
       - command: terraform deploy aws-scp/deny-leaving-organization -s core-gbl-root
+      - command: terraform deploy aws-scp/deny-creating-users -s core-gbl-root
 
   deploy/aws-account-settings:
     description: Apply AWS Account settings for best practices.

examples/snippets/stacks/workflows/quickstart/foundation/all.yaml

@@ -0,0 +1,42 @@
+# Foundation Layer Workflows - Master Orchestrator
+#
+# This workflow orchestrates the complete foundation layer deployment,
+# combining accounts and identity setup in the proper dependency order.
+#
+# Documentation:
+#   - https://docs.cloudposse.com/layers/accounts/
+#   - https://docs.cloudposse.com/layers/identity/
+#
+# Usage:
+#   atmos workflow all -f quickstart/foundation/all
+#   atmos workflow deploy/accounts -f quickstart/foundation/all
+#   atmos workflow deploy/identity -f quickstart/foundation/all
+#
+# Available workflows:
+#   - all: Deploy complete foundation (accounts + identity)
+#   - deploy/accounts: Deploy accounts layer only
+#   - deploy/identity: Deploy identity layer only
+#
+
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
+workflows:
+  all:
+    description: Deploy complete foundation layer (accounts + identity)
+    steps:
+      - command: workflow all -f quickstart/foundation/accounts
+      - command: workflow all -f quickstart/foundation/identity
+
+  deploy/accounts:
+    description: Deploy accounts layer only
+    steps:
+      - command: workflow all -f quickstart/foundation/accounts
+
+  deploy/identity:
+    description: Deploy identity layer only
+    steps:
+      - command: workflow all -f quickstart/foundation/identity

examples/snippets/stacks/workflows/quickstart/foundation/atmos-pro.yaml

@@ -18,6 +18,12 @@
 #   - vendor: Pull required components
 #   - deploy: Deploy all GitOps infrastructure
 #
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   all:
     description: Run all Atmos Pro workflows

examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml

@@ -19,6 +19,12 @@
 #   - deploy/iam-role: Deploy Terraform execution roles
 #   - deploy/github-oidc-provider: Deploy GitHub OIDC Provider to all accounts
 #
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
+env:
+  ATMOS_PROFILE: superadmin
+
 workflows:
   check-setup:
     description: Verify that the environment is setup correctly to run these workflows.