
Reference architecture should be deployable over SAR #1

Open
OlafConijn opened this issue Jan 9, 2021 · 2 comments
@OlafConijn
Member

would be most convenient to deploy the reference architecture using the Serverless Application Repository (from within the management account).

Limitations in CloudFormation would prevent you from executing code (can't do: org-formation init)... but if you do something like set up a codecommit/codebuild/codepipeline, point it at an 'initial-commit.zip' it will run automatically.

this is a bit of a hack but imho really worth the while.

implementing this reference architecture would then be as easy as:

  1. create account
  2. deploy using SAR
  3. done
@mbarneyjr

I would love to see something like this, I think it could even be part of the org-formation cli itself. I do have some thoughts:

I just started to build a landing zone/org-formation setup from scratch to see what the process would be, and there's definitely some manual work required initially before you can let org-formation start configuring everything, like creating the organization itself and enabling all features and policy types. I think these are things that org-formation could handle directly. As someone who works with many different customers and will likely be doing this a bunch, I'd love to have a really streamlined process for creating and configuring new AWS organizations

I would love to be able to take an existing orgformation repo like this reference architecture or something else (replacing the emails and account id of the management account - maybe these could be parameterized?), and have that be all I need to tell org-formation to create my organization. Including a build account setup (which now requires you to go in and manually create the build account first). All of that starting with a brand new AWS account (assuming I've created a user to execute org-formation with). I basically want to treat something like this reference architecture repo as a parameterized template for how I want to define AWS Organizations configurations for any number of customers/management accounts

There are some kinks to something like this, for instance AWS SSO, since that is required to be manually set up, so any SSO configuration I might have in my reference architecture would break the first time around, so I'd probably have to break that out into a two-step process. The CLI would also have to be pretty solid around how it handles retries since AWS accounts can take a bit until they're ready to be used after creation

Ultimately, I'd still want everything else to be in one org-formation create-everything-for-me command

These are just some thoughts, what we have now is fantastic and light-years ahead of anything else, so I definitely appreciate all of the work put into building something like this ❤️

@OlafConijn
Member Author

yes - I think we think about this along the same lines.

I am currently working on this and my current thinking is a bit like the following:
org-formation init-pipeline --build-account-id 1111 --etc --template https://raw.github.com/path/to.zip
this would:

  1. download the zip and replace contents with defaults and/or parameters
  2. repack the output and upload to codecommit as the initial commit.

I am going to take the SSO things out of this project as it requires manual steps.
I think it should be possible to have other projects with e.g. compliance as code using AWS Config, monitoring towards Slack that could be installed in a similar way and wire these together. Still, having this baseline is step 1.

SAR would install a cloudformation template that creates an initial pipeline to bootstrap this process.
The steps would roughly be:

  1. visit SAR in the AWS console, select template and install the pipeline that bootstraps
  2. the pipeline that bootstraps runs npm i on org-formation and then org-formation init-pipeline --build-account-id 1111 --etc --template https://raw.github.com/path/to.zip
  3. org-formation init-pipeline creates (?) or assumes a role in the build account and sets up the org-formation repository.

quite a bit to wrap your head around I guess :) but pretty sure this will work.
happy to think about a structure in which we can work together on this!

@OlafConijn OlafConijn self-assigned this Apr 20, 2021
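The two comments above describe the same bootstrap step from different angles: an 'initial-commit.zip' that a pipeline checks out, and an init-pipeline command that downloads that zip, replaces its contents with defaults and parameters, and repacks it as the initial commit. The following is an added example, not code from org-formation or from anyone in this thread, of what that replace-and-repack step can look like. It assumes a {{Name}} placeholder syntax, a DEFAULTS table, and a constructed sample zip; none of those come from the project. It also rejects zip entries that would escape the repository root, a check worth having when the zip is fetched from a URL, and fails loudly on placeholders that received no value rather than shipping an organization file with a template token still in it.

```python
import io
import posixpath
import re
import zipfile

# Placeholder syntax is an assumption for this example ({{Name}}); the thread
# above does not define one.
PLACEHOLDER_RE = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

# Only text files get substitution; anything else is copied byte-for-byte.
TEXT_SUFFIXES = (".yml", ".yaml", ".json", ".md", ".txt")

# Defaults used when the caller supplies no value (assumed values, not the project's).
DEFAULTS = {"BuildAccountName": "build"}


def _safe_entry_name(name: str) -> str:
    """Reject entries that would land outside the repository root when checked out."""
    normalized = posixpath.normpath(name)
    if name.startswith(("/", "\\")) or "\\" in name \
            or normalized == ".." or normalized.startswith("../"):
        raise ValueError(f"unsafe zip entry name: {name!r}")
    return normalized


def list_placeholders(template_zip: bytes) -> set:
    """Collect every placeholder name used in the text files of the template zip."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(template_zip)) as src:
        for info in src.infolist():
            if not info.is_dir() and info.filename.endswith(TEXT_SUFFIXES):
                found.update(PLACEHOLDER_RE.findall(src.read(info.filename).decode("utf-8")))
    return found


def render_template_zip(template_zip: bytes, parameters: dict) -> bytes:
    """Return a new zip with placeholders replaced; KeyError if any stays unresolved."""
    values = {**DEFAULTS, **parameters}
    unresolved = set()
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(template_zip)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = _safe_entry_name(info.filename)
            if info.is_dir():
                continue  # directories are implied by the file paths
            data = src.read(info.filename)
            if name.endswith(TEXT_SUFFIXES):
                def substitute(match):
                    key = match.group(1)
                    if key not in values:
                        unresolved.add(key)
                        return match.group(0)
                    return str(values[key])
                data = PLACEHOLDER_RE.sub(substitute, data.decode("utf-8")).encode("utf-8")
            dst.writestr(name, data)
    if unresolved:
        raise KeyError(f"no value for placeholders: {sorted(unresolved)}")
    return out.getvalue()


def build_zip(entries: dict) -> bytes:
    """Pack {name: text} into zip bytes (used here to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def read_zip_entry(zip_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name).decode("utf-8")


# Constructed sample 'initial-commit.zip': a minimal organization.yml in the
# org-formation style plus a README, with placeholders where per-customer values go.
SAMPLE_TEMPLATE_ZIP = build_zip({
    "organization.yml": (
        "AWSTemplateFormatVersion: '2010-09-09-OC'\n"
        "Organization:\n"
        "  MasterAccount:\n"
        "    Type: OC::ORG::MasterAccount\n"
        "    Properties:\n"
        "      AccountId: '{{ManagementAccountId}}'\n"
        "      RootEmail: {{ManagementEmail}}\n"
        "  BuildAccount:\n"
        "    Type: OC::ORG::Account\n"
        "    Properties:\n"
        "      AccountName: {{BuildAccountName}}\n"
        "      RootEmail: {{BuildAccountEmail}}\n"
    ),
    "README.md": "# Landing zone for {{ManagementAccountId}}\n",
})

if __name__ == "__main__":
    print("placeholders:", sorted(list_placeholders(SAMPLE_TEMPLATE_ZIP)))
    rendered = render_template_zip(SAMPLE_TEMPLATE_ZIP, {
        "ManagementAccountId": "111111111111",
        "ManagementEmail": "root+mgmt@example.com",
        "BuildAccountEmail": "root+build@example.com",
    })
    print(read_zip_entry(rendered, "organization.yml"))
```

The output bytes are what the pipeline would upload as the initial commit; listing placeholders first gives a CLI a way to tell the operator which values (emails, management account id) still need to be passed, which is the parameterization the second comment asks for.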