Document multi-account deployment best practices and resources
From Gitter.
It would be helpful for the copilot docs to include some documentation around deploying to multiple accounts, for example, having a separate test and a prod account. Some useful details to include:
- What resources are created in each account
- How pipelines work with multiple accounts
- Which credentials to use when (kinda covered here)
Related issue: https://github.com/aws/copilot-cli/issues/2939
@iamhopaul123 https://github.com/aws/copilot-cli/issues/2939#issuecomment-949031717 mentions in this issue that multiple accounts is possible/encouraged, but it's not clear to me how to do this.
@craigjbass Let's take the same example from the issue that you have mentioned above to help you understand multiple accounts implementation with Copilot.
- Let's say you run `copilot app init --name example`, then your application's infrastructure role stack will be created in your tooling (default) AWS account.
- Now you can run `copilot env init --name prod --app example --profile prod` and then `copilot env deploy --name prod --app example` and your environment will be set up under the prod account and it will be linked to your example app in the tooling account. In this environment you can deploy your choice of services, jobs etc.
- As I mentioned in the previous point, you can now run `copilot svc init --app example --env prod` followed by `copilot svc deploy --app example --env prod` and it will create a service inside the prod environment.
Please let us know if you have any more questions.
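The account split described in the reply above can be checked before `copilot env init` is run with the prod profile. This is an added example, not part of the thread or of Copilot's own tooling; the function names and the `AWS_CLI` override are assumptions, while `aws sts get-caller-identity` is the standard AWS CLI call.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): preflight before
#   copilot env init --name prod --app example --profile prod
# Confirms the tooling credentials and the environment profile resolve to
# different AWS accounts. Function names and AWS_CLI are assumptions.

AWS_CLI="${AWS_CLI:-aws}"   # overridable so the check can be exercised offline

# Print the account ID behind a named profile ("" = default credential chain).
account_for_profile() {
  if [ -n "$1" ]; then
    "$AWS_CLI" sts get-caller-identity --query Account --output text --profile "$1"
  else
    "$AWS_CLI" sts get-caller-identity --query Account --output text
  fi
}

# True when the argument looks like a 12-digit AWS account ID.
is_account_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'
}

# Returns 0: distinct accounts, 1: same account, 2: lookup failed
# (for example an expired SSO session or a missing profile).
check_account_split() {
  cas_tooling="$(account_for_profile "$1")" || return 2
  cas_env="$(account_for_profile "$2")" || return 2
  is_account_id "$cas_tooling" || return 2
  is_account_id "$cas_env" || return 2
  [ "$cas_tooling" != "$cas_env" ] || return 1
  return 0
}

# Usage: ./preflight.sh <tooling-profile or ""> <env-profile>
if [ "$#" -eq 2 ]; then
  if check_account_split "$1" "$2"; then
    echo "OK: tooling=$cas_tooling env=$cas_env"
  else
    echo "STOP: same account or identity lookup failed" >&2
    exit 1
  fi
fi
```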
Thanks for the reply, that's interesting! It did not occur to me that the application infrastructure role stack could exist in a different account (I didn't really understand how this component worked).
Hmm, I wonder how this would work with e.g. AWS SSO (now IAM Identity Center). I presume the profile prod needs access to resources in the tooling account?
jumping in to link https://github.com/aws/copilot-cli/issues/3786 - there are a few multi account options discussed over there!