Quickstart
Start using telophasecli
Requirements
- You must have AWS Organizations enabled.
- Follow the directions from here to set up your AWS Organization.
- The AWS CLI must be configured. See Authentication below.
Installation
Go
```sh
go install github.com/santiago-labs/telophasecli@latest
```
Homebrew
```sh
brew tap Santiago-Labs/telophasecli
brew install telophasecli
```
Authentication
Note: Set AWS_SDK_LOAD_CONFIG=1 when passing environment variables directly, e.g.:
```sh
AWS_PROFILE=<profile_name> AWS_SDK_LOAD_CONFIG=1 telophasecli account import
```
Option 1: IAM Identity Center/AWS SSO (Recommended)
- Navigate to Identity Center in the Management Account.
- Create a group and add the users who will manage accounts and apply IaC changes.
- Navigate to the AWS accounts tab in Identity Center.
- Assign the group to all accounts you want Telophase to manage (note: you must include your management account).
- Assign these permission sets to the group:
  - AWSOrganizationsFullAccess: this policy allows the creation of organizations and linked roles.
  - sts:*: this policy allows the AWS CLI to assume roles in sub-accounts to update infrastructure.
- Configure the AWS CLI using aws configure sso. Make sure to choose the region where IAM Identity Center is configured!
For more details, visit the Identity Center CLI Guide.
Option 2: IAM
- Navigate to IAM in the Management Account.
- Create a role and attach the following policies:
  - AWSOrganizationsFullAccess: this policy allows the creation of organizations and linked roles.
  - sts:*: this policy allows the AWS CLI to assume roles in sub-accounts to update infrastructure.
- Configure the AWS CLI to use the role you just created.
- Follow the instructions here to configure the CLI with role-based access.
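Both options end the same way: the AWS CLI acts as a principal in the management account of an organization that has AWS Organizations enabled. The pre-flight script below is an added example, not part of telophasecli; it runs `aws sts get-caller-identity` and `aws organizations describe-organization` (the field names are those two commands' JSON output) and refuses to proceed if the CLI is authenticated to a member account or Organizations is not in use. The root-user check is this example's own policy, not a telophase requirement, and the sample responses are constructed.

```python
"""Pre-flight check before running telophasecli (added example, not telophase code)."""
import json
import subprocess
import sys


def run_aws(args):
    """Run an AWS CLI command with JSON output and return the parsed result."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or f"aws {' '.join(args)} failed")
    return json.loads(proc.stdout)


def preflight_problems(identity, organization):
    """Return problems found in the caller identity / organization data.

    identity:     output of `aws sts get-caller-identity`
    organization: output of `aws organizations describe-organization`
                  ({} if that call failed because Organizations is not enabled)
    An empty list means telophasecli can be run as this principal.
    """
    problems = []
    org = organization.get("Organization") or {}
    account = identity.get("Account")
    arn = identity.get("Arn", "")
    if not org:
        problems.append("AWS Organizations is not enabled for this account (no Organization returned)")
    elif account != org.get("MasterAccountId"):
        problems.append(f"CLI is authenticated to account {account}, but the management account is "
                        f"{org.get('MasterAccountId')}; telophase must run from the management account")
    # Policy of this example only: org-wide changes should not be driven as the
    # account root user; the page's Option 1 (Identity Center) or Option 2 (IAM role) both avoid it.
    if arn.endswith(":root"):
        problems.append("CLI is authenticated as the account root user; use Identity Center or an IAM role")
    return problems


# Constructed samples shaped like the two CLI responses (not real account ids).
SAMPLE_IDENTITY = {
    "UserId": "AROAEXAMPLEID:ethan",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_TelophaseAdmin_example/ethan",
}
SAMPLE_ORGANIZATION = {
    "Organization": {
        "Id": "o-exampleorgid",
        "MasterAccountId": "111111111111",
        "MasterAccountEmail": "aws-root@example.com",
        "FeatureSet": "ALL",
    }
}


def main():
    identity = run_aws(["sts", "get-caller-identity"])
    try:
        organization = run_aws(["organizations", "describe-organization"])
    except RuntimeError as exc:  # e.g. AWSOrganizationsNotInUseException
        print(f"describe-organization failed: {exc}", file=sys.stderr)
        organization = {}
    problems = preflight_problems(identity, organization)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print(f"OK: {identity.get('Arn')} is in management account {identity.get('Account')}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same AWS_PROFILE (and AWS_SDK_LOAD_CONFIG=1, as noted above) that telophasecli will use, so the identity it checks is the one telophasecli will act as.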
Configure organization.yml
Telophase uses a file called organization.yml to manage your AWS Organization and IaC. See organization.yml for configuration options.
Option 1: Import Existing AWS Organization
Telophase can import your AWS Organization (including its OU structure):
```sh
telophasecli account import
```
This command will output an organization.yml file containing all the accounts in your AWS Organization. You can remove any accounts you don't want Telophase to manage from this file.
Option 2: Start From Scratch
If you prefer to start fresh and not have Telophase manage any of your existing accounts, create the organization.yml file with the following content:
```yaml
Organization:
  Name: root
```
You’re ready!
Here are a few examples of what you can do. Visit Features for a more detailed guide.
Example: Create account
Create an account by adding a new entry to organization.yml:
```yaml
Organization:
  Name: root
  Accounts:
    - Email: ethan+ci@telophase.dev
      AccountName: CI
```
Then run telophasecli account deploy.
Example: Apply Terraform
You can apply IaC by assigning a stack to the account in organization.yml:
```yaml
Organization:
  Name: root
  Accounts:
    - Email: ethan+ci@telophase.dev
      AccountName: CI
      Stacks:
        - Path: tf/ci_blueprint
          Type: Terraform
```
Then run telophasecli deploy.
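Because `telophasecli account deploy` and `telophasecli deploy` act on every entry in organization.yml, it pays to lint the file before either command runs. The linter below is an added example, not telophase code: it parses the YAML subset the examples on this page use (nested mappings, lists of mappings, string scalars) with only the standard library and checks the shape shown above, that is, Organization.Name, each account's Email and AccountName, and each stack's Path and Type. The email-uniqueness rule and the requirement that Path be a relative path that does not climb out of the repository are this example's own policy, not documented telophase behaviour, and both sample documents are constructed.

```python
"""Lint organization.yml before telophasecli deploys it (added example, not telophase code).
Parses the YAML subset used by this page's examples with the standard library, then checks the
shape shown on the page; Email uniqueness and the relative-Path rule are this example's policy."""


def parse_yaml_subset(text):
    """Nested mappings, lists of mappings and string scalars -> dicts/lists of str."""
    lines = [[len(r) - len(r.lstrip(" ")), r.strip()] for r in text.splitlines()
             if r.strip() and not r.strip().startswith("#")]
    pos = 0

    def node(indent):
        return seq(indent) if lines[pos][1].startswith("- ") else mapping(indent)

    def mapping(indent):
        nonlocal pos
        result = {}
        while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
            key, _, value = lines[pos][1].partition(":")
            pos += 1
            value = value.strip().strip("\"'")
            nxt = lines[pos] if pos < len(lines) else None
            if value:
                result[key.strip()] = value
            elif nxt and (nxt[0] > indent or (nxt[0] == indent and nxt[1].startswith("- "))):
                result[key.strip()] = node(nxt[0])  # a nested mapping or list follows
            else:
                result[key.strip()] = None
        return result

    def seq(indent):
        nonlocal pos
        items = []
        while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
            content = lines[pos][1][2:].strip()
            if ":" in content:  # "- key: value" opens a mapping two columns past the dash
                lines[pos] = [indent + 2, content]
                items.append(mapping(indent + 2))
            else:
                items.append(content.strip("\"'"))
                pos += 1
        return items

    doc = node(lines[0][0]) if lines else {}
    if pos != len(lines):
        raise ValueError(f"unexpected indentation at: {lines[pos][1]!r}")
    return doc


def validate_organization(doc):
    """Return a list of problems; an empty list means the document passes."""
    org = doc.get("Organization") if isinstance(doc, dict) else None
    if not isinstance(org, dict):
        return ["top-level 'Organization' mapping is missing"]
    problems = [] if org.get("Name") else ["Organization.Name is missing"]
    seen_emails = set()
    for i, acct in enumerate(org.get("Accounts") or []):
        where, acct = f"Accounts[{i}]", acct if isinstance(acct, dict) else {}
        email = str(acct.get("Email") or "").lower()  # compared case-insensitively
        if "@" not in email:
            problems.append(f"{where}: Email {acct.get('Email')!r} is missing or malformed")
        elif email in seen_emails:
            problems.append(f"{where}: duplicate Email {email!r}; each AWS account needs its own")
        seen_emails.add(email)
        if not acct.get("AccountName"):
            problems.append(f"{where}: AccountName is missing")
        for j, stack in enumerate(acct.get("Stacks") or []):
            stack = stack if isinstance(stack, dict) else {}
            path = str(stack.get("Path") or "")
            if not path or path.startswith("/") or ".." in path.split("/"):
                problems.append(f"{where}.Stacks[{j}]: Path {path!r} must be relative and inside the repository")
            if not stack.get("Type"):
                problems.append(f"{where}.Stacks[{j}]: Type is missing")
    return problems


def lint(text):
    """Parse and validate organization.yml text; returns the list of problems."""
    try:
        return validate_organization(parse_yaml_subset(text))
    except ValueError as exc:
        return [f"parse error: {exc}"]


# Constructed sample: the "Apply Terraform" example from this page.
GOOD_YAML = """\
Organization:
  Name: root
  Accounts:
    - Email: ethan+ci@telophase.dev
      AccountName: CI
      Stacks:
        - Path: tf/ci_blueprint
          Type: Terraform
"""
# Constructed sample appending deliberate mistakes: a reused email, a Path that leaves the repo, no Type.
BAD_YAML = GOOD_YAML + """\
    - Email: Ethan+CI@telophase.dev
      AccountName: Staging
      Stacks:
        - Path: ../outside_repo
"""
```

Call `lint(open("organization.yml").read())` from a pre-deploy hook and stop on a non-empty result; `lint(GOOD_YAML)` returns an empty list, while `lint(BAD_YAML)` reports the duplicate email, the escaping path and the missing Type for the second account.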