src/config/landing-zone-settings.ts contains the core deployment boundary for your landing zone. These values are read by every stack and StackSet to wire names, targets, and regions correctly.
Two account IDs anchor the deployment. The management account is your AWS Organizations root, where the organization phase runs. The landing zone account is a dedicated member account that deploys the StackSet stacks as the CloudFormation StackSets delegated administrator, so day-to-day provisioning does not run from the management account. See Stacks for how the two phases relate.
After changing this file, re-run pnpm exec projen to regenerate the npm scripts and GitHub Actions workflow with the updated values.
Options
| Option | Type | Required | Description |
|---|---|---|---|
organizationName | string | Yes | Short organization slug used for resource names and tags. Use lowercase and dashes. |
mailDomain | string | Yes | Email domain used to generate root email addresses for new AWS accounts (e.g. aws+log@your-org.com). |
managementAccountId | string | Yes | 12-digit AWS Organizations management account ID. The organization phase deploys here. |
landingZoneAccountId | string | No* | 12-digit ID of the dedicated member account that deploys the landing-zone StackSets as the CloudFormation StackSets delegated administrator. Leave it unset only for the very first organization-phase deploy; set it before you deploy the landing-zone phase. *Required to deploy the landingzone phase. |
primaryRegion | string | Yes | Primary AWS Region where the CDK app and landing-zone resources deploy. |
secondaryRegions | string[] | Yes | Additional active Regions that receive multi-region StackSet deployments. Pass [] if you only use one region. |
externalAdmins | LandingZoneExternalAdmin[] | No | Enables an ExternalAccessStackSet that grants one or more third-party accounts admin access across organization accounts. Each entry takes accountId (string, required), managedPolicyName (string, optional, default ReadOnlyAccess), and roleName (string, optional, default ExternalLandingZoneAdmin-<accountId>). |
organizationAccountLimit | number | No | Desired AWS Organizations maximum-accounts quota. When set, the Provision Management StackSet requests it against the management account. The request is idempotent and approval is asynchronous. |
Example
export const landingZoneSettings: LandingZoneSettings = {
organizationName: 'acme',
mailDomain: 'acme.com',
managementAccountId: '123456789012',
landingZoneAccountId: '234567890123',
primaryRegion: 'eu-west-1',
secondaryRegions: ['us-east-1'],
externalAdmins: [
{
accountId: '111122223333',
managedPolicyName: 'ReadOnlyAccess',
},
],
organizationAccountLimit: 120,
};
How it's used
These settings flow into every part of the landing zone:
organizationNameandmailDomainprefix the generated OU and account names defined in organization-structure.tsmanagementAccountId,landingZoneAccountId, andprimaryRegionare embedded in the generatedorganization:*andlandingzone:*npm scripts and the two-account GitHub Actions deployment workflow bypnpm exec projenprimaryRegionandsecondaryRegionsdetermine which regions the region-guardrail SCP allows (see Service Control Policies) and which regions multi-region StackSets such as Account Security and Central Alerts targetexternalAdminsdeploys anExternalAccessStackSetacross the organization when setorganizationAccountLimitis passed into theProvisionManagementStackSet, which requests the quota against the management account when set
Things to know
- Re-run
pnpm exec projenafter every change to this file, as the generated workflow and npm scripts embedmanagementAccountId,landingZoneAccountId, andprimaryRegiondirectly landingZoneAccountIdhas a bootstrapping quirk: leave it unset for the first organization-only deploy, then set it to the ID of theLandingZoneAccountthat the organization phase creates and re-runpnpm exec projenbefore deploying the landing-zone phase. Install walks through this orderingorganizationNameshould be stable: changing it renames all OU and account resources, which CloudFormation handles as a delete-and-recreate- Email addresses for accounts must be globally unique across all of AWS; the
mailDomainapproach usingaws+<alias>@your-domain.comkeeps them namespaced under your domain