AWS CDK Landing Zone

Landing Zone Settings

Configure the core settings for your AWS CDK Landing Zone deployment, including organization name, mail domain, management account ID, and regions.

src/config/landing-zone-settings.ts contains the core deployment boundary for your landing zone. These values are read by every stack and StackSet to wire names, targets, and regions correctly.

After changing this file, re-run pnpm exec projen to regenerate the npm scripts and GitHub Actions workflow with the updated values.

Options

Option | Type | Required | Description
organizationName | string | Yes | Short organization slug used for resource names and tags. Use lowercase and dashes.
mailDomain | string | Yes | Email domain used to generate root email addresses for new AWS accounts (e.g. aws+log@your-org.com).
managementAccountId | string | Yes | 12-digit AWS Organizations management account ID.
primaryRegion | string | Yes | Primary AWS Region where the CDK app and management resources deploy.
secondaryRegions | string[] | Yes | Additional active Regions that receive multi-region StackSet deployments. Pass [] if you only use one region.
externalAdmins | LandingZoneExternalAdmin[] | No | Enables an ExternalAccessStackSet that grants one or more third-party accounts admin access across organization accounts. Each entry takes accountId (string, required), managedPolicyName (string, optional, default ReadOnlyAccess), and roleName (string, optional, default ExternalLandingZoneAdmin-<accountId>).
organizationAccountLimit | number | No | Desired AWS Organizations account limit. Submits a Service Quotas request from us-east-1 (the required region for Organizations quota requests). Approval is asynchronous.

Example

export const landingZoneSettings: LandingZoneSettings = {
  organizationName: 'acme',
  mailDomain: 'acme.com',
  managementAccountId: '123456789012',
  primaryRegion: 'eu-west-1',
  secondaryRegions: ['us-east-1'],
  externalAdmins: [
    {
      accountId: '111122223333',
      managedPolicyName: 'ReadOnlyAccess',
    },
  ],
  organizationAccountLimit: 120,
};

How it's used

These settings flow into every part of the landing zone:

  • organizationName and mailDomain prefix the generated OU and account names defined in organization-structure.ts
  • managementAccountId and primaryRegion are embedded in the generated management:* npm scripts and the GitHub Actions deployment workflow by pnpm exec projen
  • primaryRegion and secondaryRegions determine which regions the region-guardrail SCP allows (see Service Control Policies) and which regions multi-region StackSets such as Secure Defaults and Central Alerts target
  • externalAdmins deploys an ExternalAccessStackSet across the organization when set
  • organizationAccountLimit deploys an OrganizationAccountQuotaStackSet in us-east-1 when set

Things to know

  • Re-run pnpm exec projen after every change to this file, as the generated workflow and npm scripts embed managementAccountId and primaryRegion directly
  • organizationName should be stable: changing it renames all OU and account resources, which CloudFormation handles as a delete-and-recreate
  • Email addresses for accounts must be globally unique across all of AWS; the mailDomain approach using aws+<alias>@your-domain.com keeps them namespaced under your domain
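As an added example (not the project's own code), a small TypeScript checker for the constraints this page states: 12-digit account IDs, a lowercase-and-dash organization slug, valid and non-repeated regions, and the documented defaults for externalAdmins and account root emails. The interfaces mirror the options table; validateLandingZoneSettings, externalAdminRoleName, externalAdminPolicyName and accountRootEmail are hypothetical helper names, and the region regex is only a shape check.

```typescript
// Added example, not project code: validate a LandingZoneSettings object before running
// pnpm exec projen, so a typo does not end up baked into the workflow or an SCP.
export interface LandingZoneExternalAdmin {
  accountId: string;
  managedPolicyName?: string;
  roleName?: string;
}
export interface LandingZoneSettings {
  organizationName: string;
  mailDomain: string;
  managementAccountId: string;
  primaryRegion: string;
  secondaryRegions: string[];
  externalAdmins?: LandingZoneExternalAdmin[];
  organizationAccountLimit?: number;
}
const ACCOUNT_ID = /^\d{12}$/;
const ORG_SLUG = /^[a-z]+(-[a-z]+)*$/;          // lowercase and dashes, as the docs require
const REGION = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;   // coarse shape check, e.g. eu-west-1 (assumption)

/** Returns the problems found; an empty list means the settings are consistent. */
export function validateLandingZoneSettings(s: LandingZoneSettings): string[] {
  const problems: string[] = [];
  if (!ORG_SLUG.test(s.organizationName)) problems.push('organizationName must be lowercase letters and dashes');
  if (!ACCOUNT_ID.test(s.managementAccountId)) problems.push('managementAccountId must be a 12-digit account ID');
  const regions = [s.primaryRegion, ...s.secondaryRegions];
  for (const r of regions) if (!REGION.test(r)) problems.push(`region ${r} is not a valid region code`);
  if (new Set(regions).size !== regions.length) problems.push('secondaryRegions must not repeat primaryRegion or each other');
  for (const a of s.externalAdmins ?? []) {
    if (!ACCOUNT_ID.test(a.accountId)) problems.push(`externalAdmins accountId ${a.accountId} must be a 12-digit account ID`);
    // Listing the management account as an "external" admin is almost certainly a copy-paste mistake.
    if (a.accountId === s.managementAccountId) problems.push('externalAdmins must not include the management account');
  }
  const limit = s.organizationAccountLimit;
  if (limit !== undefined && (!Number.isInteger(limit) || limit <= 0)) problems.push('organizationAccountLimit must be a positive integer');
  return problems;
}
/** Role name an externalAdmins entry resolves to (documented default ExternalLandingZoneAdmin-<accountId>). */
export function externalAdminRoleName(a: LandingZoneExternalAdmin): string {
  return a.roleName ?? `ExternalLandingZoneAdmin-${a.accountId}`;
}
/** Managed policy an externalAdmins entry resolves to (documented default ReadOnlyAccess). */
export function externalAdminPolicyName(a: LandingZoneExternalAdmin): string {
  return a.managedPolicyName ?? 'ReadOnlyAccess';
}
/** Root email generated for a new account alias from mailDomain, e.g. aws+log@acme.com. */
export function accountRootEmail(s: LandingZoneSettings, alias: string): string {
  return `aws+${alias}@${s.mailDomain}`;
}
```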