Aws Naming

AWS Resource Naming Conventions #

Global Resource Naming and Onboarding App Team Process #

  1. All naming information is provided by the project manager and verified with the infrastructure team to fit within the naming criteria below.
  2. Approved names are added to the master lookup tables at the centralized GitHub location for all Terraform code to reference.
  3. Names are then submitted to the Okta team for inclusion in resource-based group names that grant access to whichever platforms are needed with the correct permission sets.
  4. The five core informational nodes of the resource names should be consistent across all resources in all platforms and across resource access groups in Okta.
  5. Each resource type has a separate naming pattern.

Layout #

  1. All lowercase, split with dashes.
<node1>-<node2>-[<node3>]

[] denotes an optional node.

A <#description#> node can be added to aid human readability. Multiple description nodes are allowed, but mind the overall pattern character limit.

OU Pattern #

ou-<agency>-[<division>]-aws-<product/org-category>-[<#description#>-][<project/team>-][<prod/nonprod>-]<root-id>
  • Must be 1 to 128 characters long
  • Can include any Unicode character (no restrictions on letters, numbers, or symbols)
  • org-category examples are security, infrastructure, network, cjis, hipaa, general, etc.
  • Only prod and nonprod environments allowed.
  • root-id is taken from the AWS Organizations r-**** value in the management account.

Foundation and Compliance Level 1 OUs #

Note: iowa is the mandatory agency and has no division.

  • Specific Compliance OU:
    • ou-iowa-aws-hipaa-73t0
  • Unspecific Compliance OU:
    • ou-iowa-aws-general-73t0
  • Foundation OU:
    • ou-iowa-aws-infrastructure-nonprod-73t0
  • Foundation OU with description:
    • ou-iowa-aws-security-tooling-nonprod-73t0

Agency Level 2 OUs #

Note: Level 2 OUs can be based on agency, division, product, or project/team, but must include every name in the hierarchy down to that level of specificity.

  • Agency General OU:
    • ou-hhs-aws-prod-73t0
  • Division General OU:
    • ou-hhs-medicaid-aws-prod-73t0
  • Product Based OU:
    • ou-hhs-medicaid-aws-elias-prod-73t0
  • Project or Team Base OU:
    • ou-hhs-medicaid-aws-elias-eps-prod-73t0

The Core 5 Nodes for Account and Resource Patterns #

There are 5 required nodes that provide a primary key to aid in searching for the resources they are linked to. Some resource patterns may have additional required nodes, but these 5 are required for ALL account and resource level patterns.

agency #

Abbreviated name of agency owning the project and platform. Examples: dom, iwd, hhs, dial, ipers

platform #

Abbreviated brand name of the cloud or platform. Examples: azc (Azure Cloud), aws (Amazon Web Services), gcp (Google Cloud Platform), oci (Oracle Cloud), nci (Nutanix), ovm (Oracle VM Infra), vmw (VMware).

product #

General product that the permissions are used for. Examples: elias, avx, idss, connect, safher

project/team #

Development, implementation, infrastructure, or auditing team, such as a contracting group or internal team, for further differentiation. Examples: idss, cobalt, edbi, accen, amazon, forest, digx, mspan

env #

Environment for a given resource. Examples: dev, test, uat, prod, stage, govcloud

Account Pattern #

acct-<agency>-[<division>-]aws-<product/category>-[<#description#>-]<project/team>-<env>-<root-id>
  • Must be 3–63 characters long
  • Can include lowercase letters, digits, and hyphens
  • Must start and end with a letter or digit (no leading/trailing hyphens)
  • Cannot contain two consecutive hyphens
  • root-id is taken from the AWS Organizations r-**** value in the management account.

Foundation Accounts:

Note: the examples below include optional nodes.

  • acct-iowa-aws-security-logarchive-infra-nonprod-73t0
  • acct-iowa-aws-mgmt-payer-infra-prod-9s89
  • acct-iowa-aws-security-tooling-infra-nonprod-73t0
  • acct-iowa-aws-network-infra-nonprod-73t0

Workload Accounts:

  • acct-dial-aws-safher-digix-govcloud-2we9
  • acct-dom-doit-aws-shared-infra-nonprod-w2k1
  • acct-hhs-cae-aws-elias-ddi-accenture-prod-d32s
  • acct-hhs-medicaid-aws-elias-audits-deloitte-prod-d32s

Sandbox accounts:

Note: the product node can be team, project, or user based.

  • acct-dom-doit-aws-team-forest-sbox-59vaf
  • acct-iwd-aws-jane-smith-sbox-2k2a
  • acct-ipers-aws-project-team-sbox-qvsc

AWS Resource Pattern #

<aws-resource-abbreviation>-<agency>-aws-<product>-[<#description#>-]<project/team>-<env>-<region-code>-<three-character-iteration>
  • No division or root-id
  • region-code and three-character-iteration are mandatory
  • aws-resource-abbreviation values are kept in a single source of truth lookup table.

Examples:

  • snet-hhs-aws-elias-chatbot-accenture-test-use2-001
  • ec2-dom-aws-management-infra-dev-use2-005

User access naming:

Note: groups, roles, users, and permission sets do not require a region, but do require a shorthand access label as the final node (shown below). The three-character-iteration is not needed.

  • group-hhs-aws-eden-deloitte-test-developer
  • role-iowa-aws-terraform-github-nonprod-admin
  • user-iowa-aws-ryan-bartusek-nonprod-read
  • pset-hhs-aws-elias-accenture-nonprod-read

Aviatrix Network Resource Patterns #

Aviatrix Virtual Machines - Gateways and Spokes #

Note: aviatrix- is prepended by the Aviatrix Terraform module and -hagw is appended for HA nodes. Create names without those in Terraform, as shown below.

  • The last 8 digits of the AWS account always take the place of product, project, and team for spokes.
  • 30 character limit before the Aviatrix module prepends and appends its parts.
  • agency: max 4 characters
  • env: max 7 characters
  • aws and a 4 character region code are standard

Spokes: #

Subnets created: we create 2 private /26s and the Aviatrix module creates 2 public /26s.

  • aviatrix-dial-aws-688600819676-prod-use2
  • aviatrix-dial-aws-688600819676-nonprod-use2-hagw

Transit Gateways: #

Subnets created: 2 /26s and 4 /28s for every transit gateway, hub or edge.

  • aviatrix-iowa-aws-tshub-prod-usw2
  • aviatrix-iowa-aws-tsedge-prod-usw2-hagw

Aviatrix Control Plane: #

Note: Aviatrix controller and CoPilot VMs do not have their names changed by the Aviatrix module. Create the entire names in Terraform as shown below.

  • aviatrix-iowa-aws-controller-nonprod-usw2
  • aviatrix-iowa-aws-copilot-nonprod-usw2

AWS Network resources: #

Note: Aviatrix network resources should replace project, product, and team with the account ID and any other additional information such as public or private, hub or edge, etc.

  • vpc-dial-aws-688600819676-tshub-prod-usw1-01
  • vpc-iowa-aws-688600819676-tsedge-nonprod-usw2-02

Subnet names are limited to 30 characters before the AVX module adds its parts:

  • snet-dom-aws-688600819676-pvt2-nonprod-usw2-01

Regex Pseudocode #

To find by name:

  1. Read out all character sets by splitting the name on hyphens into an array or list.
  2. Use the list of character sets to match on team, project, platform, resource, or any other node. Example: to find all ec2 resources within the Elias project, print every full name that contains both nodes.
  3. To match across platforms, match on just the team, project, or whichever single node you want to find everything for.

To create names:

  1. Find the platform node and match it to the pattern set of that platform. Example: if aws is found, refer to the aws tagged lists (ous, accounts, resources).
  2. Pattern match the first node as the key to the pattern type within the given platform list. Example: if ec2, refer to the resource pattern; if ou, refer to the OU pattern.
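The find-by-name and create-name steps above, carried out in code. This is an added example, not part of the original page or its Terraform tooling; the inventory names and the non-AWS name are constructed for illustration, and the account-name regex encodes the Account Pattern rules stated earlier on this page.

```python
import re
from typing import List

# Constructed inventory of names following the patterns on this page.
SAMPLE_NAMES = [
    "ou-hhs-medicaid-aws-elias-prod-73t0",
    "acct-hhs-cae-aws-elias-ddi-accenture-prod-d32s",
    "ec2-hhs-aws-elias-chatbot-accenture-test-use2-001",
    "snet-hhs-aws-elias-chatbot-accenture-test-use2-001",
    "ec2-dom-aws-management-infra-dev-use2-005",
    "vm-hhs-azc-elias-accenture-prod",  # constructed non-AWS platform name
]

# Account Pattern rules as one regex: 3-63 chars, lowercase letters, digits
# and hyphens only, starts/ends with a letter or digit, no "--".
ACCOUNT_NAME_RE = re.compile(r"^(?!.*--)[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")

# Platform abbreviations from the "platform" node section.
PLATFORMS = {"azc", "aws", "gcp", "oci", "nci", "ovm", "vmw"}


def split_nodes(name: str) -> List[str]:
    """Find-by-name step 1: split the lowercase name on hyphens."""
    return name.lower().split("-")


def platform_of(name: str) -> str:
    """Create-names step 1: locate the platform node, or '' if none."""
    return next((n for n in split_nodes(name) if n in PLATFORMS), "")


def pattern_type(name: str) -> str:
    """Create-names step 2: the first node keys the pattern family."""
    first = split_nodes(name)[0]
    if first == "ou":
        return "ou"
    if first == "acct":
        return "account"
    return "resource"  # any abbreviation from the resource lookup table


def find_by_nodes(names: List[str], *wanted: str) -> List[str]:
    """Find-by-name steps 2-3: keep names containing every wanted node."""
    return [n for n in names if set(wanted) <= set(split_nodes(n))]


def is_valid_account_name(name: str) -> bool:
    """Check a proposed name against the Account Pattern rules."""
    return pattern_type(name) == "account" and ACCOUNT_NAME_RE.fullmatch(name) is not None
```

Calling `find_by_nodes(SAMPLE_NAMES, "ec2", "elias")` returns only the Elias ec2 resource, while `find_by_nodes(SAMPLE_NAMES, "elias")` spans OU, account, resource and non-AWS names alike.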