
Intro

The ACF Account Cache is made for caching AWS account details of large AWS Organizations.

For one AWS account, the details have the following structure:

{
  "accountId": "905418151471",
  "accountName": "acai_aws-lab1_wl2",
  "accountStatus": "ACTIVE",
  "accountTags": {
    "owner": "Finance",
    "environment": "Non-Prod",
    "application": "SAP",
    "type": "Workload",
    "confidentiality_level": "Restricted"
  },
  "ouId": "ou-er26-hsal28aq",
  "ouIdWithPath": "o-3iuv4h36uk/r-er26/ou-er26-08tbwblz/ou-er26-sgxk358u/ou-er26-hsal28aq",
  "ouName": "NonProd",
  "ouNameWithPath": "Root/Lab_WorkloadAccounts/BusinessUnit_1/NonProd",
  "ouTags": {
    "module_provider": "ACAI GmbH",
    "environment": "Production",
    "module_source": "github.com/acai-consulting/terraform-aws-acf-org-ou-mgmt",
    "application": "AWS MA Core",
    "cicd_ado_organization": "acai-consulting",
    "cicd_branch_name": "initial_version",
    "cicd_pipeline_name": "Org-Mgmt",
    "module_name": "terraform-aws-acf-org-ou-mgmt",
    "module_version": "1.1.1",
    "cicd_ado_project_name": "aws-lab-2024"
  }
}

Querying the ACF AWS Account Context Cache

Large organizations may face scenarios where they want to select a subset of AWS Accounts based on specific criteria:

  • Select all AWS Accounts where the account-tag “environment” is not “Non-Prod” (In the ChatBot type: /Sample1)
  • Select all AWS Accounts where “accountName” contains “core-” (In the ChatBot type: /Sample2)
  • Select all AWS Accounts where the account-tag “environment” is “Prod” and that have “/Department_1/” in their OU-path (In the ChatBot type: /Sample3)

To accomplish this, we have introduced a query language in alignment with Amazon EventBridge > Create event patterns:

For all accounts in the cache:
query_json = "*" 

For selected accounts in the cache:
query_json = {
    "exclude": "*" | Pattern JSON-Object | [
        Pattern JSON-Object
    ],
    "forceInclude": Pattern JSON-Object | [
        Pattern JSON-Object
    ]
}
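As an added illustration (not the ACF project's own code), the following Python evaluates queries of this shape against cache entries using a subset of the EventBridge pattern syntax (exact-value lists, "anything-but", "wildcard"). The combination rule for "exclude" and "forceInclude" is an assumption, since the page does not define it: an account is selected unless an exclude pattern matches it, and a forceInclude match always wins; the account records are constructed sample data and the three queries express /Sample1 to /Sample3 above.

```python
import fnmatch
def match_value(pattern, value):
    """Leaf match: a list of allowed values, or one EventBridge-style operator object."""
    if isinstance(pattern, list):
        return value in pattern
    if "anything-but" in pattern:
        banned = pattern["anything-but"]
        return value not in (banned if isinstance(banned, list) else [banned])
    if "wildcard" in pattern:  # '*' matches any run of characters, '/' included
        return isinstance(value, str) and fnmatch.fnmatchcase(value, pattern["wildcard"])
    raise ValueError(f"unsupported pattern: {pattern!r}")

def match_pattern(pattern, account):
    """All keys must match (AND); plain nested objects recurse, e.g. into accountTags."""
    for key, sub in pattern.items():
        if key not in account:
            return False
        if isinstance(sub, dict) and not any(op in sub for op in ("anything-but", "wildcard")):
            if not (isinstance(account[key], dict) and match_pattern(sub, account[key])):
                return False
        elif not match_value(sub, account[key]):
            return False
    return True

def matches_any(spec, account):
    """'*' matches every account; a single pattern or a list of patterns is OR-ed."""
    return spec == "*" or any(match_pattern(p, account)
                              for p in (spec if isinstance(spec, list) else [spec]))

def query_accounts(query, accounts):
    # ASSUMED combination rule (not specified on the page): an account is selected
    # unless it matches "exclude", and "forceInclude" re-adds matches regardless.
    if query == "*":
        return [a["accountId"] for a in accounts]
    forced, excluded = query.get("forceInclude", []), query.get("exclude", [])
    return [a["accountId"] for a in accounts
            if matches_any(forced, a) or not matches_any(excluded, a)]

ACCOUNTS = [  # constructed sample entries, shaped like the cache record shown above
    {"accountId": "111111111111", "accountName": "acai_core-logging",
     "accountTags": {"environment": "Prod"}, "ouNameWithPath": "Root/Core/Prod"},
    {"accountId": "222222222222", "accountName": "acai_aws-lab1_wl2",
     "accountTags": {"environment": "Non-Prod"}, "ouNameWithPath": "Root/Lab/NonProd"},
    {"accountId": "333333333333", "accountName": "acai_sap_prod",
     "accountTags": {"environment": "Prod"}, "ouNameWithPath": "Root/Department_1/Prod"},
]
SAMPLE1 = {"exclude": {"accountTags": {"environment": ["Non-Prod"]}}}          # /Sample1
SAMPLE2 = {"exclude": "*", "forceInclude": {"accountName": {"wildcard": "*core-*"}}}  # /Sample2
SAMPLE3 = {"exclude": "*", "forceInclude": {"accountTags": {"environment": ["Prod"]},  # /Sample3
                                            "ouNameWithPath": {"wildcard": "*/Department_1/*"}}}
```

Keep the matcher's accepted operators explicit and reject anything else, so an LLM-generated query that drifts outside the supported syntax fails loudly instead of silently selecting the wrong accounts.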

Try it out by clicking on the chat-icon on the right side of this site.

Architecture

We have created an Amazon Bedrock-based LLM backend that transforms user prompts like the sample statements above into ACF Account Cache queries.

Step 1: The LLM Lambda produces the JSON-based query and hands it to the chat-bot.

Step 2: The user can then decide to run the query against the Account Context Cache and get the account IDs that match it.

Step 3: With the ‘/detail:account_id’ command the user can get the account details.

CICD Pipeline Overview

ACAI Lab AWS Organization

The full Account Context Cache of the ACAI AWS Lab is shown here as JSON: link
