I'm trying to figure out the best placement for some ephemeral evaluation infrastructure in our organizational structure. Here's a quick overview of how our setup looks: We have a Management Account at the root, followed by an Infrastructure OU with various sub-OUs for Identity, Monitoring, and Network. There's also a Sandbox OU with multiple user sandboxes and a Security OU that handles log archives and security tooling. Finally, we have a Workloads OU that includes NonProd and Prod OUs.
For each pull request, we plan to replicate our production application, run tests on it, and then spin it down afterward. I'm debating whether to put this ephemeral infrastructure in an existing account/OU or create a new one. I'm leaning towards setting up a new "Ephemeral" OU within the Workloads OU for this purpose. Does that sound reasonable?
2 Answers
Yes, setting up a Test account under your Workloads OU sounds like a great idea! This way, any policies you place on workloads will naturally apply to your testing as well.
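As an added example, not from the thread, here is a Terraform sketch of the layout the answer describes: an Ephemeral OU nested under Workloads, a guardrail SCP attached at Workloads that NonProd, Prod and the ephemeral accounts all inherit, and one control scoped to the Ephemeral OU alone. The Workloads OU id is a placeholder variable and the particular deny statements are assumptions about the team's rules.

```hcl
# Applied from the management account. The existing Workloads OU id is a placeholder input.
variable "workloads_ou_id" {
  type        = string
  description = "Id of the existing Workloads OU, e.g. ou-xxxx-xxxxxxxx (placeholder)"
}

# New child OU under Workloads for the per-PR stacks.
resource "aws_organizations_organizational_unit" "ephemeral" {
  name      = "Ephemeral"
  parent_id = var.workloads_ou_id
}

# Guardrail SCP attached at Workloads: inherited by NonProd, Prod and Ephemeral alike.
resource "aws_organizations_policy" "workloads_guardrails" {
  name = "WorkloadsGuardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "DenyLeavingOrganization", Effect = "Deny",
        Action = ["organizations:LeaveOrganization"], Resource = "*" },
      { Sid = "DenyDisablingCloudTrail", Effect = "Deny",
        Action = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], Resource = "*" }
    ]
  })
}

resource "aws_organizations_policy_attachment" "workloads_guardrails" {
  policy_id = aws_organizations_policy.workloads_guardrails.id
  target_id = var.workloads_ou_id
}

# Control scoped to the Ephemeral OU only (assumed rule): throwaway accounts get no long-lived IAM users.
resource "aws_organizations_policy" "ephemeral_no_iam_users" {
  name = "EphemeralNoIamUsers"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{ Sid = "DenyIamUsers", Effect = "Deny",
      Action = ["iam:CreateUser", "iam:CreateAccessKey"], Resource = "*" }]
  })
}

resource "aws_organizations_policy_attachment" "ephemeral_no_iam_users" {
  policy_id = aws_organizations_policy.ephemeral_no_iam_users.id
  target_id = aws_organizations_organizational_unit.ephemeral.id
}
```

Accounts created in or moved into the Ephemeral OU (not shown) pick up the Workloads SCP through inheritance, and an SCP attached at Ephemeral can only narrow permissions further, never grant what Workloads denies.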
Honestly, it doesn't make much of a difference where you put it. OUs are primarily for applying Service Control Policies (SCPs) for multiple accounts, and while useful for IAM setups, they don't affect the individual account's functioning much. There are best practices, but I wouldn't stress over it too much!
I get that, but I'm keen to follow best practices! Just want to ensure I'm not overlooking anything important.
Thanks for the input! Should I create a separate OU specifically for this under Workloads, or is it fine to just put the account directly in there?