DEV-3477: Account Documentation (#785)

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

Author: milldr

docs/layers/accounts/deploy-accounts.mdx

@@ -41,7 +41,7 @@ This step-by-step process outlines how to deploy AWS accounts using `atmos` work
   </Step>
 
   <Step>
-    ## <StepNumber/> Deploy the AWS Organization:
+    ## <StepNumber/> Deploy the AWS Organization
 
     <AtmosWorkflow workflow="deploy/organization" fileName="accounts" />
 
@@ -50,34 +50,109 @@ This step-by-step process outlines how to deploy AWS accounts using `atmos` work
   <Step>
     ## <StepNumber/> Confirm the Root Account is configured as an Organization
 
-    The previous step will create the AWS Organization and configure the `core-root` account as the "root" account. Take the time now to verify that the root account is configured as an AWS Organization. and that [AWS RAM for Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-ram.html) is enabled, which is required for connecting the Organization.
+    The previous step will create the AWS Organization and configure the `core-root` account as the "root" account. Take the time now to verify that the root account is configured as an AWS Organization and that [AWS RAM for Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-ram.html) is enabled, which is required for connecting the Organization.
+
+    **Check Organization Status:**
+
+    ```bash
+    # Check if AWS Organization exists and get its details
+    aws organizations describe-organization
+
+    # Or specifically check if RAM for Organizations is enabled
+    aws organizations describe-organization --query 'Organization.FeatureSet'
+    ```
+
+    The `FeatureSet` should return `ALL` if RAM for Organizations is enabled, or `CONSOLIDATED_BILLING` if it's not enabled.
+  </Step>
+
+ <Step>
+    ## <StepNumber/> Confirm Root Account Name
+
+    After deploying the AWS Organization, verify the **account name** of the root (a.k.a. management/payer) account and ensure it's set in the `account-map` catalog. This is the human-readable **account name**, not the account alias. While we default to `root`, it may have been set to your company name or another custom label when the account was originally created.
+
+    <details>
+      <summary><strong>Why this is needed?</strong></summary>
+      
+      The root account has two different names:
+      
+      - **AWS Account Name**: The name you typed when originally creating the AWS account (often "root" but can be different)
+      - **Account Alias**: The deterministic name set in the account configuration (e.g., "core-root")
+    </details>
+
+    The account-map component needs to know the actual AWS account name to properly map accounts.
+
+    **To find your root account name:**
+
+    ```bash
+    # Make sure you're using a user with access to your root account, such as SuperAdmin
+    aws organizations list-accounts \
+      --query "Accounts[?Id=='$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)'].Name" \
+      --output text
+    ```
+
+    **To configure the account-map:**
+
+    Update `stacks/catalog/account-map.yaml` to set the correct root account name:
+
+    ```yaml
+    components:
+      terraform:
+        account-map:
+          vars:
+            root_account_aws_name: "your-actual-root-account-name"  # The name from the AWS Organizations output
+            root_account_account_name: "core-root"  # This should always be "core-root"
+    ```
+
+    <Note title="Common Issue">
+      If you encounter an error such as the following in subsequent deployments, it's usually because the `root_account_aws_name` is not correctly set in the `account-map` configuration.
+      
+      ```console
+      The given key does not identify an element in this collection value
+      ```
+    </Note>
   </Step>
 
   <Step>
     ## <StepNumber/> Raise Account Limits
 
     If you haven't already completed the Account Quota increase, now is the time to do so. To deploy all accounts, we need to request an increase of the Account Quota from AWS support, which requires an AWS Organization to be created first.
 
-    From the `root` account (not `SuperAdmin`), increase the [account quota to 20+](https://us-east-1.console.aws.amazon.com/servicequotas/home/services/organizations/quotas) for the Cloud Posse reference architecture, or more depending on your business use-case
+    From the `root` account (not `SuperAdmin`), increase the [account quota to 20+](https://us-east-1.console.aws.amazon.com/servicequotas/home/services/organizations/quotas) for the Cloud Posse reference architecture, or more depending on your business use-case.
 
+    **Alternative: Use AWS CLI**
+
+    You can also use the AWS CLI to request the quota increase:
+
+    ```bash
+    aws service-quotas request-service-quota-increase \
+      --service-code organizations \
+      --quota-code L-29A42BEB \
+      --desired-value 20
+    ```
+
+    Where `L-29A42BEB` is the quota code for "Accounts per organization".
+
+    <Note title="Terraform Alternative">
+      This quota increase can also be requested through our [account-quotas](/components/library/aws/account-quotas/) component, but it's generally faster to handle this manually or through the API since it's a one time request.
+    </Note>
   </Step>
 
   <Step>
     ## <StepNumber/> Deploy Accounts
 
-    <Note title="Important">
+    Again review the "account" configuration in `stacks/catalog/account.yaml`. In particular, check the email address and account names. In the next step, we will create and configure all accounts in the AWS Organization using the configuration in that stack file.
+
+    Once confident, begin the accounts deployment:
+
+    <AtmosWorkflow workflow="deploy/accounts" fileName="accounts" />
+
+    <Note title="Info">
       With the addition of support for dynamic Terraform roles, our `baseline` cold start refarch layer now depends
       on/requires that we have `aws-teams` and `aws-team-roles` stacks configured. This is because `account-map` uses those
       stacks to determine which IAM role to assume when performing Terraform in the account, and almost every other component
       uses `account-map` (indirectly) to chose the role to assume. However, these components do _not_ need to be deployed yet.
     </Note>
 
-    Again verify the "account" configuration in `stacks/catalog/account.yaml`. In the next step, we will create and configure all accounts in the AWS Organization using the configuration in that stack file.
-
-    Once confident, begin the accounts deployment:
-
-    <AtmosWorkflow workflow="deploy/accounts" fileName="accounts" />
-
     These deployments will create all AWS member accounts and store relevant account metadata as "mappings" in the Terraform
     outputs of the `account-map` component. Rather than querying this `account` component each time we need an Account ID or
     role, we provision a static component `account-map`.
@@ -86,14 +161,19 @@ This step-by-step process outlines how to deploy AWS accounts using `atmos` work
     Always run `atmos terraform apply account-map -s core-gbl-root` after provisioning accounts.
     </Note>
 
+  </Step>
+
+  <Step>
+    ## <StepNumber/> Deploy Accounts Settings
+
     Once you've created the accounts, you'll need to provision the baseline configuration within the accounts themselves. Run the following:
 
     <AtmosWorkflow workflow="deploy/account-settings" fileName="accounts" />
 
     The workflows will kick off several sequential Terraform runs to provision all the AWS member account settings for
     member accounts in the Organization.
   </Step>
-
+ 
   <Step>
     ### <StepNumber/> ClickOps to Complete Account Setup
 

docs/layers/accounts/faq.mdx

@@ -4,6 +4,7 @@ sidebar_label: FAQ
 sidebar_position: 10
 ---
 import Intro from '@site/src/components/Intro';
+import Steps from '@site/src/components/Steps';
 
 <Intro>
 Frequently asked questions about managing AWS accounts with Cloud Posse's reference architecture.
@@ -52,3 +53,67 @@ This component manages the state of all AWS accounts, so apply with extreme caut
 ### How can you create a Tenant?
 
 [Follow the documentation for creating a new Organizational Unit](/layers/accounts/tutorials/how-to-add-a-new-organizational-unit/)
+
+### Why does `account-map` fail with "The given key does not identify an element in this collection value"?
+
+This is a common error you may encounter when reading from `account-map`:
+
+```bash
+Acquiring state lock. This may take a few moments...
+module.iam_roles.module.account_map.data.utils_component_config.config[0]: Reading...
+module.iam_roles.module.account_map.data.utils_component_config.config[0]: Read complete after 0s [id=xyx]
+module.iam_roles.module.account_map.data.terraform_remote_state.data_source[0]: Reading...
+module.iam_roles.module.account_map.data.terraform_remote_state.data_source[0]: Read complete after 5s
+module.iam_roles.data.awsutils_caller_identity.current[0]: Reading...
+module.iam_roles.data.awsutils_caller_identity.current[0]: Read complete after 1s [id=123]
+
+Planning failed. Terraform encountered an error while generating this plan.
+
+╷
+│ Error: Invalid index
+│ 
+│   on ../account-map/modules/iam-roles/main.tf line 46, in locals:
+│   46:   is_root_user   = local.current_identity_account == local.account_map.full_account_map[local.root_account_name]
+│     ├────────────────
+│     │ local.account_map.full_account_map is map of string with 12 elements
+│     │ local.root_account_name is "core-root"
+│ 
+│ The given key does not identify an element in this collection value.
+╵
+Releasing state lock. This may take a few moments...```
+```
+
+This error typically occurs when the `root_account_aws_name` is not correctly configured in the `account-map` component. The root account has two different names:
+
+<Steps>
+- **AWS Account Name**: The name you typed when originally creating the AWS account (often "root" but can be different)
+- **Account Alias**: The deterministic name set in the account configuration (e.g., "core-root")
+</Steps>
+
+To fix this:
+
+<Steps>
+1. Find your root account name using AWS Organizations:
+   ```bash
+   aws organizations list-accounts \
+     --query "Accounts[?Id=='$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)'].Name" \
+     --output text
+   ```
+
+2. Update `stacks/catalog/account-map.yaml`:
+   ```yaml
+   components:
+     terraform:
+       account-map:
+         vars:
+           root_account_aws_name: "your-actual-root-account-name"  # The name from step 1
+           root_account_account_name: "core-root"  # This should always be "core-root"
+   ```
+
+3. Reapply the account-map:
+   ```bash
+   atmos terraform apply account-map -s core-gbl-root
+   ```
+</Steps>
+
+For more details, see [the account deployment documentation](/layers/accounts/deploy-accounts/#confirm-root-account-name).