Setting Up A Greenfield Project On AWS
What kinds of things should you consider when you are standing up a greenfield project/organization on AWS?
Hey folks,
What should you think about when you are standing up a greenfield project/organization on AWS? Someone asked a question in a community I’m a part of, and I have opinions.
First, a disclaimer. This is very TF focused, as opposed to Pulumi or CDK. That said, here are my recommendations for a zero to one type of project.
First, let’s talk about common account structure, permissions and access.
Don't use SSH. Instead, use AWS SSM (Session Manager). SSH keys are a pain and, frankly, a thing of the past. Masterpoint has a module that deploys an EC2 ASG and removes the need for a traditional bastion instance. Note: not my favorite Masterpoint module, but it is feature complete.
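To make the "no SSH" point concrete, here is an added Terraform example (not the Masterpoint module and not code from this post) of an EC2 instance that is reachable only through SSM Session Manager: an instance role carrying the `AmazonSSMManagedInstanceCore` managed policy, no `key_name`, and a security group with no inbound rules at all. The `var.vpc_id` and `var.subnet_id` inputs are assumptions standing in for whatever network module you use.

```hcl
# Added example, not from the post: an EC2 instance managed through SSM
# Session Manager with no SSH key pair and no inbound ports.
# Assumed inputs: an existing VPC and subnet passed in as variables.

variable "vpc_id" {}
variable "subnet_id" {}

# Amazon Linux 2023 ships with the SSM agent preinstalled.
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

# The instance role is all the agent needs to register with SSM.
resource "aws_iam_role" "ssm" {
  name = "ssm-managed-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm" {
  name = "ssm-managed-instance"
  role = aws_iam_role.ssm.name
}

# No ingress block at all: Session Manager rides an outbound HTTPS channel
# opened by the agent, so port 22 never has to be exposed.
resource "aws_security_group" "ssm_only" {
  name   = "ssm-only"
  vpc_id = var.vpc_id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id
  iam_instance_profile   = aws_iam_instance_profile.ssm.name
  vpc_security_group_ids = [aws_security_group.ssm_only.id]
  # Deliberately no key_name: there is no SSH key to distribute, rotate or leak.

  metadata_options {
    http_tokens = "required" # IMDSv2 only, so the role credentials are harder to steal via SSRF
  }
}

output "session_command" {
  value = "aws ssm start-session --target ${aws_instance.app.id}"
}
```

After `terraform apply`, the `session_command` output is the only thing an operator needs; access is governed by whoever holds `ssm:StartSession` in IAM, and every session is recorded in CloudTrail. If the subnet is private with no NAT, the agent still needs to reach the `ssm`, `ssmmessages` and `ec2messages` service endpoints, so add VPC interface endpoints for those three services.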
Put some thought and research into your account hierarchy. At a minimum, start with the root/management account and provision nothing in there. Then create additional accounts for your workloads (dev, stage, prod) that your team will get access to.
Don't use IAM Users and Groups. Instead, use AWS IAM Identity Center (previously known as AWS SSO). Here's a TF module to configure AWS IAM Identity Center. Managing Identity Center sessions locally is not too bad when you're dealing with just one organization. My team and I use Leapp and are big fans.
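The two recommendations above (an empty management account with workload accounts beneath it, and Identity Center instead of IAM users) fit together in one configuration. The following is an added example, not the module linked in the post: it creates the organization, a `workloads` OU holding dev/stage/prod member accounts, and a single permission set assigned to a group for the dev account only. It assumes it is applied from the management account with Identity Center already enabled in the console, and `var.org_email_prefix` / `var.org_email_domain` are placeholders for the root e-mail address each member account requires.

```hcl
# Added example, not from the post: organization layout plus Identity Center
# access, applied from the management account. Nothing else lives in root.
# Assumed inputs: the pieces of the e-mail address used for each member account.

variable "org_email_prefix" {}
variable "org_email_domain" {}

resource "aws_organizations_organization" "this" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["sso.amazonaws.com"]
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads"
  parent_id = aws_organizations_organization.this.roots[0].id
}

# One member account per environment, each with its own root e-mail alias.
resource "aws_organizations_account" "env" {
  for_each  = toset(["dev", "stage", "prod"])
  name      = each.key
  email     = "${var.org_email_prefix}+${each.key}@${var.org_email_domain}"
  parent_id = aws_organizations_organizational_unit.workloads.id
  role_name = "OrganizationAccountAccessRole"
}

# Identity Center is enabled once per organization; look up its instance.
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Sessions are short-lived credentials, not long-lived IAM user access keys.
resource "aws_ssoadmin_permission_set" "developer" {
  name             = "Developer"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT8H"
}

resource "aws_ssoadmin_managed_policy_attachment" "developer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

resource "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id
  display_name      = "developers"
}

# Scope the assignment to dev; prod gets its own, narrower permission set.
resource "aws_ssoadmin_account_assignment" "dev" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  principal_id       = aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = aws_organizations_account.env["dev"].id
  target_type        = "AWS_ACCOUNT"
}
```

The access model this produces is the one the post argues for: people belong to groups, groups are assigned permission sets per account, and nobody holds an IAM access key. Adding a `stage` or `prod` assignment is another `aws_ssoadmin_account_assignment` with a different permission set, and removing someone's access is removing them from the group.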
Here are some useful TF modules for common AWS infrastructure. No need to reinvent the wheel.
- VPC and Subnets for foundational network infrastructure; use Cloud Posse's component if you want a ready to go root module.
- S3 Buckets for reliable object storage
- CloudTrail for logging and auditing
While not AWS infrastructure, these TF modules help you manage other services commonly used in a zero-to-one scenario.
- GitHub users and groups (one alternative is to sync them from an IdP, but that needs the enterprise tier, which is sometimes pricey and not worth it). You'll also want to configure your GitHub repos.
- Google Workspace users and groups (this is a fairly new release from us).
Finally, you’ll want to manage your TF state in S3 and use DynamoDB to manage locking. Here’s a standalone TF module and one that works well with atmos.
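For readers who want to see what the S3 + DynamoDB state setup amounts to, here is an added example (not either of the modules mentioned above): the state bucket with versioning, encryption and public access blocked, the lock table with the `LockID` key the S3 backend expects, and the backend stanza that points at them. The bucket and table names are placeholders; the bucket name must be globally unique.

```hcl
# Added example, not the post's module: state bucket, lock table and backend.
# Bootstrap order: apply the bucket and table with local state first, then add
# the backend block and run `terraform init -migrate-state`.

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate" # placeholder, must be globally unique
}

# Versioning lets you roll back a state file that a bad apply overwrote.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# State files carry secrets in plaintext; this bucket must never be public.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The S3 backend locks on a single string key named LockID.
resource "aws_dynamodb_table" "tflock" {
  name         = "example-org-tflock" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# Backend stanza for each root module that shares this state store; the key
# gives every root module its own object so they never overwrite each other.
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"
    key            = "dev/network/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-org-tflock"
  }
}
```

Keep the IAM policy on the state bucket tight: whoever can read it can read every secret Terraform has ever written to state, so scope `s3:GetObject` on this bucket to the CI role and the platform team rather than to everyone with the Developer permission set.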
Configuring these modules should get you well on your way to a solid greenfield architecture using TF.
May your architecture not paint you into a corner,
Matt @ Masterpoint
PS If you’ve found this newsletter helpful, please forward it to a friend. Want to chat through some tricky IaC issue that you or your org are running into? Grab some time on my calendar here.