B2B Workload Account (xops)
Dedicated AWS account for B2B Commerce application infrastructure, including VPC, ECS containers, databases, and storage.
Account Responsibilities
Network Infrastructure
- VPC with public/private/isolated subnets
- NAT gateways for internet egress
- Transit gateway attachment to management hub
- VPC endpoints for AWS service access (S3, DynamoDB)
Application Tier
- ECS Fargate cluster for microservices
- Application Load Balancer (ALB) for request routing
- Auto Scaling for traffic-based capacity
- CloudWatch container logs
Data Tier
- Amazon RDS PostgreSQL for transactional data
- ElastiCache Redis for session/cache layer
- S3 buckets for document storage and backup
- Secrets Manager for database credentials
Security & Monitoring
- Security groups for network ingress/egress
- CloudWatch monitoring and alerting
- VPC Flow Logs for network troubleshooting
- CloudTrail forwarded to management account
Resource Configuration
# VPC foundation
module "vpc" {
  source = "github.com/nnthanh101/terraform-aws/modules/terraform-aws-vpc"

  name = "b2b"
  cidr = "10.0.0.0/16"
  azs  = var.availability_zones # Set per-region deployment

  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway     = true
  one_nat_gateway_per_az = true
  enable_flow_log        = true
}

# ECS Cluster
resource "aws_ecs_cluster" "main" {
  name = "b2b-cluster"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

# RDS Database
module "rds" {
  source = "github.com/nnthanh101/terraform-aws/modules/terraform_aws_rds"

  engine         = "postgres"
  engine_version = "15.3"
  instance_class = "db.t3.medium"

  allocated_storage      = 100
  db_name                = "b2bdb"
  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.rds.id]

  backup_retention_days = 30
  multi_az              = true
}

# Application S3 Bucket
module "app_bucket" {
  source = "github.com/nnthanh101/terraform-aws/modules/terraform-aws-s3-bucket"

  bucket_name = "b2b-app-data-${data.aws_caller_identity.current.account_id}"

  versioning_enabled               = true
  server_side_encryption_algorithm = "AES256"
  block_public_access              = true
}
Architecture
Internet
↓
ALB (Public Subnet)
↓
ECS Fargate (Private Subnet)
├─ RDS (Isolated Subnet)
├─ ElastiCache (Private Subnet)
└─ S3 (via VPC Endpoint)
Cross-Account Access
Principals in the management account reach the workload account by assuming a role defined in the workload account; its trust policy names the management account as the trusted principal:

# Cross-account role in workload account
resource "aws_iam_role" "cross_account_admin" {
  name = "CrossAccountAdmin"

  # Trusting the management account's root ARN delegates the choice of which
  # users and roles may assume this role to IAM policies in that account.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${var.management_account_id}:root"
      }
      Action = "sts:AssumeRole"
    }]
  })
}
Billing & Cost Management
- Consolidated: Charges appear in management account consolidated bill
- Cost Allocation: All resources tagged with CostCenter: B2B
- Budget Alert: Configure threshold with SNS notification
- Savings Plan: 1-year compute savings plan covers baseline capacity
Compliance Implications
- Data Isolation: VPC isolation from other workloads
- Encryption: RDS encryption at rest, S3 server-side encryption
- Audit: All API calls logged to management account CloudTrail
- Network: Security groups enforce least-privilege access
- Backup: Daily automated RDS snapshots retained 30 days
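As an added example, not part of the account's own Terraform, this is one way to define the security group chain that the architecture and the least-privilege item above describe, including the aws_security_group.rds that the RDS module references; module.vpc.vpc_id and the container port 8080 are assumptions.

```hcl
# Added example: least-privilege security group chain ALB -> ECS -> RDS.
# Assumptions: module.vpc exposes vpc_id; Fargate tasks listen on port 8080.
locals {
  container_port = 8080 # assumed application port inside the Fargate task
}

resource "aws_security_group" "alb" {
  name        = "b2b-alb"
  description = "Public ALB: HTTPS from the internet, forwards to ECS only"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

resource "aws_security_group" "ecs" {
  name        = "b2b-ecs"
  description = "Fargate tasks: reachable from the ALB only"
  vpc_id      = module.vpc.vpc_id
}

# The source is a security group reference rather than a CIDR, so the rule
# keeps matching the ALB even as its IP addresses change.
resource "aws_vpc_security_group_ingress_rule" "ecs_from_alb" {
  security_group_id            = aws_security_group.ecs.id
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = local.container_port
  to_port                      = local.container_port
  ip_protocol                  = "tcp"
}

resource "aws_security_group" "rds" {
  name        = "b2b-rds"
  description = "PostgreSQL: reachable from ECS tasks only"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "rds_from_ecs" {
  security_group_id            = aws_security_group.rds.id
  referenced_security_group_id = aws_security_group.ecs.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}
```

Terraform removes the default allow-all egress rule from a VPC security group it creates, so matching aws_vpc_security_group_egress_rule resources (ALB to ECS on the container port, ECS to RDS on 5432 and to the NAT gateways and VPC endpoints) still have to be added for traffic to flow.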
Source Reference
Account configuration: terraform-aws/accounts/xops/
Related modules:
- modules/terraform-aws-vpc/ — Network foundation
- modules/terraform_aws_rds/ — Database tier
- modules/terraform-aws-security-group/ — Network segmentation