# Organization Structure

See the image below for the structure. Active accounts have resources shared with them; retired accounts do not. Whenever an account is created, it is created under the root OU; the accounts you see there are essentially pre-made accounts ready to be assigned to a JetRails Organization. When a JetRails Organization is created and assigned an AWS Organization, that AWS Organization is moved to the active OU. When a JetRails Organization is deleted, it should be moved to the retired OU automatically (but not closed automatically).

Organization Structure

The flowchart below describes the lifecycle of an AWS account. The actions drawn with a solid black line are all handled within the management account CloudFormation stack. The actions drawn with dotted lines originate from API calls from the jetrails/api project.

```mermaid
sequenceDiagram
    participant Root
    participant Aging
    participant Pending
    participant Active
    participant Retired
    participant Closed

    Root->>Root: Create New Accounts Until <br/> Root + Aging + Pending = Desired <br/> Tag AutoPilot=true
    Root->>Aging: Move New Accounts Attached To Root <br/> If AutoPilot=true && Protected missing
    Aging->Aging: StackSet Deploys Priming Stack
    Aging->Aging: StackSet Deploys Backup Stack
    Aging->Aging: StackSet Deploys PrefixList Stack
    Aging->>Pending: Move Accounts Older Than 4 Hours
    Pending->Pending: StackSet Deletes Priming Stack
    Pending-->>Active: Assign Account To Organization <br/> Tag Account With Organization ID <br/> Move To Active
    Active-->>Retired: Mark Organization Retired <br/> Move to Retired
    Retired->Retired: StackSet Deletes Prefix List Stack
    Retired->Retired: StackSet Deploys Clean Up Stack
    Retired-->Retired: After 5 Days <br/> Tag CloseAccount=true <br/> Mark Organization Closed
    Retired->>Closed: When Tag CloseAccount=true <br/> Close Account <br/> Request Must Be Successful <br/> Move To Retired
    Closed->Closed: StackSet Deletes Clean Up Stack
    Closed->Closed: StackSet Deletes Backup Stack
    Closed->Closed: AWS Closes Account After 90 Days
```
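
The guard conditions on the solid-line transitions can be checked with a small dry-run planner. This is an added example, not code from the management account stack or the jetrails/api project. It assumes `AutoPilot`, `Protected` and `CloseAccount` are account tags, that the 4-hour rule is measured from account creation, and that the close step lands in the Closed OU (the arrow's target); the `Account` record, `plan` and `sample` names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

AGING_PERIOD = timedelta(hours=4)        # "Move Accounts Older Than 4 Hours"
POOL_OUS = ("Root", "Aging", "Pending")  # OUs counted against the desired pool size

@dataclass
class Account:  # hypothetical record for this example, not an AWS API type
    account_id: str
    ou: str
    created: datetime  # assumption: the 4-hour rule is measured from creation time
    tags: dict = field(default_factory=dict)

def plan(accounts, desired, now):
    """Return the stack-driven (solid-line) actions due for one snapshot."""
    actions = []
    pool = sum(1 for a in accounts if a.ou in POOL_OUS)
    if pool < desired:
        actions.append(("create", desired - pool, "AutoPilot=true"))
    for a in accounts:
        if a.ou == "Root":
            # Both guards must hold: opted in via AutoPilot and no Protected tag at all.
            if a.tags.get("AutoPilot") == "true" and "Protected" not in a.tags:
                actions.append(("move", a.account_id, "Aging"))
        elif a.ou == "Aging" and now - a.created > AGING_PERIOD:
            actions.append(("move", a.account_id, "Pending"))
        elif a.ou == "Retired" and a.tags.get("CloseAccount") == "true":
            # The move happens only after the close request succeeds.
            actions.append(("close_then_move", a.account_id, "Closed"))
        # Pending->Active, Active->Retired and the CloseAccount tagging are dotted
        # (API-driven) lines, so this planner never emits them.
    return actions

def sample(now):
    """Constructed sample accounts (IDs are made up)."""
    h = lambda n: now - timedelta(hours=n)
    return [
        Account("111111111111", "Root", h(0.2), {"AutoPilot": "true"}),
        Account("222222222222", "Root", h(0.2), {"AutoPilot": "true", "Protected": "true"}),
        Account("333333333333", "Aging", h(5), {"AutoPilot": "true"}),
        Account("444444444444", "Aging", h(1), {"AutoPilot": "true"}),
        Account("555555555555", "Pending", h(30)),
        Account("666666666666", "Active", h(900)),
        Account("777777777777", "Retired", h(2000), {"CloseAccount": "true"}),
        Account("888888888888", "Retired", h(2000)),
    ]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for action in plan(sample(now), desired=6, now=now):
        print(action)
```

Comparing the planner's output against the actual OU membership is a quick way to spot accounts that are stuck in a stage or that moved without satisfying a guard.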

# Organizational Limits

Every organization needs to submit a support ticket to AWS to increase the EIP limit. Luckily, this can be done via the Service Quotas service. See https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html for more information. Please ensure that the following are added to the service quota template:

| Resource | Default Limit | Requested Limit | URL |
| --- | --- | --- | --- |
| Elastic IP Addresses | 5 | 20 | Service Quota Link |
| Security Group Rules | 60 | 200 | Service Quota Link |

**Note:** This only applies to new organizations that are created; existing organizations need to request this increase manually.