# Managed Landing Zone Subcategory **Topics** + [Application Account \$1 Create VPC](deployment-managed-application-account-create-vpc.md) + [Application Account \$1 Create VPC Additional CIDR and Subnets](deployment-managed-application-account-create-vpc-additional-cidr-and-subnets.md) + [Management Account \$1 Create Accelerate Account](deployment-managed-management-account-create-accelerate-account.md) + [Management Account \$1 Create Application Account (With VPC)](deployment-managed-management-account-create-application-account-with-vpc.md) + [Management Account \$1 Create Custom OUs](deployment-managed-management-account-create-custom-ous.md) + [Management Account \$1 Create Custom SCP (Managed Automation)](deployment-managed-management-account-create-custom-scp-managed-automation.md) + [Management Account \$1 Create Customer-Managed Application Account](deployment-managed-management-account-create-customer-managed-application-account.md) + [Management Account \$1 Create Developer Mode Account (With VPC)](deployment-managed-management-account-create-developer-mode-account-with-vpc.md) + [Management Account \$1 Create StackSets Stack (Managed Automation)](deployment-managed-management-account-create-stacksets-stack-managed-automation.md) + [Management Account \$1 Create Tools Account (With VPC)](deployment-managed-management-account-create-tools-account-with-vpc.md) + [Networking Account \$1 Add Static Route](deployment-managed-networking-account-add-static-route.md) + [Networking Account \$1 Create Application Route Table (Managed Automation)](deployment-managed-networking-account-create-application-route-table-managed-automation.md) + [Networking Account \$1 Create Transit Gateway Route Table](deployment-managed-networking-account-create-transit-gateway-route-table.md) # Application Account \$1 Create VPC Create a VPC with up to 10 private subnets and up to 5 optional public subnets per availability zone (AZ) for two or three AZ's. **Full classification:** Deployment \$1 Managed landing zone \$1 Application account \$1 Create VPC ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-1j3503fres5a5 | | Current version | 3.0 | | Expected execution duration | 360 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create VPC #### Application account: Creating a VPC with the Console Screenshot of this change type in the AMS console: ![\[VPC creation details with ID, version, and description of subnet configuration options.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzAppAcctCreateVpcCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Application account: Creating a VPC with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Application account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-1j3503fres5a5" --change-type-version "3.0" --title "Application account VPC onboarding" --execution-parameters "{\"VpcName\": \"VPC_NAME\", \"Parameters\": { \"NumberOfAZs\": \"INTEGER\", \"VPCCIDR\": \"X.X.X.X/X\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\", \"RouteType\": \"ROUTE_TYPE\", \"TransitGatewayApplicationRouteTableName\": \"TABLE_NAME\"}}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateAppAcctVpcParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1j3503fres5a5" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateAppAcctVpcParams.json ``` 1. Modify and save the CreateAppAcctVpcParams file. For example, you can replace the contents with something like this: ``` { "VpcName": "TestVPC", "Parameters": { "NumberOfAZs": "INTEGER", "VPCCIDR": "x.x.x.x/x", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x", "PrivateSubnet1AZ3CIDR": "x.x.x.x/x", "PublicSubnetAZ1CIDR": "x.x.x.x/x", "PublicSubnetAZ2CIDR": "x.x.x.x/x", "PublicSubnetAZ3CIDR": "x.x.x.x/x", "RouteType": "ROUTE_TYPE", "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME" } } ``` 1. Output the RFC template JSON file to a file; this example names it CreateAppAcctVpcRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateAppAcctVpcRfc.json ``` 1. Modify and save the CreateAppAcctVpcRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "3.0", "ChangeTypeId": "ct-1j3503fres5a5", "Title": "App-Acct-Vpc-RFC" } ``` 1. Create the RFC, specifying the CreateAppAcctVpcRfc file and the CreateAppAcctVpcParams file: ``` aws amscm create-rfc --cli-input-json file://CreateAppAcctVpcRfc.json --execution-parameters file://CreateAppAcctVpcParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips + **Important** To create an additional public subnet in a new availability zone (AZ), a private subnet must already be present. + This change type is now at version 3.0 and it has been automated (it is no longer manually run by AMS). The 2.0 version of this change type was a "managed automation" (manual) change type. + To learn more about AMS multi-account landing zone, see [ VPC sharing: A new approach to multiple accounts and VPC management](https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-sharing-a-new-approach-to-multiple-accounts-and-vpc-management/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-1j3503fres5a5](schemas.md#ct-1j3503fres5a5-schema-section). ## Example: Required Parameters ``` { "VpcName": "TestVPC", "Parameters": { "VPCCIDR": "10.0.0.0/22", "NumberOfAZs": 2, "PrivateSubnet1AZ1CIDR": "10.0.0.0/24", "PrivateSubnet1AZ2CIDR": "10.0.1.0/24" } } ``` ## Example: All Parameters ``` { "VpcName": "TestVPC", "Parameters": { "VPCCIDR": "10.0.0.0/22", "NumberOfAZs": 3, "RouteType": "isolated", "TransitGatewayApplicationRouteTableName": "applications", "PublicSubnetAZ1CIDR": "10.0.0.0/24", "PublicSubnetAZ2CIDR": "10.0.1.0/24", "PublicSubnetAZ3CIDR": "10.0.2.0/24", "PublicSubnet2AZ1CIDR": "10.0.0.0/24", "PublicSubnet2AZ2CIDR": "10.0.1.0/24", "PublicSubnet2AZ3CIDR": "10.0.2.0/24", "PublicSubnet3AZ1CIDR": "10.0.0.0/24", "PublicSubnet3AZ2CIDR": "10.0.1.0/24", "PublicSubnet3AZ3CIDR": "10.0.2.0/24", "PublicSubnet4AZ1CIDR": "10.0.0.0/24", "PublicSubnet4AZ2CIDR": "10.0.1.0/24", "PublicSubnet4AZ3CIDR": "10.0.2.0/24", "PublicSubnet5AZ1CIDR": "10.0.0.0/24", "PublicSubnet5AZ2CIDR": "10.0.1.0/24", "PublicSubnet5AZ3CIDR": "10.0.2.0/24", "PrivateSubnet1AZ1CIDR": "10.0.0.0/24", "PrivateSubnet1AZ2CIDR": "10.0.1.0/24", "PrivateSubnet1AZ3CIDR": "10.0.2.0/24", "PrivateSubnet2AZ1CIDR": "10.0.3.0/24", "PrivateSubnet2AZ2CIDR": "10.0.4.0/24", "PrivateSubnet2AZ3CIDR": "10.0.5.0/24", "PrivateSubnet3AZ1CIDR": "10.0.0.0/24", "PrivateSubnet3AZ2CIDR": "10.0.1.0/24", "PrivateSubnet3AZ3CIDR": "10.0.2.0/24", "PrivateSubnet4AZ1CIDR": "10.0.3.0/24", "PrivateSubnet4AZ2CIDR": "10.0.4.0/24", "PrivateSubnet4AZ3CIDR": "10.0.5.0/24", "PrivateSubnet5AZ1CIDR": "10.0.0.0/24", "PrivateSubnet5AZ2CIDR": "10.0.1.0/24", "PrivateSubnet5AZ3CIDR": "10.0.2.0/24", "PrivateSubnet6AZ1CIDR": "10.0.3.0/24", "PrivateSubnet6AZ2CIDR": "10.0.4.0/24", "PrivateSubnet6AZ3CIDR": "10.0.5.0/24", "PrivateSubnet7AZ1CIDR": "10.0.0.0/24", "PrivateSubnet7AZ2CIDR": "10.0.1.0/24", "PrivateSubnet7AZ3CIDR": "10.0.2.0/24", "PrivateSubnet8AZ1CIDR": "10.0.3.0/24", "PrivateSubnet8AZ2CIDR": "10.0.4.0/24", "PrivateSubnet8AZ3CIDR": "10.0.5.0/24", "PrivateSubnet9AZ1CIDR": "10.0.0.0/24", "PrivateSubnet9AZ2CIDR": "10.0.1.0/24", "PrivateSubnet9AZ3CIDR": "10.0.2.0/24", "PrivateSubnet10AZ1CIDR": "10.0.3.0/24", "PrivateSubnet10AZ2CIDR": "10.0.4.0/24", "PrivateSubnet10AZ3CIDR": "10.0.5.0/24" } } ``` # Application Account \$1 Create VPC Additional CIDR and Subnets Create an additional VPC CIDR, or subnets, or both, for an existing application account VPC. Add up to five public and twenty private subnet tiers to the additional CIDR, or to existing CIDRs under the VPC. A subnet tier is a set of subnets provisioned in two or three Availability Zones (AZ). **Full classification:** Deployment \$1 Managed landing zone \$1 Application account \$1 Create VPC Additional CIDR and Subnets ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-2ha68tpd7nr3y | | Current version | 1.0 | | Expected execution duration | 360 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create VPC CIDRs and subnets #### Application account: creating VPC CIDRs or Subnets with the Console Screenshot of this change type in the AMS console: ![\[Form for creating additional VPC CIDR or subnets for an application account VPC.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzAppAcctCreateVpcCidrSubnetsCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Application account: creating VPC CIDRs or Subnets with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Application account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: To create only additional VPC CIDRs: ``` aws amscm create-rfc --change-type-id "ct-2ha68tpd7nr3y" --change-type-version "1.0" --title "Additional VPC CIDR Creation" --execution-parameters "{\"VPCId\": \"VPC_ID\", \"Parameters\": { \"VPCCIDR\": \"X.X.X.X/X\"}}" ``` To create only additional subnets: ``` aws amscm create-rfc --change-type-id "ct-2ha68tpd7nr3y" --change-type-version "1.0" --title "Additional VPC Subnet Creation" --execution-parameters "{\"VPCId\": \"VPC_ID\", \"Parameters\": {\"PrivateRouteTableAZ1ID\": \"Transit Gateway Route Table AZ1 Name\", \"PrivateRouteTableAZ2ID\": \"Transit Gateway Route Table AZ2 Name\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\"}}" ``` To create additional VPC CIDR and subnets: ``` aws amscm create-rfc --change-type-id "ct-2ha68tpd7nr3y" --change-type-version "1.0" --title "Additional VPC CIDR and subnet Creation" --execution-parameters "{\"VPCId\": \"VPC_ID\", \"Parameters\": { \"VPCCIDR\": \"X.X.X.X/X\", \"PrivateRouteTableAZ1ID\": \"Transit Gateway Route Table AZ1 Name\", \"PrivateRouteTableAZ2ID\": \"Transit Gateway Route Table AZ2 Name\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\"}}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateAppAcctVpcCidrSubnetParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-2ha68tpd7nr3y" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateAppAcctVpcCidrSubnetParams.json ``` 1. Modify and save the CreateAppAcctVpcCidrSubnetParams file. For example, you can replace the contents with something like this: To create only additional VPC CIDRs: ``` { { "VPCId": "VPC_ID", "Parameters": { "VPCCIDR": "x.x.x.x/x", } } } ``` To create only additional subnets: ``` { "VPCId": "VPC_ID", "Parameters": { "PrivateRouteTableAZ1ID": "Transit Gateway Route Table AZ1 Name", "PrivateRouteTableAZ2ID": "Transit Gateway Route Table AZ2 Name", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x" } } ``` To create additional VPC CIDR and subnets: ``` { "VPCId": "VPC_ID", "Parameters": { "VPCCIDR": "x.x.x.x/x", "PrivateRouteTableAZ1ID": "Transit Gateway Route Table AZ1 Name", "PrivateRouteTableAZ2ID": "Transit Gateway Route Table AZ2 Name", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x" } } ``` 1. Output the RFC template JSON file to a file; this example names it CreateAppAcctVpcCidrSubnetRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateAppAcctVpcCidrSubnetRfc.json ``` 1. Modify and save the CreateAppAcctVpcCidrSubnetRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-2ha68tpd7nr3y", "Title": "App-Acct-Vpc-Cidr-Subnets-RFC" } ``` 1. Create the RFC, specifying the CreateAppAcctVpcCidrSubnetRfc file and the CreateAppAcctVpcCidrSubnetParams file: ``` aws amscm create-rfc --cli-input-json file://CreateAppAcctVpcCidrSubnetRfc.json --execution-parameters file://CreateAppAcctVpcCidrSubnetParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips + **Important** To create an additional public subnet in a new availability zone (AZ), a private subnet must already be present. + To use this CT to create additional public subnets in an already-provisioned VPC, the VPC must already have public subnets inside it. If this is not the case, contact AMS to deploy those public subnets inside the VPC first. + To learn more about AMS multi-account landing zone, see [ VPC sharing: A new approach to multiple accounts and VPC management](https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-sharing-a-new-approach-to-multiple-accounts-and-vpc-management/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-2ha68tpd7nr3y](schemas.md#ct-2ha68tpd7nr3y-schema-section). ## Example: Required Parameters ``` Example not available. ``` ## Example: All Parameters ``` Example not available. ``` # Management Account \$1 Create Accelerate Account Create an Accelerate account in your AMS-managed landing zone. Accelerate provides patching, backup, monitoring and reports, but no requests for change. **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create Accelerate account ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-2p93tyd5angmi | | Current version | 1.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create an Accelerate account #### Management account: Creating an Accelerate account with the Console Screenshot of this change type in the AMS console: ![\[Details for creating an Accelerate account in AMS-managed landing zone with ID and execution mode.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzAccAcctCreateCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating an Accelerate account with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-2p93tyd5angmi" --change-type-version "1.0" --title "Create Accelerate account" --execution-parameters "{\"AccountName\": \"account-name-1\",\"Regions\": [\"us-east-1\", \"us-east-2\"],\"AccountEmail\": \"account-email-1@example.com\", \"AccelerateOUName\":\"accelerate\", \"SupportLevel\":\"plus\", \"EnablePatch\":true}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateAccAcctParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1zdasmc2ewzrs" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateAccAcctParams.json ``` 1. Modify and save the CreateAccAcctParams file. For example, you can replace the contents with something like this: ``` { "AccountName": "AccountName", "AccountEmail": "nobody@amazon.com", "AccelerateOUName": "accelerate", "Regions": [ "ap-northeast-1", "ap-northeast-2" ], "SupportLevel": "plus", "EnablePatch": true } ``` 1. Output the RFC template JSON file to a file; this example names it CreateAccAcctRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateAccAcctRfc.json ``` 1. Modify and save the CreateAccAcctRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-2p93tyd5angmi", "Title": "Create-Accelerate-Acct" } ``` 1. Create the RFC, specifying the CreateAccAcct Rfc file and the CreateAccAcctParams file: ``` aws amscm create-rfc --cli-input-json file://CreateAccAcctRfc.json --execution-parameters file://CreateAccAcctParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips To learn more about AMS Accelerate, see [What is AMS Accelerate?](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/what-is-acc.html). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-2p93tyd5angmi](schemas.md#ct-2p93tyd5angmi-schema-section). ## Example: Required Parameters ``` { "AccountName": "AccountName", "AccountEmail": "nobody@amazon.com", "AccelerateOUName": "accelerate", "Regions": [ "ap-northeast-1", "ap-northeast-2" ], "SupportLevel": "plus", "EnablePatch": true } ``` ## Example: All Parameters ``` { "AccountName": "AccountName", "AccountEmail": "nobody@amazon.com", "AccelerateOUName": "accelerate", "Regions": [ "ap-northeast-1", "ap-northeast-2" ], "SupportLevel": "plus", "EnablePatch": true } ``` # Management Account \$1 Create Application Account (With VPC) Create a managed AWS landing zone application account and a VPC with up to 10 private subnets and up to 5 optional public subnets per availability zone (AZ) for two or three AZ's. Optionally, also create an AWS Backup plan with up to four different rules. Managed AWS landing zone core accounts must already be onboarded to AWS Managed Services (AMS). **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create application account (with VPC) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-1zdasmc2ewzrs | | Current version | 2.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create an Application account with VPC #### Management account: Creating an application account (with VPC) with the Console Screenshot of this change type in the AMS console: ![\[Application account creation interface with description, ID, and version details.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMastAcctCreateAppAcctVpcCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating an application account (with VPC) with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-1zdasmc2ewzrs" --change-type-version "2.0" --title "Application account onboarding" --execution-parameters "{\"AccountName \": \"ACCOUNT_NAME\",\"AccountEmail\": \"EMAIL_ADDRESS\",\"ApplicationOUName\": \"APP_ACCOUNT_OU_NAME:CHILD_OU_NAME\",\"SupportLevel\": \"LEVEL\",\"VpcName\": \"VPC_NAME\",\"NumberOfAZs\": \"INTEGER\",\"VpcCIDR\": \"X.X.X.X/X\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ3CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ1CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ2CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ3CIDR\": \"X.X.X.X/X\", \"RouteType\": \"ROUTE_TYPE\", \"TransitGatewayApplicationRouteTableName\": \"TABLE_NAME\"}" ``` With backup parameters: ``` aws amscm create-rfc --change-type-id "ct-1zdasmc2ewzrs" --change-type-version "2.0" --title "Application account onboarding" --execution-parameters "{\"AccountName \": \"ACCOUNT_NAME\",\"AccountEmail\": \"EMAIL_ADDRESS\",\"ApplicationOUName\": \"APP_ACCOUNT_OU_NAME:CHILD_OU_NAME\",\"SupportLevel\": \"LEVEL\",\"VpcName\": \"VPC_NAME\",\"NumberOfAZs\": \"INTEGER\",\"VpcCIDR\": \"X.X.X.X/X\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ3CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ1CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ2CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ3CIDR\": \"X.X.X.X/X\", \"RouteType\": \"ROUTE_TYPE\", \"TransitGatewayApplicationRouteTableName\": \"TABLE_NAME\", \"BackupPlanName\":\"PLAN_NAME\", \"ResourceTagKey\": \"TAG_KEY\", \"ResourceTagValue\":\"TAG_VALUE\", "\BackupRule1ScheduleExpression\": \"cron(0 2 ? * * *)\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateMgmtAcctAppAcctWithVpcParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1zdasmc2ewzrs" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateMgmtAcctAppAcctWithVpcParams.json ``` 1. Modify and save the CreateMgmtAcctAppAcctWithVpcParams file. For example, you can replace the contents with something like this: ``` { "AccountName": "ACCOUNT_NAME", "AccountEmail": "ACCOUNT_EMAIL", "ApplicationOUName": "APPLICATION_OU_NAME:CHILD_OU_NAME", "SupportLevel": "PLUS_or_PREMIUM", "VpcName": "VPC_NAME", "NumberOfAZs": "TWO_or_THREE", "VpcCIDR": "x.x.x.x/x", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x", "PrivateSubnet1AZ3CIDR": "x.x.x.x/x", "PublicSubnetAZ1CIDR": "x.x.x.x/x", "PublicSubnetAZ2CIDR": "x.x.x.x/x", "PublicSubnetAZ3CIDR": "x.x.x.x/x", "RouteType": "ROUTABLE_or_ISOLATED", "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME" } ``` With backup AND patch parameters: ``` { "AccountName": "ACCOUNT_NAME", "AccountEmail": "ACCOUNT_EMAIL", "ApplicationOUName": "APPLICATION_OU_NAME:CHILD_OU_NAME", "SupportLevel": "PLUS_or_PREMIUM", "VpcName": "VPC_NAME", "NumberOfAZs": "TWO_or_THREE", "VpcCIDR": "x.x.x.x/x", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x", "PrivateSubnet1AZ3CIDR": "x.x.x.x/x", "PublicSubnetAZ1CIDR": "x.x.x.x/x", "PublicSubnetAZ2CIDR": "x.x.x.x/x", "PublicSubnetAZ3CIDR": "x.x.x.x/x", "RouteType": "ROUTABLE_or_ISOLATED", "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME", "BackupPlanName": "PLAN_NAME", "ResourceTagKey": "TAG_KEY", "ResourceTagValue": "TAG_VALUE", "BackupRule1ScheduleExpression": "cron(0 2 ? * * *)," "PatchOrchestratorFirstTagKey": "TAG_KEY", "PatchOrchestratorDefaultMaintenanceWindowCutoff": "INTEGER", "PatchOrchestratorDefaultMaintenanceWindowDuration": "INTEGER", "PatchOrchestratorDefaultMaintenanceWindowSchedule": "cron(0 18 * * ? *)," "PatchOrchestratorDefaultMaintenanceWindowTimeZone": "TIME_ZONE", "PatchOrchestratorDefaultPatchBackupRetentionInDays": "INTEGER", "PatchOrchestratorNotificationEmails": "DISTRO_EMAIL" } ``` 1. Output the RFC template JSON file to a file; this example names it CreateMgmtAcctAppAcctWithVpcRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateMgmtAcctAppAcctWithVpcRfc.json ``` 1. Modify and save the CreateMgmtAcctAppAcctWithVpcRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "2.0", "ChangeTypeId": "ct-1zdasmc2ewzrs", "Title": "Management-Acct-App-Acct-With-Vpc-RFC" } ``` 1. Create the RFC, specifying the CreateMgmtAcctAppAcctWithVpcRfc file and the CreateMgmtAcctAppAcctWithVpcParams file: ``` aws amscm create-rfc --cli-input-json file://CreateMgmtAcctAppAcctWithVpcRfc.json --execution-parameters file://CreateMgmtAcctAppAcctWithVpcParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips **Note** The minimum value for this parameter has changed from 60 to 1. **Important** This change type has been automated and you can now configure the VPC to have up to 10 private subnets and up to 5 public subnets. Additionally, you can now configure backup and patching. To learn more about AMS multi-account landing zone, see [AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). [![AWS Videos](http://img.youtube.com/vi/https://www.youtube.com/embed/zjojREBQq20/0.jpg)](http://www.youtube.com/watch?v=https://www.youtube.com/embed/zjojREBQq20) ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-1zdasmc2ewzrs](schemas.md#ct-1zdasmc2ewzrs-schema-section). ## Example: Required Parameters ``` { "AccountName": "AccountName", "AccountEmail": "nobody@amazon.com", "SupportLevel": "plus", "VpcName": "TestVPC", "VpcCIDR": "10.0.0.0/22", "NumberOfAZs": 2, "PrivateSubnet1AZ1CIDR": "10.0.0.0/24", "PrivateSubnet1AZ2CIDR": "10.0.1.0/24", "BackupPlanName": "default-backup-plan", "ResourceTagKey": "Backup", "ResourceTagValue": "True", "BackupRule1ScheduleExpression": "cron(0 2 ? * * )" } ``` ## Example: All Parameters ``` { "AccountName": "AccountName", "AccountEmail": "nobody@amazon.com", "ApplicationOUName": "applications", "SupportLevel": "plus", "VpcName": "TestVPC", "VpcCIDR": "10.0.0.0/22", "NumberOfAZs": 3, "RouteType": "isolated", "TransitGatewayApplicationRouteTableName": "defaultAppRouteTable", "PublicSubnetAZ1CIDR": "10.0.0.0/24", "PublicSubnetAZ2CIDR": "10.0.1.0/24", "PublicSubnetAZ3CIDR": "10.0.2.0/24", "PublicSubnet2AZ1CIDR": "10.0.0.0/24", "PublicSubnet2AZ2CIDR": "10.0.1.0/24", "PublicSubnet2AZ3CIDR": "10.0.2.0/24", "PublicSubnet3AZ1CIDR": "10.0.0.0/24", "PublicSubnet3AZ2CIDR": "10.0.1.0/24", "PublicSubnet3AZ3CIDR": "10.0.2.0/24", "PublicSubnet4AZ1CIDR": "10.0.0.0/24", "PublicSubnet4AZ2CIDR": "10.0.1.0/24", "PublicSubnet4AZ3CIDR": "10.0.2.0/24", "PublicSubnet5AZ1CIDR": "10.0.0.0/24", "PublicSubnet5AZ2CIDR": "10.0.1.0/24", "PublicSubnet5AZ3CIDR": "10.0.2.0/24", "PrivateSubnet1AZ1CIDR": "10.0.0.0/24", "PrivateSubnet1AZ2CIDR": "10.0.1.0/24", "PrivateSubnet1AZ3CIDR": "10.0.2.0/24", "PrivateSubnet2AZ1CIDR": "10.0.3.0/24", "PrivateSubnet2AZ2CIDR": "10.0.4.0/24", "PrivateSubnet2AZ3CIDR": "10.0.5.0/24", "PrivateSubnet3AZ1CIDR": "10.0.0.0/24", "PrivateSubnet3AZ2CIDR": "10.0.1.0/24", "PrivateSubnet3AZ3CIDR": "10.0.2.0/24", "PrivateSubnet4AZ1CIDR": "10.0.3.0/24", "PrivateSubnet4AZ2CIDR": "10.0.4.0/24", "PrivateSubnet4AZ3CIDR": "10.0.5.0/24", "PrivateSubnet5AZ1CIDR": "10.0.0.0/24", "PrivateSubnet5AZ2CIDR": "10.0.1.0/24", "PrivateSubnet5AZ3CIDR": "10.0.2.0/24", "PrivateSubnet6AZ1CIDR": "10.0.3.0/24", "PrivateSubnet6AZ2CIDR": "10.0.4.0/24", "PrivateSubnet6AZ3CIDR": "10.0.5.0/24", "PrivateSubnet7AZ1CIDR": "10.0.0.0/24", "PrivateSubnet7AZ2CIDR": "10.0.1.0/24", "PrivateSubnet7AZ3CIDR": "10.0.2.0/24", "PrivateSubnet8AZ1CIDR": "10.0.3.0/24", "PrivateSubnet8AZ2CIDR": "10.0.4.0/24", "PrivateSubnet8AZ3CIDR": "10.0.5.0/24", "PrivateSubnet9AZ1CIDR": "10.0.0.0/24", "PrivateSubnet9AZ2CIDR": "10.0.1.0/24", "PrivateSubnet9AZ3CIDR": "10.0.2.0/24", "PrivateSubnet10AZ1CIDR": "10.0.3.0/24", "PrivateSubnet10AZ2CIDR": "10.0.4.0/24", "PrivateSubnet10AZ3CIDR": "10.0.5.0/24", "DirectAlertsEmail": "test@amazon.com", "SamlMetadataDocumentURL": "https://test.com", "BackupPlanName": "default-backup-plan", "ResourceTagKey": "Backup", "ResourceTagValue": "True", "BackupRule1ScheduleExpression": "cron(0 2 ? * * )", "PatchOrchestratorFirstTagKey": "AppId", "PatchOrchestratorSecondTagKey": "Environment", "PatchOrchestratorDefaultMaintenanceWindowCutoff": 1, "PatchOrchestratorDefaultMaintenanceWindowDuration": 4, "PatchOrchestratorDefaultMaintenanceWindowSchedule": "cron(0 18 * * ? *)", "PatchOrchestratorDefaultMaintenanceWindowTimeZone": "UTC", "PatchOrchestratorDefaultPatchBackupRetentionInDays": 60, "PatchOrchestratorNotificationEmails": ["user@test.com"] } ``` # Management Account \$1 Create Custom OUs Create multiple custom AWS organizational units (OU) under the following paths, "customer-managed", "applications:managed", "applications:tools" and "applications:development". **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create custom OUs ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-1ksyoxreh35tu | | Current version | 2.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create a custom OU #### Management account: Creating a Management account custom OU with the console Screenshot of this change type in the AMS console: ![\[Create Custom OUs panel showing description, ID, and version for AWS organizational units.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMgmtAcctCreateOuCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating a Management account custom OU with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc \ --change-type-id "ct-1ksyoxreh35tu" \ --change-type-version "2.0" --title "New OU Creation" \ --execution-parameters "{\"CustomOUPaths\": [ \"applications:managed:OU1:OU2:OU3\", \"applications:managed:OU1:OU2:OU3\"]}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it MgmtAcctCreateOuParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1ksyoxreh35tu" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > MgmtAcctCreateOuParams.json ``` 1. Modify and save the MgmtAcctCreateOuParams file. For example, you can replace the contents with something like this: ``` { "CustomOUPaths": ["applications:managed:healthcare", "customer-managed:CustomOU", "applications:tools:automation", "applications:development:healthcare"] } ``` 1. Output the RFC template JSON file to a file; this example names it MgmtAcctCreateOuRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > MgmtAcctCreateOuRfc.json ``` 1. Modify and save the MgmtAcctCreateOuRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "2.0", "ChangeTypeId": "ct-1ksyoxreh35tu", "Title": "Management-Acct-Create-OU-RFC" } ``` 1. Create the RFC, specifying the MgmtAcctCreateOu Rfc file and the MgmtAcctCreateOuParams file: ``` aws amscm create-rfc --cli-input-json file://MgmtAcctCreateOuRfc.json --execution-parameters file://MgmtAcctCreateOuParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips **Note** This change type is now at version 2.0. A new parameter, **CustomOUPath** replaces the previous **CustomOUName** parameter, and the change type is now automated and not manually executed. To learn more about AMS multi-account landing zone, see [ AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). For information on creating OUs, see [ Managing organizational units (OUs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-1ksyoxreh35tu](schemas.md#ct-1ksyoxreh35tu-schema-section). ## Example: Required Parameters ``` Example not available. ``` ## Example: All Parameters ``` Example not available. ``` # Management Account \$1 Create Custom SCP (Managed Automation) Create a custom service control policy (SCP) to manage permissions across AWS organization. **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create custom SCP (managed automation) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-33ste5yc7hprs | | Current version | 1.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required if submitter | | Execution mode | Manual | ## Additional Information ### Create a service control policy (SCP) (Managed Automation) #### Management account: Creating a Management account custom SCP with the console Screenshot of this change type in the AMS console: ![\[alt text not found\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMastAcctCreateScpCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating a Management account custom SCP with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc \ --change-type-id "ct-33ste5yc7hprs" \ --change-type-version "1.0" --title "New SCP Creation" \ --execution-parameters "{\"TargetId\":\"ou-hlzm-8ievlm9x\", \"CustomServiceControlPolicy\":\"Test\", \"SCPDescription\":\"Test SCP\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateMasterAcctScpParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-33ste5yc7hprs" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateMasterAcctScpParams.json ``` 1. Modify and save the CreateMasterAcctScpParams file. For example, you can replace the contents with something like this: ``` { "TargetId":"ou-hlzm-8ievlm9x", "CustomServiceControlPolicy":"MySCP", "SCPDescription":"Test SCP" } ``` 1. Output the RFC template JSON file to a file; this example names it CreateMasterAcctScpRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateMasterAcctScpRfc.json ``` 1. Modify and save the CreateMasterAcctScpRfc file. For example, you can replace the contents with something like this: ``` { "ChangeTypeId": "ct-33ste5yc7hprs", "ChangeTypeVersion": "1.0", "Title": "New SCP Creation" } ``` 1. Create the RFC, specifying the CreateMasterAcctCreateScp Rfc file and the CreateMasterAcctScpParams.json file: ``` aws amscm create-rfc --cli-input-json file://CreateMasterAcctScpRfc.json --execution-parameters file://CreateMasterAcctScpParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips This is a manual change type (an AMS operator must review and run the CT), which means that the RFC can take longer to run and you might have to communicate with AMS through the RFC details page correspondance option. Additionally, if you schedule a manual change type RFC, be sure to allow at least 24 hours, if approval does not happen before the scheduled start time, the RFC is rejected automatically. To learn more about AMS multi-account landing zone, see [AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). **Note** Make sure that you refer to and use the curated Service Control Policies (SCPs) library that fits your business requirements. Provide the unique ID from the library in the form of `SCP-AMS-XXX` in the RFC title. For more information, see [Curated SCPs and Config Rules](https://docs.aws.amazon.com/managedservices/latest/userguide/scp-library-compliance.html). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-33ste5yc7hprs](schemas.md#ct-33ste5yc7hprs-schema-section). ## Example: Required Parameters ``` { "TargetId": "ou-96dv-e18n036l", "CustomServiceControlPolicy": "" } ``` ## Example: All Parameters ``` { "TargetId": "ou-96dv-e18n036l", "CustomServiceControlPolicy": "", "SCPDescription": "Description of the custom Service Control Policy (SCP) that needs to be attached to the provided target.", "Priority": "Medium" } ``` # Management Account \$1 Create Customer-Managed Application Account Create a customer-managed application account in a multi-account AWS landing zone. Customer-managed accounts give you full control to operate the infrastructure within the centralized architecture managed by AMS. Multi-account AWS landing zone core accounts must already be onboarded to AWS Managed Services (AMS). **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create customer-managed application account ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-3pwbixz27n3tn | | Current version | 1.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create a Customer Managed application account #### Management account: Creating a Management account customer-managed application account with the Console Screenshot of this change type in the AMS console: ![\[Description and details for creating a customer-managed application account in AWS.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMgmtAcctCreateCustManAppAcctCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating a Management account customer-managed application account with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc \ --change-type-id "ct-3pwbixz27n3tn" \ --change-type-version "1.0" --title "New customer-managed account creation" \ --execution-parameters "{\"AccountName\":\"test\", \"AccountEmail\":\"test@test.com\", \"CustomerManagedOUName\":\"customer-managed\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it NewCustomerManagedAccountParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1zdasmc2ewzrs" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > NewCustomerManagedAccountParams.json ``` 1. Modify and save the NewCustomerManagedAccountParams file. For example, you can replace the contents with something like this: ``` { "AccountName":"test", "AccountEmail":"test@test.com", "CustomerManagedOUName":"customer-managed" } ``` 1. Output the RFC template JSON file to a file; this example names it NewCustomerManagedAccountRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > NewCustomerManagedAccountRfc.json ``` 1. Modify and save the NewCustomerManagedAccountRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeId": "ct-3pwbixz27n3tn", "ChangeTypeVersion": "1.0", "Title": "New customer-managed account creation" } ``` 1. Create the RFC, specifying the NewCustomerManagedAccount Rfc file and the NewCustomerManagedAccountParams file: ``` aws amscm create-rfc --cli-input-json file://NewCustomerManagedAccountRfc.json --execution-parameters file://NewCustomerManagedAccountParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips To learn more about AMS multi-account landing zone, see [AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-3pwbixz27n3tn](schemas.md#ct-3pwbixz27n3tn-schema-section). ## Example: Required Parameters ``` Example not available. ``` ## Example: All Parameters ``` Example not available. ``` # Management Account \$1 Create Developer Mode Account (With VPC) Create a managed AWS landing zone developer mode account and a VPC with up to 10 private subnets and up to 5 optional public subnets per availability zone (AZ) for two or three AZ's. Optionally, also create an AWS Backup plan with up to four different rules. Managed AWS landing zone core accounts must already be onboarded to AWS Managed Services (AMS). **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create developer mode account (with VPC) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-38xcr0q86k9lh | | Current version | 1.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create Developer mode account with VPC #### Management account: Creating a developer mode account with VPC with the console Screenshot of this change type in the AMS console: ![\[AWS console interface showing details for creating a developer mode account with VPC.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMgmtAcctCreateDevModeAcctCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating a developer mode account with VPC with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-38xcr0q86k9lh" --change-type-version "1.0" --title "Dev Mode account onboarding" --execution-parameters "{\"AccountName \": \"ACCOUNT_NAME\",\"AccountEmail\": \"/\",\"DeveloperModeOUName\": \"Development_OU_NAME:CHILD_OU_NAME\",\"SupportLevel\": \"LEVEL\",\"VpcName\": \"VPC_NAME\",\"NumberOfAZs\": \"INTEGER\",\"VpcCIDR\": \"X.X.X.X/X\", \"PrivateSubnet1AZ1CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ2CIDR\": \"X.X.X.X/X\",\"PrivateSubnet1AZ3CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ1CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ2CIDR\": \"X.X.X.X/X\",\"PublicSubnetAZ3CIDR\": \"X.X.X.X/X\", \"RouteType\": \"ROUTE_TYPE\", \"TransitGatewayApplicationRouteTableName\": \"TABLE_NAME\", \"BackupPlanName\":\"PLAN_NAME\", \"ResourceTagKey\": \"TAG_KEY\", \"ResourceTagValue\":\"TAG_VALUE\", "\BackupRule1ScheduleExpression\": \"cron(0 2 ? * * *)\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateDevModeAcctWithVpcParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-38xcr0q86k9lh" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateDevModeAcctWithVpcParams.json ``` 1. Modify and save the CreateDevModeAcctWithVpcParams file. For example, you can replace the contents with something like this: ``` { "AccountName": "ACCOUNT_NAME", "AccountEmail": "ACCOUNT_EMAIL", "DeveloperModeOUName": "DEVELOPER_MODE_OU_NAME:CHILD_OU_NAME", "SupportLevel": "PLUS_or_PREMIUM", "VpcName": "VPC_NAME", "NumberOfAZs": "TWO_or_THREE", "VpcCIDR": "x.x.x.x/x", "PrivateSubnet1AZ1CIDR": "x.x.x.x/x", "PrivateSubnet1AZ2CIDR": "x.x.x.x/x", "PrivateSubnet1AZ3CIDR": "x.x.x.x/x", "PublicSubnetAZ1CIDR": "x.x.x.x/x", "PublicSubnetAZ2CIDR": "x.x.x.x/x", "PublicSubnetAZ3CIDR": "x.x.x.x/x", "RouteType": "ROUTABLE_or_ISOLATED", "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME" } ``` 1. Output the RFC template JSON file to a file; this example names it CreateDevModeAcctWithVpcRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateDevModeAcctWithVpcRfc.json ``` 1. Modify and save the CreateDevModeAcctWithVpcRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeId": "ct-38xcr0q86k9lh", "ChangeTypeVersion": "1.0", "Title": "Create developer mode account with VPC" } ``` 1. Create the RFC, specifying the CreateDevModeAcctWithVpcRfc file and the CreateDevModeAcctWithVpcParams file: ``` aws amscm create-rfc --cli-input-json file://CreateDevModeAcctWithVpcRfc.json --execution-parameters file://CreateDevModeAcctWithVpcParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips To learn more about developer mode, see [Developer mode](https://docs.aws.amazon.com/managedservices/latest/userguide/developer-mode.html). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-38xcr0q86k9lh](schemas.md#ct-38xcr0q86k9lh-schema-section). ## Example: Required Parameters ``` Example not available. ``` ## Example: All Parameters ``` Example not available. ``` # Management Account \$1 Create StackSets Stack (Managed Automation) Create AWS CloudFormation (CFN) StackSets stacks and deploy the stack instances. Use the CloudFormation StackSets feature to create stacks across multiple accounts. **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create StackSets stack (managed automation) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-16pknsfa8lul7 | | Current version | 1.0 | | Expected execution duration | 240 minutes | | AWS approval | Required | | Customer approval | Not required if submitter | | Execution mode | Manual | ## Additional Information ### Create a Stacksets stack #### Creating a Stacksets stack with the console Screenshot of this change type in the AMS console: ![\[alt text not found\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiManLzStckstsStckCreateCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Creating a Stacksets stack with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-16pknsfa8lul7" --change-type-version "1.0" --title "Create StackSets Stack" --execution-parameters "{\"Name\": \"Stackset name\", \"Region\": \"us-east-1\", \"OuId"\: \"ou-cccc-00000000\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it UpdateStacksetsStackParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1v9g9n30woc8h" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > UpdateStacksetsStackParams.json ``` 1. Modify and save the UpdateStacksetsStackParams file. For example, you can replace the contents with something like this: ``` { "CloudFormationTemplate": "template", "CloudFormationTemplateS3Endpoint": "S3 link of the template", "Description": "Create Stackset", "Name": "test-stackset", "OuId": ["ou-cccc-00000000"], "Region": "us-east-1", "Parameters": [ { "Name": "test-value", "Value": "test-value" } ], "Tags": [ { "Key": "key1", "Value": "value1" }, { "Key": "key2", "Value": "value2" } ], "Priority": "High" } ``` 1. Output the RFC template JSON file to a file; this example names it UpdateStacksetsStackRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > UpdateStacksetsStackRfc.json ``` 1. Modify and save the UpdateStacksetsStackRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-16pknsfa8lul7", "Title": "Create StackSets Stack " } ``` 1. Create the RFC, specifying the UpdateStacksetsStack Rfc file and the UpdateStacksetsStackParams file: ``` aws amscm create-rfc --cli-input-json file://UpdateStacksetsStackRfc.json --execution-parameters file://UpdateStacksetsStackParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips + For CloudFormation details, see [Create a stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html) + For general CloudFormation information on stack sets, see [StackSets concepts](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html) + To learn more about AMS multi-account landing zone, see [ AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-16pknsfa8lul7](schemas.md#ct-16pknsfa8lul7-schema-section). ## Example: Required Parameters ``` { "Description": "AMSTestCT - Create a test stackset", "Name": "test-stackset", "OuId": ["ou-cccc-00000000"], "Region": "us-east-1" } ``` ## Example: All Parameters ``` { "CloudFormationTemplate": "template", "CloudFormationTemplateS3Endpoint": "https://s3.amazonaws.com/cf-templates-33kj7hiuwdk9-us-east-1/2017261mYA-stm-dynamic-sqs-no-params-sept-2017.template", "Description": "AMSTestCT - Create a test stackset", "Name": "test-stackset", "OuId": ["ou-cccc-00000000"], "Region": "us-east-1", "Parameters": [ { "Name": "test-value", "Value": "test-value" } ], "Tags": [ { "Key": "key1", "Value": "value1" }, { "Key": "key2", "Value": "value2" } ], "Priority": "High" } ``` # Management Account \$1 Create Tools Account (With VPC) Create a managed AWS landing zone tools account and a VPC with a private subnet, an isolated private subnet, and a public subnet. Optionally, also create an AWS Backup plan with up to four different rules. Managed AWS landing zone core accounts must already be onboarded to AWS Managed Services (AMS). **Full classification:** Deployment \$1 Managed landing zone \$1 Management account \$1 Create tools account (with VPC) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-2j7q1hgf26x5c | | Current version | 2.0 | | Expected execution duration | 3600 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create Tools account with VPC #### Management account: Creating a Management account Tools account with the console Screenshot of this change type in the AMS console: ![\[Description of a change type for creating AWS tools account with VPC and optional backup plan.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzMastAcctCreateToolsAcctVpcCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Management account: Creating a Management account Tools account with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: **Note** Run this change type from your Management account. Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc \ --change-type-id "ct-2j7q1hgf26x5c" \ --change-type-version "1.0" --title "New tools account creation" \ --execution-parameters "{\"AccountName\": \"tools\",\"AccountEmail\": \"test@test.com\",\"ApplicationOUName\": \"applications:tools\",\"TransitGatewayApplicationRouteTableName\": \"defaultAppRouteDomain\",\"SupportLevel\": \"plus\",\"VpcName\": \"testvpc4\",\"VpcCIDR\": \"10.106.0.0/24\", \"PrivateSubnetIsolatedCIDR\": \"10.106.0.128/26\", \"PrivateSubnetCIDR\":\"10.106.0.192/26\",\"PublicSubnetCIDR\":\"10.106.0.192/26\",\"DirectAlertsEmail\": \"test@test.com\",\"BackupRule1ScheduleExpression\": \"cron(0 2 ? * * )\",\"BackupPlanName\": \"test\",\"ResourceTagKey\": \"backup\",\"ResourceTagValue\": \"true\"}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it NewToolsAccountParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-2j7q1hgf26x5c" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > NewToolsAccountParams.json ``` 1. Modify and save the NewToolsAccountParams file. For example, you can replace the contents with something like this: ``` { "AccountName":"tools", "AccountEmail":"test@test.com", "ApplicationOUName":"applications:tools", "TransitGatewayApplicationRouteTableName": "defaultAppRouteDomain", "SupportLevel": "plus", "VpcName": "testvpc4", "VpcCIDR": "10.106.0.0/24", "PrivateSubnetIsolatedCIDR": "10.106.0.128/26", "PrivateSubnetCIDR":"10.106.0.192/26", "PublicSubnetCIDR":"10.106.0.192/26", "DirectAlertsEmail": "test@test.com", "BackupRule1ScheduleExpression": "cron(0 2 ? * * )", "BackupPlanName": "test", "ResourceTagKey": "backup", "ResourceTagValue": "true" } ``` 1. Output the RFC template JSON file to a file; this example names it NewToolsAccountRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > NewToolsAccountRfc.json ``` 1. Modify and save the NewToolsAccountRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeId": "ct-2j7q1hgf26x5c", "ChangeTypeVersion": "2.0", "Title": "New tools account with VPC creation" } ``` 1. Create the RFC, specifying the NewToolsAccount Rfc file and the NewToolsAccountParams file: ``` aws amscm create-rfc --cli-input-json file://NewToolsAccountRfc.json --execution-parameters file://NewToolsAccountParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips **Note** This change type is updated to version 2.0 with changes to input parameters. To learn more about AMS multi-account landing zone, see [ AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-2j7q1hgf26x5c](schemas.md#ct-2j7q1hgf26x5c-schema-section). ## Example: Required Parameters ``` Example not available. ``` ## Example: All Parameters ``` Example not available. ``` # Networking Account \$1 Add Static Route Create a static route on transit gateway (TGW) route table. Use this change type for multi-account landing zone (MALZ) Networking accounts only. **Full classification:** Deployment \$1 Managed landing zone \$1 Networking account \$1 Add static route ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-3r2ckznmt0a59 | | Current version | 1.0 | | Expected execution duration | 60 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Add a static route #### Networking account: Adding a static route with the Console Screenshot of this change type in the AMS console: ![\[Interface for adding a static route to Transit Gateway Route Table, showing description and ID.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiManLzNetAcctAddStaticRouteCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Networking account: Adding a static route with the CLI How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-3r2ckznmt0a59" --change-type-version "1.0" --title "Create a static route on Transit Gateway Route Table" --execution-parameters "{\"DocumentName\": \"AWSManagedServices-CreateRouteInTGWRouteTable\",\"Region\": \"us-east-1\",\"Parameters\": {\"TransitGatewayAttachmentId\": [\"tgw-attach-0878cf82a40721d19\"],\"TransitGatewayRouteTableId\": [\"tgw-rtb-06ddc751c0c0c881c\"], \"Blackhole\": [\"false"], \"DestinationCidrBlock\": [\"10.0.0.0/24\"]}}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it AddStaticRouteParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-3r2ckznmt0a59" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > AddStaticRouteParams.json ``` 1. Modify and save the AddStaticRouteParams file. For example, you can replace the contents with something like this: ``` { "DocumentName": "AWSManagedServices-CreateRouteInTGWRouteTable", "Region": "us-east-1", "Parameters": { "DestinationCidrBlock" : [ "10.0.0.0/24" ], "Blackhole" : [ "false" ], "TransitGatewayAttachmentId": [ "tgw-attach-0878cf82a40721d19" ], "TransitGatewayRouteTableId": [ "tgw-rtb-06ddc751c0c0c881c" ] } } ``` 1. Output the RFC template JSON file to a file; this example names it AddStaticRouteRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > AddStaticRouteRfc.json ``` 1. Modify and save the AddStaticRouteRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-3r2ckznmt0a59", "Title": "Create a static route on Transit Gateway Route Table" } ``` 1. Create the RFC, specifying the AddStaticRouteRfc file and the AddStaticRouteParams file: ``` aws amscm create-rfc --cli-input-json file://AddStaticRouteRfc.json --execution-parameters file://AddStaticRouteParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips Before you run this Change Type, confirm the following points: + The TGW route table exists and is available. + The TGW route table is not `DMZBastionsRouteDomain` or `EgressRouteDomain`. + The TGW attachment exists. + The CIDR is not default (0.0.0.0/0), invalid, or that the route already exists. **Note** This Change Type is only valid in Multi-account Landing Zone (MALZ) Networking accounts. To learn more about AMS multi-account landing zone, see [AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-3r2ckznmt0a59](schemas.md#ct-3r2ckznmt0a59-schema-section). ## Example: Required Parameters ``` { "DocumentName": "AWSManagedServices-CreateRouteInTGWRouteTable", "Region": "us-east-1", "Parameters": { "DestinationCidrBlock": ["10.0.2.0/24"], "TransitGatewayRouteTableId": [ "tgw-rtb-06ddc751c0c0c881c" ] } } ``` ## Example: All Parameters ``` { "DocumentName": "AWSManagedServices-CreateRouteInTGWRouteTable", "Region": "us-east-1", "Parameters": { "Blackhole": [false], "DestinationCidrBlock": ["10.0.2.0/24"], "TransitGatewayAttachmentId": [ "tgw-attach-0878cf82a40721d19" ], "TransitGatewayRouteTableId": [ "tgw-rtb-06ddc751c0c0c881c" ] } } ``` # Networking Account \$1 Create Application Route Table (Managed Automation) Create a custom AWS Transit Gateway (TGW) route table for the application accounts in the networking account. By default, the route table does not connect to the on-premise network, but contains preset routes. To request connections to the on-premise network, submit a Management\$1Other\$1Other\$1Update change type. **Full classification:** Deployment \$1 Managed landing zone \$1 Networking account \$1 Create application route table (managed automation) ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-1urj94c3hdfu5 | | Current version | 1.0 | | Expected execution duration | 240 minutes | | AWS approval | Required | | Customer approval | Not required if submitter | | Execution mode | Manual | ## Additional Information ### Create application route table (Managed Automation) #### Networking account: creating an application route table with the Console (Managed Automation) Screenshot of this change type in the AMS console: ![\[alt text not found\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzNetAcctCreateAppAcctRouteTableRrCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Networking account: creating an application route table with the CLI (Managed Automation) How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-1urj94c3hdfu5" --change-type-version "1.0" --title "Create Application TGW route table" --execution-parameters "{\"TransitGatewayApplicationRouteTableName\":\"TABLE_NAME\", \"AddPresetStaticRoutes\": true}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateRouteTableParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1urj94c3hdfu5" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateRouteTableParams.json ``` 1. Modify and save the CreateRouteTableParams file. For example, you can replace the contents with something like this: ``` { "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME", "AddPresetStaticRoutes": true } ``` 1. Output the RFC template JSON file to a file; this example names it CreateRouteTableRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateRouteTableRfc.json ``` 1. Modify and save the CreateRouteTableRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-1urj94c3hdfu5", "Title": "Create-TG-Route-Table-RFC" } ``` 1. Create the RFC, specifying the CreateRouteTableRfc file and the CreateRouteTableParams file: ``` aws amscm create-rfc --cli-input-json file://CreateRouteTableRfc.json --execution-parameters file://CreateRouteTableParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips This is a manual change type (an AMS operator must review and run the CT), which means that the RFC can take longer to run and you might have to communicate with AMS through the RFC details page correspondance option. Additionally, if you schedule a manual change type RFC, be sure to allow at least 24 hours, if approval does not happen before the scheduled start time, the RFC is rejected automatically. + This change type is manual. To use the automated version of this change type, see [ Networking Account \$1 Create Application Route Table](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-managed-networking-account-create-application-route-table.html). + By default, the route table does not connect to on-premise network, but contains preset routes. To request connections to the on-premise network, submit a Deployment \$1 Managed landing zone \$1 Networking account \$1 Add static route change type, with the route table ID, to add routes to it. If you set the **AddPresetStaticRoutes** parameter to False, the route table that created is empty and you must file a Deployment \$1 Managed landing zone \$1 Networking account \$1 Add static route change type, with the route table ID, to add routes to it. + To learn more about AMS multi-account landing zone, see [ AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-1urj94c3hdfu5](schemas.md#ct-1urj94c3hdfu5-schema-section). ## Example: Required Parameters ``` { "TransitGatewayApplicationRouteTableName": "routeTableName" } ``` ## Example: All Parameters ``` { "TransitGatewayApplicationRouteTableName": "routeTableName", "AddPresetStaticRoutes": true, "Priority": "Medium" } ``` # Networking Account \$1 Create Transit Gateway Route Table Create a transit gateway (TGW) route table. Use this change type for multi-account landing zone (MALZ) Networking accounts only. **Full classification:** Deployment \$1 Managed landing zone \$1 Networking account \$1 Create transit gateway route table ## Change Type Details **** | | | | --- |--- | | Change type ID | ct-3dscwaeyi6cup | | Current version | 1.0 | | Expected execution duration | 60 minutes | | AWS approval | Required | | Customer approval | Not required | | Execution mode | Automated | ## Additional Information ### Create application route table (Managed Automation) #### Networking account: creating an application route table with the Console (Managed Automation) Screenshot of this change type in the AMS console: ![\[Create Application Account Route Table interface showing ID, execution mode, version, and classification details.\]](http://docs.aws.amazon.com/managedservices/latest/ctref/images/guiMalzNetAcctCreateAppAcctRouteTableRrCT.png) How it works: 1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**. 1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view. + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create. To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button. + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page. 1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC. In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area. 1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page. #### Networking account: creating an application route table with the CLI (Managed Automation) How it works: 1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here. 1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID. Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command. To check the change type version, use this command: ``` aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID ``` **Note** You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html). *INLINE CREATE*: Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this: ``` aws amscm create-rfc --change-type-id "ct-1urj94c3hdfu5" --change-type-version "1.0" --title "Create Application TGW route table" --execution-parameters "{\"TransitGatewayApplicationRouteTableName\":\"TABLE_NAME\", \"AddPresetStaticRoutes\": true}" ``` *TEMPLATE CREATE*: 1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateRouteTableParams.json: ``` aws amscm get-change-type-version --change-type-id "ct-1urj94c3hdfu5" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateRouteTableParams.json ``` 1. Modify and save the CreateRouteTableParams file. For example, you can replace the contents with something like this: ``` { "TransitGatewayApplicationRouteTableName": "ROUTE_TABLE_NAME", "AddPresetStaticRoutes": true } ``` 1. Output the RFC template JSON file to a file; this example names it CreateRouteTableRfc.json: ``` aws amscm create-rfc --generate-cli-skeleton > CreateRouteTableRfc.json ``` 1. Modify and save the CreateRouteTableRfc.json file. For example, you can replace the contents with something like this: ``` { "ChangeTypeVersion": "1.0", "ChangeTypeId": "ct-1urj94c3hdfu5", "Title": "Create-TG-Route-Table-RFC" } ``` 1. Create the RFC, specifying the CreateRouteTableRfc file and the CreateRouteTableParams file: ``` aws amscm create-rfc --cli-input-json file://CreateRouteTableRfc.json --execution-parameters file://CreateRouteTableParams.json ``` You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start. #### Tips This is a manual change type (an AMS operator must review and run the CT), which means that the RFC can take longer to run and you might have to communicate with AMS through the RFC details page correspondance option. Additionally, if you schedule a manual change type RFC, be sure to allow at least 24 hours, if approval does not happen before the scheduled start time, the RFC is rejected automatically. + This change type is manual. To use the automated version of this change type, see [ Networking Account \$1 Create Application Route Table](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-managed-networking-account-create-application-route-table.html). + By default, the route table does not connect to on-premise network, but contains preset routes. To request connections to the on-premise network, submit a Deployment \$1 Managed landing zone \$1 Networking account \$1 Add static route change type, with the route table ID, to add routes to it. If you set the **AddPresetStaticRoutes** parameter to False, the route table that created is empty and you must file a Deployment \$1 Managed landing zone \$1 Networking account \$1 Add static route change type, with the route table ID, to add routes to it. + To learn more about AMS multi-account landing zone, see [ AWS Managed Services (AMS) Now Offers Managed Landing Zones](https://aws.amazon.com/about-aws/whats-new/2019/10/aws-managed-services-now-offers-managed-landing-zones/). ## Execution Input Parameters For detailed information about the execution input parameters, see [Schema for Change Type ct-3dscwaeyi6cup](schemas.md#ct-3dscwaeyi6cup-schema-section). ## Example: Required Parameters ``` { "DocumentName": "AWSManagedServices-CreateTGWRouteTable", "Region": "us-east-1", "Parameters": { "TransitGatewayRouteTableName": "NewApplicationRouteTable1", "TransitGatewayId": "tgw-0123456789abcdefg", "TGWRouteTableType": "createApplicationRouteDomain" } } ``` ## Example: All Parameters ``` { "DocumentName": "AWSManagedServices-CreateTGWRouteTable", "Region": "us-east-1", "Parameters": { "TransitGatewayRouteTableName": "NewApplicationRouteTable", "TransitGatewayId": "tgw-0123456789abcdefg", "TGWRouteTableType": "createApplicationRouteDomain" } } ```