
Attach Service Control Policy to AWS Organizations

Answer

I am wondering how we may attach SCPs to OUs in the Gruntwork codebase. My understanding is that we would need to use this module (https://github.com/gruntwork-io/terraform-aws-security/tree/v0.22.2/modules/aws-organizations), create the OU, create the SCP and attach an aws_organizations_policy (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy). We also need to add SCP as an enabled policy type. Any recommendations on how we might approach this?

We currently don't offer a module to manage organizational units (OU) or SCPs, so what you have laid out in your understanding is correct: you will need to create a Terraform module that uses the raw Terraform resources to manage the OUs and SCPs. However, this is a gap in our module catalog that we can address, so I have filed https://github.com/gruntwork-io/terraform-aws-security/issues/633 for us to consider implementing a dedicated module for managing OUs with child accounts and SCPs.

In the meantime, the best approach to implement this would be to create a module that manages the OU with SCP and which takes in the AWS Organization root ID to hook the OU to. The following is a skeleton that you can use:

```hcl
module "organization" {
  source = "git::git@github.com:gruntwork-io/module-security.git//modules/aws-organizations?ref=v0.62.3"

  organizations_feature_set          = "ALL"
  organizations_enabled_policy_types = ["SERVICE_CONTROL_POLICY"]

  # ... other args omitted for brevity ...
}

resource "aws_organizations_organizational_unit" "unit" {
  name      = var.org_unit_name
  parent_id = module.organization.root_id
}

# Replicate for any accounts you wish to invite under the OU
resource "aws_organizations_account" "unit_child" {
  parent_id = aws_organizations_organizational_unit.unit.id

  # ... other args omitted for brevity ...
}

# Replicate the following for any SCPs you wish to attach to the OU
resource "aws_organizations_policy" "scp_policy" {
  name        = "Policy Name"
  description = "Policy description"
  content     = data.aws_iam_policy_document.scp_policy.json
}

resource "aws_organizations_policy_attachment" "scp_policy" {
  policy_id = aws_organizations_policy.scp_policy.id
  target_id = aws_organizations_organizational_unit.unit.id
}

data "aws_iam_policy_document" "scp_policy" {
  # ... args omitted for brevity ...
}
```
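The skeleton above leaves the SCP document itself empty. As an added example (not part of the original answer or of the Gruntwork module), here is a concrete guardrail SCP that prevents member accounts from leaving the organization and denies API calls outside an allow-list of regions; it assumes the OU resource is named `aws_organizations_organizational_unit.unit` as in the skeleton, and the region list and policy names are placeholders to adjust.

```hcl
# Added example: a concrete SCP for the OU. Assumes the OU from the skeleton
# is named aws_organizations_organizational_unit.unit.
variable "allowed_regions" {
  description = "Regions where workloads may run (assumed values; adjust)"
  type        = list(string)
  default     = ["us-east-1", "eu-west-1"]
}

data "aws_iam_policy_document" "scp_guardrails" {
  # Member accounts must not be able to detach themselves from the org.
  statement {
    sid       = "DenyLeaveOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }

  # Deny everything outside the approved regions, except global services
  # (served from us-east-1) which would otherwise break for every account.
  statement {
    sid    = "DenyOutsideAllowedRegions"
    effect = "Deny"
    not_actions = [
      "iam:*",
      "organizations:*",
      "sts:*",
      "support:*",
      "cloudfront:*",
      "route53:*",
      "budgets:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = var.allowed_regions
    }
  }
}

resource "aws_organizations_policy" "scp_guardrails" {
  name        = "ou-guardrails"
  description = "Block leaving the organization and use of non-approved regions"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.scp_guardrails.json
}

resource "aws_organizations_policy_attachment" "scp_guardrails" {
  policy_id = aws_organizations_policy.scp_guardrails.id
  target_id = aws_organizations_organizational_unit.unit.id
}
```

SCPs only filter what IAM principals in member accounts may do and never grant permissions, and they do not apply to the management account, so validate the attachment against a sandbox OU before moving production accounts under it.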