AWS Organizations
This Terraform Module allows you to create and manage your AWS Organization and all child AWS accounts as code.
(Figure: AWS Organizations Architecture)
Features
- Create a new AWS Organization
- Provision new AWS accounts under your organization
- Create an account access IAM role in each child account
- Add tags to each child account
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
Repo organization
- modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
- examples: working examples of how to use the submodules.
- test: automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/aws-organizations: this folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- Coming soon. We have not yet added this module to the Acme example Reference Architecture.
Manage
Day-to-day operations
Sample Usage
Terraform:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S AWS-ORGANIZATIONS MODULE
# ------------------------------------------------------------------------------------------------------
module "aws_organizations" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/aws-organizations?ref=v0.74.5"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Map of child accounts to create. The map key is the name of the account and
# the value is an object containing account configuration variables.
child_accounts = <any>
# Flag indicating whether the organization should be created.
create_organization = <bool>
# If set to ALLOW, the new account enables IAM users to access account billing
# information if they have the required permissions. If set to DENY, then only
# the root user of the new account can access account billing information.
default_iam_user_access_to_billing = <string>
# The name of an IAM role that Organizations automatically preconfigures in
# the new member account. This role trusts the mgmt account, allowing users in
# the mgmt account to assume the role, as permitted by the mgmt account
# administrator.
default_role_name = <string>
# List of AWS service principal names for which you want to enable integration
# with your organization. Must have `organizations_feature_set` set to ALL.
# See
# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html
organizations_aws_service_access_principals = <list(string)>
# List of Organizations policy types to enable in the Organization Root. See
# https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
organizations_enabled_policy_types = <list(string)>
# Specify `ALL` or `CONSOLIDATED_BILLING`.
organizations_feature_set = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Default tags to add to accounts. Will be appended to `child_account.*.tags`
default_tags = {}
}
Terragrunt:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S AWS-ORGANIZATIONS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/aws-organizations?ref=v0.74.5"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Map of child accounts to create. The map key is the name of the account and
# the value is an object containing account configuration variables.
child_accounts = <any>
# Flag indicating whether the organization should be created.
create_organization = <bool>
# If set to ALLOW, the new account enables IAM users to access account billing
# information if they have the required permissions. If set to DENY, then only
# the root user of the new account can access account billing information.
default_iam_user_access_to_billing = <string>
# The name of an IAM role that Organizations automatically preconfigures in
# the new member account. This role trusts the mgmt account, allowing users in
# the mgmt account to assume the role, as permitted by the mgmt account
# administrator.
default_role_name = <string>
# List of AWS service principal names for which you want to enable integration
# with your organization. Must have `organizations_feature_set` set to ALL.
# See
# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html
organizations_aws_service_access_principals = <list(string)>
# List of Organizations policy types to enable in the Organization Root. See
# https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
organizations_enabled_policy_types = <list(string)>
# Specify `ALL` or `CONSOLIDATED_BILLING`.
organizations_feature_set = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Default tags to add to accounts. Will be appended to `child_account.*.tags`
default_tags = {}
}
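A concrete version of the placeholder block above, added here as an illustration rather than taken from the module's repository: it creates the organization with all features enabled, turns on service control policies, and provisions two member accounts. The region, the account emails and the output name `child_accounts` are assumptions.

```hcl
terraform {
  required_version = ">= 1.0"
}

# This configuration must run with credentials for the management (root)
# account; Organizations can only be created and managed from there.
provider "aws" {
  region = "us-east-1" # assumed
}

module "aws_organizations" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/aws-organizations?ref=v0.74.5"

  create_organization       = true
  organizations_feature_set = "ALL" # required for SCPs and service integrations below

  # Let the security services that rely on Organizations enumerate member accounts.
  organizations_aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "guardduty.amazonaws.com",
  ]
  organizations_enabled_policy_types = ["SERVICE_CONTROL_POLICY"]

  # Deny billing access to IAM users unless an account explicitly opts in.
  default_iam_user_access_to_billing = "DENY"
  default_role_name                  = "OrganizationAccountAccessRole"

  default_tags = { ManagedBy = "terraform" }

  child_accounts = {
    security = {
      email = "aws-security@example.com" # constructed address
      tags  = { Purpose = "security-tooling" }
    }
    sandbox = {
      email                      = "aws-sandbox@example.com" # constructed address
      iam_user_access_to_billing = "ALLOW" # overrides the DENY default above
    }
  }
}

# Assume the preconfigured role to manage the new security account from the
# same configuration. Assumes the created accounts are exposed as an output
# named child_accounts whose values carry the aws_organizations_account id.
# Apply with -target=module.aws_organizations first so the id is known.
provider "aws" {
  alias  = "security"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${module.aws_organizations.child_accounts["security"].id}:role/OrganizationAccountAccessRole"
  }
}
```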
Reference
Inputs
Required
child_accounts (any)
Map of child accounts to create. The map key is the name of the account and the value is an object containing account configuration variables.
Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
Details
Ideally, this would be a map of (string, object), but object does not support optional properties, and we want
users to be able to specify, say, tags for some accounts, but not for others. We can't use a map(any) either, as that
would require the values to all have the same type, and due to optional parameters, that wouldn't work either. So,
we have to lamely fall back to any.
Details
Expected value for the `child_accounts` is a map of child accounts. The map key is the name of the account and
the value is another map with one required key (email) and several optional keys:
- email (required):
Email address for the account.
- parent_id:
Parent Organizational Unit ID or Root ID for the account
Defaults to the Organization default Root ID.
- role_name:
The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts
the mgmt account, allowing users in the mgmt account to assume the role, as permitted by the mgmt account
administrator. The role has administrator permissions in the new member account. Note that the Organizations API
provides no method for reading this information after account creation.
If no value is present and no `default_role_name` is provided, AWS automatically assigns a value.
- iam_user_access_to_billing:
If set to `ALLOW`, the new account enables IAM users to access account billing information if they have the required
permissions. If set to `DENY`, then only the root user of the new account can access account billing information.
Defaults to `default_iam_user_access_to_billing`.
- tags:
Key-value mapping of resource tags.
Example:
child_accounts = {
  security = {
    email                      = "security-mgmt@acme.com",
    parent_id                  = "my-org-unit-id",
    role_name                  = "test-role",
    iam_user_access_to_billing = "DENY",
    tags = {
      Tag-Key = "tag-value"
    }
  },
  sandbox = {
    email = "sandbox@acme.com"
  }
}
create_organization (bool)
Flag indicating whether the organization should be created.
default_iam_user_access_to_billing (string)
If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.
default_role_name (string)
The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the mgmt account, allowing users in the mgmt account to assume the role, as permitted by the mgmt account administrator.
organizations_aws_service_access_principals (list(string))
List of AWS service principal names for which you want to enable integration with your organization. Must have organizations_feature_set set to ALL. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html
organizations_enabled_policy_types (list(string))
List of Organizations policy types to enable in the Organization Root. See https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
organizations_feature_set (string)
Specify ALL or CONSOLIDATED_BILLING.
Optional
default_tags (map(string), default: {})
Default tags to add to accounts. Will be appended to `child_account.*.tags`
Outputs
- A map of all accounts created by this module (NOT including the root account). The keys are the names of the accounts and the values are the attributes for the account as defined in the aws_organizations_account resource.
- ARN of the master account.
- Email address of the master account.
- Identifier of the master account.
- ARN of the organization.
- Identifier of the organization.
- Identifier of the root of this organization.