Skip to main content
Security Modules 0.71.0Last updated in version 0.69.2

AWS Organizations

View SourceRelease Notes

This Terraform Module allows you to create and manage your AWS Organization and all child AWS accounts as code.

AWS Organizations ArchitectureAWS Organizations Architecture

Features

  • Create a new AWS Organization

  • Provision new AWS accounts under your organization

  • Create account access IAM role in each child account.

  • Add tags to each child account

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples/aws-organizations: The examples/aws-organizations folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

Manage

Day-to-day operations

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S AWS-ORGANIZATIONS MODULE
# ------------------------------------------------------------------------------------------------------

module "aws_organizations" {

source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/aws-organizations?ref=v0.71.0"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# Map of child accounts to create. The map key is the name of the account and
# the value is an object containing account configuration variables.
child_accounts = <any>

# Flag indicating whether the organization should be created.
create_organization = <bool>

# If set to ALLOW, the new account enables IAM users to access account billing
# information if they have the required permissions. If set to DENY, then only
# the root user of the new account can access account billing information.
default_iam_user_access_to_billing = <string>

# The name of an IAM role that Organizations automatically preconfigures in
# the new member account. This role trusts the mgmt account, allowing users in
# the mgmt account to assume the role, as permitted by the mgmt account
# administrator.
default_role_name = <string>

# List of AWS service principal names for which you want to enable integration
# with your organization. Must have `organizations_feature_set` set to ALL.
# See
# https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html
organizations_aws_service_access_principals = <list(string)>

# List of Organizations policy types to enable in the Organization Root. See
# https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
organizations_enabled_policy_types = <list(string)>

# Specify `ALL` or `CONSOLIDATED_BILLING`.
organizations_feature_set = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# Default tags to add to accounts. Will be appended to ´child_account.*.tags´
default_tags = {}

}


Reference

Required

child_accountsanyrequired

Map of child accounts to create. The map key is the name of the account and the value is an object containing account configuration variables.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
Details

Ideally, this would be a map of (string, object), but object does not support optional properties, and we want
users to be able to specify, say, tags for some accounts, but not for others. We can't use a map(any) either, as that
would require the values to all have the same type, and due to optional parameters, that wouldn't work either. So,
we have to lamely fall back to any.

Details

Expected value for the `child_accounts` is a map of child accounts. The map key is the name of the account and
the value is another map with one required key (email) and several optional keys:

- email (required):
Email address for the account.

- parent_id:
Parent Organizational Unit ID or Root ID for the account
Defaults to the Organization default Root ID.

- role_name:
The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts
the mgmt account, allowing users in the mgmt account to assume the role, as permitted by the mgmt account
administrator. The role has administrator permissions in the new member account. Note that the Organizations API
provides no method for reading this information after account creation.
If no value is present and no ´default_role_name´ is provided, AWS automatically assigns a value.

- iam_user_access_to_billing:
If set to ´ALLOW´, the new account enables IAM users to access account billing information if they have the required
permissions. If set to ´DENY´, then only the root user of the new account can access account billing information.
Defaults to ´default_iam_user_access_to_billing´.

- tags:
Key-value mapping of resource tags.


Example:

child_accounts = {
security = {
email = "security-mgmt@acme.com",
parent_id = "my-org-unit-id",
role_name = "test-role",
iam_user_access_to_billing = "DENY",
tags = {
Tag-Key = "tag-value"
}
},
sandbox = {
email = "sandbox@acme.com"
}
}

Flag indicating whether the organization should be created.

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

default_role_namestringrequired

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the mgmt account, allowing users in the mgmt account to assume the role, as permitted by the mgmt account administrator.

List of AWS service principal names for which you want to enable integration with your organization. Must have organizations_feature_set set to ALL. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html

List of Organizations policy types to enable in the Organization Root. See https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html

Specify ALL or CONSOLIDATED_BILLING.

Optional

default_tagsmap(string)optional

Default tags to add to accounts. Will be appended to ´child_account.*.tags´

{}