In this example with yaml conf we create 2 SCP policies: dev_control_access and deny_all, use json policy from folder: policies/scps/
module "aws_organization" {
source = "voidsolutionsorg/aws-organization/aws"
version = "1.0.0"
# variables are configured via yaml files inside "conf" folder
}# conf/aws_organization.yaml
---
# aws organization
feature_set: "ALL"
aws_service_access_principals: ["sso.amazonaws.com"]
enabled_policy_types: ["SERVICE_CONTROL_POLICY"]# conf/policies.yaml
---
policies:
- name: "dev_control_access"
template_file: "./policies/scps/dev_control_access.json"
- name: "deny_all"
template_file: "./policies/scps/deny_all.json"# conf/organizational_units.yaml
---
organizational_units:
- name: "CoreOU"
policies: []
children:
- name: "DevelopmentOU"
policies: ["dev_control_access"]
children: []
- name: "StageOU"
policies: []
children: []
- name: "ProductionOU"
policies: []
children: []
- name: "SandboxOU"
policies: ["deny_all"]
children: []# conf/accounts.yaml
---
accounts:
- name: "AccountInRootOU"
email: "test+root@example.org"
parent_id: ""
policies: ["deny_all"]
- name: "Development"
email: "test+dev@example.org"
parent_path: "CoreOU/DevelopmentOU"
- name: "Stage"
email: "test+stage@example.org"
parent_path: "CoreOU/StageOU"
- name: "Production"
email: "test+shared@example.org"
parent_path: "CoreOU/ProductionOU"In this example with standard tf variables we create 2 SCP policies: dev_control_access and deny_all, use json policy from folder: policies/scps/
module "aws_organization" {
source = "voidsolutionsorg/aws-organization/aws"
version = "1.0.0"
feature_set = "ALL"
aws_service_access_principals = ["sso.amazonaws.com"]
enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
policies = [
{
name : "dev_control_access",
template_file : "./policies/scps/dev_control_access.json",
},
{
name : "deny_all",
template_file : "./policies/scps/deny_all.json",
}
]
organizational_units = [
{
name : "CoreOU",
policies : [],
children : [
{
name : "DevelopmentOU",
policies : ["dev_control_access"],
children : []
},
{
name : "StageOU",
policies : [],
children : []
},
{
name : "ProductionOU",
policies : [],
children : []
}
]
},
{
name : "SandboxOU",
policies : [],
children : []
}
]
accounts = [
{
name : "AccountInRootOU",
email : "test+root@example.org",
parent_id : "",
policies : ["deny_all"]
},
{
name : "Development",
email : "test+dev@example.org",
parent_path : "CoreOU/DevelopmentOU"
},
{
name : "Stage",
email : "test+stage@example.org",
parent_path : "CoreOU/StageOU",
},
{
name : "Production",
email : "test+shared@example.org",
parent_path : "CoreOU/ProductionOU"
}
]
}- Complete AWS Organization using yaml config files
- Complete AWS Organization using Terraform variables
| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| aws | ~> 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_organizations_account.account | resource |
| aws_organizations_organization.organization | resource |
| aws_organizations_organizational_unit.level_1_ous | resource |
| aws_organizations_organizational_unit.level_2_ous | resource |
| aws_organizations_organizational_unit.level_3_ous | resource |
| aws_organizations_organizational_unit.level_4_ous | resource |
| aws_organizations_organizational_unit.level_5_ous | resource |
| aws_organizations_policy.all | resource |
| aws_organizations_policy_attachment.accounts | resource |
| aws_organizations_policy_attachment.root | resource |
| aws_organizations_policy_attachment.unit | resource |
| aws_organizations_organization.organization | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| accounts | The list of accounts | list(object({ |
[] |
no |
| aws_service_access_principals | A list of AWS service principals for which you want to enable integration with your organization. | list(string) |
[] |
no |
| enabled_policy_types | List of organization policy types to enable in the organization. Organization must have feature_set set to ALL. Valid policy types: AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY | list(string) |
[] |
no |
| feature_set | The feature set of the organization. One of 'ALL' or 'CONSOLIDATED_BILLING'. (default: ALL) | string |
"ALL" |
no |
| import_mode | Whether import mode is active, if true, resources can be imported smoothly (In that case, it is not possible to create resources safely, because outputs won't have valid outputs and all resources will be created in the root unit) WARNING: use import_mode only in case when you want to import resources, after importing, set import_mode to false or remove it | bool |
false |
no |
| organizational_units | The tree of organizational units to construct. Defaults to an empty tree. You must take care of the list format, which is explained in the Readme | any |
[] |
no |
| policies | The list of policies | list(object({ |
[] |
no |
| root_unit_policies | The list of policies for root unit | list(string) |
[] |
no |
| Name | Description |
|---|---|
| accounts | List of accounts |
| organization_arn | ARN of the organization |
| organization_id | Identifier of the organization |
| organizational_units | List of organization units which contain the root unit |
| policies | List of policies |
Module is maintained by Aleksa Siriški with help from the VoidSolutions team.
Module was originally made by Nikola Kolović with help from the CyberLab team.
Apache 2 Licensed. See LICENSE for full details.