
Fixit Cloud ☁️ Module: AWS Organization

Terraform module for defining an AWS Organization and related resources.

Table of Contents

Usage Examples

Trusted AWS Service Principals

You can use trusted access to enable supported AWS services to perform tasks in your Organization and its accounts on your behalf. This involves granting permissions to the trusted service but does not otherwise affect the permissions for IAM Users or Roles. When you enable access, the trusted service can create an IAM Service-Linked Role in every account in your Organization whenever that Role is needed. That Role has a permissions policy that allows the trusted service to do the tasks that are described in that service's documentation. This enables you to specify settings and configuration details that you would like the trusted service to maintain in your Organization's Accounts on your behalf. The trusted service only creates Service-Linked Roles when it needs to perform management actions on Accounts, and not necessarily in all Accounts of the Organization.

For more info, please review the list of AWS services which work with AWS Organizations.

Useful Links


⚙️ Module Usage

Usage Examples

Requirements

Name Version
terraform 1.3.2
aws ~> 4.34.0

Providers

Name Version
aws ~> 4.34.0

Modules

No modules.

Resources

Name Type
aws_accessanalyzer_analyzer.this resource
aws_organizations_account.map resource
aws_organizations_delegated_administrator.map resource
aws_organizations_organization.this resource
aws_organizations_organizational_unit.Level_1_OUs resource
aws_organizations_organizational_unit.Level_2_OUs resource
aws_organizations_organizational_unit.Level_3_OUs resource
aws_organizations_organizational_unit.Level_4_OUs resource
aws_organizations_organizational_unit.Level_5_OUs resource
aws_organizations_policy.map resource
aws_organizations_policy_attachment.map resource
aws_ssoadmin_account_assignment.map resource
aws_ssoadmin_managed_policy_attachment.AdministratorAccess resource
aws_ssoadmin_permission_set.AdministratorAccess resource
aws_identitystore_group.Admins_SSO_Group data source
aws_ssoadmin_instances.this data source

Inputs

admin_sso_config
  Description: Map of SSO Administrator Object for configuring administrator access to accounts via AWS SSO.
  Type:
    object({
      sso_group_name             = string
      permission_set_name        = optional(string)
      permission_set_description = optional(string)
      permission_set_tags        = optional(map(string))
      session_duration           = optional(number)
    })
  Default: n/a
  Required: yes

delegated_administrators
  Description: Map of AWS service principals to delegated administrator account names. Delegated admin accounts must already be members of the root account's Organization.
  Type: map(string)
  Default: {}
  Required: no

member_accounts
  Description: Map of Organization Account names to config objects. Note that AWS Organizations best practice entails attaching organization policies to OUs, not accounts, so this module does not permit member accounts to have a "parent" value of "root". The "should_allow_iam_user_access_to_billing" property defaults to "true", and "org_account_access_role_name" defaults to "OrganizationAccountAccessRole".
  Type:
    map(
      # map keys: account names
      object({
        parent                                  = string
        email                                   = string
        should_allow_iam_user_access_to_billing = optional(bool)
        org_account_access_role_name            = optional(string)
        tags                                    = optional(map(string))
      })
    )
  Default: n/a
  Required: yes

org_access_analyzer
  Description: Config object for the Organization's Access Analyzer.
  Type:
    object({
      name = string
      tags = optional(map(string))
    })
  Default: n/a
  Required: yes

organization_config
  Description: Config object for an AWS Organization. Each entry in "enabled_policy_types" must be one of "AISERVICES_OPT_OUT_POLICY", "BACKUP_POLICY", "SERVICE_CONTROL_POLICY", or "TAG_POLICY".
  Type:
    object({
      org_trusted_services = list(string)
      enabled_policy_types = list(string)
    })
  Default: n/a
  Required: yes

organization_policies
  Description: Map of organization policy names to config objects. The "target" property indicates the organization entity to which the policy should be attached; valid values are "root" and the name of any OU. The "type" of each policy config object can be one of the following: SERVICE_CONTROL_POLICY, AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, or TAG_POLICY. "statement" must be a valid JSON string. Please refer to AWS docs for info regarding how to structure each policy type.
  Type:
    map(
      # map keys: organization policy names
      object({
        target      = string
        type        = string
        description = optional(string)
        statement   = string
        tags        = optional(map(string))
      })
    )
  Default: null
  Required: no

organizational_units
  Description: Map of Organizational Unit names to config objects. "parent" must be "root" or the name of another OU within var.organizational_units.
  Type:
    map(
      # map keys: OU names
      object({
        parent = string
        tags   = optional(map(string))
      })
    )
  Default: n/a
  Required: yes
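A complete invocation that wires together the trusted-service list from the "Trusted AWS Service Principals" section and the inputs described above, as an added example that is not part of the module's own documentation. The module source URL, OU names, account names and e-mail addresses are constructed placeholders; the SCP shown is a common guardrail that stops member accounts from detaching themselves from the Organization's policies.

```hcl
# Added example (not from the module's own docs): module source, account names,
# e-mail addresses and OU names are constructed placeholders.
module "aws_organization" {
  source = "git::https://github.com/EXAMPLE-ORG/aws-organization-module.git" # placeholder

  organization_config = {
    # Trusted access: these services may create Service-Linked Roles in member accounts.
    org_trusted_services = [
      "sso.amazonaws.com",
      "access-analyzer.amazonaws.com",
      "cloudtrail.amazonaws.com",
    ]
    enabled_policy_types = ["SERVICE_CONTROL_POLICY", "TAG_POLICY"]
  }

  organizational_units = {
    Security  = { parent = "root" }
    Workloads = { parent = "root" }
    Prod      = { parent = "Workloads" } # nested OU: parent is another OU's name
  }

  # Accounts are placed in OUs, never directly under "root" (the module rejects that).
  member_accounts = {
    audit      = { parent = "Security", email = "aws-audit@example.com" }
    "prod-app" = {
      parent                                  = "Prod"
      email                                   = "aws-prod-app@example.com"
      should_allow_iam_user_access_to_billing = false
    }
  }

  # SCP attached to an OU, not an account: a guardrail denying member accounts
  # the ability to leave the Organization. "statement" is a JSON string.
  organization_policies = {
    DenyLeaveOrganization = {
      target      = "Workloads"
      type        = "SERVICE_CONTROL_POLICY"
      description = "Prevent member accounts from leaving the Organization"
      statement = jsonencode({
        Version   = "2012-10-17"
        Statement = [{ Sid = "DenyLeaveOrg", Effect = "Deny", Action = "organizations:LeaveOrganization", Resource = "*" }]
      })
    }
  }

  delegated_administrators = { "access-analyzer.amazonaws.com" = "audit" }
  org_access_analyzer      = { name = "org-access-analyzer" }
  admin_sso_config         = { sso_group_name = "Admins" }
}
```

Because the SCP targets the "Workloads" OU, it also applies to the nested "Prod" OU and every account beneath it, which is why the module routes policies through OUs rather than individual accounts.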

Outputs

Name Description
Delegated_Administrators Map of Delegated Admin resource objects.
Org_Access_Analyzer The Organization's Access Analyzer resource object.
Organization The AWS Organization resource object.
Organization_Member_Accounts Map of Organization Member Account resource objects.
Organization_Policies Map of Organization Policy resource objects.
Organizational_Units Map of Organizational Unit resource objects.
SSO_Admin_Account_Assignments Map of SSO Admin Account Assignment resource objects.
SSO_Admin_Managed_Policy_Attachment The SSO Admin Permission Set resource object.
SSO_Admin_Permission_Set The SSO Admin Permission Set resource object for "AdministratorAccess".

📝 License

All scripts and source code contained herein are for commercial use only by Nerdware, LLC.

See LICENSE for more information.

💬 Contact

Trevor Anderson - @TeeRevTweets - [email protected]


Dare Mighty Things.