A Terraform module that configures your AWS Organization and creates AWS accounts. For more information, read this page; for a secure reference architecture by AWS, read this page.

Usage:
```hcl
module "organization" {
  source  = "blackbird-cloud/organization/aws"
  version = "~> 2"

  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
  aws_service_access_principals = [
    "sso.amazonaws.com",
    "backup.amazonaws.com",
    "securityhub.amazonaws.com",
    "guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "aws-artifact-account-sync.amazonaws.com",
    "health.amazonaws.com",
    "member.org.stacksets.cloudformation.amazonaws.com",
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "ram.amazonaws.com",
    "reporting.trustedadvisor.amazonaws.com",
    "servicequotas.amazonaws.com",
    "account.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "malware-protection.guardduty.amazonaws.com"
  ]

  feature_set = "ALL"

  organizational_units = [
    {
      name     = "workloads"
      accounts = []
      tags     = {}
      organizational_units = [
        {
          name                 = "develop"
          organizational_units = []
          accounts             = []
          tags                 = {}
        },
        {
          name                 = "production"
          organizational_units = []
          accounts             = []
          tags                 = {}
        }
      ]
    },
    {
      name                 = "infrastructure"
      organizational_units = []
      tags                 = {}
      accounts = [
        {
          name                             = "monitoring"
          email                            = "[email protected]"
          delegated_administrator_services = []
        },
      ]
    },
    {
      name                 = "networking"
      organizational_units = []
      tags                 = {}
      accounts = [
        {
          name                             = "networking"
          email                            = "[email protected]"
          delegated_administrator_services = []
        },
      ]
    },
    {
      name                 = "security"
      organizational_units = []
      tags                 = {}
      accounts = [
        {
          name  = "tools"
          email = "[email protected]"
          delegated_administrator_services = [
            "config.amazonaws.com",
            "guardduty.amazonaws.com",
            "inspector2.amazonaws.com",
            "securityhub.amazonaws.com",
            "config-multiaccountsetup.amazonaws.com"
          ]
        },
        {
          name                             = "logs"
          email                            = "[email protected]"
          delegated_administrator_services = ["backup.amazonaws.com"]
        }
      ]
    },
  ]

  organizations_policies = {}

  primary_contact = {
    address_line_1  = "My address"
    address_line_2  = "My office unit"
    city            = "Amsterdam"
    company_name    = "My company"
    country_code    = "NL"
    postal_code     = "1234AB"
    state_or_region = "Noord-Holland"
    phone_number    = "+316XXXXXXXX"
    website_url     = "https://www.website.com"
    full_name       = "Jane Doe"
  }

  billing_contact = {
    name          = "Jane Doe"
    title         = "Co-founder"
    email_address = "[email protected]"
    phone_number  = "+316XXXXXXXX"
  }

  security_contact = {
    name          = "Jane Doe"
    title         = "Co-founder"
    email_address = "[email protected]"
    phone_number  = "+316XXXXXXXX"
  }

  operations_contact = {
    name          = "Jane Doe"
    title         = "Co-founder"
    email_address = "[email protected]"
    phone_number  = "+316XXXXXXXX"
  }
}
```
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1 |
| aws | ~> 5 |

Providers:

| Name | Version |
|---|---|
| aws | 5.4.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_service_access_principals | (Optional) List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as `service-abbreviation.amazonaws.com`. The organization must have `feature_set` set to `ALL`. Some services do not support enablement via this endpoint; see the warning in the AWS docs: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html | `list(string)` | n/a | yes |
| billing_contact | `email_address` - (Required) An email address for the alternate contact. `name` - (Required) Name of the alternate contact. `phone_number` - (Required) Phone number for the alternate contact. `title` - (Required) Title for the alternate contact. | `any` | n/a | yes |
| enabled_policy_types | (Optional) List of Organizations policy types to enable in the Organization Root. The organization must have `feature_set` set to `ALL`. For additional information about valid policy types (e.g., `AISERVICES_OPT_OUT_POLICY`, `BACKUP_POLICY`, `SERVICE_CONTROL_POLICY`, and `TAG_POLICY`), see the AWS Organizations API Reference. | `list(string)` | `[]` | no |
| feature_set | (Optional) Specify `"ALL"` (default) or `"CONSOLIDATED_BILLING"`. | `string` | n/a | yes |
| operations_contact | `email_address` - (Required) An email address for the alternate contact. `name` - (Required) Name of the alternate contact. `phone_number` - (Required) Phone number for the alternate contact. `title` - (Required) Title for the alternate contact. | `any` | n/a | yes |
| organizational_units | List of Organizational Unit configurations, plus their member accounts. Organizational units can be nested 3 levels deep.<br>`[{`<br>`  name = string`<br>`  accounts: [{`<br>`    name = string,`<br>`    email = string,`<br>`    close_on_deletion = bool,`<br>`    iam_user_access_to_billing = bool,`<br>`    delegated_administrator_services = list(string)`<br>`    tags = map(string)`<br>`  }]`<br>`  organizational_units: list(ou)`<br>`  tags : map(string)`<br>`}]` | `list(any)` | n/a | yes |
| organizations_policies | Map of policies to attach to your organization. The map key is used as the policy name; the value is an object whose `content` key holds the stringified policy JSON. | `map(any)` | `{}` | no |
| primary_contact | `address_line_1` - (Required) The first line of the primary contact address. `address_line_2` - (Optional) The second line of the primary contact address, if any. `address_line_3` - (Optional) The third line of the primary contact address, if any. `city` - (Required) The city of the primary contact address. `company_name` - (Optional) The name of the company associated with the primary contact information, if any. `country_code` - (Required) The ISO-3166 two-letter country code for the primary contact address. `district_or_county` - (Optional) The district or county of the primary contact address, if any. `full_name` - (Required) The full name of the primary contact address. `phone_number` - (Required) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation. `postal_code` - (Required) The postal code of the primary contact address. `state_or_region` - (Optional) The state or region of the primary contact address. This field is required in selected countries. `website_url` - (Optional) The URL of the website associated with the primary contact information, if any. | `any` | n/a | yes |
| security_contact | `email_address` - (Required) An email address for the alternate contact. `name` - (Required) Name of the alternate contact. `phone_number` - (Required) Phone number for the alternate contact. `title` - (Required) Title for the alternate contact. | `any` | n/a | yes |
| tags | (Optional) Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
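The `organizations_policies` and `enabled_policy_types` inputs are where a baseline of preventive guardrails lives. The following is an added example, not code from the module or its authors: it attaches one service control policy that stops member accounts from leaving the organization or switching off the CloudTrail, GuardDuty and Config integrations the usage block above enables. It assumes, per the Inputs table, that each map value is an object whose `content` key holds the stringified policy JSON and that the map key becomes the policy name; the policy name, statement contents, contact details and e-mail addresses are all constructed for this example.

```hcl
# Added example (not part of the module's README). Assumption: the value of
# each `organizations_policies` entry is an object with a `content` key that
# holds the stringified policy JSON, as the Inputs table describes.

locals {
  # Constructed SCP: deny the actions a compromised or misconfigured member
  # account could use to escape the organization or blind central logging.
  # The management account is never affected by SCPs, so a break-glass path
  # remains available there.
  scp_protect_security_services = {
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyLeaveOrganization"
        Effect   = "Deny"
        Action   = ["organizations:LeaveOrganization"]
        Resource = "*"
      },
      {
        Sid    = "DenyDisablingSecurityTelemetry"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "guardduty:DeleteDetector",
          "guardduty:DisassociateFromAdministratorAccount",
          "config:StopConfigurationRecorder",
          "config:DeleteConfigurationRecorder",
        ]
        Resource = "*"
      },
    ]
  }

  # Constructed alternate contact reused for the three contact inputs.
  contact = {
    name          = "Jane Doe"
    title         = "Co-founder"
    email_address = "security@example.com" # constructed placeholder
    phone_number  = "+316XXXXXXXX"          # constructed placeholder
  }
}

module "organization" {
  source  = "blackbird-cloud/organization/aws"
  version = "~> 2"

  # SCPs are ignored until the policy type is enabled at the root.
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]

  organizations_policies = {
    "protect-security-services" = {
      content = jsonencode(local.scp_protect_security_services)
    }
  }

  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "guardduty.amazonaws.com",
    "config.amazonaws.com",
  ]

  # A single sandbox OU is enough to observe the SCP taking effect before
  # rolling it out to workload OUs.
  organizational_units = [
    {
      name                 = "sandbox"
      organizational_units = []
      accounts             = []
      tags                 = {}
    },
  ]

  primary_contact = {
    address_line_1 = "My address"
    city           = "Amsterdam"
    country_code   = "NL"
    postal_code    = "1234AB"
    phone_number   = "+316XXXXXXXX" # constructed placeholder
    full_name      = "Jane Doe"
  }
  billing_contact    = local.contact
  security_contact   = local.contact
  operations_contact = local.contact
}
```

Run `terraform plan` and confirm the plan shows exactly one policy and one policy-type enablement before applying; SCP statements are evaluated as an explicit deny across every principal in the affected accounts, including administrators, so a typo in an `Action` can lock out operations rather than merely fail silently. Because the module attaches the policy at the organization level, verify in a sandbox OU that the listed actions are refused while unrelated actions still succeed.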
Outputs:

| Name | Description |
|---|---|
| accounts | All AWS accounts. |
| organization | The AWS Organization. |
| organizational_units | All AWS Organizational Units. |
| organizations_delegated_administrator | The AWS Organization delegated administrator assignments. |
| organizations_policies | The created Organization policies. |
We are Blackbird Cloud, an Amsterdam-based cloud consultancy and cloud management service provider. We help companies build secure, cost-efficient, and scalable solutions.

Check out our other 👉 Terraform modules.
Copyright © 2017-2023 Blackbird Cloud