JBOT - Just a Bunch Of Terraform. But to manage your AWS organization
This is a (hobby) attempt to recreate the features of the (AWSome) org-formation tool natively in Terraform.
Features:
- Create the AWS Organization
- Create Organizational Units
  - Nest them under parent Organizational Units (max 5 levels deep!)
  - Attach Organization Policies
- Create Organization member accounts
  - Add member accounts to Organizational Units
  - Attach Organization Policies
- Configure delegated administrators
- Configure enabled policy types
- Create Organization Policies
  - Defaults to Service Control Policies
Wishlist:
- An analogue for `org-formation init`, which imports the organization
- AWS account contact information
- AWS Service Quotas, e.g. max accounts in the org
- More docs and examples
- Option to automatically create (GitHub) OIDC providers, like: https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/submodules/iam-github-oidc-provider
Read up on how to install and use Terraform yourself first. Installation, deployment and state management are all context dependent. Keep in mind that the steps below run with management-account credentials and that the resulting state file holds every account ID and email address, so use a dedicated, MFA-protected role and a remote state backend with restricted access.
See `_example` for example usage as a module.
Make sure your AWS CLI profile is active for the management account.
- Run `terraform init`
- Run `terraform import aws_organizations_organization.org o-fx0z31337` (enter your own organization ID)
- Run `terraform plan`. Review if there are changes, and add them to the relevant variable
- Run `terraform plan` again; it should say `No changes.`
Start off by importing the management account:
- Enter the email and account name for the management account in the `accounts` variable
- Run `terraform import aws_organizations_account.account[\"management\"] 111111111111` (enter the AWS account ID of your management account; the backslashes keep the quotes in the resource address intact in bash)
- Run `terraform plan`. Review if there are changes, and add them to the `accounts` variable
- Run `terraform plan` again; it should say `No changes.`
- Repeat for all existing accounts, or add new accounts
- If the plan requires an OU ID, import the Organizational Units first
This assumes you're familiar with importing by now.
- Add your OUs to the `ous` variable
- Run e.g. `terraform import module.ous.aws_organizations_organizational_unit.first_level_ou[\"my-ou\"] ou-7hga-gvgt31337` (the address shown assumes the OUs are created in a child module named `ous`; take the exact address from the `terraform plan` output, since a resource inside a child module is always addressed as `module.<name>.<type>.<name>`)
- Repeat for all OUs
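Typing one import per account and OU gets tedious for an existing organization. The script below is an added example, not part of the JBOT module: it generates the `terraform import` commands for the organization, every member account and every first-level OU, validating each ID against the formats documented in the AWS Organizations API reference before emitting a command. The account address `aws_organizations_account.account` is taken from the steps above; the OU address assumes a child module named `ous` with a `first_level_ou` resource (deeper levels would need that module's other resource addresses, which this script does not know). The sample input in the test is constructed; with `--live` the script reads the real organization through the AWS CLI and therefore needs management-account credentials.

```shell
#!/bin/sh
# Added example (not JBOT code): emit `terraform import` commands for an
# existing AWS Organization so the import steps need not be typed by hand.
set -e

# ID formats from the AWS Organizations API reference.
is_org_id()     { printf '%s' "$1" | grep -Eq '^o-[a-z0-9]{10,32}$'; }
is_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }
is_ou_id()      { printf '%s' "$1" | grep -Eq '^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$'; }

# Read "<Id><TAB><Name>" lines (the shape `--output text` produces for an
# `[Id,Name]` query) and print one import command per valid line.
# $1: resource address prefix, $2: validator function for the ID.
# The map key is the name, because the `accounts` and `ous` variables use
# the key as the account/OU name.
import_cmds() {
  prefix=$1
  validator=$2
  tab=$(printf '\t')
  while IFS="$tab" read -r id name; do
    [ -n "$id" ] || continue
    if ! "$validator" "$id"; then
      printf 'skipping %s: unexpected ID format\n' "$id" >&2
      continue
    fi
    case $name in
      *"'"*) printf 'skipping %s: name contains a single quote\n' "$id" >&2; continue ;;
    esac
    # Single quotes keep the double quotes in the address intact for the shell.
    printf "terraform import '%s[\"%s\"]' %s\n" "$prefix" "$name" "$id"
  done
}

account_import_cmds() { import_cmds aws_organizations_account.account is_account_id; }
# Assumed address: OUs created in a child module named `ous` (see the step above).
ou_import_cmds() { import_cmds module.ous.aws_organizations_organizational_unit.first_level_ou is_ou_id; }

# `terraform plan -detailed-exitcode` exits 0 only when there are no changes,
# which is the "No changes." check the import steps end with.
plan_is_clean() { terraform plan -detailed-exitcode -input=false >/dev/null; }

if [ "${1:-}" = "--live" ]; then
  org=$(aws organizations describe-organization --query Organization.Id --output text)
  is_org_id "$org"
  printf 'terraform import aws_organizations_organization.org %s\n' "$org"
  aws organizations list-accounts --query 'Accounts[].[Id,Name]' --output text | account_import_cmds
  root=$(aws organizations list-roots --query 'Roots[0].Id' --output text)
  aws organizations list-organizational-units-for-parent --parent-id "$root" \
    --query 'OrganizationalUnits[].[Id,Name]' --output text | ou_import_cmds
fi
```

Review the generated commands before running them, then finish with `plan_is_clean` (or `terraform plan`) to confirm the configuration matches what was imported; any remaining diff points at an attribute that still has to be added to the `accounts` or `ous` variable.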
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.4.0 |
| aws | ~> 4.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 4.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| accounts | A map of accounts. The key is used for the account name | `map(object({…}))` | `{}` | no |
| aws_service_access_principals | List of trusted service access principals | `list(any)` | `[]` | no |
| delegated_administrators | Used to delegate administration of a service for the whole organization, e.g. securityhub | `map(object({…}))` | `{}` | no |
| enabled_policy_types | Which policy types to enable for the organization. See https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html | `list(string)` | `[]` | no |
| feature_set | Enable all features for the organization | `string` | `"ALL"` | no |
| ous | A map of the organizational units. The key is used for the OU name | `map(object({…}))` | `{}` | no |
| policies | Organization policies | `map(object({…}))` | `{}` | no |
Outputs:

| Name | Description |
|---|---|
| accounts | Account names and account IDs |
| ous | Organizational Units and OU IDs |