This module creates an AWS Organization, Organization units and Accounts.
The aim is for it to also create and manage AWS SSO (AWS Single Sign-on)
module "aws_organizations_and_sso" {
source = "github.com/chris-qa-org/terraform-aws-organzation-and-sso"
version = "0.1.0"
organization_config = {
units = {
"organization-unit-name" = {
accounts = {
"new-account-name" = {
email = "new@example.com"
},
"existing-account-name" = {
email = "existing@example.com"
set_iam_user_access_to_billing_setting = false ## See `set_iam_user_access_to_billing_setting` note in [Organization config]
}
}
}
},
service_access_principals = [
"sso.amazonaws.com" ## Automatically added if `enable_sso` is enabled
],
feature_set = "ALL",
enabled_policy_types = [
"SERVICE_CONTROL_POLICY"
]
}
enable_sso = true
default_tags = {
project = "My Project"
}
}organization_config.units- Description: Organization Unit definitions
- Value: Organization unit definitions (
map(any))
organization_config.units.<org-unit-name>- Description: Organization Unit definition (
map(any)) - Key: Name of child Organization to create (
string) - Value: Organization unit configuration (
map(any))
- Description: Organization Unit definition (
organization_config.units.<org-unit-name>.accounts- Description: Organization account definitions (
map(any)) - Value: Organization account definitions
map(any)
- Description: Organization account definitions (
organization_config.units.<org-unit-name>.accounts.<account-name>- Description: Organization account definition (
map(any)) - Key: Name of account to create (
string) - Value: Account configuration (
map(any))
- Description: Organization account definition (
organization_config.units.<org-name>.accounts.<account-name>.email- Description: Email of root user
- Value: Email of root user
string
organization_config.units.<org-name>.accounts.<account-name>.set_iam_user_access_to_billing_setting- Description: Set the
iam_user_access_to_billingparameter toALLOW - Value:
true/fale(bool) - Default: true
- Note: This must be set to
falseif you are terraform importing an AWS account that did not haveiam_user_access_to_billingset during creation, otherwise it will atttempt to remove the account from the Organization, and create a new account
- Description: Set the
| Name | Version |
|---|---|
| terraform | >= 1.1.5 |
| aws | ~> 4.0 |
| Name | Version |
|---|---|
| aws | 4.0.0 |
| Name | Type |
|---|---|
| aws_organizations_account.account | resource |
| aws_organizations_organization.root | resource |
| aws_organizations_organizational_unit.unit | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| default_tags | Resource tags to apply across all resources | map(string) |
{ |
no |
| enable_sso | Enable AWS SSO | bool |
true |
no |
| organization_config | Organization configuration | any |
{ |
no |
| region | AWS Region | string |
"eu-west-2" |
no |
| Name | Description |
|---|---|
| aws_organizations_account | Attributes for the AWS Organization Accounts (aws_organizations_account): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account#attributes-reference |
| aws_organizations_organization | Attributes for the AWS Organization (aws_organizations_organization: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization#attributes-reference) |
| aws_organizations_organizational_unit | Atrributes for the AWS Organizational Units (aws_organizations_organizational_unit): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit#attributes-reference |