This module creates an organization, member account(s) and an organizational unit, and can make the member account a delegated administrator for an AWS service.
Examples available here
NOTE: These examples use the latest version of this module.

```hcl
module "minimum" {
  # OU only
  source       = "../../"
  ou_name      = local.name
  ou_parent_id = local.parent_id
  tags         = local.tags
}
```
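A fuller invocation, added here as an illustration and not one of the module's own examples: it creates the organization with all features, an OU, a member account, and delegates CloudTrail administration to that account. The `local.*` values and the `"../../"` source follow the minimum example; the OU name, account name, email address and role name are placeholders, and the input names are assumed to match the Inputs table (with `email` being the `aws_organizations_account` argument).

```hcl
module "security_tooling" {
  source = "../../"

  # Organization: ALL features are required for service integrations,
  # policy types (SCPs) and delegated administration.
  create_organization           = true
  feature_set                   = "ALL"
  aws_service_access_principals = ["cloudtrail.amazonaws.com"]
  enabled_policy_types          = ["SERVICE_CONTROL_POLICY"]

  # Organizational unit for security accounts, placed under the root
  ou_name      = "Security" # placeholder
  ou_parent_id = local.parent_id

  # Member account (placeholder name and email; the email must not be
  # associated with any existing AWS account)
  name      = "security-tooling"                    # placeholder
  email     = "aws-security-tooling@example.com"    # placeholder
  parent_id = local.parent_id

  # Only the member account's root user can read billing data; IAM
  # users and roles in that account cannot, even with billing permissions.
  iam_user_access_to_billing = "DENY"

  # role_name cannot be read back after creation, so a configured value
  # shows a permanent diff after import unless ignore_changes is used.
  role_name = "OrganizationAccountAccessRole" # placeholder

  # A destroy removes the account from the organization but does not close it.
  close_on_deletion = false

  # Make the member account the delegated administrator for CloudTrail
  make_delegated_administrator    = true
  administrator_service_principal = "cloudtrail.amazonaws.com"

  tags = local.tags
}
```

Changing `iam_user_access_to_billing` after creation forces the account to be recreated, so decide on it before the first apply.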
AWS Organizations Documentation
Terraform module documentation
Requirements

Name | Version |
---|---|
terraform | >= 0.14.11 |
aws | >= 4.20.0 |

Providers

Name | Version |
---|---|
aws | 4.63.0 |

Modules

No modules.

Resources

Name | Type |
---|---|
aws_organizations_account.main | resource |
aws_organizations_delegated_administrator.main | resource |
aws_organizations_organization.main | resource |
aws_organizations_organizational_unit.main | resource |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
administrator_service_principal | The service principal of the AWS service for which you want to make the member account a delegated administrator. | string | "cloudtrail.amazonaws.com" | no |
aws_service_access_principals | List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. The organization must have feature_set set to ALL. | list(string) | [] | no |
close_on_deletion | If true, a deletion event will close the account. Otherwise, it will only remove the account from the organization. This is not supported for GovCloud accounts. | bool | false | no |
create_govcloud | Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial) account this resource creates. If true, the GovCloud account ID is available in the govcloud_id attribute. The only way to manage the GovCloud account with Terraform is to subsequently import the account using this resource. | bool | false | no |
create_organization | Specify whether to create an organization. | bool | false | no |
email | Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | string | null | no |
enabled_policy_types | List of Organizations policy types to enable in the Organization Root. The organization must have feature_set set to ALL. For additional information about valid policy types (e.g., AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY) | list(string) | [] | no |
feature_set | Specify ALL (default) or CONSOLIDATED_BILLING. | string | "ALL" | no |
iam_user_access_to_billing | If set to ALLOW, the new account enables IAM users and roles to access account billing information if they have the required permissions. If set to DENY, then only the root user (and no roles) of the new account can access account billing information. If this is unset, the AWS API will default it to ALLOW. If the resource is created and this option is changed, it will try to recreate the account. Valid values: ALLOW and DENY. | string | "ALLOW" | no |
make_delegated_administrator | Specify whether to make the member account a delegated administrator. | bool | false | no |
name | Friendly name for the member account. | string | null | no |
ou_name | The name for the organizational unit. | string | null | no |
ou_parent_id | ID of the parent organizational unit, which may be the root. | string | null | no |
parent_id | Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection. | string | null | no |
role_name | The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the root account, allowing users in the root account to assume the role, as permitted by the root account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so Terraform cannot perform drift detection on its value and will always show a difference for a configured value after import unless ignore_changes is used. | string | null | no |
tags | Key-value map of resource tags. | map(string) | {} | no |
Outputs

Name | Description |
---|---|
account_arn | ARN of the account |
account_email | Email of the account |
account_id | Identifier of the account |
account_name | Name of the account |
account_status | Current status of the account |
accounts | List of organization accounts including the master account. For a list excluding the master account, see the non_master_accounts attribute. |
administrator_account_id | The unique identifier (ID) of the delegated administrator. |
administrator_arn | The Amazon Resource Name (ARN) of the delegated administrator's account. |
administrator_delegation_enabled_date | The date when the account was made a delegated administrator. |
administrator_email | The email address that is associated with the delegated administrator's AWS account. |
administrator_joined_method | The method by which the delegated administrator's account joined the organization. |
administrator_joined_timestamp | The date when the delegated administrator's account became a part of the organization. |
administrator_name | The friendly name of the delegated administrator's account. |
administrator_status | The status of the delegated administrator's account in the organization. |
arn | The ARN for this account. |
govcloud_id | ID for a GovCloud account created with the account. |
id | The AWS account id |
master_account_arn | ARN of the master account |
master_account_email | Email address of the master account |
master_account_id | Identifier of the master account |
non_master_accounts | List of organization accounts excluding the master account. |
org_arn | ARN of the organization |
org_id | Identifier of the organization |
ou_accounts | List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. |
ou_accounts_arn | ARN of the account |
ou_accounts_email | Email of the account |
ou_accounts_id | Identifier of the account |
ou_accounts_name | Name of the account |
ou_arn | ARN of the organizational unit |
ou_id | Identifier of the organizational unit |
ou_tags_all | A map of tags assigned to the resource |
root_arn | ARN of the root |
root_id | Identifier of the root |
root_name | Name of the root |
root_policy_types | List of policy types enabled for this root. |
root_policy_types_status | The status of the policy type as it relates to the associated root |
root_policy_types_type | The type of the policy type |
roots | List of organization roots. |
tags_all | A map of tags assigned to the resource |
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
  - Install with `brew install pre-commit`
  - Manually use with `pre-commit run`
- terraform 0.14.11 - For backwards compatibility we are using version 0.14.11 for testing, making this the minimum version tested and known to work with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
  - Install with `brew install terraform-docs`
  - Manually use via pre-commit
- tflint - Used to lint the Terraform code
  - Install with `brew install tflint`
  - Manually use via pre-commit
The makefile contained in this repo is optimized for Linux paths, and its main purpose for now is to execute the tests.
- Create all tests:
$ make tests
- Clean all tests:
$ make clean