Component: `account`

No description available.

Component: `account`

This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It includes the ability to associate Service Control Policies (SCPs) to the Organization, each Organizational Unit and account.

Usage

Stack Level: Global

Here’s an example snippet for how to use this component. Stick this snippet in the management account’s stack (E.g. gbl-root.yaml)

IMPORTANT: Account names must not contain dashes. Doing so will lead to unpredictable resource names as a - is the default delimiter. Additionally, account names must be alpha-numeric with no special characters.

components:
  terraform:
    account:
      vars:
        account_email_format: aws+%s@example.net
        account_iam_user_access_to_billing: DENY
        organization_enabled: true
        aws_service_access_principals:
          - cloudtrail.amazonaws.com
          - ram.amazonaws.com
        enabled_policy_types:
          - SERVICE_CONTROL_POLICY
          - TAG_POLICY
        organization_config:
          root_account_stage_name: root
          accounts: []
          organization:
            service_control_policies: []
          organizational_units:
            - name: data
              accounts:
                - name: proddata
                  tags:
                    eks: true
                - name: devdata
                  tags:
                    eks: true
                - name: stagedata
                  tags:
                    eks: true
              service_control_policies:
                - DenyLeavingOrganization
            - name: platform
              accounts:
                - name: prodplatform
                  tags:
                    eks: true
                - name: devplatform
                  tags:
                    eks: true
                - name: stageplatform
                  tags:
                    eks: true
              service_control_policies:
                - DenyLeavingOrganization
            - name: mgmt
              accounts:
                - name: demo
                  tags:
                    eks: true
                - name: audit
                  tags:
                    eks: false
                - name: corp
                  tags:
                    eks: true
                - name: security
                  tags:
                    eks: false
                - name: identity
                  tags:
                    eks: false
                - name: network
                  tags:
                    eks: false
                - name: dns
                  tags:
                    eks: false
                - name: automation
                  tags:
                    eks: true
              service_control_policies:
                - DenyLeavingOrganization

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 3.0
local	>= 1.3
template	>= 2.0

Providers

Name	Version
aws	>= 3.0

Inputs

Name	Description	Type	Default	Required
account_email_format	Email address format for the accounts (e.g. `aws+%s@example.com`)	`string`	n/a	yes
account_iam_user_access_to_billing	If set to `ALLOW`, the new account enables IAM users to access account billing information if they have the required permissions. If set to `DENY`, then only the root user of the new account can access account billing information	`string`	`"DENY"`	no
additional_tag_map	Additional tags for appending to tags_as_list_of_maps. Not added to `tags`.	`map(string)`	`{}`	no
attributes	Additional attributes (e.g. `1`)	`list(string)`	`[]`	no
aws_service_access_principals	List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have `feature_set` set to ALL. For additional information, see the AWS Organizations User Guide	`list(string)`	n/a	yes
context	Single object for setting entire context at once.See description of individual variables for details.Leave string and numeric variables as `null` to use default value.Individual variable settings (non-null) override settings in context object,except for attributes, tags, and additional_tag_map, which are merged.	object({ enabled = bool namespace = string environment = string stage = string name = string delimiter = string attributes = list(string) tags = map(string) additional_tag_map = map(string) regex_replace_chars = string label_order = list(string) id_length_limit = number })	{ “additional_tag_map”: {}, “attributes”: [], “delimiter”: null, “enabled”: true, “environment”: null, “id_length_limit”: null, “label_order”: [], “name”: null, “namespace”: null, “regex_replace_chars”: null, “stage”: null, “tags”: {}}	no
delimiter	Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
enabled_policy_types	List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY and TAG_POLICY), see the AWS Organizations API Reference	`list(string)`	n/a	yes
environment	Environment, e.g. ‘uw2’, ‘us-west-2’, OR ‘prod’, ‘staging’, ‘dev’, ‘UAT’	`string`	`null`	no
id_length_limit	Limit `id` to this many characters.Set to `0` for unlimited length.Set to `null` for default, which is `0`.Does not affect `id_full`.	`number`	`null`	no
label_order	The naming order of the id output and Name tag.Defaults to [“namespace”, “environment”, “stage”, “name”, “attributes”].You can omit any of the 5 elements, but at least one must be present.	`list(string)`	`null`	no
name	Solution name, e.g. ‘app’ or ‘jenkins’	`string`	`null`	no
namespace	Namespace, which could be your organization name or abbreviation, e.g. ‘eg’ or ‘cp’	`string`	`null`	no
organization_config	Organization, Organizational Units and Accounts configuration	`any`	n/a	yes
organization_enabled	A boolean flag indicating whether to create an Organization or use the existing one	`bool`	`true`	no
regex_replace_chars	Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
region	AWS Region	`string`	n/a	yes
root_account_stage_name	The stage name for the Organization root (master) account	`string`	`"root"`	no
service_control_policies_config_paths	List of paths to Service Control Policy configurations	`list(string)`	n/a	yes
stage	Stage, e.g. ‘prod’, ‘staging’, ‘dev’, OR ‘source’, ‘build’, ‘test’, ‘deploy’, ‘release’	`string`	`null`	no
tags	Additional tags (e.g. `map('BusinessUnit','XYZ')`	`map(string)`	`{}`	no
tfstate_account_id	The ID of the account where the Terraform remote state backend is provisioned	`string`	`""`	no
tfstate_assume_role	Set to false to use the caller’s role to access the Terraform remote state	`bool`	`true`	no
tfstate_bucket_environment_name	The name of the environment for Terraform state bucket	`string`	`""`	no
tfstate_bucket_stage_name	The name of the stage for Terraform state bucket	`string`	`"root"`	no
tfstate_existing_role_arn	The ARN of the existing IAM Role to access the Terraform remote state. If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template`	`string`	`""`	no
tfstate_role_arn_template	IAM Role ARN template for accessing the Terraform remote state	`string`	`"arn:aws:iam::%s:role/%s-%s-%s-%s"`	no
tfstate_role_environment_name	The name of the environment for Terraform state IAM role	`string`	`"gbl"`	no
tfstate_role_name	IAM Role name for accessing the Terraform remote state	`string`	`"terraform"`	no
tfstate_role_stage_name	The name of the stage for Terraform state IAM role	`string`	`"root"`	no

Outputs

Name	Description
account_arns	List of account ARNs
account_ids	List of account IDs
account_names_account_arns	Map of account names to account ARNs
account_names_account_ids	Map of account names to account IDs
account_names_account_scp_arns	Map of account names to SCP ARNs
account_names_account_scp_ids	Map of account names to SCP IDs
eks_accounts	List of EKS accounts
non_eks_accounts	List of non EKS accounts
organization_arn	Organization ARN
organization_id	Organization ID
organization_master_account_arn	Organization master account ARN
organization_master_account_email	Organization master account email
organization_master_account_id	Organization master account ID
organization_scp_arn	Organization Service Control Policy ARN
organization_scp_id	Organization Service Control Policy ID
organizational_unit_arns	List of Organizational Unit ARNs
organizational_unit_ids	List of Organizational Unit IDs
organizational_unit_names_organizational_unit_arns	Map of Organizational Unit names to Organizational Unit ARNs
organizational_unit_names_organizational_unit_ids	Map of Organizational Unit names to Organizational Unit IDs
organizational_unit_names_organizational_unit_scp_arns	Map of OU names to SCP ARNs
organizational_unit_names_organizational_unit_scp_ids	Map of OU names to SCP IDs

References

cloudposse/terraform-aws-components - Cloud Posse’s upstream component

Component: account

Component: account

Usage

Requirements

Providers

Inputs

Outputs

References

Component: `account`

Component: `account`