adding aws-master module for configuring a standalone account as a master payer

organizations/aws-master/README.md

@@ -0,0 +1,35 @@
+# Organizations
+
+This module sets up the foundation of an AWS account playing the role of "Master Payer"; the parent organization in the AWS Organizations service. This module will manage the parent Organization's service along with subordinate Organizational Units (OU), policies, and policy attachments.
+
+This module explicitly does not setup the AWS accounts; it will setup the backend Organizations service and cost and usage reporting only and should be referenced by additional templates for provisioning accounts.
+
+Only use this module on a standalone AWS account that is not already a member of an Organization.
+
+## Usage
+
+```
+module "master_payer" {
+  source = "github.com/lalanza808/tf-modules.git/organizations/aws-master"
+}
+
+module "sandbox-account" {
+  source = "github.com/lalanza808/tf-modules.git/organizations/subaccount"
+
+  account_name   = "sandbox"
+  account_email  = "root+sandbox@domain.com"
+  parent_ou_id   = module.master_payer.prod_ou_id
+}
+
+output "sandbox-account" {
+  value = module.sandbox-account.account_id
+}
+```
+
+## Inputs
+
+See the full list of inputs here: [variables.tf](./variables.tf)
+
+## Outputs
+
+[output.tf](./output.tf)

organizations/aws-master/cur.tf

@@ -0,0 +1,50 @@
+resource "aws_cur_report_definition" "cur" {
+  report_name                = aws_s3_bucket.cur.id
+  time_unit                  = var.time_unit
+  format                     = "textORcsv"
+  compression                = "GZIP"
+  additional_schema_elements = ["RESOURCES"]
+  s3_bucket                  = aws_s3_bucket.cur.id
+  s3_region                  = "us-east-1"
+  additional_artifacts       = var.additional_artifacts
+}
+
+resource "aws_s3_bucket" "cur" {
+  bucket_prefix = "${var.prefix}-cur-"
+  force_destroy = var.force_destroy_bucket
+  region        = "us-east-1"
+  tags          = var.tags
+}
+
+resource "aws_s3_bucket_policy" "cur" {
+  bucket = aws_s3_bucket.cur.id
+
+  policy = <<POLICY
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Sid": "CURReadAccess",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+            },
+            "Action": [
+                "s3:GetBucketAcl",
+                "s3:GetBucketPolicy"
+            ],
+            "Resource": "${aws_s3_bucket.cur.arn}"
+        },
+        {
+            "Sid": "CURWriteAccess",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "${aws_s3_bucket.cur.arn}/*"
+        }
+    ]
+}
+POLICY
+}

organizations/aws-master/main.tf

@@ -0,0 +1,57 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_organizations_organization" "org" {
+  aws_service_access_principals = var.service_principals
+  enabled_policy_types          = var.scp_types
+  feature_set                   = var.feature_set
+}
+
+resource "aws_organizations_organizational_unit" "prod" {
+  name      = "Production"
+  parent_id = aws_organizations_organization.org.roots.0.id
+}
+
+resource "aws_organizations_organizational_unit" "non_prod" {
+  name      = "NonProduction"
+  parent_id = aws_organizations_organization.org.roots.0.id
+}
+
+resource "aws_organizations_policy" "prod" {
+  name  = "Production"
+
+  content = <<CONTENT
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+CONTENT
+}
+
+resource "aws_organizations_policy" "non_prod" {
+  name  = "NonProduction"
+
+  content = <<CONTENT
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+CONTENT
+}
+
+resource "aws_organizations_policy_attachment" "prod" {
+  policy_id = aws_organizations_policy.prod.id
+  target_id = aws_organizations_organizational_unit.prod.id
+}
+
+resource "aws_organizations_policy_attachment" "non_prod" {
+  policy_id = aws_organizations_policy.non_prod.id
+  target_id = aws_organizations_organizational_unit.non_prod.id
+}

organizations/aws-master/output.tf

@@ -0,0 +1,7 @@
+output "prod_ou_id" {
+  value = aws_organizations_organizational_unit.prod.id
+}
+
+output "non_prod_ou_id" {
+  value = aws_organizations_organizational_unit.non_prod.id
+}

organizations/aws-master/variables.tf

@@ -0,0 +1,44 @@
+variable "scp_types" {
+  type        = list
+  default     = ["SERVICE_CONTROL_POLICY"]
+  description = "List of SCP types - can be overridden to none or empty list for no SCP"
+}
+
+variable "additional_artifacts" {
+  default = ["QUICKSIGHT"]
+}
+
+variable "feature_set" {
+  default     = "ALL"
+  description = "Organizations features to setup"
+}
+
+variable "service_principals" {
+  type = list
+  default = [
+    "cloudtrail.amazonaws.com",
+    "config.amazonaws.com",
+  ]
+  description = "List of services to allow"
+}
+
+variable "force_destroy_bucket" {
+  default     = false
+  description = "Whether or not you want the bucket to force removal of all objects upon deletion - otherwise throws error when deleting"
+}
+
+variable "time_unit" {
+  default     = "DAILY"
+  description = "The frequency on which report data are measured and displayed. Valid values are: HOURLY, DAILY."
+}
+
+variable "tags" {
+  default     = {}
+  type        = map
+  description = "Optional set of tags to apply to the infrastructure"
+}
+
+variable "prefix" {
+  default     = "organizations"
+  description = "String to prefix to all resources"
+}