adding aws-master module for configuring a standalone account as a master payer
parent
95d3b23186
commit
ea7a2b2174
@ -0,0 +1,35 @@
# Organizations
This module sets up the foundation of an AWS account playing the role of "Master Payer"; the parent organization in the AWS Organizations service. This module will manage the parent Organization's service along with subordinate Organizational Units (OU), policies, and policy attachments.
This module explicitly does not setup the AWS accounts; it will setup the backend Organizations service and cost and usage reporting only and should be referenced by additional templates for provisioning accounts.
Only use this module on a standalone AWS account that is not already a member of an Organization.
## Usage
```
module "master_payer" {
source = "github.com/lalanza808/tf-modules.git/organizations/aws-master"
}
module "sandbox-account" {
source = "github.com/lalanza808/tf-modules.git/organizations/subaccount"
account_name = "sandbox"
account_email = "root+sandbox@domain.com"
parent_ou_id = module.master_payer.prod_ou_id
}
output "sandbox-account" {
value = module.sandbox-account.account_id
}
```
## Inputs
See the full list of inputs here: [variables.tf](./variables.tf)
## Outputs
[output.tf](./output.tf)
@ -0,0 +1,50 @@
resource "aws_cur_report_definition" "cur" {
report_name = aws_s3_bucket.cur.id
time_unit = var.time_unit
format = "textORcsv"
compression = "GZIP"
additional_schema_elements = ["RESOURCES"]
s3_bucket = aws_s3_bucket.cur.id
s3_region = "us-east-1"
additional_artifacts = var.additional_artifacts
}
resource "aws_s3_bucket" "cur" {
bucket_prefix = "${var.prefix}-cur-"
force_destroy = var.force_destroy_bucket
region = "us-east-1"
tags = var.tags
}
resource "aws_s3_bucket_policy" "cur" {
bucket = aws_s3_bucket.cur.id
policy = <<POLICY
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "CURReadAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "${aws_s3_bucket.cur.arn}"
},
{
"Sid": "CURWriteAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": "s3:PutObject",
"Resource": "${aws_s3_bucket.cur.arn}/*"
}
]
}
POLICY
}
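Review bot: The bucket policy in `aws_s3_bucket_policy.cur` grants CURReadAccess and CURWriteAccess to the account root principal rather than to the Cost and Usage Reports service, so the service that actually delivers the reports has no permission on the bucket and creation of `aws_cur_report_definition.cur` can fail bucket-permission validation. The Principal in both statements should be `"Principal": { "Service": "billingreports.amazonaws.com" }`, and a `Condition` restricting `aws:SourceAccount` to `${data.aws_caller_identity.current.account_id}` keeps report deliveries for other accounts from writing into this bucket. `aws_s3_bucket.cur` declares no server-side encryption, versioning or public-access block even though it will hold billing data, so an `aws_s3_bucket_public_access_block` for the bucket belongs in the same module. The `region` on the bucket and `s3_region` on the report are both hard-coded to us-east-1, which is fine for CUR but should be stated in the README since nothing in `variables.tf` lets a caller change it.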
@ -0,0 +1,57 @@
data "aws_caller_identity" "current" {}
resource "aws_organizations_organization" "org" {
aws_service_access_principals = var.service_principals
enabled_policy_types = var.scp_types
feature_set = var.feature_set
}
resource "aws_organizations_organizational_unit" "prod" {
name = "Production"
parent_id = aws_organizations_organization.org.roots.0.id
}
resource "aws_organizations_organizational_unit" "non_prod" {
name = "NonProduction"
parent_id = aws_organizations_organization.org.roots.0.id
}
resource "aws_organizations_policy" "prod" {
name = "Production"
content = <<CONTENT
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
}
CONTENT
}
resource "aws_organizations_policy" "non_prod" {
name = "NonProduction"
content = <<CONTENT
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
}
CONTENT
}
resource "aws_organizations_policy_attachment" "prod" {
policy_id = aws_organizations_policy.prod.id
target_id = aws_organizations_organizational_unit.prod.id
}
resource "aws_organizations_policy_attachment" "non_prod" {
policy_id = aws_organizations_policy.non_prod.id
target_id = aws_organizations_organizational_unit.non_prod.id
}
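Review bot: `aws_organizations_policy.prod` and `aws_organizations_policy.non_prod` carry identical content, a single `Allow` of `*` on `*`, which is the same grant as the default FullAWSAccess policy, so attaching them to the Production and NonProduction OUs restricts nothing and the two resources differ only by name. If these are placeholders, a comment such as `# Placeholder SCP equivalent to FullAWSAccess; tighten per OU before attaching accounts` on each resource would make that explicit; if not, the content should come from per-OU variables so the OUs actually diverge, with the NonProduction OU the natural place to start adding Deny statements for services or regions it should not use. `aws_organizations_organization.org.roots.0.id` uses the legacy attribute-index form; `aws_organizations_organization.org.roots[0].id` is the current syntax and reads the same.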
@ -0,0 +1,7 @@
output "prod_ou_id" {
value = aws_organizations_organizational_unit.prod.id
}
output "non_prod_ou_id" {
value = aws_organizations_organizational_unit.non_prod.id
}
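Review bot: Neither `prod_ou_id` nor `non_prod_ou_id` declares a `description`, and the README's Outputs section only links to this file, so a reader landing here learns nothing about what the values are for. Add `description = "ID of the Production OU; pass as parent_ou_id when provisioning production accounts"` and the matching line on `non_prod_ou_id`. The organization ID and root ID are not exported, although a caller attaching accounts or policies at the root would need them; not required for the usage the README shows, but worth considering.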
@ -0,0 +1,44 @@
variable "scp_types" {
type = list
default = ["SERVICE_CONTROL_POLICY"]
description = "List of SCP types - can be overridden to none or empty list for no SCP"
}
variable "additional_artifacts" {
default = ["QUICKSIGHT"]
}
variable "feature_set" {
default = "ALL"
description = "Organizations features to setup"
}
variable "service_principals" {
type = list
default = [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
]
description = "List of services to allow"
}
variable "force_destroy_bucket" {
default = false
description = "Whether or not you want the bucket to force removal of all objects upon deletion - otherwise throws error when deleting"
}
variable "time_unit" {
default = "DAILY"
description = "The frequency on which report data are measured and displayed. Valid values are: HOURLY, DAILY."
}
variable "tags" {
default = {}
type = map
description = "Optional set of tags to apply to the infrastructure"
}
variable "prefix" {
default = "organizations"
description = "String to prefix to all resources"
}
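Review bot: `scp_types`, `service_principals` and `tags` use the bare legacy constraints `type = list` and `type = map`, which accept any element type and which Terraform 0.12+ warns about; they should be `type = list(string)` and `type = map(string)` so a wrong value fails at plan time rather than at the Organizations or S3 API. `additional_artifacts` has neither a type nor a description, unlike every other variable in this file, so add `type = list(string)` and `description = "Additional report artifacts to generate, e.g. QUICKSIGHT"`. `feature_set` and `time_unit` state their valid values only in prose; if the module targets Terraform 0.13 or later a `validation` block would enforce them, hedged because no required version is declared anywhere in this commit.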