/terraform-aws-organization

A Terraform module for managing an AWS Organisation.

Primary LanguageRubyMIT LicenseMIT

Terraform AWS Organisation

CircleCI

A Terraform module for managing an AWS Organisation.

The Organisation deployment has no requirements.

The Organisation deployment consists of:

  • an AWS organisation
  • with a hierarchy of organisational units
  • with a set of accounts placed in that hierarchy

Usage

To use the module, include something like the following in your Terraform configuration:

module "organisation" {
  source  = "infrablocks/organisation/aws"
  version = "0.1.1"

  feature_set                   = "ALL"
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com"
  ]

  organizational_units = [
    {
      name     = "Root",
      children = [
        {
          name     = "Parent",
          children = [
            {
              name = "Dev",
            },
            {
              name = "Prod"
            }
          ]
        }
      ]
    }
  ]

  accounts = [
    {
      name                              = "Dev Gold"
      email                             = "me+dev.gold@example.com"
      organizational_unit               = "Dev"
      allow_iam_users_access_to_billing = true
    },
    {
      name                              = "Dev Silver"
      email                             = "me+dev.silver@example.com"
      organizational_unit               = "Dev"
      allow_iam_users_access_to_billing = true
    },
    {
      name                              = "Prod Platinum"
      email                             = "me+prod.platinum@example.com"
      organizational_unit               = "Prod"
      allow_iam_users_access_to_billing = true
    }
  ]
}

Note: organizational_units can be nested up to 3 levels deep. Levels 1 & 2 must include a children property, although it can be an empty array. Level 3 must not include a children property.

See the Terraform registry entry for more details.

Inputs

Name Description Default Required
feature_set The feature set to enable for the organization (one of "ALL" or "CONSOLIDATED_BILLING") ALL yes
aws_service_access_principals A list of AWS service principal names for which you want to enable integration with your organization. [] yes
organizational_units The tree of organizational units in the organization - yes
accounts The accounts that are part of the organization - yes

Outputs

Name Description
organization_arn The ARN of the resulting organization
organizational_units Details of the resulting organizational units
accounts Details of the resulting accounts

Compatibility

This module is compatible with Terraform versions greater than or equal to Terraform 1.0.

Development

Machine Requirements

In order for the build to run correctly, a few tools will need to be installed on your development machine:

  • Ruby (3.1.1)
  • Bundler
  • git
  • git-crypt
  • gnupg
  • direnv
  • aws-vault

Mac OS X Setup

Installing the required tools is best managed by homebrew.

To install homebrew:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then, to install the required tools:

# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 3.1.1
rbenv rehash
rbenv local 3.1.1
gem install bundler

# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg

# aws-vault
brew cask install

# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"

direnv allow <repository-directory>

Running the build

Running the build requires an AWS account and AWS credentials. You are free to configure credentials however you like as long as an access key ID and secret access key are available. These instructions utilise aws-vault which makes credential management easy and secure.

To provision module infrastructure, run tests and then destroy that infrastructure, execute:

aws-vault exec <profile> -- ./go

To provision the module prerequisites:

aws-vault exec <profile> -- ./go deployment:prerequisites:provision[<deployment_identifier>]

To provision the module contents:

aws-vault exec <profile> -- ./go deployment:root:provision[<deployment_identifier>]

To destroy the module contents:

aws-vault exec <profile> -- ./go deployment:root:destroy[<deployment_identifier>]

To destroy the module prerequisites:

aws-vault exec <profile> -- ./go deployment:prerequisites:destroy[<deployment_identifier>]

Configuration parameters can be overridden via environment variables:

DEPLOYMENT_IDENTIFIER=testing aws-vault exec <profile> -- ./go

When a deployment identifier is provided via an environment variable, infrastructure will not be destroyed at the end of test execution. This can be useful during development to avoid lengthy provision and destroy cycles.

By default, providers will be downloaded for each terraform execution. To cache providers between calls:

TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache" aws-vault exec <profile> -- ./go

Common Tasks

Generating an SSH key pair

To generate an SSH key pair:

ssh-keygen -m PEM -t rsa -b 4096 -C integration-test@example.com -N '' -f config/secrets/keys/bastion/ssh

Generating a self-signed certificate

To generate a self signed certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

To decrypt the resulting key:

openssl rsa -in key.pem -out ssl.key

Managing CircleCI keys

To encrypt a GPG key for use by CircleCI:

openssl aes-256-cbc \
  -e \
  -md sha1 \
  -in ./config/secrets/ci/gpg.private \
  -out ./.circleci/gpg.private.enc \
  -k "<passphrase>"

To check decryption is working correctly:

openssl aes-256-cbc \
  -d \
  -md sha1 \
  -in ./.circleci/gpg.private.enc \
  -k "<passphrase>"

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/terraform-aws-organisation. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The library is available as open source under the terms of the MIT License.