Skip to content
/ terraform-aws-tardigrade-org-centralized-root-access Public
generated from plus3it/repo-template

Terraform module to manage centralized root management in an AWS Organization

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

plus3it/terraform-aws-tardigrade-org-centralized-root-access

BranchesTags

Repository files navigation

terraform-aws-tardigrade-org-centralized-root-access

Terraform module to manage centralized root access for an AWS Organization.

To configure centralized root access for an AWS Organization, the Organization must enable service access for the IAM principal, iam.amazonaws.com. Currently, the Terraform AWS Provider does not have a resource that only enables service access for an Organization. Therefore, it is up to the user to coordinate the enablement of IAM service access before using this module.

NOTE: There is the resource aws_organizations_organization, which can enable service access. However, it expects exclusive control over all enabled services and features and other attributes of the resource. It cannot be used to enable just a single service, i.e. iam.amazonaws.com, while ignoring any other enabled or disabled service. Anything it is not configured to enable, it will disable! It is not appropriate to use this resource in a module like this one that is designed to manage a single Organization feature.

To determine if IAM service access is enabled for the Organization, run this command using a credential for the AWS Organization account:

aws organizations list-aws-service-access-for-organization --query 'EnabledServicePrincipals[? ServicePrincipal == `iam.amazonaws.com`]'

If enabled, it will return something like:

[
    {
        "ServicePrincipal": "iam.amazonaws.com",
        "DateEnabled": "2025-01-10T14:30:07.609000-08:00"
    }
]

If not enabled, it will simply return an empty list:

[]

To enable IAM service access for the AWS Organization, run this command:

aws organizations enable-aws-service-access --service-principal iam.amazonaws.com

Requirements

No requirements.

Providers

Name Version
aws n/a

Resources

Name Type
aws_caller_identity.this data source
aws_organizations_organization.this data source

Inputs

Name Description Type Default Required
org_centralized_root_access Object containing configuration details to manage centralized root access for the AWS Organization 
object({
    organization_features = optional(object({
      enabled_features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
    }), {})

    delegated_administrator = optional(object({
      account_id = string
    }))
  })
 {} no

Outputs

Name Description
iam_organizations_features Object with attributes of the AWS IAM Organizations features
organizations_delegated_administrator Object with attributes of the AWS Organizations delegated administrator

About

Terraform module to manage centralized root management in an AWS Organization

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases 1

1.0.0 Latest
Jan 13, 2025

Packages

No packages published

Languages