terraform-aws-tardigrade-org-centralized-root-access

Terraform module to manage centralized root access for an AWS Organization.

To configure centralized root access for an AWS Organization, the Organization must have trusted service access enabled for the IAM service principal, iam.amazonaws.com. Currently, the Terraform AWS Provider has no resource that only enables service access for an Organization, so it is up to the user to coordinate enabling IAM service access before using this module.

NOTE: The resource aws_organizations_organization can enable service access. However, it expects exclusive control over all enabled services, features and other attributes of the Organization. It cannot be used to enable just a single service, i.e. iam.amazonaws.com, while ignoring any other enabled or disabled service: anything it is not configured to enable, it will disable! It is therefore not appropriate to use this resource in a module like this one, which is designed to manage a single Organization feature.

To determine if IAM service access is enabled for the Organization, run this command using a credential for the AWS Organization account:

aws organizations list-aws-service-access-for-organization --query 'EnabledServicePrincipals[? ServicePrincipal == `iam.amazonaws.com`]'

If enabled, it will return something like:

[
    {
        "ServicePrincipal": "iam.amazonaws.com",
        "DateEnabled": "2025-01-10T14:30:07.609000-08:00"
    }
]

If not enabled, it will simply return an empty list:

[]

To enable IAM service access for the AWS Organization, run this command:

aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
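One way to make Terraform itself refuse to proceed until that prerequisite is met, as an added example that is not part of this module or its README: the aws_organizations_organization data source exposes the enabled service principals, so a postcondition on it fails the plan before the module is applied. The module source address and the delegated administrator account ID below are placeholders.

```hcl
# Added example (not from the module's README). Assumes the caller uses
# credentials for the Organization management account.

data "aws_organizations_organization" "current" {
  lifecycle {
    # Fail the plan if IAM trusted access has not been enabled yet, with the
    # exact CLI command needed to fix it in the error message.
    postcondition {
      condition     = contains(self.aws_service_access_principals, "iam.amazonaws.com")
      error_message = "IAM service access is not enabled for this Organization. Run: aws organizations enable-aws-service-access --service-principal iam.amazonaws.com"
    }
  }
}

module "org_centralized_root_access" {
  # Placeholder: replace with the module's actual registry or git source.
  source = "path/to/terraform-aws-tardigrade-org-centralized-root-access"

  # Explicit dependency so the module is not planned until the check passes.
  depends_on = [data.aws_organizations_organization.current]

  org_centralized_root_access = {
    organization_features = {
      enabled_features = ["RootCredentialsManagement", "RootSessions"]
    }
    delegated_administrator = {
      account_id = "111111111111" # placeholder account ID
    }
  }
}
```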

Requirements

No requirements.

Providers

Name Version
aws n/a

Resources

Name Type
aws_caller_identity.this data source
aws_organizations_organization.this data source

Inputs

Name: org_centralized_root_access

Description: Object containing configuration details to manage centralized root access for the AWS Organization

Type:

object({
  organization_features = optional(object({
    enabled_features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
  }), {})

  delegated_administrator = optional(object({
    account_id = string
  }))
})

Default: {}

Required: no

Outputs

Name Description
iam_organizations_features Object with attributes of the AWS IAM Organizations features
organizations_delegated_administrator Object with attributes of the AWS Organizations delegated administrator