Reference

Variable reference, policy library, and module documentation.

This section contains low-level reference documentation for Org Kickstart.

Source

The complete module documentation is generated from the Terraform source and available in the ModuleDocs.md file in the repository.

Policy Library

Sample policies are included in the policies/ directory of the repository:

| File | Type | Description |
|------|------|-------------|
| DenyRootSCP.json | SCP | Deny use of root user in all accounts |
| SecurityControlsSCP.json.tftpl | SCP | Base security controls (requires audit_role_name) |
| DisableRegionsPolicy.json.tftpl | SCP | Restrict to approved AWS regions |
| DenyUnapprovedInstanceTypes.json | SCP | Deny non-approved EC2 instance types |
| DenyUnapprovedServices.json | SCP | Deny unapproved AWS services |
| SuspendedAccountsPolicy.json.tftpl | SCP | Deny all activity in suspended accounts |
| RCP_S3DataPerimeter.json.tftpl | RCP | Restrict S3 access to org principals |
| EC2ImageBPA_DCP.json | Declarative | Block public sharing of AMIs |
| EC2SnapshotBPA_DCP.json | Declarative | Block public sharing of EBS snapshots |
| EC2IMDSv2Enforce_DCP.json | Declarative | Enforce IMDSv2 with hop limit of 2 |

Policies with the .tftpl extension support Terraform template variables via policy_vars.

1 - Module Documentation

Auto-generated Terraform module reference — inputs, outputs, resources, and sub-modules.

Requirements

| Name | Version |
|------|---------|
| aws | >= 5.80.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.80.0 |
| aws.security-account | >= 5.80.0 |
| external | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| accounts | ./modules/account | n/a |
| billing_alerts | ./modules/billing_alerts | n/a |
| declarative_policies | ./modules/declarative_policies | n/a |
| rcp | ./modules/rcp | n/a |
| scp | ./modules/scp | n/a |
| security_account | ./modules/account | n/a |

Resources

| Name | Type |
|------|------|
| aws_account_alternate_contact.billing | resource |
| aws_account_alternate_contact.operations | resource |
| aws_account_alternate_contact.security | resource |
| aws_account_primary_contact.primary | resource |
| aws_cloudformation_stack.account_factory | resource |
| aws_cloudformation_stack.audit_role_payer | resource |
| aws_cloudformation_stack_set.audit_role | resource |
| aws_cloudformation_stack_set_instance.audit_role | resource |
| aws_cloudtrail.org_cloudtrail | resource |
| aws_cloudwatch_log_group.cloudtrail | resource |
| aws_cur_report_definition.cur_report_definition | resource |
| aws_iam_organizations_features.org | resource |
| aws_iam_role.cloudtrail_to_cloudwatch | resource |
| aws_iam_role_policy.cloudtrail_to_cloudwatch | resource |
| aws_identitystore_group.admin_group | resource |
| aws_kms_alias.macie_key | resource |
| aws_kms_key.macie_key | resource |
| aws_kms_key_policy.macie_key | resource |
| aws_organizations_account.payer | resource |
| aws_organizations_delegated_administrator.cloudformation | resource |
| aws_organizations_delegated_administrator.securityhub | resource |
| aws_organizations_delegated_administrator.sso | resource |
| aws_organizations_organization.org | resource |
| aws_organizations_organizational_unit.custom_ous | resource |
| aws_organizations_organizational_unit.governance_ou | resource |
| aws_organizations_organizational_unit.sandbox_ou | resource |
| aws_organizations_organizational_unit.suspended_ou | resource |
| aws_organizations_organizational_unit.workloads_ou | resource |
| aws_organizations_policy.ai_policy | resource |
| aws_organizations_policy_attachment.ai_policy_root | resource |
| aws_s3_bucket.billing_logs | resource |
| aws_s3_bucket.cloudtrail_bucket | resource |
| aws_s3_bucket.declarative_policy_bucket | resource |
| aws_s3_bucket.macie_bucket | resource |
| aws_s3_bucket.vpc_flowlogs_bucket | resource |
| aws_s3_bucket_notification.bucket_notification | resource |
| aws_s3_bucket_ownership_controls.cloudtrail_bucket | resource |
| aws_s3_bucket_ownership_controls.declarative_policy_bucket | resource |
| aws_s3_bucket_ownership_controls.macie_bucket | resource |
| aws_s3_bucket_ownership_controls.vpc_flowlogs_bucket | resource |
| aws_s3_bucket_policy.allow_billing_logging | resource |
| aws_s3_bucket_policy.cloudtrail_bucket_policy | resource |
| aws_s3_bucket_policy.declarative_policy_bucket_policy | resource |
| aws_s3_bucket_policy.macie_bucket_policy | resource |
| aws_s3_bucket_policy.vpc_flowlogs_bucket_policy | resource |
| aws_s3_bucket_public_access_block.cloudtrail_bucket_bpa | resource |
| aws_s3_bucket_public_access_block.declarative_policy_bucket_bpa | resource |
| aws_s3_bucket_public_access_block.macie_bucket_bpa | resource |
| aws_s3_bucket_public_access_block.vpc_flowlogs_bucket_bpa | resource |
| aws_s3_bucket_server_side_encryption_configuration.macie_bucket | resource |
| aws_s3_bucket_versioning.cloudtrail_bucket | resource |
| aws_s3_bucket_versioning.declarative_policy_bucket | resource |
| aws_s3_bucket_versioning.macie_bucket | resource |
| aws_s3_bucket_versioning.vpc_flowlogs_bucket | resource |
| aws_s3_object.account_factory_config | resource |
| aws_securityhub_account.payer_account | resource |
| aws_securityhub_account.security_account | resource |
| aws_securityhub_configuration_policy.no_enabled_standards | resource |
| aws_securityhub_configuration_policy_association.root_ou | resource |
| aws_securityhub_finding_aggregator.regional_aggregator | resource |
| aws_securityhub_organization_admin_account.delegated_admin | resource |
| aws_securityhub_organization_configuration.security_account | resource |
| aws_sns_topic.cloudtrail_s3_notification_topic | resource |
| aws_ssoadmin_account_assignment.payer_account_group_assignment | resource |
| aws_ssoadmin_managed_policy_attachment.admin_policy_attachments | resource |
| aws_ssoadmin_permission_set.admin_permission_set | resource |
| aws_billing_service_account.main | data source |
| aws_iam_policy_document.allow_billing_logging | data source |
| aws_iam_policy_document.cloudtrail_bucket_policy | data source |
| aws_iam_policy_document.cloudtrail_s3_notification_topic | data source |
| aws_iam_policy_document.declarative_policy_bucket_policy | data source |
| aws_iam_policy_document.macie_bucket_policy | data source |
| aws_iam_policy_document.vpc_flowlogs_bucket_policy | data source |
| aws_organizations_organization.org | data source |
| aws_organizations_organizational_units.all_ous | data source |
| aws_regions.current | data source |
| aws_ssoadmin_instances.identity_store | data source |
| external_external.get_caller_identity | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_configurator | n/a | any | null | no |
| accounts | Account Index | any | n/a | yes |
| admin_group_name | Name of the Identity Store Group with all the admin users | string | "AllAdmins" | no |
| admin_permission_set_name | Name of the Permission Set to Create | string | "AdministratorAccess" | no |
| audit_role_name | Name of the AuditRole to deploy | string | "security-audit" | no |
| audit_role_stack_set_template_url | URL that points to the Audit Role Policy Template | string | null | no |
| backend_bucket | n/a | any | n/a | yes |
| billing_alerts | n/a | any | null | no |
| billing_data_bucket_name | Name of the S3 Bucket for CUR reports. Set to null to disable | string | null | no |
| cloudtrail_bucket_name | Name of the S3 Bucket to create to store CloudTrail events. Set to null to disable CloudTrail management | string | null | no |
| cloudtrail_loggroup_name | Name of the CloudWatch Log Group in the payer account where CloudTrail will send its events | string | null | no |
| cur_report_frequency | Frequency CUR reports should be delivered (DAILY, HOURLY, MONTHLY). Set to NONE to disable | string | "NONE" | no |
| declarative_policies | Map of Declarative Policies to deploy | map | {} | no |
| declarative_policy_bucket_name | Name of S3 Bucket for Declarative Policy Reports | any | null | no |
| deploy_audit_role | Boolean to determine if org-kickstart should manage the Audit Role | bool | true | no |
| disable_sso_management | Set to true to manage AWS Identity Center outside of org-kickstart | bool | false | no |
| global_billing_contact | Map for the central billing alternate contact to be applied to all accounts | any | null | no |
| global_operations_contact | Map for the central operations alternate contact to be applied to all accounts | any | null | no |
| global_primary_contact | Map for the primary account owner to be applied to all accounts | any | null | no |
| global_security_contact | Map for the central security alternate contact to be applied to all accounts | any | null | no |
| macie_bucket_name | Name of the S3 Bucket to create to store Macie Findings. Set to null to skip creation | string | null | no |
| organization_name | Name of the Organization. This is used for resource prefixes and general reference | string | n/a | yes |
| organization_units | Map of OUs to deploy | map | {} | no |
| payer_email | Root Email address for the Organization Management account | string | null | no |
| payer_name | Name of the Organization Management account | string | "AWS Payer" | no |
| resource_control_policies | Map of RCPs to deploy | map | {} | no |
| security_account_name | Name of the Security Account | string | "Security Account" | no |
| security_account_root_email | Root Email address for the security account | string | null | no |
| security_services | Explicitly disable, or do not manage, a security service | map | { "disable_guardduty": "false", "disable_inspector": "false", "disable_macie": "false", "disable_securityhub": "false" } | no |
| service_control_policies | Map of SCPs to deploy | map | {} | no |
| session_duration | Default Session Duration | string | "PT8H" | no |
| tag_set | Default map of tags to be applied to all resources via all providers | map(any) | {} | no |
| vpc_flowlogs_bucket_name | Name of the S3 Bucket to create to store VPC Flow Logs. Set to null to skip creation | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| cloudtrail_cloudwatch_log_group | n/a |
| cloudtrail_s3_notification_topic | n/a |
| declarative_policy_bucket | n/a |
| macie_key_arn | Things to pass to the Security Services Regional Modules |
| org_id | n/a |
| org_name | n/a |
| security_account_id | n/a |
| sso_instance_arn | AWS Identity Center Instance ARN managed by org-kickstart |

2 - Parameter Reference

All Terraform variables for the Org Kickstart module.

All configuration is passed via the organization variable (an object type) and a few top-level variables. Below are the key configuration parameters.

Top-Level Variables

| Variable | Type | Required | Description |
|----------|------|----------|-------------|
| organization | object | Yes | Main configuration object (see below) |
| backend_bucket | string | Yes | S3 bucket name for Terraform state |

Organization Object

Core Identity

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| organization_name | string | Yes | Short name for the organization |
| payer_name | string | Yes | Display name for the management account |
| payer_email | string | Yes | Root email of the management account |
| security_account_name | string | Yes | Display name for the security account |
| security_account_root_email | string | Yes | Root email for the new security account |

CloudTrail

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| cloudtrail_bucket_name | string | required | S3 bucket for CloudTrail logs. Set null to disable |
| cloudtrail_loggroup_name | string | "CloudTrail/DefaultLogGroup" | CloudWatch Log Group name |

SSO / Identity Center

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| session_duration | string | "PT8H" | ISO 8601 duration for SSO sessions |
| admin_permission_set_name | string | "AdministratorAccess" | Name of the admin Permission Set |
| admin_group_name | string | "AllAdmins" | Name of the admin Identity Center group |
| disable_sso_management | bool | false | Set true to stop Terraform from managing SSO |

Audit Role

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| deploy_audit_role | bool | true | Deploy the cross-account audit role StackSet |
| audit_role_name | string | "security-audit" | Name of the audit role in each account |
| audit_role_stack_set_template_url | string | required if deploy | S3 URL to the CloudFormation template |

Billing

| Parameter | Type | Required / Default | Description |
|-----------|------|--------------------|-------------|
| billing_data_bucket_name | string | Yes | S3 bucket for CUR reports |
| cur_report_frequency | string | "DAILY" | DAILY, HOURLY, MONTHLY, or "NONE" to disable |
| declarative_policy_bucket_name | string | Yes | S3 bucket for declarative policy documents |

Security Services

Configure which security services to enable/disable:

security_services = {
  disable_guardduty   = false
  disable_securityhub = false
  disable_macie       = false
}

Organizational Units

Four OUs are always created: Governance, Workloads, Sandbox, Suspended. Additional OUs can be defined:

organization_units = {
  "MyOU" = {
    name             = "MyOU"
    is_child_of_root = true
  }
  "NestedOU" = {
    name         = "NestedOU"
    parent_id    = "MyOU"   # use parent OU name for direct children of custom OUs
  }
}

Accounts

Each account in the accounts map:

accounts = {
  my_account = {
    account_name          = "my-org-prod"        # AWS account display name
    account_email         = "aws+prod@example.com" # root email (must be unique)
    parent_ou_name        = "Workloads"           # OU name (or use parent_ou_id)
    monthly_budget_amount = 1000                  # optional, in USD
    delegated_admin       = ["service.amazonaws.com"]  # optional
    close_on_deletion     = false                 # optional

    # Optional: override primary contact for this account
    primary_contact = {
      full_name       = "Account Owner"
      company_name    = "My Org"
      address_line_1  = "123 Main St"
      city            = "Atlanta"
      state_or_region = "GA"
      postal_code     = "30332"
      country_code    = "US"
      email_address   = "owner@example.com"
      phone_number    = "+14041234567"
    }
  }
}
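
The following is an added example, not configuration from the Org Kickstart project, that puts the OU and account parameters above together into one account lifecycle: a production account in a custom nested OU, a personal sandbox that is closed when removed from the map, and a decommissioned account parked in the always-created Suspended OU. Every name and e-mail address is a constructed placeholder. Two assumptions are made: that parent_ou_name accepts the name of a custom nested OU (the page documents OU names only for the built-in OUs), and that delegated_admin takes AWS service principals of the form shown on the page, for which guardduty.amazonaws.com is used here.

```hcl
# Added example (not org-kickstart's own code). All names and addresses are
# constructed placeholders.

organization_units = {
  # Custom OU directly under the organization root.
  "Platform" = {
    name             = "Platform"
    is_child_of_root = true
  }
  # Nested under the custom OU; parent_id is the parent's OU name, as the
  # page's NestedOU example shows.
  "Prod" = {
    name      = "Prod"
    parent_id = "Platform"
  }
}

accounts = {
  prod = {
    account_name          = "example-prod"
    account_email         = "aws+prod@example.com"
    parent_ou_name        = "Prod"   # assumption: custom nested OU referenced by name
    monthly_budget_amount = 5000     # USD
    close_on_deletion     = false    # removing the map entry must never close prod
  }

  sandbox_alice = {
    account_name          = "example-sandbox-alice"
    account_email         = "aws+sandbox-alice@example.com"
    parent_ou_name        = "Sandbox"   # built-in OU, always created
    monthly_budget_amount = 100
    close_on_deletion     = true        # deleting the entry closes the account
  }

  security_tooling = {
    account_name   = "example-sec-tooling"
    account_email  = "aws+sec-tooling@example.com"
    parent_ou_name = "Platform"
    # Assumption: service principals, as the page's "service.amazonaws.com"
    # placeholder suggests.
    delegated_admin = ["guardduty.amazonaws.com"]
  }

  legacy_ops = {
    # Decommissioning step: move the account to Suspended first so any SCP
    # attached to that OU (for example SuspendedAccountsPolicy) blocks
    # further activity, then flip close_on_deletion and remove the entry.
    account_name      = "example-legacy-ops"
    account_email     = "aws+legacy-ops@example.com"
    parent_ou_name    = "Suspended"
    close_on_deletion = true
  }
}
```

The close_on_deletion flag matters most on the accounts you least expect to touch: a false on production means a mistaken removal from the map only detaches the account from Terraform state rather than closing it, while true on sandboxes and suspended accounts makes cleanup a single plan and apply.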

Alternate Contacts

Applied org-wide (overridable per account):

global_billing_contact = {
  name          = "Name"
  title         = "CFO"
  email_address = "billing@example.com"
  phone_number  = "+1xxxxxxxxxx"
}

global_security_contact = {
  name          = "Name"
  title         = "CISO"
  email_address = "security@example.com"
  phone_number  = "+1xxxxxxxxxx"
}

global_operations_contact = {
  name          = "Name"
  title         = "VP Engineering"
  email_address = "ops@example.com"
  phone_number  = "+1xxxxxxxxxx"
}

global_primary_contact = {
  full_name       = "Name"
  company_name    = "My Org"
  address_line_1  = "123 Main St"
  city            = "Atlanta"
  state_or_region = "GA"
  postal_code     = "30332"
  country_code    = "US"
  email_address   = "aws@example.com"
  phone_number    = "+1xxxxxxxxxx"
}

Policies

All three policy types follow the same structure:

service_control_policies = {
  my_policy = {
    policy_name        = "MyPolicy"
    policy_description = "Description"
    policy_json_file   = "policies/MyPolicy.json"
    policy_targets     = ["Workloads", "ou-xxxx-xxxxxxxx"]  # OU names or IDs
    policy_vars = {                                         # for .tftpl files
      variable_name = "value"
    }
  }
}

The same structure applies to resource_control_policies and declarative_policies (which also require policy_type = "DECLARATIVE_POLICY_EC2").
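
As an added example that is not part of the Org Kickstart documentation or code, the block below fills in the policy structure for all three policy types, using the files listed in the Policy Library section, and shows where policy_vars enters for a .tftpl template (this page documents only audit_role_name as a template variable, for SecurityControlsSCP.json.tftpl). The OU names Workloads, Sandbox and Suspended are the OUs the page says are always created; ou-abcd-12345678 is a constructed placeholder OU ID; the template variables expected by the other .tftpl files are not listed on this page and are marked as such in the comments.

```hcl
# Added example (not org-kickstart's own code). OU ID below is a constructed
# placeholder; OU names are the built-in OUs listed on this page.

service_control_policies = {
  # Plain JSON policy file: no policy_vars needed.
  deny_root = {
    policy_name        = "DenyRoot"
    policy_description = "Deny use of the root user"
    policy_json_file   = "policies/DenyRootSCP.json"
    policy_targets     = ["Workloads", "Sandbox"]
  }

  # Template file: every ${name} reference in the .tftpl is rendered from
  # policy_vars before the policy is attached. The page states this template
  # requires audit_role_name; "security-audit" is the module default.
  security_controls = {
    policy_name        = "SecurityControls"
    policy_description = "Baseline security controls"
    policy_json_file   = "policies/SecurityControlsSCP.json.tftpl"
    policy_targets     = ["Workloads", "ou-abcd-12345678"] # names and IDs mix
    policy_vars = {
      audit_role_name = "security-audit"
    }
  }

  # Quarantine policy for the Suspended OU.
  suspended = {
    policy_name        = "SuspendedAccounts"
    policy_description = "Deny all activity in suspended accounts"
    policy_json_file   = "policies/SuspendedAccountsPolicy.json.tftpl"
    policy_targets     = ["Suspended"]
    # Assumption: this template's variables are not documented on this page;
    # supply one entry per ${name} the template references.
    policy_vars = {}
  }
}

resource_control_policies = {
  s3_data_perimeter = {
    policy_name        = "S3DataPerimeter"
    policy_description = "Restrict S3 access to principals in this organization"
    policy_json_file   = "policies/RCP_S3DataPerimeter.json.tftpl"
    policy_targets     = ["Workloads"]
    policy_vars        = {} # same assumption as above: fill from the template
  }
}

declarative_policies = {
  ec2_imdsv2 = {
    policy_name        = "EC2IMDSv2Enforce"
    policy_description = "Enforce IMDSv2 with a hop limit of 2"
    policy_json_file   = "policies/EC2IMDSv2Enforce_DCP.json"
    policy_type        = "DECLARATIVE_POLICY_EC2" # required for declarative policies
    policy_targets     = ["Workloads", "Sandbox"]
  }
}
```

Before applying, check that each .tftpl renders to valid JSON with the policy_vars you pass: an unset template variable fails at plan time, but a variable set to an empty or mistyped value can render a syntactically valid policy that does not restrict what you intended, so review the rendered document in the plan output rather than only the file on disk.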

Billing Alerts

billing_alerts = {
  levels = {
    level1  = 100   # USD threshold
    level2  = 500
    oh_shit = 1000
  }
  subscriptions = ["email@example.com"]
}

budget_defaults = {
  alert_recipients      = ["email@example.com"]
  currency              = "USD"
  warning_percentage    = 80
  organizational_budget = 1000
}