Tasks
Task-oriented how-to guides for common Org Kickstart operations.
Common Tasks
1 - Adding a New Account
How to add a new AWS account to your organization.
Adding a new AWS account is the most common operation in Org Kickstart. All account configuration
lives in the accounts map in your tfvars file.
Steps
- Add an entry to the accounts map in your tfvars file:

```hcl
accounts = {
  # ... existing accounts ...
  my_new_account = {
    account_name          = "my-org-new-account"
    account_email         = "aws+new-account@example.com"
    parent_ou_name        = "Workloads"
    monthly_budget_amount = 500
  }
}
```
- Plan and apply:

```shell
make env=your-org tf-execute
```

Or step by step, to review the plan before applying:

```shell
make env=your-org tf-plan
make env=your-org tf-show
make env=your-org tf-apply
```
Org Kickstart will create the AWS account, place it in the correct OU, assign SSO access,
set alternate contacts, and apply any policies that target the parent OU.
Account Options
| Option | Description |
|---|---|
| account_name | Display name for the AWS account |
| account_email | Root email address (must be globally unique) |
| parent_ou_name | Place the account in this OU (by name) |
| parent_ou_id | Place the account in this OU (by ID) |
| monthly_budget_amount | Budget alert threshold in USD |
| delegated_admin | List of AWS services to delegate admin for |
| close_on_deletion | Whether to close the account when removed from Terraform |
| primary_contact | Override the global primary contact for this account |
Notes
- The account_email must be unique across all AWS accounts globally.
- New accounts are created by AWS Organizations and may take a few minutes to become available.
- The Security Account is managed separately via the security_account block.
2 - Creating Policies
How to create and attach SCPs, RCPs, and Declarative Policies.
Org Kickstart manages three types of AWS Organizations policies via the same Terraform pattern:
Service Control Policies (SCPs), Resource Control Policies (RCPs), and
Declarative Policies.
Steps
- Create a policy JSON file in the policies/ directory of your deployment repo. For dynamic values, use a .tftpl extension and Terraform template syntax.

policies/MyPolicy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
```
- Add the policy definition to the appropriate block in your tfvars file:

```hcl
service_control_policies = {
  deny_s3_delete = {
    policy_name        = "DenyS3BucketDeletion"
    policy_description = "Prevent deletion of S3 buckets"
    policy_json_file   = "policies/MyPolicy.json"
    policy_targets     = ["Workloads", "Sandbox"]
  }
}
```
- Plan and apply:

```shell
make env=your-org tf-execute
```

SCPs and RCPs are high-impact changes. Always review the plan before applying:

```shell
make env=your-org tf-plan
make env=your-org tf-show
make env=your-org tf-apply
```

You can also run a security scan of the plan with Checkov before applying:

```shell
make env=your-org checkov
```
Policy Types
| Block | AWS Type |
|---|---|
| service_control_policies | Service Control Policy (SCP) |
| resource_control_policies | Resource Control Policy (RCP) |
| declarative_policies | Declarative Policy (EC2) |

Declarative Policies also require policy_type = "DECLARATIVE_POLICY_EC2".
Targeting OUs
policy_targets accepts a list of OU names or OU IDs. Use "Root" to target the
organization root:
```hcl
policy_targets = ["Root"]                 # all accounts
policy_targets = ["Workloads", "Sandbox"] # by name
policy_targets = ["ou-xxxx-xxxxxxxx"]     # by ID
```
Templated Policies
For policies that need org-specific values, use a .tftpl file:
policies/AuditRoleProtection.json.tftpl:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["iam:Delete*"],
    "Resource": "arn:aws:iam::*:role/${audit_role_name}"
  }]
}
```

Then pass the template values through policy_vars:

```hcl
service_control_policies = {
  protect_audit_role = {
    policy_name      = "ProtectAuditRole"
    policy_json_file = "policies/AuditRoleProtection.json.tftpl"
    policy_vars = {
      audit_role_name = "security-audit"
    }
  }
}
```
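A pre-apply check for the policy files described under Steps and Templated Policies, as an added example that is not part of Org Kickstart: it renders a .tftpl policy with the policy_vars map, fails on any placeholder the map does not define, and lints the rendered document before it reaches tf-plan. The render_policy and lint_policy names are assumptions, the 5,120-character limit is the AWS quota for SCP and RCP documents, and the ${name} substitution covers only the plain placeholder form used in the template above.

```python
import json
import re

# ${name} placeholders, the subset of templatefile() syntax these policies use
PLACEHOLDER = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}")
MAX_POLICY_CHARS = 5120  # AWS quota for an SCP/RCP document

def render_policy(template: str, policy_vars: dict[str, object]) -> str:
    """Substitute ${var} with policy_vars, as templatefile() does; KeyError if any is missing."""
    missing = {n for n in PLACEHOLDER.findall(template) if n not in policy_vars}
    if missing:
        raise KeyError(f"policy_vars missing: {sorted(missing)}")
    return PLACEHOLDER.sub(lambda m: str(policy_vars[m.group(1)]), template)

def lint_policy(document: str) -> list[str]:
    """Return the problems found in a rendered policy document (empty list = ok)."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems: list[str] = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    statements = [statements] if isinstance(statements, dict) else statements
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if not {"Action", "NotAction"} & st.keys():
            problems.append(f"statement {i}: Action or NotAction required")
        if not {"Resource", "NotResource"} & st.keys():
            problems.append(f"statement {i}: Resource or NotResource required")
    # Measure the file as written, the conservative reading of the size quota
    if len(document) > MAX_POLICY_CHARS:
        problems.append(f"{len(document)} chars exceeds the {MAX_POLICY_CHARS} limit")
    return problems

# Constructed sample: the AuditRoleProtection.json.tftpl template shown above
AUDIT_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["iam:Delete*"],
    "Resource": "arn:aws:iam::*:role/${audit_role_name}"
  }]
}"""
```

Run it over every file in policies/ with the matching policy_vars from your tfvars; an empty list from lint_policy means the document is well-formed, and a KeyError from render_policy points at a placeholder you forgot to supply.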
Sample Policies
See the policies/ directory in the repository for a library of ready-to-use policies, or check out PrimeHarbor's repository of Organizational Policies.