Module Documentation

Auto-generated Terraform module reference — inputs, outputs, resources, and sub-modules.

Requirements

Name Version
aws >= 5.80.0

Providers

Name Version
aws >= 5.80.0
aws.security-account >= 5.80.0
external n/a

Modules

Name Source Version
accounts ./modules/account n/a
billing_alerts ./modules/billing_alerts n/a
declarative_policies ./modules/declarative_policies n/a
rcp ./modules/rcp n/a
scp ./modules/scp n/a
security_account ./modules/account n/a

Resources

Name Type
aws_account_alternate_contact.billing resource
aws_account_alternate_contact.operations resource
aws_account_alternate_contact.security resource
aws_account_primary_contact.primary resource
aws_cloudformation_stack.account_factory resource
aws_cloudformation_stack.audit_role_payer resource
aws_cloudformation_stack_set.audit_role resource
aws_cloudformation_stack_set_instance.audit_role resource
aws_cloudtrail.org_cloudtrail resource
aws_cloudwatch_log_group.cloudtrail resource
aws_cur_report_definition.cur_report_definition resource
aws_iam_organizations_features.org resource
aws_iam_role.cloudtrail_to_cloudwatch resource
aws_iam_role_policy.cloudtrail_to_cloudwatch resource
aws_identitystore_group.admin_group resource
aws_kms_alias.macie_key resource
aws_kms_key.macie_key resource
aws_kms_key_policy.macie_key resource
aws_organizations_account.payer resource
aws_organizations_delegated_administrator.cloudformation resource
aws_organizations_delegated_administrator.securityhub resource
aws_organizations_delegated_administrator.sso resource
aws_organizations_organization.org resource
aws_organizations_organizational_unit.custom_ous resource
aws_organizations_organizational_unit.governance_ou resource
aws_organizations_organizational_unit.sandbox_ou resource
aws_organizations_organizational_unit.suspended_ou resource
aws_organizations_organizational_unit.workloads_ou resource
aws_organizations_policy.ai_policy resource
aws_organizations_policy_attachment.ai_policy_root resource
aws_s3_bucket.billing_logs resource
aws_s3_bucket.cloudtrail_bucket resource
aws_s3_bucket.declarative_policy_bucket resource
aws_s3_bucket.macie_bucket resource
aws_s3_bucket.vpc_flowlogs_bucket resource
aws_s3_bucket_notification.bucket_notification resource
aws_s3_bucket_ownership_controls.cloudtrail_bucket resource
aws_s3_bucket_ownership_controls.declarative_policy_bucket resource
aws_s3_bucket_ownership_controls.macie_bucket resource
aws_s3_bucket_ownership_controls.vpc_flowlogs_bucket resource
aws_s3_bucket_policy.allow_billing_logging resource
aws_s3_bucket_policy.cloudtrail_bucket_policy resource
aws_s3_bucket_policy.declarative_policy_bucket_policy resource
aws_s3_bucket_policy.macie_bucket_policy resource
aws_s3_bucket_policy.vpc_flowlogs_bucket_policy resource
aws_s3_bucket_public_access_block.cloudtrail_bucket_bpa resource
aws_s3_bucket_public_access_block.declarative_policy_bucket_bpa resource
aws_s3_bucket_public_access_block.macie_bucket_bpa resource
aws_s3_bucket_public_access_block.vpc_flowlogs_bucket_bpa resource
aws_s3_bucket_server_side_encryption_configuration.macie_bucket resource
aws_s3_bucket_versioning.cloudtrail_bucket resource
aws_s3_bucket_versioning.declarative_policy_bucket resource
aws_s3_bucket_versioning.macie_bucket resource
aws_s3_bucket_versioning.vpc_flowlogs_bucket resource
aws_s3_object.account_factory_config resource
aws_securityhub_account.payer_account resource
aws_securityhub_account.security_account resource
aws_securityhub_configuration_policy.no_enabled_standards resource
aws_securityhub_configuration_policy_association.root_ou resource
aws_securityhub_finding_aggregator.regional_aggregator resource
aws_securityhub_organization_admin_account.delegated_admin resource
aws_securityhub_organization_configuration.security_account resource
aws_sns_topic.cloudtrail_s3_notification_topic resource
aws_ssoadmin_account_assignment.payer_account_group_assignment resource
aws_ssoadmin_managed_policy_attachment.admin_policy_attachments resource
aws_ssoadmin_permission_set.admin_permission_set resource
aws_billing_service_account.main data source
aws_iam_policy_document.allow_billing_logging data source
aws_iam_policy_document.cloudtrail_bucket_policy data source
aws_iam_policy_document.cloudtrail_s3_notification_topic data source
aws_iam_policy_document.declarative_policy_bucket_policy data source
aws_iam_policy_document.macie_bucket_policy data source
aws_iam_policy_document.vpc_flowlogs_bucket_policy data source
aws_organizations_organization.org data source
aws_organizations_organizational_units.all_ous data source
aws_regions.current data source
aws_ssoadmin_instances.identity_store data source
external_external.get_caller_identity data source

Inputs

Name Description Type Default Required
account_configurator n/a any null no
accounts Account Index any n/a yes
admin_group_name Name of the Identity Store Group with all the admin users string "AllAdmins" no
admin_permission_set_name Name of the Permission Set to Create string "AdministratorAccess" no
audit_role_name Name of the AuditRole to deploy string "security-audit" no
audit_role_stack_set_template_url URL that points to the Audit Role Policy Template string null no
backend_bucket n/a any n/a yes
billing_alerts n/a any null no
billing_data_bucket_name Name of the S3 Bucket for CUR reports. Set to null to disable string null no
cloudtrail_bucket_name Name of the S3 Bucket to create to store CloudTrail events. Set to null to disable cloudtrail management string null no
cloudtrail_loggroup_name Name of the CloudWatch Log Group in the payer account where CloudTrail will send its events string null no
cur_report_frequency Frequency CUR reports should be delivered (DAILY, HOURLY, MONTHLY). Set to NONE to disable string "NONE" no
declarative_policies Map of Declarative Policies to deploy map {} no
declarative_policy_bucket_name Name of S3 Bucket for Declarative Policy Reports any null no
deploy_audit_role Boolean to determine if org-kickstart should manage Audit Role bool true no
disable_sso_management Set to true to manage AWS Identity Center outside of org-kickstart bool false no
global_billing_contact Map for the central billing alternate contact to be applied to all accounts any null no
global_operations_contact Map for the central operations alternate contact to be applied to all accounts any null no
global_primary_contact Map for the primary account owner to be applied to all accounts any null no
global_security_contact Map for the central security alternate contact to be applied to all accounts any null no
macie_bucket_name Name of the S3 Bucket to create to store Macie Findings. Set to null to skip creation string null no
organization_name Name of the Organization. This is used for resource prefixes and general reference string n/a yes
organization_units Map of OUs to deploy map {} no
payer_email Root Email address for the Organization Management account string null no
payer_name Name of the Organization Management account string "AWS Payer" no
resource_control_policies Map of RCPs to deploy map {} no
security_account_name Name of the Security Account string "Security Account" no
security_account_root_email Root Email address for the security account string null no
security_services explictly disable or not manage a security service map 
{
  “disable_guardduty”: “false”,
  “disable_inspector”: “false”,
  “disable_macie”: “false”,
  “disable_securityhub”: “false”
}
 no
service_control_policies Map of SCPs to deploy map {} no
session_duration Default Session Duration string "PT8H" no
tag_set Default map of tags to be applied to all resources via all providers map(any) {} no
vpc_flowlogs_bucket_name Name of the S3 Bucket to create to store VPC Flow Logs. Set to null to skip creation string null no

Outputs

Name Description
cloudtrail_cloudwatch_log_group n/a
cloudtrail_s3_notification_topic n/a
declarative_policy_bucket n/a
macie_key_arn Things to pass to the Security Services Regional Modules
org_id n/a
org_name n/a
security_account_id n/a
sso_instance_arn AWS Identity Center Instance ARN managed by org-kickstart

Last modified March 15, 2026: Add autogenerated module docs (ab0caff)