JSPM

aws-organization-formation

0.0.67
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 3044
  • Score
    100M100P100Q139180F
  • License MIT

Infrastructure as code solution for AWS Organizations

Package Exports

  • aws-organization-formation

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (aws-organization-formation) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

AWS Organization Formation

AWS Organization Formation is an Infrastructure as Code (IaC) tool for AWS Organizations.

Features

AWS Organization Formation (also: org-formation) has 3 main features:

  1. Infrastructure as Code for AWS Organizations: Infrastructure as Code for AWS Organizations Organization resources reference | Example organization file | CLI Reference

 

  1. CloudFormation annotations to provision resources cross account: CloudFormation annotations to provision resources cross account Annotated CloudFormation reference | Examples | CLI Reference

 

  1. Automation of account creation and resource provisioning: Automation of account creation and resource provisioning Automation task file reference | Example tasks file | CLI Reference

Want more? here a list of 50+ features 😎😎😎

Installation

With npm installed, run

> npm install -g aws-organization-formation

You can now execute the commandline program org-formation. try:

> org-formation --help

Getting started

To get started you first need an org-formation template that describes all your Organization resources such as Accounts, OUs and SCPs.

After Installation you can generate this file using the following command:

> org-formation init organization.yml  --region us-east-1 [--profile org-master-account]
example output organization.yml file 
AWSTemplateFormatVersion: '2010-09-09-OC'

Organization:
  Root:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: My Organization Root
      AccountId: '123123123123'
      Tags:
        budget-alarm-threshold: '2500'
        account-owner-email: my@email.com

  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:
        - !Ref RestrictUnusedRegionsSCP

  ProductionAccount:
    Type: OC::ORG::Account
    Properties:
      RootEmail: production@myorg.com
      AccountName: Production Account
      Tags:
        budget-alarm-threshold: '2500'
        account-owner-email: my@email.com

  DevelopmentAccount:
    Type: OC::ORG::Account
    Properties:
      RootEmail: development@myorg.com
      AccountName: Development Account
      Tags:
        budget-alarm-threshold: '2500'
        account-owner-email: my@email.com

  DevelopmentOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: development
      Accounts:
        - !Ref DevelopmentAccount

  ProductionOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: production
      Accounts:
        - !Ref ProductionAccount

  RestrictUnusedRegionsSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: RestrictUnusedRegions
      Description: Restrict Unused regions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            NotAction:
              - 'cloudfront:*'
              - 'iam:*'
              - 'route53:*'
              - 'support:*'
            Resource: '*'
            Condition:
              StringNotEquals:
                'aws:RequestedRegion':
                  - eu-west-1
                  - us-east-1
                  - eu-central-1

Note: If you prefer to set up CI/CD run org-formation init-pipeline instead. It will create a CodeCommit repository and CodePipeline that will update your organization upon every commit!

You can make changes to the file you generated and upate your organization using the update commmand. Alternatively you can run create-change-set and update-change-set. Read more in the cli reference

Once you got the hang of managing organization resources, use these organization resources to write smarter cloudformation that allows you to provision resources across your organization. Read more about managing resources across accounts.

Why is this important?

Just like with the resources within your AWS Account, managing AWS Organization resources as code allows you to apply changes automatically, reducing manual work, inconsistencies and mistakes.

If you are considering to use an account vending machine (e.g. AWS Control Tower) to create and manage new accounts within your organization: Do realize that the account vending machine allows you to quickly create organization resources but only has limited facilities when it comes to updating and maintaining these resoruces.

More docs