Skip to main content
Sponsor @cloudposse

Module: organization-access-group

Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

Introduction

By default, when you create a member account as part of your Organization, AWS automatically creates OrganizationAccountAccessRole in the member account.

The role grants admin permissions to access the member account to delegated IAM users in the master account.

In the master account you need to create a Policy to grant permissions to IAM users to assume OrganizationAccountAccessRole in the member account.

This module does the following:

  1. Creates an IAM Group
  2. Adds the provided IAM users to the Group
  3. Creates a Policy to grant permissions to the IAM users in the master account to assume OrganizationAccountAccessRole in the member account
  4. Attaches the Policy to the Group

Users who are members of the Group will be able to assume the role and administer the member account by going here:

(change XXXXXXXXXXXX to the ID of the member account)

https://signin.aws.amazon.com/switchrole
                ?account=XXXXXXXXXXXX
                &roleName=OrganizationAccountAccessRole
                &displayName=Dev

NOTE: Member accounts that you invite to join your Organization (that are not part of your Organization) do not automatically get OrganizationAccountAccessRole created. You can use terraform-aws-organization-access-role module to create OrganizationAccountAccessRole role in an invited member account.


Usage

module "organization_access_group" {
  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=master"
  namespace         = "cp"
  stage             = "dev"
  name              = "cluster"
  user_names        = ["User1","User2"]
  role_arns         = {
    "cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole"
  }
  require_mfa       = "true"
}

Variables

Required Variables

user_names (list(string)) required

A list of IAM User names to associate with the Group

Optional Variables

require_mfa (string) optional

Require the users to have MFA enabled


Default value: "false"

role_arns (map(string)) optional

A map of alias -> IAM Role ARNs the users in the Group can assume


Default value: { }

switchrole_url_template (string) optional

URL template for the IAM console to switch to the roles


Default value: "https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s"

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

name (string) required

Name (e.g. app or cluster)
Required: Yes

Default value: ``

namespace (string) required

Namespace (e.g. cp or cloudposse)
Required: Yes

Default value: ``

stage (string) required

Stage (e.g. prod, dev, staging, infra)
Required: Yes

Default value: ``

attributes (list(string)) optional

Additional attributes (e.g. 1)
Required: No

Default value: [ ]

delimiter (string) optional

Delimiter to be used between namespace, stage, name, and attributes
Required: No

Default value: "-"

enabled (string) optional

Whether to create these resources
Required: No

Default value: "true"

tags (map(string)) optional

Additional tags (e.g. map(BusinessUnit,XYZ)
Required: No

Default value: { }

Outputs

group_arn

The ARN assigned by AWS for the Group

group_id

The Group's ID

group_name

The Group's name

group_unique_id

Group's unique ID assigned by AWS

policy_id

The policy ID

policy_name

The name of the policy

switchrole_urls

List of URL to the IAM console to switch to the roles

Dependencies

Providers

  • aws
  • null

Modules

NameVersionSourceDescription
labeltags/0.3.3git::https://github.com/cloudposse/terraform-null-label.gitn/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: