Deploying resources on multiple AWS Organizations account

2
votes

Let me give some context to the issue.

I'm trying to create a terraform script that deploys an AWS Organization with some accounts and also some resources in those accounts.

So, the issue is that I cant seem to be able to figure out how to create resources on multiple accounts at runetime. Meaning that I'd like to create resources on accounts I created on the same script.

The "workflow" would be something like this

  1. Script creates AWS Organization
  2. Same script creates AWS Organizations account
  3. Same script creates an S3 bucket on the account created

Is this a thing that is possible doing? I know one can "impersonate" users by doing something like the following.

provider "aws" {
  alias   = "dns"
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

But is this information something I can get after creating the account as some sort of output from the AWS-organization-account terraform module?

Maybe there is another way of doing this and I just need some reading material.

1
amazon-web-servicesterraformterraform-provider-aws
What module are you referencing? - ydaetskcoR
For the AWS Organizations account, this one registry.terraform.io/providers/hashicorp/aws/latest/docs/… - Manuel

1 Answers

2
votes

You can do this but you may want to separate some of these things out to minimise blast radius so it's not all in a single terraform apply or terraform destroy.

As a quick example you could do something like the following:

resource "aws_organizations_organization" "org" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

resource "aws_organizations_account" "new_account" {
  name  = "my_new_account"
  email = "[email protected]"

  depends_on = [
    aws_organizations_organization.org,
  ]
}

provider "aws" {
  alias = "new_account"

  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.new_account.id}:role/OrganizationAccountAccessRole"
    session_name = "new_account_creation"
  }
}

resource "aws_s3_bucket" "bucket" {
  provider = aws.new_account

  bucket = "new-account-bucket-${aws_organizations_account.new_account.id}"
  acl    = "private"
}

The above uses the default OrganizationAccountAccessRole IAM role that is created in the child account to then create the S3 bucket in that account.