A closer look at one such service, AWS Organizations: how can it be used?
As your cloud workloads grow, the fine-grained structure you had in mind when you started becomes harder and harder to maintain. This applies to companies and teams of any shape and size. Thankfully, AWS created a number of services that come in handy once adding some shape and structure to your cloud topology starts to feel like a necessity. In this article, we will take a closer look at one such service, namely AWS Organizations, and show how it can be used to help encapsulate your projects/apps/accounts.
In this article, I'll be using Terraform to show you how to create:
If you want to follow along, you'll need to have:
Before we can commence with provisioning any organization-related resources, we need to do some prep work. Let's kick off by creating a folder for our project:
Within that folder we are going to set up the minimal Terraform configuration required and then run the initialization command:
+aws-organizations-example/provider.tf
For the sake of simplicity, the Terraform state will be stored locally. This is not recommended, but fear not: you may refer to the example provided on GitHub and see how S3 can be used as a backend.
+ running terraform init
Since we have laid the groundwork, we are now ready to commission our organization.
First, we'll create a module for organizations:
+aws-organizations-example/organizations/main.tf
+aws-organizations-example/organizations/variables.tf
+aws-organizations-example/organizations/outputs.tf
Next, we'll initialize it:
+aws-organizations-example/main.tf
+ must run terraform init again
And finally, we are going to run terraform plan and, if it goes without a hitch, terraform apply:
+ running terraform plan
+ running terraform apply
When the process completes, you'll see the following message in the AWS Management Console for AWS Organizations:
Now, log in to your mailbox, check for a message from AWS and confirm the ownership of the email account:
Splendid! You've just created your first AWS Organization:
Now, let's get down to creating users, groups and accounts.
We'll commence by creating a module for iam-groups. It will allow us to assign our users to either the administrators or the developers group (or both if we wished, though that would not make much sense):
+aws-organizations-example/iam-groups/main.tf
+aws-organizations-example/iam-groups/variables.tf
Using the above pattern, you can easily add a plethora of other groups depending on your particular needs, e.g. a group for accountants with access only to the Billing section of AWS.
Next, we need a module for iam-users, so let's add it now:
+aws-organizations-example/iam-users/main.tf
+ aws-organizations-example/iam-users/variables.tf
+ aws-organizations-example/iam-users/outputs.tf
Finally, to make it all work, add the following lines to aws-organizations-example/main.tf:
Initialize the modules:
+ run terraform plan followed by terraform apply:
You can grab the output and safely pass it to the user, who can then decrypt the sensitive bits (e.g. the encrypted-secret-access-key) using their PGP key in the following manner:
NB: keybase pgp decrypt can be swapped for pgp --decrypt.
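As an added illustration, not the article's own modules nor the code from its GitHub example, here is the organization, the two groups and one PGP-protected user from the steps above collapsed into a single Terraform file. The region, the user name, the Keybase identity and the choice of AWS-managed policies are assumptions:

```hcl
provider "aws" {
  region = "eu-west-1" # assumed region
}

# The organization itself; "ALL" enables Service Control Policies for part 2.
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
}

# Two groups. Administrators get the AWS-managed AdministratorAccess policy;
# developers get the narrower PowerUserAccess, which excludes IAM management.
resource "aws_iam_group" "administrators" {
  name = "administrators"
}

resource "aws_iam_group_policy_attachment" "administrators" {
  group      = aws_iam_group.administrators.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group" "developers" {
  name = "developers"
}

resource "aws_iam_group_policy_attachment" "developers" {
  group      = aws_iam_group.developers.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

# One developer. Because pgp_key is set, Terraform does not store the plaintext
# secret key in state: only the PGP-encrypted form is kept and output.
resource "aws_iam_user" "dev" {
  name = "jane.doe" # assumed user name
}

resource "aws_iam_user_group_membership" "dev" {
  user   = aws_iam_user.dev.name
  groups = [aws_iam_group.developers.name]
}

resource "aws_iam_access_key" "dev" {
  user    = aws_iam_user.dev.name
  pgp_key = "keybase:jane_doe" # assumed Keybase username of the recipient
}

output "dev_encrypted_secret_access_key" {
  value = aws_iam_access_key.dev.encrypted_secret
}
```

After terraform apply, the recipient recovers the key with `terraform output -raw dev_encrypted_secret_access_key | base64 --decode | keybase pgp decrypt` (the -raw flag needs Terraform 0.15 or later; on older versions strip the surrounding quotes first).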
That's a wrap for part 1. In the next and final part, we'll talk about Organizational Units and Service Control Policies. See you there!