{"id":21514891,"url":"https://github.com/getindata/terraform-aws-organization","last_synced_at":"2025-07-11T16:34:29.738Z","repository":{"id":43187614,"uuid":"510754964","full_name":"getindata/terraform-aws-organization","owner":"getindata","description":"Terraform module for AWS Organization management","archived":false,"fork":false,"pushed_at":"2023-10-20T12:30:13.000Z","size":47,"stargazers_count":8,"open_issues_count":0,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-06-20T11:46:25.317Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/getindata.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-05T13:46:57.000Z","updated_at":"2025-03-17T13:10:20.000Z","dependencies_parsed_at":"2023-10-20T13:50:10.694Z","dependency_job_id":null,"html_url":"https://github.com/getindata/terraform-aws-organization","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":"getindata/terraform-module-template","purl":"pkg:github/getindata/terraform-aws-organization","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-aws-organization","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-aws-organization/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-aws-organization/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-aws-organization/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/getindata","download_url":"https://codeload.github.com/getindata/terraform-aws-organization/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-aws-organization/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264851643,"owners_count":23673270,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-23T23:53:26.751Z","updated_at":"2025-07-11T16:34:29.695Z","avatar_url":"https://github.com/getindata.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform AWS Organization\n\n![AWS](https://img.shields.io/badge/AWS-%23FF9900.svg?style=for-the-badge\u0026logo=amazon-aws\u0026logoColor=white)\n![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge\u0026logo=terraform\u0026logoColor=white)\n\n![License](https://badgen.net/github/license/getindata/terraform-aws-organization/)\n![Release](https://badgen.net/github/release/getindata/terraform-aws-organization/)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg height=\"150\" src=\"https://getindata.com/img/logo.svg\"\u003e\n  \u003ch3 align=\"center\"\u003eWe help companies turn their data into assets\u003c/h3\u003e\n\u003c/p\u003e\n\n---\n\nThis module is able to create and manage AWS organization, accounts, units and policies.\n\nModule itself creates an AWS organization and manages 
additional resources using submodules, placed in `./modules` directory\n\n\u003e **NOTE:**\n\u003e  This module supports only flat organization structure (single level of Organizational Units)\n\n## USAGE\n\n```terraform\nmodule \"aws_organization\" {\n  source  = \"github.com/getindata/terraform-aws-organization\"\n  context = module.this.context\n\n  organizational_units = {\n    test-ou = {\n      name = \"test-ou\"\n      accounts = {\n        test = {\n          email = \"test@example.com\"\n        },\n      }\n    }\n  }\n}\n```\n\n### Import existing AWS resources\n\nYou can import existing AWS resources into terraform state without the need of recreating/destroying the resources. \n\n* Import existing AWS organization to the state:\n\n  ```shell\n  $ terraform import \"module.aws_organization.aws_organizations_organization.this_organizations_organization\" o-1234567\n  ```\n  where `o-1234567` is the AWS Organization ID\n\n* Import existing AWS Organization OU (Organizational Unit)\n\n  ```shell\n  $ terraform import \"module.aws_organization.module.this_organizational_units[\\\"test-ou\\\"].aws_organizations_organizational_unit.this_orgranizations_organizational_unit\" ou-abcd-1234567\n  ```\n  where `ou-abcd-1234567` is the AWS Organization OU ID\n\n* Import existing AWS Account that was created in the current AWS Organization\n\n  ```shell\n  $ terraform import \"module.aws_organization.module.this_organizational_units[\\\"test-ou\\\"].module.this_orgranizations_organizational_unit_account[\\\"test\\\"].aws_organizations_account.this_organizations_account\" 123456789098\n  ```\n  where `123456789098` is the AWS Account ID\n\n## NOTES\n\n_Additional information that should be made public, for ex. 
how to solve known issues, additional descriptions/suggestions_\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## EXAMPLES\n```hcl\nmodule \"aws_organization\" {\n  source  = \"../../\"\n  context = module.this.context\n\n  aws_service_access_principals = [\"sso.amazonaws.com\"]\n\n  policies = {\n    test-policy = {\n      description    = \"testing\"\n      policy_content = file(\"policies/test-policy.json\")\n    },\n  }\n\n  root_policies = [\"test-policy\"]\n\n  root_accounts = {\n    test-root = {\n      email = \"test-root@example.com\"\n    },\n  }\n\n  organizational_units = {\n    test-ou = {\n      name              = \"test-ou\"\n      attached_policies = [\"test-policy\"]\n      accounts = {\n        test = {\n          email = \"test@example.com\"\n        },\n        test2 = {\n          email                      = \"test2@example.com\"\n          name                       = \"test\"\n          role_name                  = \"test\"\n          close_on_deletion          = false\n          iam_user_access_to_billing = \"ALLOW\"\n        }\n      }\n    }\n    prod-ou = {\n      attached_policies = [\"test-policy\"]\n      accounts = {\n        ABC = {\n          email = \"abc@example.com\"\n        }\n      }\n    }\n  }\n}\n```\n\n# AWS Organizations terraform module\n\nThis module is able to create and manage AWS organization, accounts,\nunits and policies\n\nModule itself creates an AWS organization and manages additional resources\nusing submodules, placed in `./modules` directory\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_additional_tag_map\"\u003e\u003c/a\u003e [additional\\_tag\\_map](#input\\_additional\\_tag\\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. 
Not added to `tags` or `id`.\u003cbr\u003eThis is for some rare cases where resources want additional configuration of tags\u003cbr\u003eand therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_attributes\"\u003e\u003c/a\u003e [attributes](#input\\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,\u003cbr\u003ein the order they appear in the list. New attributes are appended to the\u003cbr\u003eend of the list. The elements of the list are joined by the `delimiter`\u003cbr\u003eand treated as a single ID element. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_aws_service_access_principals\"\u003e\u003c/a\u003e [aws\\_service\\_access\\_principals](#input\\_aws\\_service\\_access\\_principals) | List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com | `list(string)` | `null` | no |\n| \u003ca name=\"input_context\"\u003e\u003c/a\u003e [context](#input\\_context) | Single object for setting entire context at once.\u003cbr\u003eSee description of individual variables for details.\u003cbr\u003eLeave string and numeric variables as `null` to use default value.\u003cbr\u003eIndividual variable settings (non-null) override settings in context object,\u003cbr\u003eexcept for attributes, tags, and additional\\_tag\\_map, which are merged. 
| `any` | \u003cpre\u003e{\u003cbr\u003e  \"additional_tag_map\": {},\u003cbr\u003e  \"attributes\": [],\u003cbr\u003e  \"delimiter\": null,\u003cbr\u003e  \"descriptor_formats\": {},\u003cbr\u003e  \"enabled\": true,\u003cbr\u003e  \"environment\": null,\u003cbr\u003e  \"id_length_limit\": null,\u003cbr\u003e  \"label_key_case\": null,\u003cbr\u003e  \"label_order\": [],\u003cbr\u003e  \"label_value_case\": null,\u003cbr\u003e  \"labels_as_tags\": [\u003cbr\u003e    \"unset\"\u003cbr\u003e  ],\u003cbr\u003e  \"name\": null,\u003cbr\u003e  \"namespace\": null,\u003cbr\u003e  \"regex_replace_chars\": null,\u003cbr\u003e  \"stage\": null,\u003cbr\u003e  \"tags\": {},\u003cbr\u003e  \"tenant\": null\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_delimiter\"\u003e\u003c/a\u003e [delimiter](#input\\_delimiter) | Delimiter to be used between ID elements.\u003cbr\u003eDefaults to `-` (hyphen). Set to `\"\"` to use no delimiter at all. | `string` | `null` | no |\n| \u003ca name=\"input_descriptor_formats\"\u003e\u003c/a\u003e [descriptor\\_formats](#input\\_descriptor\\_formats) | Describe additional descriptors to be output in the `descriptors` output map.\u003cbr\u003eMap of maps. Keys are names of descriptors. Values are maps of the form\u003cbr\u003e`{\u003cbr\u003e   format = string\u003cbr\u003e   labels = list(string)\u003cbr\u003e}`\u003cbr\u003e(Type is `any` so the map values can later be enhanced to provide additional options.)\u003cbr\u003e`format` is a Terraform format string to be passed to the `format()` function.\u003cbr\u003e`labels` is a list of labels, in order, to pass to `format()` function.\u003cbr\u003eLabel values will be normalized before being passed to `format()` so they will be\u003cbr\u003eidentical to how they appear in `id`.\u003cbr\u003eDefault is `{}` (`descriptors` output will be empty). 
| `any` | `{}` | no |\n| \u003ca name=\"input_enabled\"\u003e\u003c/a\u003e [enabled](#input\\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |\n| \u003ca name=\"input_enabled_policy_types\"\u003e\u003c/a\u003e [enabled\\_policy\\_types](#input\\_enabled\\_policy\\_types) | List of Organizations policy types to enable in your organization. Valid values are AISERVICES\\_OPT\\_OUT\\_POLICY, BACKUP\\_POLICY, SERVICE\\_CONTROL\\_POLICY, TAG\\_POLICY | `list(string)` | `null` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |\n| \u003ca name=\"input_id_length_limit\"\u003e\u003c/a\u003e [id\\_length\\_limit](#input\\_id\\_length\\_limit) | Limit `id` to this many characters (minimum 6).\u003cbr\u003eSet to `0` for unlimited length.\u003cbr\u003eSet to `null` to keep the existing setting, which defaults to `0`.\u003cbr\u003eDoes not affect `id_full`. | `number` | `null` | no |\n| \u003ca name=\"input_label_key_case\"\u003e\u003c/a\u003e [label\\_key\\_case](#input\\_label\\_key\\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.\u003cbr\u003eDoes not affect keys of tags passed in via the `tags` input.\u003cbr\u003ePossible values: `lower`, `title`, `upper`.\u003cbr\u003eDefault value: `title`. | `string` | `null` | no |\n| \u003ca name=\"input_label_order\"\u003e\u003c/a\u003e [label\\_order](#input\\_label\\_order) | The order in which the labels (ID elements) appear in the `id`.\u003cbr\u003eDefaults to [\"namespace\", \"environment\", \"stage\", \"name\", \"attributes\"].\u003cbr\u003eYou can omit any of the 6 labels (\"tenant\" is the 6th), but at least one must be present. 
| `list(string)` | `null` | no |\n| \u003ca name=\"input_label_value_case\"\u003e\u003c/a\u003e [label\\_value\\_case](#input\\_label\\_value\\_case) | Controls the letter case of ID elements (labels) as included in `id`,\u003cbr\u003eset as tag values, and output by this module individually.\u003cbr\u003eDoes not affect values of tags passed in via the `tags` input.\u003cbr\u003ePossible values: `lower`, `title`, `upper` and `none` (no transformation).\u003cbr\u003eSet this to `title` and set `delimiter` to `\"\"` to yield Pascal Case IDs.\u003cbr\u003eDefault value: `lower`. | `string` | `null` | no |\n| \u003ca name=\"input_labels_as_tags\"\u003e\u003c/a\u003e [labels\\_as\\_tags](#input\\_labels\\_as\\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.\u003cbr\u003eDefault is to include all labels.\u003cbr\u003eTags with empty values will not be included in the `tags` output.\u003cbr\u003eSet to `[]` to suppress all generated tags.\u003cbr\u003e**Notes:**\u003cbr\u003e  The value of the `name` tag, if included, will be the `id`, not the `name`.\u003cbr\u003e  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be\u003cbr\u003e  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | \u003cpre\u003e[\u003cbr\u003e  \"default\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.\u003cbr\u003eThis is the only ID element not also included as a `tag`.\u003cbr\u003eThe \"name\" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e [namespace](#input\\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 
'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |\n| \u003ca name=\"input_organizational_units\"\u003e\u003c/a\u003e [organizational\\_units](#input\\_organizational\\_units) | Flat List of Organizational Units with assigned accounts | `any` | `{}` | no |\n| \u003ca name=\"input_policies\"\u003e\u003c/a\u003e [policies](#input\\_policies) | Organizational policy specification, it should be a map of values:\u003cbr\u003e`{\u003cbr\u003e  name = string\u003cbr\u003e  policy_content = string\u003cbr\u003e\u003cbr\u003e  # Optional parameters\u003cbr\u003e  description = string\u003cbr\u003e  type = string\u003cbr\u003e}`,\u003cbr\u003evalues `name` (policy name) and `policy_content` (JSON policy specification) are mandatory\u003cbr\u003e`description` (description of policy), `type` (organizations policy type - one of \"AISERVICES\\_OPT\\_OUT\\_POLICY\", \"BACKUP\\_POLICY\", \"SERVICE\\_CONTROL\\_POLICY\", \"TAG\\_POLICY\") | `map(any)` | `{}` | no |\n| \u003ca name=\"input_regex_replace_chars\"\u003e\u003c/a\u003e [regex\\_replace\\_chars](#input\\_regex\\_replace\\_chars) | Terraform regular expression (regex) string.\u003cbr\u003eCharacters matching the regex will be removed from the ID elements.\u003cbr\u003eIf not set, `\"/[^a-zA-Z0-9-]/\"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |\n| \u003ca name=\"input_root_accounts\"\u003e\u003c/a\u003e [root\\_accounts](#input\\_root\\_accounts) | AWS accounts not assigned to any OU (parent\\_id = organization root) | `any` | `{}` | no |\n| \u003ca name=\"input_root_policies\"\u003e\u003c/a\u003e [root\\_policies](#input\\_root\\_policies) | A list of policies that should be attached to organizations root | `set(string)` | `[]` | no |\n| \u003ca name=\"input_stage\"\u003e\u003c/a\u003e [stage](#input\\_stage) | ID element. Usually used to indicate role, e.g. 
'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).\u003cbr\u003eNeither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_tenant\"\u003e\u003c/a\u003e [tenant](#input\\_tenant) | ID element \\_(Rarely used, not included by default)\\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_this\"\u003e\u003c/a\u003e [this](#module\\_this) | cloudposse/label/null | 0.25.0 |\n| \u003ca name=\"module_this_organizational_units\"\u003e\u003c/a\u003e [this\\_organizational\\_units](#module\\_this\\_organizational\\_units) | ./modules/organizational-unit | n/a |\n| \u003ca name=\"module_this_policies\"\u003e\u003c/a\u003e [this\\_policies](#module\\_this\\_policies) | ./modules/organizations-policy | n/a |\n| \u003ca name=\"module_this_root_accounts\"\u003e\u003c/a\u003e [this\\_root\\_accounts](#module\\_this\\_root\\_accounts) | ./modules/account | n/a |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_accounts\"\u003e\u003c/a\u003e [accounts](#output\\_accounts) | List of organization accounts including the master account |\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | ARN of the organization |\n| \u003ca name=\"output_id\"\u003e\u003c/a\u003e [id](#output\\_id) | Identifier of the organization |\n| \u003ca name=\"output_master_account_arn\"\u003e\u003c/a\u003e [master\\_account\\_arn](#output\\_master\\_account\\_arn) | ARN of the master account |\n| \u003ca name=\"output_non_master_accounts\"\u003e\u003c/a\u003e [non\\_master\\_accounts](#output\\_non\\_master\\_accounts) | List of organization accounts including the master 
account |\n| \u003ca name=\"output_organizational_units\"\u003e\u003c/a\u003e [organizational\\_units](#output\\_organizational\\_units) | Details of Organizational Units |\n| \u003ca name=\"output_policies\"\u003e\u003c/a\u003e [policies](#output\\_policies) | Details of Policies |\n| \u003ca name=\"output_root_accounts\"\u003e\u003c/a\u003e [root\\_accounts](#output\\_root\\_accounts) | Details of AWS Accounts created under organizations root |\n| \u003ca name=\"output_roots\"\u003e\u003c/a\u003e [roots](#output\\_roots) | List of organization roots |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 3.34 |\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3.34 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_organizations_organization.this_organizations_organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |\n| [aws_organizations_policy_attachment.this_root_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |\n\u003c!-- END_TF_DOCS --\u003e\n\n## CONTRIBUTING\n\nContributions are very welcome!\n\nStart by reviewing the [contribution guide](CONTRIBUTING.md) and our [code of conduct](CODE_OF_CONDUCT.md). After that, start coding and ship your changes by creating a new PR.\n\n## LICENSE\n\nApache 2 Licensed. 
See [LICENSE](LICENSE) for full details.\n\n## AUTHORS\n\n\u003c!--- Replace repository name --\u003e\n\u003ca href=\"https://github.com/getindata/terraform-aws-organization/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=getindata/terraform-aws-organization\" /\u003e\n\u003c/a\u003e\n\nMade with [contrib.rocks](https://contrib.rocks).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-aws-organization","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgetindata%2Fterraform-aws-organization","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-aws-organization/lists"}