Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/be-bold/terraform-aws-account-lookup

This Terraform module allows querying AWS accounts and outputs the accounts in various mappings or as a complete list, with the ability to apply a search filter to the account list and group the accounts by existing tags using a sub-module.
https://github.com/be-bold/terraform-aws-account-lookup

aws terraform terraform-module

Last synced: about 1 month ago
JSON representation

This Terraform module allows querying AWS accounts and outputs the accounts in various mappings or as a complete list, with the ability to apply a search filter to the account list and group the accounts by existing tags using a sub-module.

Awesome Lists containing this project

README

        

# terraform-aws-account-lookup

ℹ️ Use this module in combination with the [filter submodule](https://github.com/be-bold/terraform-aws-account-lookup/tree/main/modules/filter) to further narrow down the list of accounts and be able to group them using tags.

## What it does

This module allows you to list AWS accounts of an organization in various forms. Once initialized you can retrieve the following data:
* Organization id
* Account id of your organizations management account
* Name of your organizations management account
* Mapping `id` _to_ `name`
* Mapping `name` _to_ `id`
* Mapping `id` _to_ `tags`
* Mapping `name` _to_ `tags`
* A list of all accounts with all of their properties present (`id`, `arn`, `name`, `email`, `status`, `tags`)

## How to use

The role with which you are running terraform on this module requires the following permissions:

```text
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization"
```

Either the role on your default provider allows these actions already or you want to add them to that role.
Alternatively you can create a distinct role for this case. We'll have a look at both cases down below.

### Using default provider

Call the module using this provider and decide whether to include the management account in the output lists or not (default is `true`):

```hcl
module "lookup" {
source = "be-bold/account-lookup/aws"
version = "#.#.#"
include_management_account = false
}
```

**Done**. Now call one of the multiple output options:

````hcl
output "show" {
value = module.lookup.mapping_id_to_name
}
````

### Custom role

You need a role which allows the following actions:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization"
],
"Resource": "*"
}
]
}
```

Create a provider which references this role:

```hcl
provider "aws" {
region = "YOUR-REGION-HERE"
alias = "organization_read_role"

assume_role {
role_arn = "arn:aws:iam::############:role/organization-read-role"
}
}
```

**Done**. Now call the module using this provider and decide whether to include the management account in the output lists or not (default is `true`):

```hcl
module "lookup" {
source = "be-bold/account-lookup/aws"
version = "#.#.#"
providers = {
aws = aws.organization_read_role
}
include_management_account = false
}
```

Call one of the multiple output options:

````hcl
output "show" {
value = module.lookup.mapping_id_to_name
}
````

## Further filtering

Use the [filter submodule](https://github.com/be-bold/terraform-aws-account-lookup/tree/main/modules/filter) for even more control on your lists.
Have a look at the **examples** as well.