Installing a connector on AWS Organization with Terraform

Integrate Apono with your AWS Organization for complete cloud discovery and JIT access management to AWS resources

Last updated 6 months ago

Was this helpful?

Step by step guide

Go to Integrations catalog, and select AWS integration

Choose Amazon Organization, and in the "Select an Apono Connector", choose "Add new connector"

Copy the token shown in the UI

Run the following Terraform Template:.

The Terraform template does the following:

Installs Apono Connector in a Member Account of the organization
Installs CloudFormation Stack in the Management Account of the organization that: > - Creates IAM Role with policies that allow manage access in IAM Identity Center
- Installs CloudFormation StackSet that creates IAM Role in all member accounts of an Organizational Unit, with policies that allow to list AWS resources

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  alias      = "member_account"
  region     = var.member_account_region
  profile    = "member-account"
}

provider "aws" {
  alias      = "mgmt_account"
  region     = var.mgmt_identity_center_region
  profile    = "mgmt-account"
}


module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-with-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # change to false if the subnets are configured with NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account

  name = "apono-organization-integration"

  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role Arn parameter for the Apono AWS Organization integration"
}

variable "connector_id" {
  description = "A that identifies the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector Token that you copied from the Apono App"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where the IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (put the Root Organizational Unit to include all the accounts the organization)"
  type        = string
}

After the installation finishes, copy and save the Management Account Role ARN from the output

Choose the connector from the dropdown list

Choose the resource types you want to connect, and click Next

Under name, enter a name for the integration (i.e. AWS Organization)

Under Region, select a single region of the AWS resources you want to integrate.

Under AWS SSO Region, enter the region where the IAM Identity Center is configured

In Management Account Role ARN, enter the ARN you copied in step 5

Click Connect

Step by step guide

Go to Integrations catalog, and select AWS integration

Choose Amazon Organization, and in the "Select an Apono Connector", choose "Add new connector"

Copy the token shown in the UI

Run the following Terraform Template:.

The Terraform template does the following:

Installs Apono Connector in a Member Account of the organization
Installs CloudFormation Stack in the Management Account of the organization that: > - Creates IAM Role with policies that allow manage access in IAM Identity Center
- Installs CloudFormation StackSet that creates IAM Role in all member accounts of an Organizational Unit, with policies that allow to list AWS resources

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  alias      = "member_account"
  region     = var.member_account_region
  profile    = "member-account"
}

provider "aws" {
  alias      = "mgmt_account"
  region     = var.mgmt_identity_center_region
  profile    = "mgmt-account"
}


module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-with-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # change to false if the subnets are configured with NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account

  name = "apono-organization-integration"

  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role Arn parameter for the Apono AWS Organization integration"
}

variable "connector_id" {
  description = "A that identifies the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector Token that you copied from the Apono App"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where the IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (put the Root Organizational Unit to include all the accounts the organization)"
  type        = string
}

After the installation finishes, copy and save the Management Account Role ARN from the output

Go back to the

Choose the connector from the dropdown list

Choose the resource types you want to connect, and click Next

Under name, enter a name for the integration (i.e. AWS Organization)

Under Region, select a single region of the AWS resources you want to integrate.

Under AWS SSO Region, enter the region where the IAM Identity Center is configured

Under SSO Portal, enter your SSO Start URL (i.e. )

In Management Account Role ARN, enter the ARN you copied in step 5

Click Connect

Installing a connector on AWS Organization with Terraform

Installing a connector on AWS Organization with Terraform

Intro

Prerequisites

Step by step guide

Results

Intro

Prerequisites

Step by step guide

Results