Installing a connector on AWS Organization with Terraform

Integrate Apono with your AWS Organization for complete cloud discovery and JIT access management to AWS resources

Intro

Apono connects with the AWS Organization to discover all accounts and their respective cloud resources and services and manage just-in-time, just-enough access to them.

This guide lets you integrate to the AWS Organization with Terraform.

Prerequisites

Terraform
AWS Profile mgmt-account with Admin privileges in the Organization's Management Account
AWS Profile member-account with Admin privileges in one of the Organization's Member Accounts
Activate the CloudFormation StackSet service in your management account

Step by step guide

Go to Integrations catalog, and select AWS integration
Choose Amazon Organization, and in the "Select an Apono Connector", choose "Add new connector"
Copy the token shown in the UI
Run the following Terraform Template:.

The Terraform template does the following:

Installs Apono Connector in a Member Account of the organization
Installs CloudFormation Stack in the Management Account of the organization that: > - Creates IAM Role with policies that allow manage access in IAM Identity Center
- Installs CloudFormation StackSet that creates IAM Role in all member accounts of an Organizational Unit, with policies that allow to list AWS resources

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  alias      = "member_account"
  region     = var.member_account_region
  profile    = "member-account"
}

provider "aws" {
  alias      = "mgmt_account"
  region     = var.mgmt_identity_center_region
  profile    = "mgmt-account"
}


module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-with-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # change to false if the subnets are configured with NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account

  name = "apono-organization-integration"

  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role Arn parameter for the Apono AWS Organization integration"
}

variable "connector_id" {
  description = "A that identifies the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector Token that you copied from the Apono App"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where the IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (put the Root Organizational Unit to include all the accounts the organization)"
  type        = string
}

After the installation finishes, copy and save the Management Account Role ARN from the output
Choose the connector from the dropdown list
Choose the resource types you want to connect, and click Next
Under name, enter a name for the integration (i.e. AWS Organization)
Under Region, select a single region of the AWS resources you want to integrate.
Under AWS SSO Region, enter the region where the IAM Identity Center is configured
In Management Account Role ARN, enter the ARN you copied in step 5
Click Connect

Results

The initial connection should now be in progress! After a few minutes, you should see the AWS Org integration as Active on the Integrations page.

Now, start creating Access Flows for the discovered resources.

Last updated 7 months ago

Was this helpful?

Step by step guide

Go to Integrations catalog, and select AWS integration

Choose Amazon Organization, and in the "Select an Apono Connector", choose "Add new connector"

Copy the token shown in the UI

Run the following Terraform Template:.

The Terraform template does the following:

Installs Apono Connector in a Member Account of the organization
Installs CloudFormation Stack in the Management Account of the organization that: > - Creates IAM Role with policies that allow manage access in IAM Identity Center
- Installs CloudFormation StackSet that creates IAM Role in all member accounts of an Organizational Unit, with policies that allow to list AWS resources

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  alias      = "member_account"
  region     = var.member_account_region
  profile    = "member-account"
}

provider "aws" {
  alias      = "mgmt_account"
  region     = var.mgmt_identity_center_region
  profile    = "mgmt-account"
}


module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-with-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # change to false if the subnets are configured with NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account

  name = "apono-organization-integration"

  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role Arn parameter for the Apono AWS Organization integration"
}

variable "connector_id" {
  description = "A that identifies the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector Token that you copied from the Apono App"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where the IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (put the Root Organizational Unit to include all the accounts the organization)"
  type        = string
}

After the installation finishes, copy and save the Management Account Role ARN from the output

Go back to the

Choose the connector from the dropdown list

Choose the resource types you want to connect, and click Next

Under name, enter a name for the integration (i.e. AWS Organization)

Under Region, select a single region of the AWS resources you want to integrate.

Under AWS SSO Region, enter the region where the IAM Identity Center is configured

Under SSO Portal, enter your SSO Start URL (i.e. )

In Management Account Role ARN, enter the ARN you copied in step 5

Click Connect