
# Installing a connector on AWS ECS using Terraform (AWS Organization)

## Intro

Apono connects to your AWS Organization to discover all accounts and their cloud resources and services, and manages just-in-time, just-enough access to them.

This guide walks through integrating your AWS Organization with Apono using Terraform.

## Prerequisites

* Terraform
* AWS Profile `mgmt-account` with Admin privileges in the Organization's Management Account
* AWS Profile `member-account` with Admin privileges in one of the Organization's Member Accounts
* Activate trusted access for the CloudFormation StackSets service in your management account\
  <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html>

## Step by step guide

1. Go to the Integrations catalog and select the AWS integration
2. Choose Amazon Organization, and under "Select an Apono Connector" choose "Add new connector"
3. Copy the token shown in the UI
4. Run the following Terraform template:

{% hint style="info" %}
The Terraform template does the following:

* Installs the Apono Connector in a Member Account of the organization
* Installs a CloudFormation Stack in the Management Account of the organization that:
  * Creates an IAM Role with policies that allow managing access in IAM Identity Center
  * Installs a CloudFormation StackSet that creates an IAM Role in all member accounts of an Organizational Unit, with policies that allow listing AWS resources
{% endhint %}

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  alias      = "member_account"
  region     = var.member_account_region
  profile    = "member-account"
}

provider "aws" {
  alias      = "mgmt_account"
  region     = var.mgmt_identity_center_region
  profile    = "mgmt-account"
}


module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-without-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # change to false if the subnets are configured with NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account

  name = "apono-organization-integration"

  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role Arn parameter for the Apono AWS Organization integration"
}
```

```hcl
variable "connector_id" {
  description = "A name that identifies the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector Token that you copied from the Apono App"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where the IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (use the Root Organizational Unit to include all the accounts in the organization)"
  type        = string
}
```

5. After the installation finishes, copy and save the Management Account Role ARN from the output
6. Go back to the [Amazon Organization integration](https://app.apono.io/catalog/connect-integrations-group/amazon-web-services)
7. Choose the connector from the dropdown list
8. Choose the resource types you want to connect, and click Next
9. Under Name, enter a name for the integration (e.g. AWS Organization)
10. Under Region, select a single region of the AWS resources you want to integrate
11. Under AWS SSO Region, enter the region where the IAM Identity Center is configured
12. Under SSO Portal, enter your SSO Start URL (e.g. <https://mycompany.awsapps.com/start/#/>)
13. In Management Account Role ARN, enter the ARN you copied in step 5
14. Click Connect

## Results

The initial connection should now be in progress! After a few minutes, you should see the AWS Org integration as Active on the Integrations page.

Now, start creating Access Flows for the discovered resources.

