Installing a connector on AWS Organization with Terraform
Integrate Apono with your AWS Organization for complete cloud discovery and JIT access management to AWS resources
Intro
Apono connects with the AWS Organization to discover all accounts and their respective cloud resources and services and manage just-in-time, just-enough access to them.
This guide walks you through integrating with the AWS Organization using Terraform.
Prerequisites
- Terraform
- An AWS profile named mgmt-account with Admin privileges in the Organization's Management Account
- An AWS profile named member-account with Admin privileges in one of the Organization's Member Accounts
- CloudFormation StackSets trusted access activated in your management account: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html
Step by step guide
1. Go to the Integrations catalog and select the AWS integration.
2. Choose Amazon Organization, and under "Select an Apono Connector" choose "Add new connector".
3. Copy the token shown in the UI.
4. Run the following Terraform template:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

# Member account: hosts the connector itself
provider "aws" {
  alias   = "member_account"
  region  = var.member_account_region
  profile = "member-account"
}

# Management account: hosts the cross-account roles the connector assumes
provider "aws" {
  alias   = "mgmt_account"
  region  = var.mgmt_identity_center_region
  profile = "mgmt-account"
}

module "apono-connector" {
  providers = {
    aws = aws.member_account
  }
  source         = "github.com/apono-io/terraform-modules/aws/connector-with-permissions/stacks/apono-connector"
  connectorId    = var.connector_id
  aponoToken     = var.apono_token_connector
  vpcId          = var.member_account_vpc_id
  subnetIds      = var.member_account_subnet_ids
  assignPublicIp = true # set to false if the subnets reach the internet through a NAT gateway
}

resource "aws_cloudformation_stack" "connector_roles" {
  provider = aws.mgmt_account
  name     = "apono-organization-integration"
  parameters = {
    AponoConnectorId     = var.connector_id
    ConnectorRoleArn     = module.apono-connector.connector_role_arn
    OrganizationalUnitId = var.org_unit_id
  }
  capabilities = ["CAPABILITY_NAMED_IAM"]
  template_url = "https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml"
}

output "mgmt_account_role_arn" {
  value       = aws_cloudformation_stack.connector_roles.outputs.ManagementAccountRoleArnOutput
  description = "The Management Account Role ARN parameter for the Apono AWS Organization integration"
}

variable "connector_id" {
  description = "An identifier for the Connector."
  type        = string
  default     = "apono-organization-connector"
}

variable "apono_token_connector" {
  description = "Connector token that you copied from the Apono app"
  type        = string
}

variable "member_account_region" {
  description = "The region where the Apono connector will be deployed"
  type        = string
}

variable "member_account_vpc_id" {
  description = "The VPC ID where the Apono connector will be deployed (example value: vpc-000000000)"
  type        = string
}

variable "member_account_subnet_ids" {
  description = "List of subnet IDs for the Apono connector (example value: [\"subnet-00000000000\"])"
  type        = list(string)
}

variable "mgmt_identity_center_region" {
  description = "The region where IAM Identity Center is configured"
  type        = string
}

variable "org_unit_id" {
  description = "The Organizational Unit of the accounts to be discoverable by Apono (use the Root Organizational Unit to include all accounts in the organization)"
  type        = string
}
```

5. After the installation finishes, copy and save the Management Account Role ARN from the output.
6. Go back to the Amazon Organization integration.
7. Choose the connector from the dropdown list.
8. Choose the resource types you want to connect, and click Next.
9. Under Name, enter a name for the integration (e.g. AWS Organization).
10. Under Region, select a single region of the AWS resources you want to integrate.
11. Under AWS SSO Region, enter the region where IAM Identity Center is configured.
12. Under SSO Portal, enter your SSO Start URL (e.g. https://mycompany.awsapps.com/start/#/).
13. In Management Account Role ARN, enter the ARN you copied in step 5.
14. Click Connect.
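The role whose ARN you copy in step 5 is the cross-account role that the connector role (ConnectorRoleArn) assumes in the management account. Before handing that ARN to the integration, it is worth confirming that the role's trust policy admits only the connector role and no whole-account principal. The checker below is an added example, not Apono's or the template's own code; the policy documents in it are constructed samples, since the actual trust policy produced by the template is not shown on this page, and the role ARN is a placeholder.

```python
import json

# Connector role ARN as emitted by module.apono-connector.connector_role_arn;
# the value below is a constructed placeholder for this example.
CONNECTOR_ROLE_ARN = "arn:aws:iam::111111111111:role/apono-organization-connector"

def _as_list(value):
    """Normalise IAM's string-or-list fields to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy_doc, connector_role_arn):
    """Audit an assume-role (trust) policy document. Returns a list of findings;
    an empty list means only connector_role_arn may call sts:AssumeRole on the role."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    allowed = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            allowed.add("*")
        else:
            allowed.update(_as_list(principal.get("AWS")))
    findings = []
    if connector_role_arn not in allowed:
        findings.append("connector role is not trusted; the connector cannot assume this role")
    for p in sorted(allowed - {connector_role_arn}):
        if p == "*" or p.endswith(":root") or p.isdigit():
            findings.append(f"over-broad principal {p!r}: any identity in that account may assume the role")
        else:
            findings.append(f"unexpected principal {p!r}")
    return findings

# Constructed sample trust policies (the real template's policy is not on the page).
EXPECTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CONNECTOR_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root", CONNECTOR_ROLE_ARN]}}]}

if __name__ == "__main__":
    # For the deployed role, fetch the document with the mgmt-account profile, e.g.:
    #   aws --profile mgmt-account iam get-role --role-name <name from the output ARN> \
    #       --query Role.AssumeRolePolicyDocument
    for name, doc in (("expected", EXPECTED_POLICY), ("over-broad", OVERBROAD_POLICY)):
        print(name, trust_policy_findings(doc, CONNECTOR_ROLE_ARN) or ["OK"])
```

The second sample shows why the check matters: trusting the account root alongside the connector role lets any principal in that member account with sts:AssumeRole rights take on the management-account role, not just the connector.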
Results
The initial connection should now be in progress! After a few minutes, you should see the AWS Org integration as Active on the Integrations page.
Now, start creating Access Flows for the discovered resources.