Amazon Organization

Integrate all accounts and resources, and manage access with IAM Identity Center (SSO)

Example Usage

aws-organization-integration.tf

resource "apono_integration" "aws-organization-integration" {
  name                     = "Amazon Organization"
  type                     = "aws-organization"
  connector_id             = "apono-connector-id"
  connected_resource_types = ["aws-organization-account"]
  metadata = {
    region = "<Region>"
    aws_sso_region = "<AWS SSO Region>"
    aws_sso_portal = "<SSO Portal>"
    management_account_role_arn = "<Management Account Role ARN>"
    filter_not_organizational_unit_ids = "<Exclude Organizational Unit IDs>"
    user_assuming_role_arns = "<Assumable Roles>"
    session_duration_hours = "<Session Duration (in Hours)>"
    filter_not_account_ids = "<Exclude Account IDs>"
    enable_audit = "<Enable Audit>"
  }
}

aws-organization-integration.tf

resource "apono_resource_integration" "aws-organization-integration" {
  name                     = "Amazon Organization"
  type                     = "aws-organization"
  connector_id             = "apono-connector-id"
  connected_resource_types = ["aws-organization-account"]
  integration_config = {
    region = "<Region>"
    aws_sso_region = "<AWS SSO Region>"
    aws_sso_portal = "<SSO Portal>"
    management_account_role_arn = "<Management Account Role ARN>"
    filter_not_organizational_unit_ids = "<Exclude Organizational Unit IDs>"
    user_assuming_role_arns = "<Assumable Roles>"
    session_duration_hours = "<Session Duration (in Hours)>"
    filter_not_account_ids = "<Exclude Account IDs>"
    enable_audit = "<Enable Audit>"
  }
}

aws-organization-integration.json

{
    "aws-organization-integration": {
        "name": "Amazon Organization",
        "type": "aws-organization",
        "connector_id": "apono-connector-id",
        "connected_resource_types": [
            "aws-organization-account"
        ],
        "integration_config": {
            "region": "<Region>",
            "aws_sso_region": "<AWS SSO Region>",
            "aws_sso_portal": "<SSO Portal>",
            "management_account_role_arn": "<Management Account Role ARN>",
            "filter_not_organizational_unit_ids": "<Exclude Organizational Unit IDs>",
            "user_assuming_role_arns": "<Assumable Roles>",
            "session_duration_hours": "<Session Duration (in Hours)>",
            "filter_not_account_ids": "<Exclude Account IDs>",
            "enable_audit": "<Enable Audit>",
        }
    }
}

Schema

type aws-organization
connected_resource_types List of resource types to sync.

Available resource types you can use

aws-organization-account
aws-organization-s3-bucket
aws-organization-s3-folder
aws-organization-iam-group
aws-organization-iam-role
aws-organization-customer-managed-iam-policy
aws-organization-account-iam-managed-policy
aws-organization-systems-manager-parameter-store
aws-organization-systems-manager-parameter-store-param
aws-organization-ec2-loadbalancer
aws-organization-ec2-instance
aws-organization-ec2-service
aws-organization-ecr
aws-organization-ecr-repository
aws-organization-ecs-cluster
aws-organization-sagemaker-notebook
aws-organization-lambda-function
aws-organization-secrets-manager-secret
aws-organization-sqs-queue
aws-organization-sns-topic
aws-organization-dynamodb-table
aws-organization-cloudformation-stack
aws-organization-cloudformation-stackset
aws-organization-kms-key
aws-organization-emr-cluster
aws-organization-acm-certificate
aws-organization-ses
aws-organization-cognito
aws-organization-elasticache
aws-organization-route53
aws-organization-route53-hostedzone
aws-organization-permission-boundary

Integration Config

region (Required | String) Region
- Possible values: us-east-1, us-east-2, us-west-1, us-west-2, eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-south-1, eu-south-2, eu-west-3, eu-north-1, af-south-1, ap-east-1, ap-southeast-3, ap-southeast-4, ap-southeast-5, ap-southeast-7, ap-south-1, ap-south-2, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, ca-west-1, me-south-1, me-central-1, sa-east-1, il-central-1, mx-central-1
aws_sso_region (Required | String) AWS SSO Region
- Default value: us-east-1
- Possible values: us-east-1, us-east-2, us-west-1, us-west-2, eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-south-1, eu-south-2, eu-west-3, eu-north-1, af-south-1, ap-east-1, ap-southeast-3, ap-southeast-4, ap-southeast-5, ap-southeast-7, ap-south-1, ap-south-2, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, ca-west-1, me-south-1, me-central-1, sa-east-1, il-central-1, mx-central-1
aws_sso_portal (Required | String) SSO Portal
management_account_role_arn (Optional | String) Management Account Role ARN
filter_not_organizational_unit_ids (Optional | String) Exclude Organizational Unit IDs
user_assuming_role_arns (Optional | String) Assumable Roles
session_duration_hours (Optional | String) Session Duration (in Hours)
- Possible values: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
filter_not_account_ids (Optional | String) Exclude Account IDs
enable_audit (Optional | String) Enable Audit
- Default value: false
- Possible values: true, false

PreviousAWS Lambda Custom Integration NextAWS RDS MySQL

Last updated 3 days ago

Was this helpful?