├── .github ├── ISSUE_TEMPLATE │ ├── question.md │ ├── config.yml │ ├── bug_report.yml │ └── feature_request.yml ├── mergify.yml ├── banner.png ├── workflows │ ├── release.yml │ ├── scheduled.yml │ ├── chatops.yml │ └── branch.yml ├── renovate.json ├── settings.yml ├── PULL_REQUEST_TEMPLATE.md └── CODEOWNERS ├── .gitignore ├── example ├── outputs.tf ├── provider.tf └── main.tf ├── .travis.yml ├── atmos.yaml ├── output.tf ├── variables.tf ├── main.tf ├── README.yaml ├── LICENSE └── README.md /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.github/mergify.yml: -------------------------------------------------------------------------------- 1 | extends: .github 2 | -------------------------------------------------------------------------------- /.github/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudposse/terraform-aws-organization-access-group/HEAD/.github/banner.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled files 2 | *.tfstate 3 | *.tfstate.backup 4 | 5 | # Module directory 6 | .terraform/ 7 | .idea 8 | *.iml 9 | 10 | .build-harness 11 | build-harness -------------------------------------------------------------------------------- /example/outputs.tf: -------------------------------------------------------------------------------- 1 | output "data_switchrole_urls" { 2 | description = "List of URL to the IAM console to switch to the roles" 3 | value = ["${module.organization_access_group_data.switchrole_urls}"] 4 | } 5 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | addons: 2 | apt: 3 | packages: 4 | - git 5 | - make 6 | - curl 7 | 8 | install: 9 | - make init 10 | 11 | script: 12 | - make terraform/install 13 | - make terraform/get-plugins 14 | - make terraform/get-modules 15 | - make terraform/lint 16 | - make terraform/validate 17 | -------------------------------------------------------------------------------- /example/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-west-2" 3 | 4 | # Make it faster by skipping the checks 5 | skip_get_ec2_platforms = true 6 | skip_metadata_api_check = true 7 | skip_region_validation = true 8 | skip_credentials_validation = true 9 | skip_requesting_account_id = true 10 | } 11 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: release 3 | on: 4 | release: 5 | types: 6 | - published 7 | 8 | permissions: 9 | id-token: write 10 | contents: write 11 | pull-requests: write 12 | 13 | jobs: 14 | terraform-module: 15 | uses: cloudposse/.github/.github/workflows/shared-release-branches.yml@main 16 | secrets: inherit 17 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base", 4 | ":preserveSemverRanges" 5 | ], 6 | "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"], 7 | "labels": ["auto-update"], 8 | "dependencyDashboardAutoclose": true, 9 | "enabledManagers": ["terraform"], 10 | "terraform": { 11 | "ignorePaths": ["**/context.tf", "examples/**"] 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /.github/workflows/scheduled.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: scheduled 3 | on: 4 | workflow_dispatch: { } # Allows manually trigger this workflow 5 | schedule: 6 | - cron: "0 3 * * *" 7 | 8 | permissions: 9 | pull-requests: write 10 | id-token: write 11 | contents: write 12 | 13 | jobs: 14 | scheduled: 15 | uses: cloudposse/.github/.github/workflows/shared-terraform-scheduled.yml@main 16 | secrets: inherit 17 | -------------------------------------------------------------------------------- /.github/workflows/chatops.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: chatops 3 | on: 4 | issue_comment: 5 | types: [created] 6 | 7 | permissions: 8 | pull-requests: write 9 | id-token: write 10 | contents: write 11 | statuses: write 12 | 13 | jobs: 14 | test: 15 | uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main 16 | if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }} 17 | secrets: inherit 18 | -------------------------------------------------------------------------------- /example/main.tf: -------------------------------------------------------------------------------- 1 | # Provision group access to data account 2 | module "organization_access_group_data" { 3 | source = "../" 4 | enabled = "true" 5 | namespace = "eg" 6 | stage = "prod" 7 | name = "chamber" 8 | user_names = [] 9 | require_mfa = "true" 10 | 11 | role_arns = { 12 | "cp@prod" = "arn:aws:iam::324440167066:role/OrganizationAccountAccessRole" 13 | "cp@dev" = "arn:aws:iam::321110167044:role/OrganizationAccountAccessRole" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /atmos.yaml: -------------------------------------------------------------------------------- 1 | # Atmos Configuration — powered by https://atmos.tools 2 | # 3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos. 4 | # 5 | # Included features: 6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands 7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate 8 | # 9 | 10 | # Import shared configuration used by all modules 11 | import: 12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml 13 | -------------------------------------------------------------------------------- /.github/settings.yml: -------------------------------------------------------------------------------- 1 | # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch. 2 | _extends: .github 3 | repository: 4 | name: terraform-aws-organization-access-group 5 | description: Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account 6 | homepage: https://cloudposse.com/accelerate 7 | topics: terraform, terraform-module, iam, group, iam-role, iam-policy, aws, cross-account 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /.github/workflows/branch.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Branch 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | - release/** 8 | types: [opened, synchronize, reopened, labeled, unlabeled] 9 | push: 10 | branches: 11 | - main 12 | - release/v* 13 | paths-ignore: 14 | - '.github/**' 15 | - 'docs/**' 16 | - 'examples/**' 17 | - 'test/**' 18 | - 'README.md' 19 | 20 | permissions: {} 21 | 22 | jobs: 23 | terraform-module: 24 | uses: cloudposse/.github/.github/workflows/shared-terraform-module.yml@main 25 | secrets: inherit 26 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | 3 | contact_links: 4 | 5 | - name: Community Slack Team 6 | url: https://cloudposse.com/slack/ 7 | about: |- 8 | Please ask and answer questions here. 9 | 10 | - name: Office Hours 11 | url: https://cloudposse.com/office-hours/ 12 | about: |- 13 | Join us every Wednesday for FREE Office Hours (lunch & learn). 14 | 15 | - name: DevOps Accelerator Program 16 | url: https://cloudposse.com/accelerate/ 17 | about: |- 18 | Own your infrastructure in record time. We build it. You drive it. 19 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## what 2 | 3 | 7 | 8 | ## why 9 | 10 | 15 | 16 | ## references 17 | 18 | 22 | -------------------------------------------------------------------------------- /output.tf: -------------------------------------------------------------------------------- 1 | output "group_name" { 2 | value = join("", aws_iam_group.default.*.name) 3 | description = "The Group's name" 4 | } 5 | 6 | output "group_id" { 7 | value = join("", aws_iam_group.default.*.id) 8 | description = "The Group's ID" 9 | } 10 | 11 | output "group_unique_id" { 12 | value = join("", aws_iam_group.default.*.unique_id) 13 | description = "Group's unique ID assigned by AWS" 14 | } 15 | 16 | output "group_arn" { 17 | value = join("", aws_iam_group.default.*.arn) 18 | description = "The ARN assigned by AWS for the Group" 19 | } 20 | 21 | output "policy_name" { 22 | value = join("", coalescelist(aws_iam_group_policy.without_mfa.*.name, aws_iam_group_policy.with_mfa.*.name)) 23 | description = "The name of the policy" 24 | } 25 | 26 | output "policy_id" { 27 | value = join("", coalescelist(aws_iam_group_policy.without_mfa.*.id, aws_iam_group_policy.with_mfa.*.id)) 28 | description = "The policy ID" 29 | } 30 | 31 | output "switchrole_urls" { 32 | description = "List of URL to the IAM console to switch to the roles" 33 | value = ["${formatlist(var.switchrole_url_template, null_resource.role.*.triggers.account_id, null_resource.role.*.triggers.role_name, null_resource.role.*.triggers.alias)}"] 34 | } 35 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Use this file to define individuals or teams that are responsible for code in a repository. 2 | # Read more: 3 | # 4 | # Order is important: the last matching pattern has the highest precedence 5 | 6 | # These owners will be the default owners for everything 7 | * @cloudposse/engineering @cloudposse/contributors 8 | 9 | # Cloud Posse must review any changes to Makefiles 10 | **/Makefile @cloudposse/engineering 11 | **/Makefile.* @cloudposse/engineering 12 | 13 | # Cloud Posse must review any changes to GitHub actions 14 | .github/* @cloudposse/engineering 15 | 16 | # Cloud Posse must review any changes to standard context definition, 17 | # but some changes can be rubber-stamped. 18 | **/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 19 | README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 20 | README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 21 | docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 22 | 23 | # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration 24 | .github/mergify.yml @cloudposse/admins 25 | .github/CODEOWNERS @cloudposse/admins 26 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | variable "user_names" { 2 | type = list(string) 3 | description = "A list of IAM User names to associate with the Group" 4 | } 5 | 6 | variable "role_arns" { 7 | type = map(string) 8 | default = {} 9 | description = "A map of alias -> IAM Role ARNs the users in the Group can assume" 10 | } 11 | 12 | variable "require_mfa" { 13 | type = string 14 | default = "false" 15 | description = "Require the users to have MFA enabled" 16 | } 17 | 18 | variable "enabled" { 19 | type = string 20 | description = "Whether to create these resources" 21 | default = "true" 22 | } 23 | 24 | variable "namespace" { 25 | type = string 26 | description = "Namespace (e.g. `cp` or `cloudposse`)" 27 | } 28 | 29 | variable "stage" { 30 | type = string 31 | description = "Stage (e.g. `prod`, `dev`, `staging`, `infra`)" 32 | } 33 | 34 | variable "name" { 35 | type = string 36 | description = "Name (e.g. `app` or `cluster`)" 37 | } 38 | 39 | variable "switchrole_url_template" { 40 | type = string 41 | description = "URL template for the IAM console to switch to the roles" 42 | default = "https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s" 43 | } 44 | 45 | variable "delimiter" { 46 | type = string 47 | default = "-" 48 | description = "Delimiter to be used between `namespace`, `stage`, `name`, and `attributes`" 49 | } 50 | 51 | variable "attributes" { 52 | type = list(string) 53 | default = [] 54 | description = "Additional attributes (e.g. `1`)" 55 | } 56 | 57 | variable "tags" { 58 | type = map(string) 59 | default = {} 60 | description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)" 61 | } 62 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | description: Create a report to help us improve 4 | labels: ["bug"] 5 | assignees: [""] 6 | body: 7 | - type: markdown 8 | attributes: 9 | value: | 10 | Found a bug? 11 | 12 | Please checkout our [Slack Community](https://slack.cloudposse.com) 13 | or visit our [Slack Archive](https://archive.sweetops.com/). 14 | 15 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 16 | 17 | - type: textarea 18 | id: concise-description 19 | attributes: 20 | label: Describe the Bug 21 | description: A clear and concise description of what the bug is. 22 | placeholder: What is the bug about? 23 | validations: 24 | required: true 25 | 26 | - type: textarea 27 | id: expected 28 | attributes: 29 | label: Expected Behavior 30 | description: A clear and concise description of what you expected. 31 | placeholder: What happened? 32 | validations: 33 | required: true 34 | 35 | - type: textarea 36 | id: reproduction-steps 37 | attributes: 38 | label: Steps to Reproduce 39 | description: Steps to reproduce the behavior. 40 | placeholder: How do we reproduce it? 41 | validations: 42 | required: true 43 | 44 | - type: textarea 45 | id: screenshots 46 | attributes: 47 | label: Screenshots 48 | description: If applicable, add screenshots or logs to help explain. 49 | validations: 50 | required: false 51 | 52 | - type: textarea 53 | id: environment 54 | attributes: 55 | label: Environment 56 | description: Anything that will help us triage the bug. 57 | placeholder: | 58 | - OS: [e.g. Linux, OSX, WSL, etc] 59 | - Version [e.g. 10.15] 60 | - Module version 61 | - Terraform version 62 | validations: 63 | required: false 64 | 65 | - type: textarea 66 | id: additional 67 | attributes: 68 | label: Additional Context 69 | description: | 70 | Add any other context about the problem here. 71 | validations: 72 | required: false 73 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature Request 3 | description: Suggest an idea for this project 4 | labels: ["feature request"] 5 | assignees: [""] 6 | body: 7 | - type: markdown 8 | attributes: 9 | value: | 10 | Have a question? 11 | 12 | Please checkout our [Slack Community](https://slack.cloudposse.com) 13 | or visit our [Slack Archive](https://archive.sweetops.com/). 14 | 15 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 16 | 17 | - type: textarea 18 | id: concise-description 19 | attributes: 20 | label: Describe the Feature 21 | description: A clear and concise description of what the feature is. 22 | placeholder: What is the feature about? 23 | validations: 24 | required: true 25 | 26 | - type: textarea 27 | id: expected 28 | attributes: 29 | label: Expected Behavior 30 | description: A clear and concise description of what you expected. 31 | placeholder: What happened? 32 | validations: 33 | required: true 34 | 35 | - type: textarea 36 | id: use-case 37 | attributes: 38 | label: Use Case 39 | description: | 40 | Is your feature request related to a problem/challenge you are trying 41 | to solve? 42 | 43 | Please provide some additional context of why this feature or 44 | capability will be valuable. 45 | validations: 46 | required: true 47 | 48 | - type: textarea 49 | id: ideal-solution 50 | attributes: 51 | label: Describe Ideal Solution 52 | description: A clear and concise description of what you want to happen. 53 | validations: 54 | required: true 55 | 56 | - type: textarea 57 | id: alternatives-considered 58 | attributes: 59 | label: Alternatives Considered 60 | description: Explain alternative solutions or features considered. 61 | validations: 62 | required: false 63 | 64 | - type: textarea 65 | id: additional 66 | attributes: 67 | label: Additional Context 68 | description: | 69 | Add any other context about the problem here. 70 | validations: 71 | required: false 72 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | module "label" { 2 | source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3" 3 | namespace = var.namespace 4 | name = var.name 5 | stage = var.stage 6 | delimiter = var.delimiter 7 | attributes = var.attributes 8 | tags = var.tags 9 | } 10 | 11 | locals { 12 | enabled = var.enabled == "true" ? true : false 13 | require_mfa = var.require_mfa == "true" ? true : false 14 | role_arns = ["${values(var.role_arns)}"] 15 | role_aliases = ["${keys(var.role_arns)}"] 16 | } 17 | 18 | resource "null_resource" "role" { 19 | count = length(values(var.role_arns)) 20 | 21 | triggers = { 22 | account_id = "${element(split(":", element(local.role_arns, count.index)), 4)}" 23 | role_name = "${element(split("/", element(split(":", element(local.role_arns, count.index)), 5)), 1)}" 24 | alias = "${element(local.role_aliases, count.index)}" 25 | } 26 | 27 | lifecycle { 28 | create_before_destroy = true 29 | } 30 | } 31 | 32 | # https://www.terraform.io/docs/providers/aws/r/iam_group.html 33 | resource "aws_iam_group" "default" { 34 | count = local.enabled ? 1 : 0 35 | name = module.label.id 36 | } 37 | 38 | # https://www.terraform.io/docs/providers/aws/r/iam_user_group_membership.html 39 | resource "aws_iam_user_group_membership" "default" { 40 | count = local.enabled && length(var.user_names) > 0 ? length(var.user_names) : 0 41 | user = element(var.user_names, count.index) 42 | groups = ["${join("", aws_iam_group.default.*.id)}"] 43 | } 44 | 45 | # https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html 46 | data "aws_iam_policy_document" "with_mfa" { 47 | count = local.enabled && local.require_mfa ? 1 : 0 48 | 49 | statement { 50 | actions = [ 51 | "sts:AssumeRole", 52 | ] 53 | 54 | resources = ["${local.role_arns}"] 55 | 56 | condition { 57 | test = "Bool" 58 | variable = "aws:MultiFactorAuthPresent" 59 | values = ["true"] 60 | } 61 | 62 | effect = "Allow" 63 | } 64 | } 65 | 66 | resource "aws_iam_group_policy" "with_mfa" { 67 | count = local.enabled && local.require_mfa ? 1 : 0 68 | name = module.label.id 69 | group = join("", aws_iam_group.default.*.id) 70 | policy = data.aws_iam_policy_document.with_mfa.json 71 | } 72 | 73 | data "aws_iam_policy_document" "without_mfa" { 74 | count = local.enabled && local.require_mfa == false ? 1 : 0 75 | 76 | statement { 77 | actions = [ 78 | "sts:AssumeRole", 79 | ] 80 | 81 | resources = ["${local.role_arns}"] 82 | 83 | effect = "Allow" 84 | } 85 | } 86 | 87 | resource "aws_iam_group_policy" "without_mfa" { 88 | count = local.enabled && local.require_mfa == false ? 1 : 0 89 | name = module.label.id 90 | group = join("", aws_iam_group.default.*.id) 91 | policy = data.aws_iam_policy_document.without_mfa.json 92 | } 93 | -------------------------------------------------------------------------------- /README.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # This is the canonical configuration for the `README.md` 3 | # Run `make readme` to rebuild the `README.md` 4 | # 5 | 6 | # Name of this project 7 | name: terraform-aws-organization-access-group 8 | 9 | # Tags of this project 10 | tags: 11 | - aws 12 | - terraform 13 | - terraform-modules 14 | - security 15 | - iam 16 | - group 17 | - iam-role 18 | - iam-policy 19 | - cross-account 20 | 21 | # Categories of this project 22 | categories: 23 | - terraform-modules/security 24 | 25 | # Logo for this project 26 | #logo: docs/logo.png 27 | 28 | # License of this project 29 | license: "APACHE2" 30 | 31 | # Canonical GitHub repo 32 | github_repo: cloudposse/terraform-aws-organization-access-group 33 | 34 | # Badges to display 35 | badges: 36 | - name: Latest Release 37 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-organization-access-group.svg?style=for-the-badge 38 | url: https://github.com/cloudposse/terraform-aws-organization-access-group/releases/latest 39 | - name: Last Updated 40 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-organization-access-group.svg?style=for-the-badge 41 | url: https://github.com/cloudposse/terraform-aws-organization-access-group/commits 42 | - name: Slack Community 43 | image: https://slack.cloudposse.com/for-the-badge.svg 44 | url: https://cloudposse.com/slack 45 | 46 | # List any related terraform modules that this module may be used with or that this module depends on. 47 | related: 48 | - name: "terraform-aws-organization-access-role" 49 | description: "Terraform module to create an IAM Role to grant permissions to delegated IAM users in the master account to access an invited member account" 50 | url: "https://github.com/cloudposse/terraform-aws-organization-access-role" 51 | 52 | # Short description of this project 53 | description: |- 54 | Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account 55 | 56 | https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html 57 | 58 | introduction: |- 59 | By default, when you create a member account as part of your Organization, AWS automatically creates `OrganizationAccountAccessRole` in the member account. 60 | 61 | The role grants admin permissions to access the member account to delegated IAM users in the master account. 62 | 63 | In the master account you need to create a Policy to grant permissions to IAM users to assume `OrganizationAccountAccessRole` in the member account. 64 | 65 | This module does the following: 66 | 67 | 1. Creates an IAM Group 68 | 2. Adds the provided IAM users to the Group 69 | 3. Creates a Policy to grant permissions to the IAM users in the master account to assume `OrganizationAccountAccessRole` in the member account 70 | 4. Attaches the Policy to the Group 71 | 72 | 73 | Users who are members of the Group will be able to assume the role and administer the member account by going here: 74 | 75 | (change `XXXXXXXXXXXX` to the ID of the member account) 76 | 77 | ``` 78 | https://signin.aws.amazon.com/switchrole 79 | ?account=XXXXXXXXXXXX 80 | &roleName=OrganizationAccountAccessRole 81 | &displayName=Dev 82 | ``` 83 | 84 | 85 |
86 | 87 | __NOTE__: Member accounts that you invite to join your Organization (that are not part of your Organization) do not automatically get `OrganizationAccountAccessRole` created. 88 | You can use [terraform-aws-organization-access-role](https://github.com/cloudposse/terraform-aws-organization-access-role) module to create `OrganizationAccountAccessRole` role in an invited member account. 89 | 90 |
91 | 92 | # How to use this project 93 | usage: |- 94 | ```hcl 95 | module "organization_access_group" { 96 | source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=master" 97 | namespace = "cp" 98 | stage = "dev" 99 | name = "cluster" 100 | user_names = ["User1","User2"] 101 | role_arns = { 102 | "cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole" 103 | } 104 | require_mfa = "true" 105 | } 106 | ``` 107 | 108 | include: [] 109 | contributors: [] 110 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2018 Cloud Posse, LLC 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Project Banner
5 |

6 | Latest ReleaseLast UpdatedSlack Community

7 | 8 | 9 | 29 | 30 | Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account 31 | 32 | https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html 33 | 34 | 35 | > [!TIP] 36 | > #### 👽 Use Atmos with Terraform 37 | > Cloud Posse uses [`atmos`](https://atmos.tools) to easily orchestrate multiple environments using Terraform.
38 | > Works with [Github Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift). 39 | > 40 | >
41 | > Watch demo of using Atmos with Terraform 42 | >
43 | > Example of running atmos to manage infrastructure from our Quick Start tutorial. 44 | > 45 | 46 | 47 | ## Introduction 48 | 49 | By default, when you create a member account as part of your Organization, AWS automatically creates `OrganizationAccountAccessRole` in the member account. 50 | 51 | The role grants admin permissions to access the member account to delegated IAM users in the master account. 52 | 53 | In the master account you need to create a Policy to grant permissions to IAM users to assume `OrganizationAccountAccessRole` in the member account. 54 | 55 | This module does the following: 56 | 57 | 1. Creates an IAM Group 58 | 2. Adds the provided IAM users to the Group 59 | 3. Creates a Policy to grant permissions to the IAM users in the master account to assume `OrganizationAccountAccessRole` in the member account 60 | 4. Attaches the Policy to the Group 61 | 62 | 63 | Users who are members of the Group will be able to assume the role and administer the member account by going here: 64 | 65 | (change `XXXXXXXXXXXX` to the ID of the member account) 66 | 67 | ``` 68 | https://signin.aws.amazon.com/switchrole 69 | ?account=XXXXXXXXXXXX 70 | &roleName=OrganizationAccountAccessRole 71 | &displayName=Dev 72 | ``` 73 | 74 | 75 |
76 | 77 | __NOTE__: Member accounts that you invite to join your Organization (that are not part of your Organization) do not automatically get `OrganizationAccountAccessRole` created. 78 | You can use [terraform-aws-organization-access-role](https://github.com/cloudposse/terraform-aws-organization-access-role) module to create `OrganizationAccountAccessRole` role in an invited member account. 79 | 80 |
81 | 82 | 83 | 84 | 85 | ## Usage 86 | 87 | ```hcl 88 | module "organization_access_group" { 89 | source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=master" 90 | namespace = "cp" 91 | stage = "dev" 92 | name = "cluster" 93 | user_names = ["User1","User2"] 94 | role_arns = { 95 | "cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole" 96 | } 97 | require_mfa = "true" 98 | } 99 | ``` 100 | 101 | > [!IMPORTANT] 102 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation 103 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version 104 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic 105 | > approach for updating versions to avoid unexpected changes. 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | ## Requirements 116 | 117 | No requirements. 118 | 119 | ## Providers 120 | 121 | | Name | Version | 122 | |------|---------| 123 | | [aws](#provider\_aws) | n/a | 124 | | [null](#provider\_null) | n/a | 125 | 126 | ## Modules 127 | 128 | | Name | Source | Version | 129 | |------|--------|---------| 130 | | [label](#module\_label) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.3 | 131 | 132 | ## Resources 133 | 134 | | Name | Type | 135 | |------|------| 136 | | [aws_iam_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource | 137 | | [aws_iam_group_policy.with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy) | resource | 138 | | [aws_iam_group_policy.without_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy) | resource | 139 | | [aws_iam_user_group_membership.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership) | resource | 140 | | [null_resource.role](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 141 | | [aws_iam_policy_document.with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 142 | | [aws_iam_policy_document.without_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 143 | 144 | ## Inputs 145 | 146 | | Name | Description | Type | Default | Required | 147 | |------|-------------|------|---------|:--------:| 148 | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | 149 | | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes` | `string` | `"-"` | no | 150 | | [enabled](#input\_enabled) | Whether to create these resources | `string` | `"true"` | no | 151 | | [name](#input\_name) | Name (e.g. `app` or `cluster`) | `string` | n/a | yes | 152 | | [namespace](#input\_namespace) | Namespace (e.g. `cp` or `cloudposse`) | `string` | n/a | yes | 153 | | [require\_mfa](#input\_require\_mfa) | Require the users to have MFA enabled | `string` | `"false"` | no | 154 | | [role\_arns](#input\_role\_arns) | A map of alias -> IAM Role ARNs the users in the Group can assume | `map(string)` | `{}` | no | 155 | | [stage](#input\_stage) | Stage (e.g. `prod`, `dev`, `staging`, `infra`) | `string` | n/a | yes | 156 | | [switchrole\_url\_template](#input\_switchrole\_url\_template) | URL template for the IAM console to switch to the roles | `string` | `"https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s"` | no | 157 | | [tags](#input\_tags) | Additional tags (e.g. map(`BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | 158 | | [user\_names](#input\_user\_names) | A list of IAM User names to associate with the Group | `list(string)` | n/a | yes | 159 | 160 | ## Outputs 161 | 162 | | Name | Description | 163 | |------|-------------| 164 | | [group\_arn](#output\_group\_arn) | The ARN assigned by AWS for the Group | 165 | | [group\_id](#output\_group\_id) | The Group's ID | 166 | | [group\_name](#output\_group\_name) | The Group's name | 167 | | [group\_unique\_id](#output\_group\_unique\_id) | Group's unique ID assigned by AWS | 168 | | [policy\_id](#output\_policy\_id) | The policy ID | 169 | | [policy\_name](#output\_policy\_name) | The name of the policy | 170 | | [switchrole\_urls](#output\_switchrole\_urls) | List of URL to the IAM console to switch to the roles | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | ## Related Projects 180 | 181 | Check out these related projects. 182 | 183 | - [terraform-aws-organization-access-role](https://github.com/cloudposse/terraform-aws-organization-access-role) - Terraform module to create an IAM Role to grant permissions to delegated IAM users in the master account to access an invited member account 184 | 185 | 186 | > [!TIP] 187 | > #### Use Terraform Reference Architectures for AWS 188 | > 189 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly. 190 | > 191 | > ✅ We build it together with your team.
192 | > ✅ Your team owns everything.
193 | > ✅ 100% Open Source and backed by fanatical support.
194 | > 195 | > Request Quote 196 | >
📚 Learn More 197 | > 198 | >
199 | > 200 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-organization-access-group&utm_content=commercial_support) for funded startups and enterprises. 201 | > 202 | > *Your team can operate like a pro today.* 203 | > 204 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed. 205 | > #### Day-0: Your Foundation for Success 206 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. 207 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases. 208 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance. 209 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations. 210 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions. 211 | > 212 | > Request Quote 213 | > 214 | > #### Day-2: Your Operational Mastery 215 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency. 216 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it. 217 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity. 218 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration. 219 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly. 220 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value. 221 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate. 222 | > 223 | > Request Quote 224 | >
225 | 226 | ## ✨ Contributing 227 | 228 | This project is under active development, and we encourage contributions from our community. 229 | 230 | 231 | 232 | Many thanks to our outstanding contributors: 233 | 234 | 235 | 236 | 237 | 238 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-organization-access-group/issues). 239 | 240 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. 241 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-organization-access-group/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). 242 | 2. **Fork** the repo on GitHub 243 | 3. **Clone** the project to your own machine 244 | 4. **Commit** changes to your own branch 245 | 5. **Push** your work back up to your fork 246 | 6. Submit a **Pull Request** so that we can review your changes 247 | 248 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! 249 | 250 | ### 🌎 Slack Community 251 | 252 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-organization-access-group&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. 253 | 254 | ### 📰 Newsletter 255 | 256 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-organization-access-group&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. 257 | Dropped straight into your Inbox every week — and usually a 5-minute read. 258 | 259 | ### 📆 Office Hours 260 | 261 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-organization-access-group&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else. 262 | It's **FREE** for everyone! 263 | ## License 264 | 265 | License 266 | 267 |
268 | Preamble to the Apache License, Version 2.0 269 |
270 |
271 | 272 | Complete license is available in the [`LICENSE`](LICENSE) file. 273 | 274 | ```text 275 | Licensed to the Apache Software Foundation (ASF) under one 276 | or more contributor license agreements. See the NOTICE file 277 | distributed with this work for additional information 278 | regarding copyright ownership. The ASF licenses this file 279 | to you under the Apache License, Version 2.0 (the 280 | "License"); you may not use this file except in compliance 281 | with the License. You may obtain a copy of the License at 282 | 283 | https://www.apache.org/licenses/LICENSE-2.0 284 | 285 | Unless required by applicable law or agreed to in writing, 286 | software distributed under the License is distributed on an 287 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 288 | KIND, either express or implied. See the License for the 289 | specific language governing permissions and limitations 290 | under the License. 291 | ``` 292 |
293 | 294 | ## Trademarks 295 | 296 | All other trademarks referenced herein are the property of their respective owners. 297 | 298 | 299 | --- 300 | Copyright © 2017-2025 [Cloud Posse, LLC](https://cpco.io/copyright) 301 | 302 | 303 | README footer 304 | 305 | Beacon 306 | --------------------------------------------------------------------------------