aws-samples/terraform-aws-organization-policies

terraform-aws-organization-policies

Deploy SCPs, RCPs, and other AWS organization policies with Terraform.

Module Inputs

SCP example:

module "scps" {
  source      = "aws-samples/organization-policies/aws"
  version     = "3.1.0"
  policy_type = "SERVICE_CONTROL_POLICY"
  ou_map = {
    "r-1xyz"           = ["root", "allow_services"] #root
    "ou-abcd-11223344" = ["sandbox"]                #sandbox ou
    "ou-efgh-22334455" = ["ssm"]                    #workload ou
  }
}

RCP example:

module "rcps" {
  source      = "aws-samples/organization-policies/aws"
  version     = "3.1.0"
  policy_type = "RESOURCE_CONTROL_POLICY"
  ou_map = {
    "r-1xyz" = ["root"] #root
  }
}

policy_type is the type of organization policy. A separate module instance is needed for each policy type.

ou_map maps root and OU IDs to the list of policies attached to each. Policies are stored as JSON files in an adjacent directory whose name defaults to the lower-cased policy type, e.g. ./service_control_policy/.

The directory layout for the two module inputs above looks like this:

.
├── resource_control_policy
│   └── root.json
├── service_control_policy
│   ├── allow_services.json
│   ├── root.json
│   ├── sandbox.json
│   └── ssm.json
└── main.tf

Optional Inputs

module "scps" {
  ...
  policies_directory = "policies/scps"
}

policies_directory overrides the name and location of the directory used to store policies. Otherwise it defaults to the lower-cased name of the policy type, e.g. ./service_control_policy/.

Template Files

The module accepts template files (.json.tpl). These can be supplied alongside plain JSON files in the same directory.

module "scps" {
  source      = "aws-samples/organization-policies/aws"
  version     = "3.1.0"
  policy_type = "SERVICE_CONTROL_POLICY"
  ou_map = {
    "r-1xyz"           = ["root", "iam"] #root
  }
  template_variables = {
    management_account_id = var.management_account_id
  }
}

template_variables supplies the values substituted into template files. See iam.json.tpl for an example.
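A pre-apply check for the ou_map and directory conventions described above (default directory, policies_directory override, .json beside .json.tpl). This is an added example, not part of the module; the OU IDs and policy names are the README's sample values, the fixture files and the "Statement" requirement are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Constructed inputs mirroring the README's SCP example (not the module's code).
POLICY_TYPE = "SERVICE_CONTROL_POLICY"
OU_MAP = {"r-1xyz": ["root", "allow_services"],
          "ou-abcd-11223344": ["sandbox"], "ou-efgh-22334455": ["ssm"]}

def policy_dir(root, policy_type, policies_directory=None):
    # Module default: ./<policy_type lower-cased>/ unless policies_directory overrides it.
    return Path(root) / (policies_directory or policy_type.lower())

def check_ou_map(root, policy_type, ou_map, policies_directory=None):
    """Return problems found; an empty list means every ou_map entry resolves to a policy."""
    directory = policy_dir(root, policy_type, policies_directory)
    problems = []
    for ou_id, names in ou_map.items():
        for name in names:
            plain, tpl = directory / f"{name}.json", directory / f"{name}.json.tpl"
            if tpl.exists():
                continue  # rendered by Terraform from template_variables; not parseable here
            if not plain.exists():
                problems.append(f"{ou_id}: missing {plain.name} (or {tpl.name})")
                continue
            try:
                doc = json.loads(plain.read_text())
            except json.JSONDecodeError as exc:
                problems.append(f"{plain.name}: invalid JSON ({exc.msg})")
                continue
            if "Statement" not in doc:
                problems.append(f"{plain.name}: no Statement element")
    return problems

def write_sample_tree(root, names, policy_type=POLICY_TYPE, policies_directory=None):
    # Constructed fixture: one FullAWSAccess-style allow-all policy per name.
    directory = policy_dir(root, policy_type, policies_directory)
    directory.mkdir(parents=True)
    body = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    for name in names:
        (directory / f"{name}.json").write_text(json.dumps(body))

def demo():
    """Clean tree passes; a corrupt file and an unreferenced name are caught before apply."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp, ["root", "allow_services", "sandbox", "ssm"])
        clean = check_ou_map(tmp, POLICY_TYPE, OU_MAP)
        (policy_dir(tmp, POLICY_TYPE) / "sandbox.json").write_text("{not json")
        broken = check_ou_map(tmp, POLICY_TYPE, {**OU_MAP, "ou-zzzz-1": ["ssm-extra"]})
    return clean, broken
```

Run check_ou_map against your real module directory (passing the same policies_directory you give the module) as a CI step so a misspelled entry in ou_map fails before terraform plan does.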

Troubleshooting

Issue: PolicyTypeNotEnabledException
Fix: Enable the policy type within AWS Organizations first.

Related Resources

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
