ACAI ACF Module: terraform-aws-acf-org-delegation
GitHub Repository | Terraform Registry
Solution
Terraform module to manage AWS Organization delegation.
This module is designed to:
- Delegate AWS services to target accounts.
- Support multi-regional delegation.
Features
```hcl
locals {
  primary_aws_region = "eu-central-1"
  default_regions    = ["eu-central-1", "us-east-2"]

  # One entry per service principal; a single entry may cover several regions.
  delegations = [
    {
      regions           = ["us-east-1"]
      service_principal = "cloudtrail.amazonaws.com"
      target_account_id = "992382728088" # core_security
    },
    {
      regions           = local.default_regions
      service_principal = "guardduty.amazonaws.com"
      target_account_id = "992382728088" # core_security
    },
    {
      regions           = local.default_regions
      service_principal = "securityhub.amazonaws.com"
      target_account_id = "992382728088" # core_security
    },
    {
      regions           = [local.primary_aws_region]
      service_principal = "backup.amazonaws.com"
      target_account_id = "992382728088" # core_security
    },
    {
      regions           = [local.primary_aws_region]
      service_principal = "member.org.stacksets.cloudformation.amazonaws.com"
      target_account_id = "992382728088" # core_security
    },
    {
      regions           = [local.primary_aws_region]
      service_principal = "member.org.stacksets.cloudformation.amazonaws.com"
      target_account_id = "590183833356" # core_logging
    }
  ]
}

# Splits the delegation list into per-region sets (delegations_by_region).
module "preprocess_data" {
  source  = "app.terraform.io/acai-solutions/org-delegation/aws//modules/preprocess-data"
  version = "~> 1.0"

  primary_aws_region = local.primary_aws_region
  delegations        = local.delegations
}
```
Provide the above specifications to the ACF Module (multiple module calls for different regions):
```hcl
# Primary region: performs the organization-wide delegated administrator registration.
module "example_euc1" {
  source  = "app.terraform.io/acai-solutions/org-delegation/aws"
  version = "~> 1.0"

  preprocessed_data = {
    primary_aws_region = local.primary_aws_region
    current_aws_region = "eu-central-1"
    delegations        = module.preprocess_data.delegations_by_region["eu-central-1"]
  }

  providers = {
    aws = aws.org_mgmt_euc1
  }

  depends_on = [module.create_provisioner]
}

# Secondary regions: must depend on the primary-region instance (see the sequencing note below).
module "example_use1" {
  source  = "app.terraform.io/acai-solutions/org-delegation/aws"
  version = "~> 1.0"

  preprocessed_data = {
    primary_aws_region = local.primary_aws_region
    current_aws_region = "us-east-1"
    delegations        = module.preprocess_data.delegations_by_region["us-east-1"]
  }

  providers = {
    aws = aws.org_mgmt_use1
  }

  depends_on = [
    module.create_provisioner,
    module.example_euc1
  ]
}

module "example_use2" {
  source  = "app.terraform.io/acai-solutions/org-delegation/aws"
  version = "~> 1.0"

  preprocessed_data = {
    primary_aws_region = local.primary_aws_region
    current_aws_region = "us-east-2"
    delegations        = module.preprocess_data.delegations_by_region["us-east-2"]
  }

  providers = {
    aws = aws.org_mgmt_use2
  }

  depends_on = [
    module.create_provisioner,
    module.example_euc1
  ]
}
```
Important — multi-region sequencing: secondary-region module instances must declare `depends_on` on the primary-region instance. AWS delegated administrator registration (`RegisterDelegatedAdministrator`) is organization-wide (global) and is performed once per (account, service_principal) pair. The primary-region module performs this registration explicitly. Several regional service-admin APIs (Security Hub, Macie, Detective, Inspector, Audit Manager) implicitly call `RegisterDelegatedAdministrator` if the account is not yet registered. Without sequencing, a secondary-region module can race the primary and trigger an implicit registration, causing the primary's explicit call to fail with `AccountAlreadyRegisteredException`.

Service delegation scope reference:

| Service | Scope | Notes |
| --- | --- | --- |
| cloudtrail.amazonaws.com | Global | Register once per organization |
| ipam.amazonaws.com | Global | Register once per organization |
| fms.amazonaws.com | Global | us-east-1 only |
| guardduty.amazonaws.com | Regional | Same admin account required in every region |
| securityhub.amazonaws.com | Regional | Per-region admin |
| macie.amazonaws.com | Regional | Per-region admin |
| detective.amazonaws.com | Regional | Per-region admin |
| inspector2.amazonaws.com | Regional | Per-region admin |
| auditmanager.amazonaws.com | Regional | Per-region admin |
| config.amazonaws.com | Regional | Aggregator authorization is per source region |
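The sequencing rule above, modelled as an added Python example (not the module's own code): `delegations_by_region` stands in for the preprocess-data output, `global_registrations` for the primary region's explicit calls, and `simulate_apply` shows why applying a secondary region first ends in `AccountAlreadyRegisteredException`. The account id and delegation list are constructed from the README's example; the implicit-registration service set is the one the note names.

```python
from collections import defaultdict

PRIMARY_REGION = "eu-central-1"
ACCT = "992382728088"  # core_security in the README's example
# Services whose regional admin API implicitly calls RegisterDelegatedAdministrator
# when the account is not yet registered (per the README's sequencing note).
IMPLICIT_REGISTERING = {"securityhub.amazonaws.com", "macie.amazonaws.com",
                        "detective.amazonaws.com", "inspector2.amazonaws.com",
                        "auditmanager.amazonaws.com"}
# Constructed input in the shape of the README's locals.delegations.
DELEGATIONS = [
    {"regions": ["us-east-1"], "service_principal": "cloudtrail.amazonaws.com", "target_account_id": ACCT},
    {"regions": ["eu-central-1", "us-east-2"], "service_principal": "guardduty.amazonaws.com", "target_account_id": ACCT},
    {"regions": ["eu-central-1", "us-east-2"], "service_principal": "securityhub.amazonaws.com", "target_account_id": ACCT},
    {"regions": [PRIMARY_REGION], "service_principal": "backup.amazonaws.com", "target_account_id": ACCT},
]

class AccountAlreadyRegisteredException(Exception):
    """Stands in for the AWS error named in the README."""

def delegations_by_region(delegations):
    """Group (service_principal, target_account_id) per region; this models the
    preprocess-data module's delegations_by_region output, not its code."""
    out = defaultdict(list)
    for d in delegations:
        for region in d["regions"]:
            out[region].append((d["service_principal"], d["target_account_id"]))
    return dict(out)

def global_registrations(delegations):
    """One org-wide registration per distinct (account, service_principal) pair,
    however many regions list it; the primary-region instance performs these."""
    return sorted({(d["target_account_id"], d["service_principal"]) for d in delegations})

def simulate_apply(delegations, primary_region, order):
    """Apply regional instances in `order`; return the registered pairs, or raise
    when a secondary region implicitly registered a pair before the primary did."""
    by_region = delegations_by_region(delegations)
    registered = set()
    for region in order:
        if region == primary_region:
            for pair in global_registrations(delegations):  # explicit calls
                if pair in registered:
                    raise AccountAlreadyRegisteredException("%s/%s" % pair)
                registered.add(pair)
        else:
            for sp, acct in by_region.get(region, []):
                if sp in IMPLICIT_REGISTERING:  # regional API registers implicitly
                    registered.add((acct, sp))
    return registered
```

Applying the primary region first succeeds for every order of the remaining regions; applying `us-east-2` before `eu-central-1` raises on the Security Hub pair.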