ACAI ACF Module: terraform-aws-acf-org-ou-mgmt
Overview
Organizational Units (OUs) provide a hierarchical framework for grouping AWS accounts and implementing centralized guardrails and policies.
This structure enables consistent security and governance across different sets of accounts based on their function or environment.
It's important to understand that the OU structure is not designed to mirror your company's departmental or business hierarchy. Rather, it's a technical structure for grouping accounts according to operational and compliance requirements—such as AWS regions, DMZ vs. non-DMZ environments, service offerings, or specific regulatory frameworks—allowing consistent security policies and guardrails to be applied to similar workloads.
You can attach these policies to an OU:
- Service Control Policies (SCPs)
- Resource Control Policies (RCPs)
- Backup Policies
- Tagging Policies
Information
The Root-OU supports up to five hierarchical levels, and AWS accounts can be assigned at any of these levels.
Solution
GitHub Repository | Terraform Registry
Terraform module to deploy the AWS Organization Unit hierarchy
This module is designed to:
- Provision the AWS Organization Unit (OU) Structure based on a given HCL map.
- Optionally assign existing SCPs to OUs.
- Optionally assign tags to OUs.
OU-Structure
Will provision the AWS Organization Unit (OU) structure based on a given HCL map.
Define OU-Structure:
locals {
# OU-Names are case-sensitive!!!
organizational_units = {
level1_units : [
# Artificial Org Structure
{
name : "level1_unit1",
scp_ids = ["p-yxodpfe7"]
level2_units : [
{
name : "level1_unit1__level2_unit1"
},
{
name : "level1_unit1__level2_unit2",
level3_units = [
{
name : "level1_unit1__level2_unit2__level3_unit1",
tags : {
"key1" : "value 1",
"key2" : "value 2"
}
}
]
}
]
},
{
name : "level1_unit2",
level2_units : [
{
name : "level1_unit2__level2_unit1"
},
{
name : "level1_unit2__level2_unit2"
},
{
name : "level1_unit2__level2_unit3"
}
]
}
]
}
}
Provide the above specifications to the ACF Module: