SCPs with Terraform
Deploy Service Control Policies (SCPs) with Terraform.
Prerequisites
Limitations
Module Inputs
module "scps" {
  source = "github.com/aws-samples/aws-scps-with-terraform"
  ou_list = {
    "r-1xyz"           = ["root", "allow_services"] #root
    "ou-abcd-11223344" = ["sandbox"]                #sandbox ou
    "ou-efgh-22334455" = ["ssm"]                    #workload ou
  }
}
ou_list is a map of OU IDs to the SCPs attached to them. SCPs are stored as JSON files in an adjacent policies directory.
.
├── policies
│   ├── allow_services.json
│   ├── root.json
│   ├── sandbox.json
│   └── ssm.json
└── main.tf <---------- module input here
Create SCP json files, add them to the policies directory, and then reference them in the ou_list input.
Optional Inputs
module "scps" {
  ... 
  policies_directory_name = "policies"
}
This can be used to change the name and location of the directory you store SCPs in. It defaults to policies.
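As an added example (not the module's own source), one way to wire the ou_list and policies_directory_name inputs above to the two Terraform resources listed under Related Resources. The variable names come from this README; the local names and the resource label `this` are assumptions.

```hcl
variable "ou_list" {
  # OU (or root) ID => list of SCP names, each matching <name>.json
  type = map(list(string))
}

variable "policies_directory_name" {
  type    = string
  default = "policies"
}

locals {
  # Every distinct policy name referenced anywhere in ou_list,
  # so a policy shared by several OUs is created only once.
  policy_names = toset(flatten(values(var.ou_list)))

  # One (target, policy) pair per attachment, keyed for for_each.
  attachments = {
    for pair in flatten([
      for target_id, policies in var.ou_list : [
        for p in policies : { target_id = target_id, policy = p }
      ]
    ]) : "${pair.target_id}/${pair.policy}" => pair
  }
}

# Assumed: policies live next to the root module's main.tf, as in the tree above.
resource "aws_organizations_policy" "this" {
  for_each = local.policy_names
  name     = each.key
  type     = "SERVICE_CONTROL_POLICY"
  content  = file("${path.root}/${var.policies_directory_name}/${each.key}.json")
}

resource "aws_organizations_policy_attachment" "this" {
  for_each  = local.attachments
  policy_id = aws_organizations_policy.this[each.value.policy].id
  target_id = each.value.target_id
}
```

A policy name listed in ou_list without a matching JSON file fails at plan time in file(), so a typo cannot silently leave an OU unguarded.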
Example SCPs
aws-samples/service-control-policy-examples
Related Resources
- SCPs (AWS Organizations User Guide)
- Resource: aws_organizations_policy
- Resource: aws_organizations_policy_attachment
Security
See CONTRIBUTING for more information.
License
This library is licensed under the MIT-0 License. See the LICENSE file.