CLI tool for managing AWS Organization accounts with Control Tower

Project description

augint-org (ai-org) 🚀

One-command AWS account provisioning with Control Tower integration and enterprise-grade automation.

Create production-ready AWS accounts in seconds. They auto-configure based on their environment. No manual setup required.

✨ What Does It Do?

The ai-org CLI tool automates AWS multi-account management:

  • Creates accounts with one command
  • Auto-provisions resources based on environment (prod/staging/sandbox)
  • Sets up CI/CD with GitHub Actions OIDC (no AWS keys!)
  • Configures monitoring, backups, and compliance automatically
  • Sends email notifications with ready-to-use configurations

🚀 Quick Start (5 minutes)

1. Install the CLI

# Install with pip (or pipx for isolation)
pip install augint-org

# Or with uv (recommended - 10-100x faster)
uv pip install augint-org

2. Configure Your Environment (Optional)

# Set your AWS profile (required)
export AWS_PROFILE=org

# Optional: Create personal defaults config
ai-org config init

# Or create manually at ~/.ai-org.env
cat > ~/.ai-org.env << EOF
AWS_PROFILE=org
DEFAULT_SSO_EMAIL=you@company.com
DEFAULT_PERMISSION_SET=AWSAdministratorAccess
NOTIFICATIONS_EMAIL=alerts@company.com
BUDGETS_MONTHLY_DEFAULT=1000
BUDGETS_ANOMALY_THRESHOLD=100
EOF

# Note: Environment variables override config file

3. Bootstrap Your Landing Zone

# One-time setup: Create OUs, deploy StackSets, configure policies
ai-org bootstrap

# This runs in minutes and sets up:
# ✅ OU structure (Workloads/Production, Workloads/Staging)
# ✅ 7 StackSets with auto-deployment
# ✅ Service Control Policies
# ✅ GitHub Actions authentication
# ✅ Cost management and monitoring

4. Create Your First Project

# Create both staging and production accounts for a project
ai-org account create myapp

# What happens automatically:
# 1. Creates myapp-staging account → Workloads/Staging OU
# 2. Creates myapp-prod account → Workloads/Production OU
# 3. Waits for Control Tower provisioning
# 4. StackSets auto-deploy appropriate resources
# 5. Emails you ready-to-use .env configurations
# 6. Sets up AWS CLI profiles automatically

5. Deploy Your Application

# Your accounts are ready! Deploy with SAM or CDK
cd your-app/
sam deploy --profile myapp-staging

# Or use GitHub Actions (already configured!)
git push origin staging

📋 What Gets Deployed Where

Resource                Production  Staging  Sandbox
S3 Deployment Bucket    ✅          ✅       ❌
GitHub OIDC + Roles     ✅          ✅       ❌
CloudWatch Monitoring   ✅          ✅       ❌
Cost Alerts             ✅          ✅       ❌
Automated Backups       ✅          ❌       ❌
Centralized Logging     ✅          ❌       ❌
Security Policies       ✅          ✅       ❌

🎯 Common Commands

# Account Management
ai-org account create <project>           # Create staging + prod accounts
ai-org account create <project> --prod    # Create only production
ai-org account list                       # List all accounts
ai-org account info <project>             # Show account details

# Infrastructure Management
ai-org status                              # Show landing zone health
ai-org stackset list                       # List deployed StackSets
ai-org stackset update <name>              # Update a StackSet
ai-org validate                            # Validate all configurations

# Configuration
ai-org config show                         # Display current config
ai-org config set notifications.email x@y  # Update config value
ai-org config profiles add <name>          # Add AWS CLI profile

# Development
ai-org account sandbox <name>              # Create sandbox account
ai-org costs report --days 30              # Cost analysis
ai-org compliance check                    # Compliance report

🔧 GitHub Actions Setup

The bootstrap process creates a SAMDeployRole in each account. Your workflows just need:

name: Deploy
on:
  push:
    branches: [main, staging]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # These are automatically created by ai-org!
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: us-east-1

      - run: sam deploy --config-env ${{ vars.ENVIRONMENT }}
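
What the workflow above can reach is decided by the trust policy on the role it assumes: the aud and sub conditions on the GitHub OIDC token determine which repositories and refs get credentials. The following check is an added example, not code from ai-org, and it does not describe the policy ai-org generates; the function names, the placeholder account ID 111122223333 and the repository my-org/myapp are assumptions, and both sample policies are constructed.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _values(stmt, key, operators):
    """Collect condition values for `key` (case-insensitive) under the given operators."""
    found = []
    for op, block in stmt.get("Condition", {}).items():
        if op in operators:
            for k, v in block.items():
                if k.lower() == key:
                    found += [v] if isinstance(v, str) else list(v)
    return found

def audit_github_oidc_trust(policy, expected_repo):
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        principal = stmt.get("Principal")
        fed = principal.get("Federated", []) if isinstance(principal, dict) else []
        fed = [fed] if isinstance(fed, str) else fed
        if stmt.get("Effect") != "Allow" or not any(f.endswith("/" + GITHUB_OIDC) for f in fed):
            continue
        if "sts.amazonaws.com" not in _values(stmt, GITHUB_OIDC + ":aud", {"StringEquals"}):
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _values(stmt, GITHUB_OIDC + ":sub", {"StringEquals", "StringLike"})
        if not subs:
            findings.append("no sub condition: workflows in any repository can assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"sub {sub!r} is not limited to {expected_repo}")
            elif sub.endswith(":*"):
                findings.append(f"sub {sub!r} matches every branch, tag and pull request")
    return findings

def _trust(condition):
    """Build a constructed trust policy; account ID 111122223333 is a placeholder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"},
        "Condition": condition}]}

# Constructed sample policies; my-org/myapp is a hypothetical repository.
WEAK = _trust({"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
               "StringLike": {GITHUB_OIDC + ":sub": "repo:my-org/*"}})
SCOPED = _trust({"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com",
                 GITHUB_OIDC + ":sub": "repo:my-org/myapp:ref:refs/heads/main"}})

if __name__ == "__main__":
    print(audit_github_oidc_trust(WEAK, "my-org/myapp"), audit_github_oidc_trust(SCOPED, "my-org/myapp"))
```

To run it against a real role, pass the role's trust policy document, parsed from JSON, as the first argument.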

๐Ÿ—๏ธ Architecture

Control Tower (AWS Managed)
โ”œโ”€โ”€ Security OU
โ”‚   โ”œโ”€โ”€ Audit Account
โ”‚   โ””โ”€โ”€ Log Archive Account
โ”œโ”€โ”€ Sandbox OU (Unrestricted)
โ””โ”€โ”€ Workloads OU (Your Domain)
    โ”œโ”€โ”€ Production OU
    โ”‚   โ””โ”€โ”€ [project]-prod accounts (Full automation)
    โ””โ”€โ”€ Staging OU
        โ””โ”€โ”€ [project]-staging accounts (Essential automation)

Key Design Principles

  1. Zero-touch provisioning - Accounts self-configure based on OU
  2. GitOps ready - GitHub Actions OIDC from day one
  3. Cost conscious - Staging gets essentials, prod gets everything
  4. Secure by default - SCPs enforce security baseline
  5. Audit friendly - Centralized logging and compliance reports

📚 Documentation

Resource             Description
API Reference        Complete CLI and module documentation
Architecture Guide   System design and decision rationale
Configuration Guide  Detailed config options and examples
Migration Guide      Migrating existing accounts
Development Guide    Contributing and local development

๐Ÿ” Prerequisites

Before running ai-org bootstrap:

  • โœ… AWS Control Tower is activated
  • โœ… AWS SSO configured with management account access
  • โœ… AWS CLI v2 with SSO profile configured
  • โœ… Python 3.12+ installed
  • โœ… GitHub organization created (for OIDC)

🚧 Troubleshooting

Account Creation Issues

# Check account status
ai-org account info myapp --verbose

# View CloudFormation events
ai-org debug stackset-instances pipeline-bootstrap

# Verify OU structure
ai-org validate organization

Common Issues

  • "Production OU not visible in Account Factory" → Run ai-org bootstrap --enable-baselines
  • "StackSets not deploying" → Check account is in correct OU with ai-org account move
  • "GitHub Actions can't authenticate" → Verify with ai-org validate github-oidc

๐Ÿค Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

📄 License

MIT License - see LICENSE for details.

๐Ÿ™ Acknowledgments

Built with:


Stop clicking through AWS Console. Start shipping.

Download files

Source Distribution

augint_org-0.7.0.tar.gz (245.3 kB view details)

Uploaded Source

Built Distribution

augint_org-0.7.0-py3-none-any.whl (66.2 kB view details)

Uploaded Python 3

File details

Details for the file augint_org-0.7.0.tar.gz.

File metadata

  • Download URL: augint_org-0.7.0.tar.gz
  • Upload date:
  • Size: 245.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for augint_org-0.7.0.tar.gz
Algorithm Hash digest
SHA256 42323a7576d280a9909ba35876a6bdbcffa3b3140f1d52299823ff016dc44ead
MD5 b71c982cfbdd8d0f564ceff830bea4a0
BLAKE2b-256 7bad8b905840480f583782ec4c3b5e72411b3880a425f04584634aa8d2df8127

Provenance

The following attestation bundles were made for augint_org-0.7.0.tar.gz:

Publisher: publish.yaml on Augmenting-Integrations/aillc-org

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file augint_org-0.7.0-py3-none-any.whl.

File metadata

  • Download URL: augint_org-0.7.0-py3-none-any.whl
  • Upload date:
  • Size: 66.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for augint_org-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 613c2aa0c8602d2d8bd590a82c49bf66cde739a809feb00da8adc33b5e492b13
MD5 585258615109e062afb29367fb67cb7c
BLAKE2b-256 d0e06f2c0381d456b9c6666b38ebb24ca41c6adfcea3c2eff79a4e033cfbb0e4

Provenance

The following attestation bundles were made for augint_org-0.7.0-py3-none-any.whl:

Publisher: publish.yaml on Augmenting-Integrations/aillc-org

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
