Landing Zone Organization
Initial steps
Install and run the tests:
make install
make test
Check code complexity:
make complexity
Validate typing and formatting:
make lint
Configuration
By default, this package makes an assumption about your naming schema. It expects account names to use the following format:
<PREFIX>-<WORKLOAD NAME>-<ENVIRONMENT>
When you deviate from this schema you may need to provide two configuration
options. You can do this via two environment variables:
Name | Default Value | Description
---|---|---
PATTERN_WORKLOAD_NAME | `.*?-(.*)-.*` | The first match is used as the workload name.
PATTERN_ENVIRONMENT_NAME | `.*-.*-(.*)` | The first match is used as the environment name. For example: development, testing, acceptance or production.
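As an added example (not code from this package), here is how the two default patterns from the table resolve a name such as `acme-payments-production`, what happens when a workload name itself contains a hyphen, and how an account that does not follow the schema at all is reported instead of being mis-filed. The function names `parse_account_name` and `group_by_workload`, and the two-part custom schema shown in the usage note, are assumptions for illustration; the default patterns are the ones from the table.

```python
import os
import re

# Defaults from the configuration table above.
DEFAULT_WORKLOAD_PATTERN = r".*?-(.*)-.*"
DEFAULT_ENVIRONMENT_PATTERN = r".*-.*-(.*)"


def parse_account_name(name, env=None):
    """Split an account name into workload and environment using the configured
    regular expressions. The first capture group of the first match is used, as
    the package documents; returns None when the name does not fit the schema.
    `env` defaults to os.environ so PATTERN_* overrides are honoured (hypothetical
    helper, not the package's own code)."""
    env = os.environ if env is None else env
    workload_re = re.compile(env.get("PATTERN_WORKLOAD_NAME", DEFAULT_WORKLOAD_PATTERN))
    environment_re = re.compile(env.get("PATTERN_ENVIRONMENT_NAME", DEFAULT_ENVIRONMENT_PATTERN))

    workload = workload_re.match(name)
    environment = environment_re.match(name)
    if workload is None or environment is None:
        return None
    return {"workload": workload.group(1), "environment": environment.group(1)}


def group_by_workload(names, env=None):
    """Collect environments per workload. Names outside the schema are returned
    separately so a misnamed account is visible rather than silently dropped."""
    grouped, unmatched = {}, []
    for name in names:
        parsed = parse_account_name(name, env)
        if parsed is None:
            unmatched.append(name)
            continue
        grouped.setdefault(parsed["workload"], []).append(parsed["environment"])
    return grouped, unmatched


if __name__ == "__main__":
    # Constructed sample names following <PREFIX>-<WORKLOAD NAME>-<ENVIRONMENT>.
    sample = ["acme-payments-development", "acme-payments-production",
              "acme-payments-api-production", "sandbox"]
    print(group_by_workload(sample, env={}))
```

Because `(.*)` in the workload pattern is greedy and the trailing `-.*` only needs the last hyphen, `acme-payments-api-production` yields the workload `payments-api` and the environment `production`. A two-part schema such as `<WORKLOAD>-<ENVIRONMENT>` can be configured by exporting `PATTERN_WORKLOAD_NAME='(.*)-.*'` and `PATTERN_ENVIRONMENT_NAME='.*-(.*)'`.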
AWS Policies
To query AWS Organizations, you either need to assume a role in the master payer account, or you need to delegate administration to another account. For more information, read the Delegated administrator for AWS Organizations page.
The following is the least-privilege delegated administrator policy you can use (replace the `<Delegated Account>` and `<Master Payer Account>` placeholders with the respective account IDs):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "<Delegated Account>" },
      "Action": [ "organizations:ListRoots" ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "ListContent",
      "Effect": "Allow",
      "Principal": { "AWS": "<Delegated Account>" },
      "Action": [
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:ListChildren"
      ],
      "Resource": [
        "arn:aws:organizations::<Master Payer Account>:account/*",
        "arn:aws:organizations::<Master Payer Account>:ou/*",
        "arn:aws:organizations::<Master Payer Account>:root/*"
      ]
    }
  ]
}
Using the CLI
Before you can execute any command you need to select the correct profile:
export CUSTOMER=<prefix used in your profiles>
export AWS_PROFILE=${CUSTOMER}-audit
Download the organization structure
Before you can use the CLI commands you need to execute the following command:
landingzone-organization organization download
This command queries the AWS Organizations API and stores the aggregated data in a file in the current working directory. This file is reused by every other command.
List all workloads
To get an overview of all the workloads within your organization you can execute the following command:
landingzone-organization workload list [--location "<OU NAME>"]
To list a nested OU, separate the OU names in the path with commas:
landingzone-organization workload list [--location "<OU NAME>,<OU NAME>"]
View account by ID
Sometimes you have an Account ID and you need to know what account it is. To get more information about the given Account ID you can execute the following command:
landingzone-organization account view <ACCOUNT_ID>
Using AWS Lambda
You can also use this module within an AWS Lambda function. AWS recommends not using the master payer account for
anything other than providing AWS Organizations and billing. But to query the AWS Organization we need a role
in the master payer account that we can assume. In cloudformation/prerequisites.yaml
you can see how to create a role that can be assumed from another account.
You can then assume that role from any other account and initialize the module with accurate organization information.
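The following is an added example, not the package's own code, that ties the AWS Policies section and this Lambda section together: it assumes the cross-account role, then downloads the organization tree using only the four actions the least-privilege policy grants (ListRoots, ListChildren, DescribeOrganizationalUnit, DescribeAccount), paging through ListChildren results. The role ARN, the `ORGANIZATION_ROLE_ARN` environment variable, the function names and the `FakeOrganizationsClient` with its canned account data are all assumptions for illustration; the real run needs boto3 and credentials that can assume the role created from cloudformation/prerequisites.yaml.

```python
import json
import os

# Hypothetical role in the master payer account that trusts the calling account;
# the real ARN comes from the role created by cloudformation/prerequisites.yaml.
ORGANIZATION_ROLE_ARN = os.environ.get(
    "ORGANIZATION_ROLE_ARN", "arn:aws:iam::111111111111:role/OrganizationReadOnly"
)


def organizations_client_for_role(role_arn, session_name="landingzone-organization"):
    """Assume the role in the master payer account and return an Organizations
    client bound to the temporary credentials. Requires boto3 (assumed installed)."""
    import boto3  # imported lazily so the rest of the module runs without it

    sts = boto3.client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client(
        "organizations",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def _children(client, parent_id, child_type):
    """Page through ListChildren; each call returns one page plus an optional NextToken."""
    kwargs = {"ParentId": parent_id, "ChildType": child_type}
    while True:
        page = client.list_children(**kwargs)
        for child in page.get("Children", []):
            yield child["Id"]
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


def walk_organization(client):
    """Return the organization as a nested structure using only ListRoots,
    ListChildren, DescribeOrganizationalUnit and DescribeAccount."""
    def walk_ou(ou_id, name):
        node = {"id": ou_id, "name": name, "accounts": [], "children": []}
        for account_id in _children(client, ou_id, "ACCOUNT"):
            account = client.describe_account(AccountId=account_id)["Account"]
            node["accounts"].append({"id": account["Id"], "name": account["Name"],
                                     "status": account["Status"]})
        for child_id in _children(client, ou_id, "ORGANIZATIONAL_UNIT"):
            child = client.describe_organizational_unit(OrganizationalUnitId=child_id)
            ou = child["OrganizationalUnit"]
            node["children"].append(walk_ou(ou["Id"], ou["Name"]))
        return node

    return [walk_ou(root["Id"], root["Name"]) for root in client.list_roots()["Roots"]]


def lambda_handler(event, context):
    """Lambda entry point: assume the cross-account role, then download the structure."""
    client = organizations_client_for_role(ORGANIZATION_ROLE_ARN)
    return {"statusCode": 200, "body": json.dumps(walk_organization(client))}


class FakeOrganizationsClient:
    """Constructed stand-in answering the same four calls from canned data and
    paginating ListChildren one child per page, so the walker can run offline."""

    _parents = {
        "r-root": {"ORGANIZATIONAL_UNIT": ["ou-work"], "ACCOUNT": ["111111111111"]},
        "ou-work": {"ORGANIZATIONAL_UNIT": [], "ACCOUNT": ["222222222222", "333333333333"]},
    }
    _ous = {"ou-work": "Workloads"}
    _accounts = {  # constructed sample accounts following <PREFIX>-<WORKLOAD>-<ENVIRONMENT>
        "111111111111": ("acme-audit-production", "ACTIVE"),
        "222222222222": ("acme-payments-development", "ACTIVE"),
        "333333333333": ("acme-payments-production", "SUSPENDED"),
    }

    def list_roots(self):
        return {"Roots": [{"Id": "r-root", "Name": "Root"}]}

    def list_children(self, ParentId, ChildType, NextToken=None):
        ids = self._parents[ParentId][ChildType]
        index = int(NextToken) if NextToken else 0
        page = {"Children": [{"Id": i, "Type": ChildType} for i in ids[index:index + 1]]}
        if index + 1 < len(ids):
            page["NextToken"] = str(index + 1)
        return page

    def describe_organizational_unit(self, OrganizationalUnitId):
        return {"OrganizationalUnit": {"Id": OrganizationalUnitId,
                                       "Name": self._ous[OrganizationalUnitId]}}

    def describe_account(self, AccountId):
        name, status = self._accounts[AccountId]
        return {"Account": {"Id": AccountId, "Name": name, "Status": status}}


if __name__ == "__main__":
    print(json.dumps(walk_organization(FakeOrganizationsClient()), indent=2))
```

Forgetting the `NextToken` loop is the usual way such a download silently misses accounts in larger OUs, which is why the fake client deliberately returns one child per page. The walker never calls anything outside the policy's four actions, so running it against the real API with the delegated policy above is enough to confirm the policy is sufficient.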
Hashes for landingzone_organization-0.2.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | f26c7174e453ef773cb3de0afcd8fd3189c6e7d14d936b0c07df697006a346c2
MD5 | 8196935104bbe71bf0e352470da0ad3e
BLAKE2b-256 | 4b405fc9a9e8651f1082ef5fc2e3577caa7b1355517349723039c0cb5483725c

Hashes for landingzone_organization-0.2.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | bb4ea97783528931272d28b6b7de9341d0be8189578234b57566b6305c0938b3
MD5 | fc5512b839d30523ba99ff33292f5d49
BLAKE2b-256 | 9ff7e0de5b2a77c705c9bc4568ce0dcc4cb05bc062becf9efb810916e11a38d9