AWS CDK Construct Library to manage specific AWS Organization resources
Project description
cdk-library-aws-organization
This CDK library is a WIP and not ready for production use.
Key challenges with Organizations
- Accounts aren't like AWS resources and the removal process isn't a simple delete. Therefore the constructs contained in this library do not have the goal to delete accounts.
- CloudFormation doesn't support Organizations directly so the constructs in this library use CloudFormation custom resources that utilize Python and Boto3
Testing the custom provider code with SAM CLI
Pre-reqs
- You will either want a previously created test account or allow the tests to create a new account
Testing
- Create a test project that utilizes this library (you can use a development version by utilizing
yarn link
, but note you might need to set a static dependency for CDK versions orconstructs
in the local app or you'll get errors about mismatched object types) - Create a test stack
- Synthesize the test stack with
cdk synth --no-staging > template.yml
- Get the handler function names from the template
- Run
sam local start-lambda -t template.yml
- Run the
handler_tests
python files withpytest
like follows:
TEST_ACCOUNT_NAME='<name>' TEST_ACCOUNT_EMAIL='<email>' TEST_ACCOUNT_ORIGINAL_OU='<original ou id>' ACCOUNT_LAMBDA_FUNCTION_NAME='<name you noted earlier>' OU_LAMBDA_FUNCTION_NAME='<name you noted earlier>' pytest ./handler_tests/<test file name>.py -rA --capture=sys
- Using the name, email, and original OU env variables here allows the test suite to re-use a single test account. Given deleting accounts is not simple you likely dont want to randomly create a new account every time you run tests.
- The
test.py
also looks up the root org id to run tests so you'll need to have AWS creds set up to accomodate that behavior. - You can run the provided tests against the real lambda function by getting the deployed function name from AWS and setting the
RUN_LOCALLY
env variable
TEST_ACCOUNT_NAME='<name>' TEST_ACCOUNT_EMAIL='<email>' TEST_ACCOUNT_ORIGINAL_OU='<original ou id>' RUN_LOCALLY='false' ACCOUNT_LAMBDA_FUNCTION_NAME='<name you noted earlier>' OU_LAMBDA_FUNCTION_NAME='<name from AWS>' pytest ./handler_tests/<test file name>.py -rA --capture=sys
Why can't I move an OU?
Moving OUs isn't supported by Organizations and would cause significant issues with keeping track of OUs in the CDK. Imagine a scenario like below:
-
You have an ou,
OUAdmin
, and it has 2 children,OUChild1 and Account1
, that are also managed by the CDK stack. -
You change the parent of
OUAdmin
toOUFoo
. The CDK would need to take the following actions:-
Create a new
OU
underOUFoo
with the nameOUAdmin
-
Move all of the original
OUAdmin
OU's children to the newOUAdmin
-
Delete the old
OUAdmin
-
Update all physical resource IDs
- It would succeed at moving accounts because physical IDs should not change. Accounting moving between OUs is supported by Organizations
- It would fail at moving any child OUs because they would also be recreated. Resulting in a change to physical resource ID. Because the custom resource can only managed the resource it's currently acting on,
OUAdmin
, any children OUs would be "lost" in this process and ugly to try and manage.
-
The best way to move OUs would be to add additional OUs to your org then move any accounts as needed then proceed to delete the OUs, like so:
- Add new OU resources
- Deploy the stack
- Change account parents
- Deploy the stack
- Remove old OU resources
- Deploy the stack
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for renovosolutions.aws-cdk-aws-organization-0.4.57.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 180143ffce8045a174e6d6f47a27922075f31c04a9197796de88440bec109d34 |
|
MD5 | cb9365dc0ade4643b9da2c6bc8591089 |
|
BLAKE2b-256 | 957936dc1a361c76a6d0265cc05588173335446ced9d26949181b5c0ba108f8f |
Hashes for renovosolutions.aws_cdk_aws_organization-0.4.57-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5652e276a1d72a3e925d458c5b5a28a61385fdceb84c3e3d1006f51ab2624c7d |
|
MD5 | 388f2912b982b83def70dd2b081049ec |
|
BLAKE2b-256 | 5dc2fd76a3a90caa63f6d0cf0eaad3188c35cda42c8631f5fb315fb355e3198d |