Aws-cdk: AWS Organizations

Created on 14 Jun 2019 · 19 Comments · Source: aws/aws-cdk

I'd like to have AWS Organizations in CDK in order to automate the creation of the accounts, permissions etc!

https://aws.amazon.com/organizations/

Labels: @aws-cdk/aws-iam, effort/large, feature-request, needs-cfn

All 19 comments

What exactly would the use cases be? Can you elaborate? Not many things in organizations are in CFN.

I was thinking of not having to create accounts manually, and since I'm already using CDK I would like to go with CDK instead of going for the API.

It's nothing super urgent or whatever. I guess that if there is no CFN support for Organizations then there's little that can be done.

For creating accounts I think one thing could be a step function (deployed using CDK) that can be used to create accounts. That would be as far as you can get I think. You could then use this as a custom resource. But beware that you cannot simply delete accounts.

I'd like to have AWS Organizations in CDK in order to automate the creation of the accounts, permissions etc!

https://aws.amazon.com/organizations/

I know many federal government agencies that would use this!

Step Functions are what I was thinking too (understood, and ignoring deleting org accounts).
However, Step Functions are not FedRAMP yet....

For automated account creation/bootstrapping the ADF can be used:
https://github.com/awslabs/aws-deployment-framework

I'd like to see Organizations support in CDK at least for defining OU structure & SCPs (Service Control Policies). CloudFormation doesn't support it either, although it is on their roadmap.

I'm also interested in having support for Service Control Policies and OUs. Currently we have to manage these either via the AWS Console or build one-off custom scripts.

SCPs are resources which are applied on the Organization Root account and can be automated via relatively simple scripts (using the AWS CLI for example).

I _think_ this is something that could possibly be done via the AwsCustomResource (Custom Resources for AWS APIs) Constructs.

Service Control Policies (SCPs)

For SCPs, I suppose there would be two "types" of SCP constructs - one to CRUD the SCPs themselves, and another to handle Attachment (e.g. _CreateAttachment_ and _DeleteAttachment_, Update could be a no-op).

Organizational Units (OUs)

For OUs, this maps 1:1 to the AwsCustomResource construct CRUD interface.

I haven't used the AwsCustomResource construct before... I'll play around to see if I can get something basic working.

@rrrix OU structure can be up to 5 levels deep and SCPs can be applied to any OU or account. For more complex scenarios you need to build some logic. I'd expect CDK to simply support it in a similar way as Terraform does:

https://www.terraform.io/docs/providers/aws/r/organizations_organizational_unit.html
https://www.terraform.io/docs/providers/aws/r/organizations_policy.html
https://www.terraform.io/docs/providers/aws/r/organizations_policy_attachment.html

+1

We are building an ops portal and have some very nice web application templates that rely on CDK for infrastructure and Serverless to manage the application. Pretty cool stuff that lays down event sourcing microservice stacks within an account for example.

So in the master billing account we would like to basically have a pane of glass to select a domain to sub from, some meta params and say "ok, give me 5 developer accounts, QA, staging and prod accounts pointing to this repo". Laying down the accounts is the only manual step in our processes; for now we can use ADF, but it would be good to have natively in CDK.

I'm considering using just plain boto3 (the python aws sdk) here since AWS accounts are weird. They're not really resources in the same way other things are, as Thorsten points out above. I'm wondering if it makes more sense to make these two tools interact via a shared config file. Also curious to hear how AWS is thinking about this. (I guess maybe you'd have to support deleting accounts first!)

My team is planning on developing this (waiting for CFN to support it :) ) and we are considering 2 approaches:

  1. wrap aws-orgs tool in a custom resource and therefore leverage the yaml schema to control the construct
  2. leverage AWSSDKCall + https://docs.aws.amazon.com/organizations/latest/APIReference/API_Operations.html to create a kind of L1 (API based not CFN) construct

Option 2 is cleaner from my point of view but implies many custom resources being created, which might slow down deployment (spin up a lambda for each API call etc.) and make it harder than option 1 to create the necessary resources (the yaml structure of aws-orgs is quite handy) ...

Any opinions? Is the CDK team interested in having a PR for one of those options?
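The two-construct SCP design sketched above (one resource for the policy's CRUD lifecycle, one for the attachment) and the "option 2" idea of an AwsSdkCall-based L1 construct, as an added example that is not code from this thread or from the CDK project. The Organizations API actions and parameter names are real; the helper names, the `SdkCall` shape (mirroring AwsCustomResource's `AwsSdkCall` props) and the sample SCP document are ours.

```typescript
// Plain objects shaped like AwsCustomResource's AwsSdkCall props, so each
// result can be dropped into `new AwsCustomResource(this, id, { onCreate, onUpdate, onDelete, policy })`.
interface SdkCall {
  service: "Organizations";
  action: string;
  parameters: Record<string, string>;
  physicalResourceId?: { responsePath?: string; id?: string };
}

interface ScpDocument {
  Version: "2012-10-17";
  Statement: { Effect: "Deny" | "Allow"; Action: string[]; Resource: string }[];
}

// Constructed sample SCP: stops member accounts from leaving the organization.
export const denyLeaveOrg: ScpDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Action: ["organizations:LeaveOrganization"], Resource: "*" }],
};

// Organizations rejects SCP documents over 5120 bytes; fail at synth, not mid-deploy.
export const SCP_MAX_BYTES = 5120;
export function serializeScp(doc: ScpDocument): string {
  const json = JSON.stringify(doc);
  const bytes = Buffer.byteLength(json, "utf8");
  if (bytes > SCP_MAX_BYTES) throw new Error(`SCP is ${bytes} bytes; limit is ${SCP_MAX_BYTES}`);
  return json;
}

// Construct 1: the SCP itself. CreatePolicy's returned id becomes the physical id;
// in real CDK code PolicyId on update/delete is `new PhysicalResourceIdReference()`,
// shown here as a labelled placeholder string.
export function scpCalls(name: string, description: string, doc: ScpDocument) {
  const svc = "Organizations" as const, Content = serializeScp(doc), ref = "<PhysicalResourceIdReference>";
  return {
    onCreate: { service: svc, action: "createPolicy", physicalResourceId: { responsePath: "Policy.PolicySummary.Id" },
      parameters: { Name: name, Description: description, Type: "SERVICE_CONTROL_POLICY", Content } } as SdkCall,
    onUpdate: { service: svc, action: "updatePolicy", physicalResourceId: { id: ref },
      parameters: { PolicyId: ref, Name: name, Description: description, Content } } as SdkCall,
    onDelete: { service: svc, action: "deletePolicy", parameters: { PolicyId: ref } } as SdkCall,
  };
}

// Construct 2: the attachment. Keying the physical id on policy+target turns a changed
// pair into a replacement, so CloudFormation detaches the old pair (Delete carries the old
// properties) instead of leaving a stale SCP on the wrong OU, which a no-op update would.
export function attachmentCalls(policyId: string, targetId: string) {
  const svc = "Organizations" as const, parameters = { PolicyId: policyId, TargetId: targetId };
  const attach: SdkCall = { service: svc, action: "attachPolicy", parameters, physicalResourceId: { id: `${policyId}@${targetId}` } };
  return { onCreate: attach, onUpdate: attach, onDelete: { service: svc, action: "detachPolicy", parameters } as SdkCall };
}
```

DeletePolicy fails while any attachment remains, so the attachment resource must depend on the policy resource; CloudFormation then deletes it first.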

What do you think about option 3 and creating a CloudFormation resource provider that does this and then using CDK to generate these new CFN resources?

I may be wrong but it seems that a CloudFormation resource provider is local to an AWS account. You have to deploy it before you can use it in CDK. Am I right?

That is correct, and it would be a downside of this approach.

Terraform supports this:
https://registry.terraform.io/modules/barundel/organizations/aws/1.1.1?tab=inputs

Boto3 supports it as well, but relying on boto3 to create resources and mixing it with CDK is not a good practice.
It would be much cleaner for CDK (CF) to catch up with Terraform and support creation of OUs, nested OUs, AWS accounts, SCPs and Tagging policies natively.

@flochaz did you end up creating a custom CDK approach?

@0xjjoyy we ended up creating pure CDK custom resources to create OUs and Accounts. We leveraged CDK's AwsCustomResource and the CustomResource Provider a lot:

There is still a lot to develop to have all the features of tools like aws-orgs or org-formation ...

@flochaz Got it, thanks. Does your CDK solution handle service control policies? I was trying to look in your repo, though I couldn't find it. Want to avoid duplicating efforts for a custom CDK resource :)

Not yet :(

--
Florian Chazal
