Awesome
terraform-aws-account-lookup
ℹ️ Use this module in combination with the filter submodule to further narrow down the list of accounts and be able to group them using tags.
What it does
This module allows you to list AWS accounts of an organization in various forms. Once initialized you can retrieve the following data:
- Organization id
- Account id of your organizations management account
- Name of your organizations management account
- Mapping
id
toname
- Mapping
name
toid
- Mapping
id
totags
- Mapping
name
totags
- A list of all accounts with all of their properties present (
id
,arn
,name
,email
,status
,tags
)
How to use
The role with which you are running terraform on this module requires the following permissions:
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization"
Either the role on your default provider allows these actions already or you want to add them to that role. Alternatively you can create a distinct role for this case. We'll have a look at both cases down below.
Using default provider
Call the module using this provider and decide whether to include the management account in the output lists or not (default is true
):
module "lookup" {
source = "be-bold/account-lookup/aws"
version = "#.#.#"
include_management_account = false
}
Done. Now call one of the multiple output options:
output "show" {
value = module.lookup.mapping_id_to_name
}
Custom role
You need a role which allows the following actions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization"
],
"Resource": "*"
}
]
}
Create a provider which references this role:
provider "aws" {
region = "YOUR-REGION-HERE"
alias = "organization_read_role"
assume_role {
role_arn = "arn:aws:iam::############:role/organization-read-role"
}
}
Done. Now call the module using this provider and decide whether to include the management account in the output lists or not (default is true
):
module "lookup" {
source = "be-bold/account-lookup/aws"
version = "#.#.#"
providers = {
aws = aws.organization_read_role
}
include_management_account = false
}
Call one of the multiple output options:
output "show" {
value = module.lookup.mapping_id_to_name
}
Further filtering
Use the filter submodule for even more control on your lists. Have a look at the examples as well.