
aws-samples/terraform-aws-organization-policies

terraform-aws-organization-policies

Deploy SCPs, RCPs, and other AWS Organization policies with Terraform.

Module Inputs

SCP example:

```hcl
module "scps" {
  source      = "aws-samples/organization-policies/aws"
  version     = "3.0.1"
  policy_type = "SERVICE_CONTROL_POLICY"
  ou_map = {
    "r-1xyz"           = ["root", "allow_services"] # root
    "ou-abcd-11223344" = ["sandbox"]                # sandbox ou
    "ou-efgh-22334455" = ["ssm"]                    # workload ou
  }
}
```

RCP example:

```hcl
module "rcps" {
  source      = "aws-samples/organization-policies/aws"
  version     = "3.0.1"
  policy_type = "RESOURCE_CONTROL_POLICY"
  ou_map = {
    "r-1xyz" = ["root"] # root
  }
}
```

policy_type is the type of organization policy. Valid values are AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, RESOURCE_CONTROL_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY. A separate module instance is needed for each policy type.

ou_map is a map from OU (or root) IDs to the list of policies attached to each. Each policy is stored as a JSON file in an adjacent directory, and each list entry is the file name without the .json extension. The directory name defaults to the lower-cased policy type, e.g. ./service_control_policy/.

With the two module blocks above, the working directory would look like this:

```
.
├── resource_control_policy
│   └── root.json
├── service_control_policy
│   ├── allow_services.json
│   ├── root.json
│   ├── sandbox.json
│   └── ssm.json
└── main.tf
```

Optional Inputs

```hcl
module "scps" {
  # ...
  policies_directory = "policies/scps"
}
```

policies_directory changes the name and location of the directory used to store policies. If it is not set, the directory defaults to the name of the policy type, e.g. ./service_control_policy/.
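Because ou_map references policy files by name only, a typo or a forgotten file surfaces as a Terraform error at apply time. The following preflight check, added here as an example and not part of the module, walks an ou_map the way the module does (one <name>.json per list entry under the policies directory) and reports missing files, invalid JSON, documents without Version/Statement, documents over the size limit, more policies per target than AWS allows, and orphaned files nobody attaches. The limits (5,120 characters per SCP/RCP including whitespace, 5 policies directly attached per target) are AWS Organizations quotas as documented at the time of writing; re-verify them for other policy types. The demo builds a constructed sample directory in a temporary folder; the sample SCP documents and the "broken.json" file are made up for the demonstration.

```python
"""Preflight check for a terraform-aws-organization-policies ou_map (example, not module code)."""
import json
import os
import tempfile

# AWS Organizations quotas as documented at the time of writing (assumption: re-verify per policy type).
MAX_POLICY_CHARS = 5120      # SCP/RCP document size limit; whitespace counts
MAX_POLICIES_PER_TARGET = 5  # SCPs (or RCPs) directly attached to one root, OU or account


def check_ou_map(ou_map: dict, policies_directory: str) -> list:
    """Return a list of problem strings; an empty list means ou_map and the directory agree."""
    problems = []
    if not os.path.isdir(policies_directory):
        problems.append(f"policies directory not found: {policies_directory}")

    for target, names in ou_map.items():
        if len(names) > MAX_POLICIES_PER_TARGET:
            problems.append(f"{target}: {len(names)} policies exceeds limit of {MAX_POLICIES_PER_TARGET}")
        if len(set(names)) != len(names):
            problems.append(f"{target}: duplicate policy names")
        for name in names:
            # The module resolves each list entry to <policies_directory>/<name>.json
            path = os.path.join(policies_directory, f"{name}.json")
            if not os.path.isfile(path):
                problems.append(f"{target}: missing policy file {path}")
                continue
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            try:
                doc = json.loads(text)
            except json.JSONDecodeError as exc:
                problems.append(f"{path}: invalid JSON ({exc.msg})")
                continue
            if doc.get("Version") != "2012-10-17" or not doc.get("Statement"):
                problems.append(f"{path}: missing Version/Statement")
            if len(text) > MAX_POLICY_CHARS:
                problems.append(f"{path}: {len(text)} characters exceeds limit of {MAX_POLICY_CHARS}")

    # A policy file that no target references is drift: it is in the repo but never attached.
    referenced = {n for names in ou_map.values() for n in names}
    if os.path.isdir(policies_directory):
        for fname in sorted(os.listdir(policies_directory)):
            if fname.endswith(".json") and fname[:-5] not in referenced:
                problems.append(f"{fname}: not referenced by any target in ou_map")
    return problems


# Constructed sample SCP documents for the demo; not the project's policies.
SAMPLE_SCPS = {
    "root.json": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyLeaveOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
    "allow_services.json": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListedServices", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}]},
    "sandbox.json": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "NotAction": ["iam:*", "sts:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]},
}


def demo() -> list:
    """Build a constructed service_control_policy directory and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        pdir = os.path.join(tmp, "service_control_policy")
        os.makedirs(pdir)
        for fname, doc in SAMPLE_SCPS.items():
            with open(os.path.join(pdir, fname), "w", encoding="utf-8") as fh:
                json.dump(doc, fh, indent=2)
        # A file with a trailing comma, the kind of syntax slip a policy author commits by mistake
        with open(os.path.join(pdir, "broken.json"), "w", encoding="utf-8") as fh:
            fh.write('{"Version": "2012-10-17", "Statement": [],}')
        ou_map = {
            "r-1xyz": ["root", "allow_services"],
            "ou-abcd-11223344": ["sandbox"],
            "ou-efgh-22334455": ["ssm", "broken"],  # ssm.json is deliberately absent
        }
        return check_ou_map(ou_map, pdir)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run this from the directory that holds main.tf, pointing it at the same ou_map and policies_directory you pass to the module, before terraform plan; wiring it into CI catches the missing-file and malformed-JSON cases before they reach AWS Organizations.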

Troubleshooting

Issue: PolicyTypeNotEnabledException
Fix: Enable the policy type within AWS Organizations first.

Related Resources

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
