awsaccountmgr

Multi-Account management in AWS Organizations

!IMPORTANT! - The code has not been tested properly yet in production and no unit/integration testing have been implemented. Use at your own risk.

This repository contains code that manages the process around AWS account creation. It assumes you are working with the AWS Deployment Framework for managing deployments in a multi-account AWS organization.

Current Features

• Create new AWS accounts within existing AWS Organization
• Move accounts to the organizational unit defined in config files
• Optionally remove default VPC resources on accounts
• Create and update account aliasses
• Account tagging
• Optional protection from moving accounts directly between organizational units (Related to AWS Deployment Framework)
• Create and update account alternate contacts

Not supported due to AWS Organization API limitations

• Updating account names
• Updating account email addresses
• Removing accounts
• Handling root account credentials and MFA

Installation & Configuration

Note we are only supporting python3.6 and up, I really like my f-strings..

Install the package using pip

pip3 install awsaccountmgr

Next define configuration files for the accounts you would like to manage. You can have multiple configuration files for logical separation. The script will iterate and validate each file before sequentially creating/updating the defined accounts.

Here is an example file

Accounts:
  # Account with only mandatory parameters
  - AccountFullName: playgroundaccount
    OrganizationalUnitPath: playground/
    Email: playgroundaccount@moorspots.com

  # Delete the default VPC for this account
  - AccountFullName: usdevaccount
    OrganizationalUnitPath: us/dev
    Email: usdevaccount@moorspots.com
    DeleteDefaultVPC: True

  # Account with all available parameters
  - AccountFullName: myrootaccount
    OrganizationalUnitPath: /
    Email: myrootaccount@moorspots.com
    DeleteDefaultVPC: True
    AllowDirectMoveBetweenOU: True
    Alias: IDontWantMyAliasToBeTheSameAsTheAccountFullName
    AllowBilling: False
    AlternateContacts:
      Operations:
        Email: myops@moorspots.com
        Name: myname
        Title: Doctor
        PhoneNumber: +31307161111

      Security:
        Email: mysecurity@moorspots.com
        Name: myname
        Title: Doctor
        PhoneNumber: +31307161111

      Billing:
        Email: mybilling@moorspots.com
        Name: myname
        Title: Doctor
        PhoneNumber: +31307161111

    Tags:
      - CostCenter: 123456789

To create new accounts or move accounts to a different OU you only have to update the relevant account configuration file and re-run the script.

The OU name is the name of the direct parent of the account. If you want to move an account to the root you can provide the AWS organization id (eg "r-abc1"). If you are dealing with nested organizational units you can seperate them with a / (see examples above).

If you provide the 'AlternateContacts' key, all three alternate contact types will be fully updated with the declared configuration. If you for instance only provide an Operations contact entry, it will try to remove the Security and Billing contact information.

Usage

Once the configuration files are defined you can start the script locally with:

awsaccountmgr <root_ou_id> <config folder path>

You will have to have AWS credentials stored (using AWS CLI or environment variables) on your machine. If the assumed role is not resided in the master account the script will try to assume the OrganizationAccountAccessRole role in the master account. This is useful for people using the AWS Deployment Framework to run this script from a pipeline in the deployment account.

To see all available command line options, run awsaccountmgr --help

TODO: Describe how you can setup the AWS Deployment Framework pipeline to run this on updates and scheduled time. Quick summary

• Create cc-buildonly ADF pipeline
• add buildspec.yml similar to example-buildspec.yml
• Update the ADF global.yml files to ensure the deployment account is able to do organizations related stuff in the master account
• TIP: If you add a schedule to the ADF pipeline you can reasonably ensure the accounts are configured as defined in the yaml files.
• TIP2: perhaps this module can be used in combination with a lambda triggered by cloudwatch events related to relevant organizations actions. This will immediately correct any changes someone does to accounts to whats being defined in the configuration files.

Release History

0.0.16 (2021-12-06)

• FIX: Use standalone context for updating master account

0.0.15 (2021-12-06)

• FIX: Avoid raising an error when trying to remove an alternate contact thats non existing

0.0.14 (2021-12-06)

• FIX: The API has a more strict formatting for the phone field. Default to "00000000" when phone field is not provided

0.0.13 (2021-12-06)

• FIX: / is an invalid character for Alternate contact fields. Defaulting to NotApplicable and not@applicable.com

0.0.12 (2021-12-06)

• FIX: all alternate contact fields are mandatory. Defaulting to N/A when not provided

0.0.11 (2021-12-06)

• Added capability to update AWS account alternate contacts
• FIX: configuration example showed Tags as dict items, corrected to list of dicts

0.0.10 (2020-11-10)

• FIX: Retrying subnet and IGW describe calls. Sometimes they are not yet available after a new account creation.

0.0.9 (2019-10-09)

• FIX: AllowDirectMoveBetweenOU parameter now works as intended

0.0.8 (2019-10-09)

• FIX: Using pagination when listing Org Units

0.0.7 (2019-09-23)

• setup.py now includes dependency libraries
• FIX: describe_vpcs call sometimes failed on creating new account

0.0.6 (2019-08-01)

• Configuration files now support '/' to target root

0.0.5 (2019-08-01)

• FIX: Removing VPCs through threads working properly

0.0.4 (2019-07-31)

• Retrieving master_account_id from API
• Deleting VPCs now using threads

0.0.3 (2019-07-30)

• Removing default VPCs in all regions

0.0.2 (2019-07-30)

• config_directory is now a mandatory parameter

0.0.1 (2019-07-30)

Thanks to @deltagarrett for testing!

• Initial version