AWS Organizations L2s #2877
Comments
What exactly would the use cases be? Can you elaborate? Not many things in organizations are in CFN. |
I was thinking of not having to create accounts manually, and since I'm already using CDK I would like to go with CDK instead of going for the API. It's nothing super urgent or whatever; I guess that if there is no CFN support from Organizations then there's little that can be done. |
For creating accounts I think one thing could be a step function (deployed using CDK) that can be used to create accounts. That would be as far as you can get I think. You could then use this as a custom resource. But beware that you cannot simply delete accounts. |
I know many federal government agencies that would use this! |
For automated account creation/bootstrapping the ADF can be used: I'd like to see Organizations support in CDK at least for defining the OU structure & SCPs (Service Control Policies). CloudFormation doesn't support it either, although it is on their roadmap. |
I'm also interested in having support for Service Control Policies and OUs. Currently we have to manage these either via the AWS Console or build one-off custom scripts. SCPs are resources which are applied on the Organization Root account and can be automated via relatively simple scripts (using the AWS CLI, for example). I think this is something that could possibly be done via the AwsCustomResource (Custom Resources for AWS APIs) constructs.

Service Control Policies (SCPs)

For SCPs, I suppose there would be two "types" of SCP constructs: one to CRUD the SCPs themselves, and another to handle attachment (e.g. CreateAttachment and DeleteAttachment; Update could be a no-op).

Organizational Units (OUs)

For OUs, this maps 1:1 to the I haven't used the |
@rrrix OU structure can be up to 5 levels down and SCPs can be applied to any OU or account. For more complex scenarios you need to build some logic. I'd expect CDK to simply support it similar way as Terraform does: https://www.terraform.io/docs/providers/aws/r/organizations_organizational_unit.html |
+1 We are building an ops portal and have some very nice web application templates that rely on CDK for infrastructure and Serverless to manage the application. Pretty cool stuff that lays down event sourcing microservice stacks within an account, for example. So in the master billing account we would like to basically have a pane of glass to select a domain to sub from, some meta params, and say "ok, give me 5 developer accounts, QA, staging and prod accounts pointing to this repo". Laying down the accounts is the only manual step in our processes; for now we can use ADF, but it would be good to have this natively in CDK. |
I'm considering using just plain |
My team is planning on developing this (waiting for CFN to support it :) ) and we are considering 2 approaches:
Option 2 is cleaner from my point of view, but it implies many custom resources being created, which might slow down deployment (spin up a Lambda for each API call, etc.) and make it harder than option 1 to create the necessary resources (the YAML structure of aws-orgs is quite handy)... Any opinion? Is the CDK team interested in having a PR for one of those options? |
What do you think about option 3 and creating a CloudFormation resource provider that does this and then using CDK to generate these new CFN resources? |
I may be wrong but it seems that a CloudFormation resource provider is local to an AWS account. You have to deploy it before you can use it in CDK. Am I right? |
That is correct and would be a downside of this approach |
Terraform supports this: Boto3 supports it as well, but relying on boto3 to create resources and mixing it with CDK is not a good practice. |
@flochaz did you end up creating a custom CDK approach ? |
@0xjjoyy we ended up creating pure CDK custom resources to create OUs and Accounts. We leveraged CDK's AwsCustomResource and the custom resource Provider a lot: There is still a lot to develop to have all the features of tools like aws-orgs or org-formation... |
@flochaz Got it, thanks. Does your CDK solution handle service control policies? I was trying to look in your repo though couldn't find. Want to avoid duplicating efforts for a custom CDK resource :) |
Not yet :(
|
@coreycoto thank you! The project wraps the [AWS Organizations API](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html) just by [CDK Custom Resources](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html). The GitHub Actions are the defaults from [projen](https://github.com/projen/projen), which is just CDK for projects, from the AWS devs. Currently, [cdk-organizations](https://github.com/pepperize/cdk-organizations) lacks better testing. I still need to figure out how to write proper tests for all the Custom Resources... Also we will need some import logic in a CDK-ish style like ECR [Repository.fromRepositoryAttributes](https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-ecr/lib/repository.ts#L379). The only question for doing so is which AWS Organizations APIs are idempotent. Then it can be implemented fast and lazily. One point I didn't get after reading all the docs: why is there a [listRoots](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listRoots-property) endpoint when one account can only belong to one organization at a time? ([API_CreateOrganization_Errors](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html#API_CreateOrganization_Errors)) |
The docs mention that it's only available in us-east-1. What is driving this limitation? Has AWS provided any guidance on when the missing features will be available in other regions?
|
Actually, this is not true. The organization API is in us-east-1 only but you can provision organizations and accounts in other regions. |
Thanks for the clarification! This is nice. So the main logic just needs to run in us-east-1 - that's great!
|
Just want to reiterate that the best way for CDK to directly support Organizations is if CloudFormation supports it first. See the coverage roadmap and share your feedback there 🙂 |
Not really. CDK Constructs/CustomResources help us get around Cfn limitations yeah? |
The ability to generate SCPs with a CDK-like syntax would be very welcome, even without the ability to deploy them using CDK-like tooling or through CFN. I know that things like Cloud Development Kit for Terraform (CDKTF) exist. Does anyone who might respond know of a generation language for SCPs that exists now? https://github.com/pepperize/cdk-organizations#policy <-- maybe this is what I'm looking for, but I would just like to get the SCP as JSON and carry it over to an existing CfCT for deployment. I'd rather have CDK-similar generation, but would use anything better than mustache templates ;-) |
Given the limited number of allowed SCPs per OU/Account they do need to be able to be easily combined together / automatically generated to stay within the limit. |
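As an added example (not code from this thread, from aws-cdk-lib or from pepperize/cdk-organizations), here is what a small CDK-style SCP generator of the kind asked for in the two comments above could look like: it emits compact SCP JSON and packs statements into as few documents as the per-target attachment quota allows. The two quota constants, the statement Sids, the region list and the break-glass role ARN are all assumptions made for the example.

```typescript
// Added example, not part of aws-cdk-lib or cdk-organizations.
// Quota values are assumptions taken from the Organizations quota page at the
// time of writing; treat them as parameters to verify, not as facts.
export const MAX_SCP_BYTES = 5120;     // assumed max size of one SCP document
export const MAX_SCPS_PER_TARGET = 5;  // assumed max policies of one type per root/OU/account

export interface ScpStatement {
  Sid: string;
  Effect: "Deny" | "Allow";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
export interface ScpDocument { Version: "2012-10-17"; Statement: ScpStatement[] }

export function scpDocument(statements: ScpStatement[]): ScpDocument {
  return { Version: "2012-10-17", Statement: statements };
}

// Compact JSON: Organizations counts the stored bytes, so never pretty-print.
export function scpJson(doc: ScpDocument): string {
  return JSON.stringify(doc);
}

// UTF-8 byte length without Node's Buffer, so the block runs under any TS runtime.
export function utf8Length(s: string): number {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) n += 1;
    else if (c < 0x800) n += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { n += 4; i++; } // surrogate pair
    else n += 3;
  }
  return n;
}
export function scpSize(doc: ScpDocument): number { return utf8Length(scpJson(doc)); }

// Guardrail statements (illustrative Sids).
export const denyLeaveOrganization: ScpStatement = {
  Sid: "DenyLeaveOrganization", Effect: "Deny",
  Action: "organizations:LeaveOrganization", Resource: "*",
};
export const denyCloudTrailTampering: ScpStatement = {
  Sid: "DenyCloudTrailTampering", Effect: "Deny",
  Action: ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
  Resource: "*",
};
export const denyRootUser: ScpStatement = {
  Sid: "DenyRootUser", Effect: "Deny", Action: "*", Resource: "*",
  Condition: { StringLike: { "aws:PrincipalArn": "arn:aws:iam::*:root" } },
};
// Region fence with a break-glass exemption. A production policy would also
// carve out global services (IAM, STS, Organizations, ...) via NotAction.
export function denyOutsideRegions(regions: string[], exemptRoleArns: string[]): ScpStatement {
  return {
    Sid: "DenyOutsideAllowedRegions", Effect: "Deny", Action: "*", Resource: "*",
    Condition: {
      StringNotEquals: { "aws:RequestedRegion": regions },
      ArnNotLike: { "aws:PrincipalArn": exemptRoleArns },
    },
  };
}

// First-fit packing: fill one document until the next statement would push it
// over maxBytes, then start another. A statement that cannot fit alone is an error.
export function packStatements(statements: ScpStatement[], maxBytes: number = MAX_SCP_BYTES): ScpDocument[] {
  const docs: ScpDocument[] = [];
  let current: ScpStatement[] = [];
  for (let i = 0; i < statements.length; i++) {
    const st = statements[i];
    if (scpSize(scpDocument([st])) > maxBytes) {
      throw new Error("statement " + st.Sid + " alone exceeds " + maxBytes + " bytes");
    }
    if (current.length > 0 && scpSize(scpDocument(current.concat([st]))) > maxBytes) {
      docs.push(scpDocument(current));
      current = [];
    }
    current.push(st);
  }
  if (current.length > 0) docs.push(scpDocument(current));
  return docs;
}

// True if the packed documents can still be attached next to what is already there.
export function fitsAttachmentQuota(docs: ScpDocument[], alreadyAttached: number, max: number = MAX_SCPS_PER_TARGET): boolean {
  return docs.length + alreadyAttached <= max;
}

// Constructed sample baseline; region list and role ARN are placeholders.
export const baselineStatements: ScpStatement[] = [
  denyLeaveOrganization, denyCloudTrailTampering, denyRootUser,
  denyOutsideRegions(["eu-west-1", "eu-central-1"], ["arn:aws:iam::*:role/BreakGlass"]),
];
```

`packStatements` is first-fit, so keep statements that must land in the same document adjacent in the input; the resulting JSON can be handed unchanged to CfCT or to an `AwsCustomResource` calling `CreatePolicy`, and `fitsAttachmentQuota` is the check to run before `AttachPolicy` on a target that already carries policies.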
Native CFN support for 🚀 |
OrganizationalUnit is not in CDK v2.51.1, only Account and Policy. It should come soon (Line 61 in e5a77e8) |
@jeromevdl I bet it gets generated into the CDK with the upcoming CFN spec update? Did a small proof of concept changing a higher level construct using the The Currently we still need something like Is it possible to import an existing org using https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-existing-stack.html with the CDK? |
> basic higher level constructs

**features:**
- adds higher level constructs `Account`, `OrganizationalUnit`, `Policy` building up the org tree
- adds utility construct `OrganizationRoot` to retrieve the root for the first organizational units (singleton `AwsCustomResource`)

**todo:**
- [ ] decide how to sequentially chain the organization tree
- [ ] add doc blocks, usage example and howtos
- [ ] improve tests (unit coverage and integ tests)

> sequentially chain resources

is an important feature. The AWS Organizations API can create accounts only sequentially. Also adding policies, delegating administration and enabling trusted services need to be sequentially chained. Here is a solution that uses the construct tree walking `Aspect`: [https://github.com/pepperize/cdk-organizations/blob/main/src/dependency-chain.ts](https://github.com/pepperize/cdk-organizations/blob/main/src/dependency-chain.ts). Another option could be to chain the dependencies in the `Account` and `OrganizationalUnit`.

**inversion of parentship:**
It could be useful to inverse the parent child relation, for example

```typescript
organizationalUnit.addAccount(account);
```

instead of

```typescript
new Account(scope, id, {
  parent: ou,
});
```

also it could be useful to inverse the policy attachment

```typescript
export class Account {
  public attachPolicy(policy: IPolicy): void {
    policy.addAccount(this);
  }
}
```

_Delegation of the attachment could also be useful if explicit dependency chaining is used._

**next (later on):**
- add `ScpPolicy`, `BackupPolicy`, `TagPolicy`, `AiPolicy` as flavors of `PolicyBase`
- add `Organization` construct to enable AWS Organizations
- add enabling `PolicyType`, `DelegatedAdministrator`, `TrustedService`

Fixes: aws#2877
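The PR description above lists the ordering constraints an Organizations deployment has to respect (parent before child, CreateAccount calls one after another, policy attachment only once both policy and target exist). As an added example that is not code from the PR, from pepperize/cdk-organizations or from aws-cdk-lib, the planner below turns an in-memory org tree plus a list of attachments into an ordered call list carrying exactly those dependencies, which is the same information the `Aspect`-based dependency chain has to compute over the construct tree. The node names, e-mail addresses, policy names and the `PlannedCall` shape are assumptions made for the example.

```typescript
// Added example, not part of cdk-organizations or aws-cdk-lib.
export type OrgNode =
  | { kind: "ou"; name: string; children: OrgNode[] }
  | { kind: "account"; name: string; email: string };

export interface Attachment { policy: string; target: string }

export interface PlannedCall {
  id: string;               // handle other calls reference in dependsOn
  api: "CreateOrganizationalUnit" | "CreateAccount" | "CreatePolicy" | "AttachPolicy";
  target: string;
  dependsOn: string[];
}

// Depth-first walk: an OU or account depends on its parent; every CreateAccount
// additionally depends on the previous CreateAccount so they never overlap.
export function planCalls(tree: OrgNode[], attachments: Attachment[]): PlannedCall[] {
  const calls: PlannedCall[] = [];
  const idOf: Record<string, string> = {};   // OU/account name -> call id
  let lastAccount: string | undefined;

  const walk = (nodes: OrgNode[], parentId?: string): void => {
    for (let i = 0; i < nodes.length; i++) {
      const node = nodes[i];
      const deps: string[] = parentId ? [parentId] : [];
      if (node.kind === "ou") {
        const id = "ou:" + node.name;
        calls.push({ id: id, api: "CreateOrganizationalUnit", target: node.name, dependsOn: deps });
        idOf[node.name] = id;
        walk(node.children, id);
      } else {
        const id = "account:" + node.name;
        if (lastAccount) deps.push(lastAccount);
        calls.push({ id: id, api: "CreateAccount", target: node.name, dependsOn: deps });
        idOf[node.name] = id;
        lastAccount = id;
      }
    }
  };
  walk(tree);

  // One CreatePolicy per distinct policy, then an AttachPolicy per target that
  // waits for both the policy and the target to exist.
  const policyIds: Record<string, string> = {};
  for (let i = 0; i < attachments.length; i++) {
    const a = attachments[i];
    let pid = policyIds[a.policy];
    if (!pid) {
      pid = "policy:" + a.policy;
      policyIds[a.policy] = pid;
      calls.push({ id: pid, api: "CreatePolicy", target: a.policy, dependsOn: [] });
    }
    const tid = idOf[a.target];
    if (!tid) throw new Error("unknown attachment target " + a.target);
    calls.push({ id: "attach:" + a.policy + "->" + a.target, api: "AttachPolicy", target: a.target, dependsOn: [pid, tid] });
  }
  return calls;
}

// Ordering invariant: every dependency of a call appears earlier in the list.
export function isValidOrder(calls: PlannedCall[]): boolean {
  const seen: Record<string, boolean> = {};
  for (let i = 0; i < calls.length; i++) {
    for (let j = 0; j < calls[i].dependsOn.length; j++) {
      if (!seen[calls[i].dependsOn[j]]) return false;
    }
    seen[calls[i].id] = true;
  }
  return true;
}

// Constructed sample tree and attachments (names and e-mails are placeholders).
export const sampleTree: OrgNode[] = [
  { kind: "ou", name: "Security", children: [
    { kind: "account", name: "log-archive", email: "log-archive@example.com" },
    { kind: "account", name: "audit", email: "audit@example.com" },
  ] },
  { kind: "ou", name: "Workloads", children: [
    { kind: "ou", name: "Dev", children: [
      { kind: "account", name: "dev-1", email: "dev-1@example.com" },
      { kind: "account", name: "dev-2", email: "dev-2@example.com" },
    ] },
  ] },
];
export const sampleAttachments: Attachment[] = [
  { policy: "DenyLeaveOrganization", target: "Security" },
  { policy: "DenyLeaveOrganization", target: "Workloads" },
  { policy: "RegionFence", target: "Dev" },
];
```

In a CDK implementation each `PlannedCall` maps to one custom resource and each `dependsOn` entry to a `node.addDependency` call; `isValidOrder` is the assertion to keep in a unit test so that a refactor of the tree walk cannot silently reintroduce parallel `CreateAccount` calls.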
I'm still unable to import 'aws_organizations' using the latest version of cdk v2.51.1. Do I have to do something else specific ? |
@raajheshkannaa Here pepperize/cdk-organizations#753 and here #23001 are some drafts with the new organizations in the cdk 😉 |
@raajheshkannaa The L1 resources should be there (there are no L2s yet); this works for me on the latest version. |
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
Looks like after 4 years this might be a priority now :) Great! Does the CDK team have sufficient information to generate requirements for this feature? Some of the things we wanted were: |
I'd like to have AWS Organizations in CDK in order to automate the creation of the accounts, permissions etc!
https://aws.amazon.com/organizations/