How To Create An Organizational Unit Using AWS CLI
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to create an organization and add member accounts to it in AWS.
https://cloudaffaire.com/how-to-create-an-organization-in-aws/
In today’s blog post, we will discuss how to create an Organizational Unit using AWS CLI. An Organizational unit is a container for accounts within a root. An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.
Next, we are going to create two Organizational Units named “Foundation” and “Regulatory” and move the member accounts from the Root OU to their respective OUs, as shown in the above diagram.
How To Create An Organizational Unit Using AWS CLI:
Prerequisites:
- Three active AWS accounts with admin access.
- An AWS organization created with two member accounts added.
- AWS CLI installed and configured with admin access to each account.
I have already configured three AWS CLI profiles, one for each account, as below:
```bash
## AWS CLI configuration
cat .aws/credentials
[management]
aws_access_key_id =
aws_secret_access_key =
[member1]
aws_access_key_id =
aws_secret_access_key =
[member2]
aws_access_key_id =
aws_secret_access_key =

cat .aws/config
[management]
region = ap-south-1
output = json
[member1]
region = ap-south-1
output = json
[member2]
region = ap-south-1
output = json

## Verify each profile resolves to the expected account
aws sts get-caller-identity --profile management
aws sts get-caller-identity --profile member1
aws sts get-caller-identity --profile member2
```
You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Check the details of your AWS Organization using AWS CLI
```bash
## Get details on your organization
aws organizations describe-organization \
--profile management

## Get the details of all accounts in your organization
aws organizations list-accounts \
--profile management

## Get your Root OU ID (jq filter quoted so the shell does not glob-expand the brackets)
ROOT_OU_ID=$(aws organizations list-roots \
--profile management | jq -r '.Roots[0].Id') && echo "$ROOT_OU_ID"
```
Step 2: Create a new OU named “Foundation” under Root OU using AWS CLI
```bash
## Create a new OU "Foundation" under Root OU
aws organizations create-organizational-unit \
--parent-id "$ROOT_OU_ID" \
--name Foundation \
--profile management

## Check Root OU details (list the child OUs directly under Root)
aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id "$ROOT_OU_ID" \
--profile management
```
Step 3: Next, move the member1 account from Root OU to Foundation OU
```bash
## Move member1 account under "Foundation" OU from Root OU
## (Foundation is the only child OU of Root at this point, hence .Children[0])
FOUNDATION_OU_ID=$(aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id "$ROOT_OU_ID" \
--profile management | jq -r '.Children[0].Id') &&
MEMBER1_ACC_ID=$(aws sts get-caller-identity \
--profile member1 | jq -r '.Account') &&
aws organizations move-account \
--account-id "$MEMBER1_ACC_ID" \
--source-parent-id "$ROOT_OU_ID" \
--destination-parent-id "$FOUNDATION_OU_ID" \
--profile management
```
Step 4: Create a new OU named “Regulatory” under “Foundation” OU.
```bash
## Create the OU "Regulatory" under OU "Foundation" and capture its ID from the response
REGULATORY_OU_ID=$(aws organizations create-organizational-unit \
--parent-id "$FOUNDATION_OU_ID" \
--name Regulatory \
--profile management | jq -r '.OrganizationalUnit.Id')
```
Step 5: Move member2 account from Root OU to Regulatory OU.
```bash
## Move member2 account under "Regulatory" organizational unit
MEMBER2_ACC_ID=$(aws sts get-caller-identity \
--profile member2 | jq -r '.Account') &&
aws organizations move-account \
--account-id "$MEMBER2_ACC_ID" \
--source-parent-id "$ROOT_OU_ID" \
--destination-parent-id "$REGULATORY_OU_ID" \
--profile management
```
Step 6: Confirm the OU structure
```bash
## Check the organizational unit details

## Root OU (note: Foundation OU is under Root OU)
aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id "$ROOT_OU_ID" \
--profile management &&
aws organizations list-children \
--child-type ACCOUNT \
--parent-id "$ROOT_OU_ID" \
--profile management

## Foundation OU (note: Regulatory OU is under Foundation OU)
aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id "$FOUNDATION_OU_ID" \
--profile management &&
aws organizations list-children \
--child-type ACCOUNT \
--parent-id "$FOUNDATION_OU_ID" \
--profile management

## Regulatory OU (note: no child OU under Regulatory OU)
aws organizations list-children \
--child-type ORGANIZATIONAL_UNIT \
--parent-id "$REGULATORY_OU_ID" \
--profile management &&
aws organizations list-children \
--child-type ACCOUNT \
--parent-id "$REGULATORY_OU_ID" \
--profile management
```
If you log in to the management account and check the organization again, you should see the structure below: the Foundation OU sits under the Root OU and contains the member1 account plus the child OU Regulatory; the Regulatory OU contains the member2 account and no further child OU.
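Step 6 checks the hierarchy one `list-children` call at a time. The following is an added example (not code from the original post) that automates the same check: it walks the tree recursively from Root and then derives, for any account, the chain of OUs whose attached policies flow down to it, which is what matters when SCPs come into play. The IDs (`r-root`, `ou-foundation`, `ou-regulatory`, the 12-digit account numbers) and the `list_children` responder are constructed placeholders shaped like the CLI's `list-children` output; against a real organization you would replace the responder with `boto3.client("organizations").list_children(...)` and follow `NextToken` pagination.

```python
# Constructed sample responses, keyed by (parent id, child type), in the shape
# `aws organizations list-children` returns. IDs are placeholders, not real ones.
FAKE_CHILDREN = {
    ("r-root", "ORGANIZATIONAL_UNIT"): [{"Id": "ou-foundation", "Type": "ORGANIZATIONAL_UNIT"}],
    ("r-root", "ACCOUNT"): [],
    ("ou-foundation", "ORGANIZATIONAL_UNIT"): [{"Id": "ou-regulatory", "Type": "ORGANIZATIONAL_UNIT"}],
    ("ou-foundation", "ACCOUNT"): [{"Id": "111111111111", "Type": "ACCOUNT"}],
    ("ou-regulatory", "ORGANIZATIONAL_UNIT"): [],
    ("ou-regulatory", "ACCOUNT"): [{"Id": "222222222222", "Type": "ACCOUNT"}],
}


def list_children(parent_id, child_type):
    """Stand-in for `aws organizations list-children`. A real implementation
    (e.g. boto3's list_children) returns pages and must follow NextToken."""
    return {"Children": FAKE_CHILDREN.get((parent_id, child_type), [])}


def walk(parent_id, list_fn=list_children):
    """Recursively build {"accounts": [...], "ous": {ou_id: subtree}} below parent_id."""
    ous = {c["Id"]: walk(c["Id"], list_fn)
           for c in list_fn(parent_id, "ORGANIZATIONAL_UNIT")["Children"]}
    accounts = [c["Id"] for c in list_fn(parent_id, "ACCOUNT")["Children"]]
    return {"accounts": accounts, "ous": ous}


def policy_path(tree, account_id, root_id="r-root"):
    """Return the chain of node ids (root first) whose attached policies apply
    to account_id, or None if the account is not in the tree. Every node on
    this path inherits its policies down to the account."""
    def search(node, node_id, path):
        if account_id in node["accounts"]:
            return path + [node_id]
        for child_id, child in node["ous"].items():
            found = search(child, child_id, path + [node_id])
            if found:
                return found
        return None
    return search(tree, root_id, [])


if __name__ == "__main__":
    tree = walk("r-root")
    for acct in ("111111111111", "222222222222"):
        print(acct, "->", " / ".join(policy_path(tree, acct)))
```

Run against the constructed data it reports member2 under Root / Foundation / Regulatory, matching the structure Step 6 lists by hand.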
If you are wondering why the hell we have created the OU hierarchy in this fashion, wait for the upcoming blog post 😊 The purpose of creating such a hierarchy is to explain SCPs, which will be covered in an upcoming blog post.
Hope you have enjoyed this article. To know more about AWS Organizations, please refer to the official documentation below:
https://docs.aws.amazon.com/organizations/index.html