I used an IaC tool (org-formation) to create an AWS Organization, Organizational Units (OUs), and the respective Accounts in those OUs.
Org-Formation is a neat tool that lets you manage your account Organization as code rather than in the Management Console with a native service like Control Tower. The benefits of using it, like any other IaC tool, include ease of scalability (I can quickly add multiple OUs and/or accounts from the CLI), security, and improved efficiency, among others.
Check out the official Org-formation documentation.
- I installed the org-formation tool using `npm i aws-organization-formation -g`. Of course, this is assuming `npm` is already installed on your device. If not, you'll have to install it.
- I initialized org-formation using the command `org-formation init organization.yml --region us-east-1`.

  If you get an error initializing org-formation, it is likely related to your credentials, i.e. the credentials in your `~/.aws/credentials` file have expired. To fix this, create a new admin user in the AWS Console and add that user to the Administrator group, then reconfigure on your CLI with `aws configure` using the new user's Access Key ID and Secret Access Key.
- After making changes to your `organization.yml` file, use `org-formation update organization.yml` to update your Organization. After an update, you should get an updated message in your terminal similar to this:
Upon completion, in the AWS Console, the AWS Organization Structure is created as shown:
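For reference, the following `organization.yml` is an added example of the kind of template that `org-formation init` generates and `org-formation update` applies; it is not the author's file and not code from the org-formation project. The resource names, OU names, account names, root e-mail addresses and the 12-digit account ID are placeholders, and it goes slightly beyond the post by attaching one service control policy to the organization root.

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: Example organization.yml (added illustration; all names and IDs are placeholders)

Organization:
  # The management (master) account is the one whose credentials run org-formation.
  ManagementAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: management
      AccountId: '111111111111'   # placeholder account ID

  # The organization root; the SCP referenced here applies to every account below it.
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      DefaultOrganizationAccessRoleName: OrganizationAccountAccessRole
      ServiceControlPolicies:
        - !Ref DenyRootUserSCP

  # OUs: each one lists the accounts it contains.
  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: security
      Accounts:
        - !Ref LogArchiveAccount

  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: workloads
      Accounts:
        - !Ref DevAccount
        - !Ref ProdAccount

  # Member accounts: org-formation creates any account that does not exist yet.
  # Each RootEmail must be unique across all of AWS (placeholders below).
  LogArchiveAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: log-archive
      RootEmail: aws-log-archive@example.com

  DevAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: dev
      RootEmail: aws-dev@example.com

  ProdAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: prod
      RootEmail: aws-prod@example.com

  # Service control policy that denies any action performed with a member
  # account's root user, so day-to-day access has to go through IAM/SSO roles.
  DenyRootUserSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyRootUser
      Description: Deny all actions taken with root user credentials in member accounts
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyRootUser
            Effect: Deny
            Action: '*'
            Resource: '*'
            Condition:
              StringLike:
                aws:PrincipalArn: 'arn:aws:iam::*:root'
```

Editing this file and running `org-formation update organization.yml` with management-account credentials creates the missing accounts, moves each account into the OU that lists it, and attaches the policy; the file is the source of truth for the structure, so keep it in version control. Because the commands above fail first on expired credentials, a quick way to confirm the credentials in `~/.aws/credentials` still work before running them is `aws sts get-caller-identity`.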
Wojciech Matuszewski has a very good article detailing how to set up SSO. If you do choose to use org-formation like I did, then Steps 1 - 8 are already out of the way.
Upon completion of my SSO setup, this is what the start URL page looked like:
Clicking on the Management Console takes you to a page like this: