it-ae-tfmod-aws-account
Audience: Platform Engineers and Infrastructure Developers.
Purpose: Create AWS-specific resources for new accounts.
Overview
This Terraform module creates AWS-specific resources and is called by it-cloud-account-hub. It is not intended as a standalone module.
Resources Created
AWS Organizations Account
Creates the AWS account in the appropriate OU based on data classification:
resource "aws_organizations_account" "account" {
  name      = var.account_name
  email     = var.account_email
  parent_id = var.ou_id != null ? var.ou_id : lookup(
    var.data_classification_ou_map,
    var.data_classification,
    var.default_ou_id
  )
}
OU Placement Logic
| Data Classification | OU Placement |
|---|---|
| public | Public Data OU |
| confidential | Confidential Data OU |
| controlled | Controlled Data OU |
| Custom `ou_id` | Specified OU (override) |
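Note that `lookup()` in the resource above returns `var.default_ou_id` whenever `data_classification` is not a key of the map, so a mistyped classification silently places the account in the default OU rather than failing the plan. The following is an added example, not code from the module, of how the two variables the lookup depends on could be declared with a validation block that rejects unknown classifications at plan time; the OU IDs are placeholders:

```hcl
variable "data_classification" {
  type        = string
  description = "Data classification level: public, confidential or controlled"

  # Fail at plan time instead of falling through to default_ou_id.
  validation {
    condition     = contains(["public", "confidential", "controlled"], var.data_classification)
    error_message = "data_classification must be one of: public, confidential, controlled."
  }
}

variable "data_classification_ou_map" {
  type        = map(string)
  description = "Maps each data classification to the OU the account is created in"

  # Placeholder OU IDs (constructed for this example); use the organisation's real IDs.
  default = {
    public       = "ou-xxxx-public00"
    confidential = "ou-xxxx-confid00"
    controlled   = "ou-xxxx-control0"
  }
}

variable "default_ou_id" {
  type        = string
  description = "Fallback OU used by lookup() when the classification has no map entry"
}
```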
AWS Organizations Structure
Azure Active Directory Group
Creates an Azure AD group for the account owners:
# Resolves each owner to an Azure AD user object. Lookup by mail is assumed
# here because owners are supplied as email addresses; use user_principal_name
# instead if the owners list holds UPNs.
data "azuread_user" "owner" {
  for_each = toset(var.owners)
  mail     = each.value
}

resource "azuread_group" "account_group" {
  display_name     = "AWS-${var.account_name}"
  security_enabled = true
}

resource "azuread_group_member" "owners" {
  for_each         = toset(var.owners)
  group_object_id  = azuread_group.account_group.object_id
  member_object_id = data.azuread_user.owner[each.key].object_id
}
Azure AD Group Usage
The created group is used for:
- AIP SSO Enterprise Application — Controls who can access the account
- Kion User Group — Via SAML association for cloud governance access
Input Variables
| Variable | Type | Description |
|---|---|---|
| account_name | string | Account name (from definition) |
| account_email | string | Account root email |
| data_classification | string | Data classification level |
| owners | list(string) | List of owner email addresses |
| ou_id | string | (Optional) Override OU ID |
Outputs
| Output | Description |
|---|---|
| account_id | AWS account ID |
| account_arn | AWS account ARN |
| ad_group_id | Azure AD group object ID |