# Accounts

Each account in the AWS organization must belong to some organizational unit defined in the organization configuration file.

# Creating Accounts

You can create new accounts with the create account command. Once an account has been created, it must be added manually to the organization configuration file under the appropriate organizational unit.

You can provide constraints and default values for new accounts using account creation options. The options are given in the accountCreation object, which has the following keys:

  • defaults - Default values for optional account creation parameters:
    • iamUserAccessToBilling - Enable IAM users to access account billing, defaults to true
    • roleName - Name of the IAM role used to manage the new account, defaults to OrganizationAccountAccessRole
  • constraints - Account creation constraints
    • emailPattern - Email of the new account being created must match this pattern
    • namePattern - Name of the new account being created must match this pattern

# Example: Account creation options

accountCreation:
  defaults:
    iamUserAccessToBilling: false
    roleName: MyAdminRole
  constraints:
    # One or more lowercase letters or hyphens, then the literal domain (dot escaped)
    emailPattern: ^[a-z-]+@acme\.com$
    namePattern: ^.*@acme\.com$
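
How much an account creation constraint restricts depends on how the pattern is written. The following added example (not code from Takomo) compares a loosely written pair of patterns with an anchored, escaped pair. The helper `checkAccount`, the patterns and the candidate accounts are all constructed for illustration, and it assumes patterns are evaluated as JavaScript regular expressions with an unanchored search.

```javascript
// Added example (not Takomo's code): checks proposed account details against
// accountCreation constraints. Patterns and candidates are constructed.
function checkAccount(constraints, { email, name }) {
  const problems = [];
  // Assumption: patterns are JavaScript regular expressions applied with an
  // unanchored search, so ^ and $ must be written in the pattern itself.
  if (constraints.emailPattern && !new RegExp(constraints.emailPattern).test(email)) {
    problems.push("email");
  }
  if (constraints.namePattern && !new RegExp(constraints.namePattern).test(name)) {
    problems.push("name");
  }
  return problems;
}

// Loose: no anchors, and "." matches any character.
const loose = { emailPattern: "[a-z-]+@acme.com", namePattern: "acme-" };
// Strict: anchored at both ends, dot escaped, explicit character classes.
const strict = {
  emailPattern: "^[a-z-]+@acme\\.com$",
  namePattern: "^acme-[a-z0-9-]+$",
};

const candidates = [
  { email: "acme-prod@acme.com", name: "acme-prod" },             // intended
  { email: "acme-prod@acmeXcom", name: "acme-prod" },             // "." matched "X"
  { email: "acme-prod@acme.com.example.net", name: "acme-prod" }, // missing $
  { email: "acme-dev@acme.com", name: "not-acme-dev" },           // missing ^
];

// Returns one list of violated constraints per candidate.
function report(constraints) {
  return candidates.map((c) => checkAccount(constraints, c));
}

console.log("loose :", JSON.stringify(report(loose)));
console.log("strict:", JSON.stringify(report(strict)));
```

The loose patterns accept all four candidates; the strict ones accept only the first.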

# Adding Accounts to Organizational Units

Accounts are added to an organizational unit by adding them to the accounts list.

# Example: Adding accounts to an organizational unit

Providing a list of account ids.

organizationalUnits:
  Root:
    accounts:
      - "123456789012"
      - "210987654321"

# Example: Providing more configuration for an account

Sometimes you might want to provide more configuration for an account. If this form of configuration is used, only the id property is required.

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        name: my-account
        status: active

# Admin Role

Use accountAdminRole to tell Takomo which role to assume when it deploys configuration for the account. This takes precedence over any role names configured at the top level of the organization configuration file or in the configuration of the account's organizational unit.

# Example: Setting account admin role

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        accountAdminRole: MyAdminRole

# Description

It is often useful to provide a short description of the account.

# Example: Setting account description

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        description: Production environment of acme.com

# Email

Account email is the root email of the actual account. As we humans are not very good at remembering random numbers like account ids, the account email is one way to help the organization maintainers to identify the accounts which they manage. When the account is deployed, Takomo validates that the account email belongs to the same account as the account id does.

You can't change the actual root account email by defining the account email in the local configuration. It's there only for documentation and validation purposes.

# Example: Setting account email

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        email: acme-prod@acme.com

# Name

Account name is the name of the actual account. As we humans are not very good at remembering random numbers like account ids, the account name is one way to help the organization maintainers to identify the accounts which they manage. When the account is deployed, Takomo validates that the account name belongs to the same account as the account id does.

You can't change the actual account name by defining the account name in the local configuration. It's there only for documentation and validation purposes.

# Example: Setting account name

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        name: acme-prod

# Service Control Policies

You can attach service control policies to the account.

# Example: Attaching service control policies

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        serviceControlPolicies:
          - PolicyA

# Tag Policies

You can attach tag policies to the account.

# Example: Attaching tag policies

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        tagPolicies:
          - MyTagPolicy
          - AnotherTagPolicy

# Config Sets

Config sets are used to define the configuration that should be deployed to the accounts.

# Example: Setting config sets

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        configSets:
          - Networking

# Status

Account status is used to define whether the config sets linked to the account should be executed when the organization is launched.

Allowed values are:

  • active - Execute config sets, this is the default value
  • disabled - Do not execute config sets
  • suspended - The account is closed, no config sets are executed

# Example: Setting account status

organizationalUnits:
  Root:
    accounts:
      - id: "123456789012"
        status: disabled
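
The rules on this page (an entry is either a bare id or an object where only id is required, status is one of three values, and only active accounts have their config sets executed) can be checked before a launch. This is an added example, not Takomo's code: `lintAccounts` is a hypothetical helper that takes the already parsed organizationalUnits object, and the OU name `Root/Workloads` and all account ids are constructed sample data.

```javascript
// Added example, not Takomo's code. Input is the parsed organizationalUnits
// object; OU names and account ids in the sample are constructed.
const STATUSES = ["active", "disabled", "suspended"];

function lintAccounts(organizationalUnits) {
  const errors = [];
  const seen = new Map(); // account id -> OU where it was first listed
  const launch = [];      // ids whose config sets would be executed
  for (const [ou, { accounts = [] }] of Object.entries(organizationalUnits)) {
    for (const entry of accounts) {
      // An entry is either a bare id or an object where only id is required.
      const account = typeof entry === "object" && entry !== null ? entry : { id: entry };
      const { id, status = "active", configSets = [] } = account;
      if (typeof id !== "string" || !/^\d{12}$/.test(id)) {
        errors.push(`${ou}: id ${JSON.stringify(id)} is not a quoted 12-digit string`);
        continue;
      }
      // An AWS account has exactly one parent, so a second listing is an error.
      if (seen.has(id)) errors.push(`${id}: listed in both ${seen.get(id)} and ${ou}`);
      else seen.set(id, ou);
      if (!STATUSES.includes(status)) errors.push(`${id}: unknown status "${status}"`);
      else if (status === "active" && configSets.length > 0) launch.push(id);
    }
  }
  return { errors, launch };
}

const sample = {
  Root: { accounts: [
    "123456789012",
    { id: "210987654321", status: "disabled", configSets: ["Networking"] },
  ] },
  "Root/Workloads": { accounts: [
    { id: "123456789012", name: "acme-prod" },            // already under Root
    { id: 555555555555, configSets: ["Networking"] },     // unquoted in YAML: a number
    { id: "333333333333", status: "enabled" },            // not an allowed value
    { id: "444444444444", configSets: ["Networking"] },   // active by default
  ] },
};

console.log(lintAccounts(sample));
```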

Last Updated: 5/4/2020, 3:54:44 PM