examples/organization.yml

AWSTemplateFormatVersion: '2010-09-09-OC'
Description: default template generated for organization with master account 507468909204

Organization:
  MasterAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      Alias: org-formation-master
      RootEmail: olaf@email.com
      AccountName: oc test account 2
      AccountId: '507468909204'
      PasswordPolicy: !Ref PasswordPolicy
      Tags:
        budget-alarm-threshold: 200
        account-owner-email: olaf@email.com

  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:
        - !Ref DenyChangeOfOrgRoleSCP
        - !Ref RestrictUnusedRegionsSCP

  ProductionOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: production
      Accounts:
        - !Ref Production1Account

  DevelopmentOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: development
      Accounts:
        - !Ref DevelopmentAccount
        - !Ref Development2Account
        - !Ref Development3Account
        - !Ref Development4Account

  SharedOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: shared
      Accounts:
        - !Ref SharedUsersAccount
        - !Ref SharedServicesAccount
        - !Ref SharedComplianceAccount

  SharedUsersAccount:
    Type: OC::ORG::Account
    Properties:
      RootEmail: users-2@olafconijn.awsapps.com
      Alias: org-formation-users
      AccountName: Shared Users Account
      PasswordPolicy: !Ref PasswordPolicy
      Tags:
        budget-alarm-threshold: '100'
        account-owner-email: olaf@email.com

  SharedServicesAccount:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-services
      AccountName: Shared Services Account
      RootEmail: shared-services-2@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '22'
        account-owner-email: olaf@email.com

  SharedComplianceAccount:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-compliance
      AccountName: Shared Compliance Account
      RootEmail: shared-compliance-2@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '200'
        account-owner-email: olaf@email.com

  DevelopmentAccount:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-dev
      AccountName: Development Account
      RootEmail: dev-account-1@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '200'
        account-owner-email: olaf@email.com
        subdomain: development1

  Development2Account:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-dev2
      AccountName: Development Account 2
      RootEmail: dev-account-2@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '200'
        account-owner-email: olaf@email.com

  Development3Account:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-dev3
      AccountName: Development Account 3
      RootEmail: dev-account-3@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '200'
        account-owner-email: olaf@email.com

  Development4Account:
    Type: OC::ORG::Account
    Properties:
      Alias: org-formation-dev4
      AccountName: Development Account 4
      RootEmail: dev-account-4@olafconijn.awsapps.com
      Tags:
        budget-alarm-threshold: '200'
        account-owner-email: olaf@email.com

  Production1Account:
    Type: OC::ORG::Account
    Properties:
      AccountName: Production 1 Account
      RootEmail: production1@olafconijn.awsapps.com
      Alias: my-production1
      Tags:
        budget-alarm-threshold: '100'
        account-owner-email: olaf@email.com
        subdomain: production1

  Production2Account:
    Type: OC::ORG::Account
    Properties:
      AccountName: Production 2 Account
      RootEmail: production2@olafconijn.awsapps.com
      Alias: my-production2
      Tags:
        budget-alarm-threshold: '100'
        account-owner-email: olaf@email.com

  DenyChangeOfOrgRoleSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyChangeOfOrgRole
      Description: Deny changing the IAM role used for organization access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyChangeOfOrgRole
            Effect: Deny
            Action:
              - 'iam:Attach*'
              - 'iam:Create*'
              - 'iam:Delete*'
              - 'iam:Detach*'
              - 'iam:PutRole*'
              - 'iam:Update*'
            Resource:
              - 'arn:aws:iam::*:role/OrganizationAccountAccessRole'

  RestrictUnusedRegionsSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: RestrictUnusedRegions
      Description: Restrict Unused regions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyUnsupportedRegions
            Effect: Deny
            NotAction:
              - 'cloudfront:*'
              - 'iam:*'
              - 'route53:*'
              - 'support:*'
              - 'budgets:*'
            Resource: '*'
            Condition:
              StringNotEquals:
                'aws:RequestedRegion':
                  - eu-west-1
                  - us-east-1
                  - eu-central-1

  PasswordPolicy:
    Type: OC::ORG::PasswordPolicy
    Properties:
      MaxPasswordAge: 30
      MinimumPasswordLength: 12
      RequireLowercaseCharacters: true
      RequireNumbers: true
      RequireSymbols: true
      RequireUppercaseCharacters: true
      PasswordReusePrevention: 5
      AllowUsersToChangePassword: true