| # List all AWS Org accounts' Id, Name, and Email in a csv format | |
| aws organizations list-accounts --query 'Accounts[].[Id,Name,Email,Status]' | jq -r '["id","name","email","status"], (.[]) | @csv' | |
| # Find all EKS clusters in AWS Org | |
| aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --output text | |
| # Find all EKS cluster AWS Org with name like name_pattern | |
| # and only display the source account id, the cluster name, and the cluster region | |
| aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --query 'ResourceIdentifiers[?contains(ResourceName,`name_pattern`)].[SourceAccountId,ResourceName,SourceRegion]' --output text | |
| # Find all AWS SSO groups | |
| aws identitystore list-groups --identity-store-id d-12345abcde --output text | |
| # Find all permission set ids in AWS SSO | |
| aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef --output text | |
| # Find all permission set names in AWS SSO | |
| # permission set name is only available via the describe-permission-set command | |
| aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef --output text > aws-sso-permission-sets.txt | |
| while read ps; do aws sso-admin describe-permission-set --permission-set-arn $ps --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef | jq -r .PermissionSet.Name ; done < aws-sso-permission-sets.txt | |
| # Find all AWS Cloudformtion stacks which have `ControlTower` in their name - Option 1 | |
| aws cloudformation describe-stacks --query 'Stacks[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName' | |
| # Find all AWS Cloudformtion stacks which have `ControlTower` in their name - Option 2 | |
| aws cloudformation list-stacks --query 'StackSummaries[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName' | |
| # Create a stackset | |
| # tags.json => [{Key=environment,Value=test},{Key=team,Value=operations}] | |
| aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=false --tags file://tags.json | |
| # Create a stackset (with service_managed permissions, from the delegated admin account) | |
| # tags.json => [{Key=environment,Value=test},{Key=team,Value=operations}] | |
| aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN --auto-deployment Enabled=false --tags file://tags.json | |
| # Deploy stackset instance to a single account in AWS Org OU with multiple accounts | |
| aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets Accounts=112233445566,OrganizationalUnitIds=ou-12345abcdef,AccountFilterType=INTERSECTION --regions eu-west-1 us-east-1 | |
| # Deploy stackset instance (with service_managed permissions, from the delegated admin account) to an OU with multiple accounts | |
| aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets OrganizationalUnitIds=ou-12345abcdef --call-as DELEGATED_ADMIN --regions eu-west-1 us-east-1 |
Error: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set
--call-as DELEGATED_ADMIN is specified, if running from a delegated admin accountParameter validation failed: Unknown parameter in DeploymentTargets: "AccountFilterType", must be one of: Accounts, AccountsUrl, OrganizationalUnitIds