Created
March 11, 2020 17:30
-
-
Save thisismana/853abe95b222629eb9f2fa5713262794 to your computer and use it in GitHub Desktop.
Create a new AWS account through ControlTower/Service Catalog, but detatch SCP while doing so
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -euxo pipefail | |
| export AWS_DEFAULT_REGION=eu-west-1 | |
| export AWS_DEFAULT_OUTPUT=text | |
| export AWS_PAGER="" | |
| FIRST_NAME="ENTER NAME HERE" | |
| LAST_NAME="ENTER LAST NAME HERE" | |
| EMAIL="ENTER@MAIL.HERE" # must be a valid email that is not in use as an root-account email elsewhere | |
| ACCOUNT="ENTER_ACCOUNT_NAME_HERE" | |
| OU="Development" # one of [Production|Development] | |
| ## Detach SCP from OU | |
| function detach_scp { | |
| local root_id=$(aws organizations list-roots --query 'Roots[0].Id') | |
| ou_id=$(aws organizations list-organizational-units-for-parent \ | |
| --parent-id $root_id \ | |
| --query "OrganizationalUnits[?Name=='$OU'].Id") | |
| policy_id=$(aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query "Policies[?Name=='deny-all-outside-eu'].Id") | |
| local is_policy_attached_to_ou=$(aws organizations list-policies-for-target --target-id $ou_id --filter SERVICE_CONTROL_POLICY --query "Policies[?Id=='$policy_id'].Id") | |
| if [ "" == "$is_policy_attached_to_ou" ]; then | |
| echo "Policy $policy_id is not attached to organizational unit $ou_id" | |
| else | |
| aws organizations detach-policy \ | |
| --policy-id $policy_id \ | |
| --target-id $ou_id | |
| echo "Documentation says this action is immediate. But lets wait nonetheless." | |
| sleep 30 | |
| echo "Finished sleeping. Continuing." | |
| fi | |
| } | |
| ## Attach SCP to OU | |
| function attach_scp { | |
| aws organizations attach-policy \ | |
| --policy-id $policy_id \ | |
| --target-id $ou_id | |
| } | |
| function provision_product { | |
| local product_id=$(aws servicecatalog search-products --filters Owner='AWS Control Tower' --query 'ProductViewSummaries[].ProductId') | |
| local launch_path_id=$(aws servicecatalog list-launch-paths --product-id $product_id --query 'LaunchPathSummaries[].Id') | |
| local provisioning_artifact_id=$(aws servicecatalog describe-product --id $product_id --query 'ProvisioningArtifacts[].Id') | |
| aws servicecatalog provision-product \ | |
| --product-id=$product_id \ | |
| --provisioned-product-name=$ACCOUNT \ | |
| --provisioning-artifact-id=$provisioning_artifact_id \ | |
| --path-id=$launch_path_id \ | |
| --provisioning-parameters "[ | |
| { | |
| \"Key\": \"SSOUserEmail\", | |
| \"Value\": \"$EMAIL\" | |
| }, | |
| { | |
| \"Key\": \"AccountEmail\", | |
| \"Value\": \"$EMAIL\" | |
| }, | |
| { | |
| \"Key\": \"SSOUserFirstName\", | |
| \"Value\": \"$FIRST_NAME\" | |
| }, | |
| { | |
| \"Key\": \"SSOUserLastName\", | |
| \"Value\": \"$LAST_NAME\" | |
| }, | |
| { | |
| \"Key\": \"ManagedOrganizationalUnit\", | |
| \"Value\": \"$OU\" | |
| }, | |
| { | |
| \"Key\": \"AccountName\", | |
| \"Value\": \"$ACCOUNT\" | |
| } | |
| ]" | |
| } | |
| detach_scp | |
| provision_product | |
| # todo -> poll provisioned product until "ready", then re-attach scp | |
| # attach_scp |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment