AWS IAM Organization

This page shows how to write Terraform for IAM Organization and write them securely.

aws_organizations_organization (Terraform)

The Organization in IAM can be configured in Terraform with the resource name aws_organizations_organization. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "aws_organizations_organization" "org" {
  feature_set                   = var.feature_set
  aws_service_access_principals = var.feature_set == "ALL" ? var.aws_service_access_principals : null
  enabled_policy_types          = var.feature_set == "ALL" ? var.enabled_policy_types : null
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
resource "aws_organizations_organization" "default" {
  feature_set = "ALL"
resource "aws_organizations_organization" "org" {

module "iam_account" {
  count = var.iam_account_email == null ? 0 : 1
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


Explanation in Terraform Registry

Provides a resource to create an organization. !> WARNING: When migrating from a feature_set of CONSOLIDATED_BILLING to ALL, the Organization account owner will received an email stating the following: "You started the process to enable all features for your AWS organization. As part of that process, all member accounts that joined your organization by invitation must approve the change. You don’t need approval from member accounts that you directly created from within your AWS organization." After all member accounts have accepted the invitation, the Organization account owner must then finalize the changes via the AWS Console. Until these steps are performed, Terraform will perpetually show a difference, and the DescribeOrganization API will continue to show the FeatureSet as CONSOLIDATED_BILLING. See the AWS Organizations documentation for more information.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.



Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

CloudFormation Example

CloudFormation code does not have the related resource.

Frequently asked questions

What is AWS IAM Organization?

AWS IAM Organization is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform.

Where can I find the example code for the AWS IAM Organization?

For Terraform, the ahummel25/aws-organizations-hummel, MrGossett/.aws and jamesridle/carpstack source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.