This file, organization.yml represents your AWS Organization. Any changes to Accounts or OrganizationUnits will be reflected in your AWS Organization. You can create new accounts or organization units, move accounts to different organization units, and assign Terraform, Cloudformation, CDKstacks at any level in the hierarchy.

Structure

Telophase allows you to structure accounts in any way the cloud provider allows. You can nest Organization Units within each other.

Organization:
    Name: root  ## AWS Organization Root
    OrganizationUnits:  ## Organization Units
        - Name: ProductionTenants
          Stacks:  ## Terraform, Cloudformation and CDK stacks to apply to all accounts in this Organization Unit
            - Path: go/src/cdk
              Type: CDK
              Name: telophase-owner
          Accounts:  ## Accounts at the top level of this Organization Unit
            - Email: ethan+clitest4@telophase.dev
              AccountName: cli-test4
              Tags:
                - "production"
    Accounts:
        - AccountName: Management
          Email: mgmt@telophase.dev

AWS Organization Root

Organization: instructs the Telophase parser that an AWS Organization follows. It has no corresponding representation in AWS. Name: root represents the root organization unit in your AWS Organization. It is the parent for all accounts and organization units. It cannot be renamed.

Organization:
    Name: root  # (Required) This must be set to "Name: root".
    Accounts:  # (Optional) Child accounts of root Organization Unit.
    OrganizationUnits:  # (Optional) Child Organization Units of the root Organization Unit.

Account

Accounts represents a list of AWS Accounts.

Accounts:
  - Email:  # (Required) Email used to create the account. This will be the root user for this account.
    AccountName:  # (Required) Name of the account.
    Tags:  # (Optional) Telophase label for this account. Tags translate to AWS tags with a `=` as the key value delimiter. For example, `telophase:env=prod`
    Stacks:  # (Optional) Terraform, Cloudformation and CDK stacks to apply to all accounts in this Organization Unit.
    State:  # (Optional) Can be set to `deleted` to delete an account. Experimental.

Example

Accounts:
  - Email: us-prod@telophase.dev
    AccountName: us-prod
  - Email: eu-prod@telophase.dev
    AccountName: eu-prod

This will create two Accounts:

  1. us-prod with root user us-prod@telophase.dev
  2. eu-prod with root user eu-prod@telophase.dev

OrganizationUnits

OrganizationUnits represents a list of AWS Organization Units.

OrganizationUnits:
  - Name:  # (Required) Name of the Organization Unit.
    Accounts:  # (Optional) Child accounts of this Organization Unit.
    Stacks:  # (Optional) Terraform, Cloudformation, and CDK stacks to apply to all accounts in this Organization Unit.
    OrganizationUnits:  # (Optional) Child Organization Units of this Organization Unit.
  - OUFilepath: # (Oprtional) provide a filepath to load a separate OU into telophase.

Example

OrganizationUnits:
    - Name: Production
      Accounts:
        - Email: us-prod@telophase.dev
          AccountName: us-prod
        - Email: eu-prod@telophase.dev
          AccountName: eu-prod
    - Name: Dev Accounts
      Accounts:
        - Email: developer1@telophase.dev
          AccountName: developer1
        - Email: developer2@telophase.dev
          AccountName: developer2

This will create two OUs:

  1. Production with child accounts us-prod and eu-prod
  2. Dev Accounts with child accounts developer1 and developer2

Stacks

Terraform, Cloudformation and CDK stacks can be assigned to Accounts and OrganizationUnitss. Stacks assigned to OrganizationUnits will be applied to all child Accounts.

Stacks:
  - Path:  # (Required) Path to CDK or Terraform project. This must be a directory.
    Type:  # (Required) "Terraform", "CDK", "Cloudformation .
    Name:  # (Optional) Name of the Stack to filter on with --stacks.
    AssumeRoleName:  # (Optional) Force the stack to use a specific role when applying a stack. The default role is the account's `AssumeRoleName` which is typically the `OrganizationAccountAccessRole`.
    Region: # (Optional) What region the stack's resources will be provisioned in. Region can be a comma separated list of regions or "all" to apply to all regions in an account.
    Workspace: # (Optional) Specify a Terraform workspace to use.
    CloudformationParameters: # (Optional) A list of parameters to pass into the cloudformation stack.
    CloudformationCapabilities: # (Optional) A list of capabilities to pass into the cloudformation stack the only valid values are (CAPABILITY_IAM | CAPABILITY_NAMED_IAM | CAPABILITY_AUTO_EXPAND).

Example

Accounts:
  - Email: us-prod@telophase.dev
    AccountName: us-prod
    Stacks:
      - Path: go/src/cdk
        Type: CDK
        Name: s3-remote-state 
      - Path: tf/default-vpc
        Type: Terraform

This will run two separate applies in the us-prod account:

  1. s3-remote-state CDK stack in go/src/cdk that stands up an s3 bucket for a terraform remote state.
  2. tf/default-vpc Terraform stack.

Tags

Tags can be used to perform operations on groups of accounts. Accounts and OrganizationUnitss can be tagged. Tags represent AWS Tags. Telophase Tags map to AWS tags with a key, value pair delimited by an =. For example, env=dev will translate to an AWS tag on an Account or OU with the key env and value dev.

Telophase commands optionally take tags as inputs, allowing you to limit the scope of the operation.

Example

 Accounts:
    - Email: newdev+1@telophase.dev
      AccountName: newdev1
      Tags:
        - "env=dev"
    - Email: newdev+2@telophase.dev
      AccountName: newdev2

    - Email: production@telophase.dev
      AccountName: production

telophasecli diff --tag "env=dev" will show a diff for only the newdev1 account.

Testingtelophasecli diff