vendor_connectors.aws.organizations
AWS Organizations and Control Tower operations.
This module provides operations for managing AWS accounts through AWS Organizations and Control Tower.
Module Contents
Classes

| Class | Description |
|---|---|
| AWSOrganizationsMixin | Mixin providing AWS Organizations operations. |
class vendor_connectors.aws.organizations.AWSOrganizationsMixin
Mixin providing AWS Organizations operations.
This mixin requires the base AWSConnector class to provide:
- get_aws_client()
- logger
- execution_role_arn
get_organization_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Get all AWS accounts from AWS Organizations.
Recursively traverses the organization hierarchy to get all accounts with their organizational unit information and tags.
Args:
- unhump_accounts: Convert keys to snake_case. Defaults to True.
- sort_by_name: Sort accounts by name. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data including:
- Name, Email, Status, JoinedTimestamp
- OuId, OuArn, OuName (organizational unit info)
- tags (account tags)
- managed (always False for accounts read from Organizations alone; get_accounts() sets it to True for accounts that Control Tower also reports)
Raises: RuntimeError: If unable to find root parent ID.
get_controltower_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Get all AWS accounts managed by AWS Control Tower.
Retrieves accounts from the Control Tower Account Factory.
Args:
- unhump_accounts: Convert keys to snake_case. Defaults to True.
- sort_by_name: Sort accounts by name. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data with managed=True.
get_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, include_controltower: bool = True, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Get all AWS accounts from Organizations and Control Tower.
Combines accounts from AWS Organizations and Control Tower, marking Control Tower accounts as ‘managed’.
Args:
- unhump_accounts: Convert keys to snake_case. Defaults to True.
- sort_by_name: Sort accounts by name. Defaults to False.
- include_controltower: Include Control Tower accounts. Defaults to True.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data with ‘managed’ flag.
get_organization_units(unhump_units: bool = True, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Get all organizational units from AWS Organizations.
Args:
- unhump_units: Convert keys to snake_case. Defaults to True.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping OU IDs to OU data.
_build_org_units_with_tags(role_arn: str | None) → dict[str, dict[str, Any]]
Fetch organizational units including tag metadata.
_build_labeled_account(account_id: str, account_data: dict[str, Any], controltower_data: dict[str, Any] | None, units_lookup: dict[str, dict[str, Any]], domains: dict[str, str], caller_account_id: str) → dict[str, Any]
Normalize metadata for a single AWS account.
label_account(account_id: str, labels: dict[str, str], execution_role_arn: str | None = None) → None
Apply labels (tags) to an AWS account.

Args:
- account_id: AWS account ID.
- labels: Dictionary of label key-value pairs to apply.
- execution_role_arn: ARN of role to assume for cross-account access.

Account tags are Organizations resources, so the call is made against the Organizations API in the management (or delegated administrator) account, not against the target account, and the role in use must be allowed organizations:TagResource.
classify_accounts(accounts: dict[str, dict[str, Any]] | None = None, classification_rules: dict[str, list[str]] | None = None, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Classify AWS accounts based on OU paths or tags.
Default classification rules:
- ‘production’: accounts in OUs containing ‘prod’ or ‘production’
- ‘staging’: accounts in OUs containing ‘stage’ or ‘staging’
- ‘development’: accounts in OUs containing ‘dev’ or ‘development’
- ‘sandbox’: accounts in OUs containing ‘sandbox’
- ‘security’: accounts in OUs containing ‘security’
Args:
- accounts: Pre-fetched accounts dict. Fetched if not provided.
- classification_rules: Custom rules mapping classification -> OU patterns.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Accounts dict with added ‘classification’ field.
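The default rule table above is "OU containing pattern" matching, so two things decide the result: rule order (the first matching classification wins) and how "containing" is read. The following added example (my own reimplementation, not the library's classify_accounts) runs the documented default rules over a constructed set of accounts in two modes, plain substring matching against OU path segments and strict whole-segment matching, so the difference is visible on inputs such as an OU named NonProd or Devices. It assumes each account carries an "OuPath" string such as "Root/Workloads/Prod" and a "tags" dict, and treats an "Environment" tag (my choice of key) as an explicit override; both of those are assumptions, not documented behaviour.

```python
"""Classify accounts from OU path and tags, comparing substring and whole-segment matching."""
from typing import Any

# The default rule table as documented: classification -> OU patterns, in precedence order.
DEFAULT_RULES: dict[str, list[str]] = {
    "production": ["prod", "production"],
    "staging": ["stage", "staging"],
    "development": ["dev", "development"],
    "sandbox": ["sandbox"],
    "security": ["security"],
}


def classify_account(ou_path: str, tags: dict[str, str],
                     rules: dict[str, list[str]] = DEFAULT_RULES, strict: bool = False) -> str:
    """Return the first rule name that matches, or "unclassified".

    A tag value equal to a rule name or pattern wins over OU placement, since it is an
    explicit operator statement (assumed tag key "Environment"). strict=False matches
    patterns as substrings of any OU segment (the docstring's "OUs containing ...");
    strict=True requires a whole segment to equal the pattern, which stops "NonProd"
    from matching "prod" and "Devices" from matching "dev".
    """
    env = tags.get("Environment", "").lower()
    for name, patterns in rules.items():
        if env and env in (name, *patterns):
            return name
    segments = [s.lower() for s in ou_path.split("/") if s]
    for name, patterns in rules.items():  # dict order is precedence: first hit wins
        for pattern in patterns:
            hit = pattern in segments if strict else any(pattern in seg for seg in segments)
            if hit:
                return name
    return "unclassified"


def classify_accounts(accounts: dict[str, dict[str, Any]],
                      rules: dict[str, list[str]] = DEFAULT_RULES,
                      strict: bool = False) -> dict[str, dict[str, Any]]:
    """Copy of `accounts` with a "classification" field added to each entry."""
    return {aid: {**data, "classification": classify_account(data["OuPath"], data.get("tags", {}), rules, strict)}
            for aid, data in accounts.items()}


# Constructed sample accounts, not a real organization.
SAMPLE_ACCOUNTS: dict[str, dict[str, Any]] = {
    "111111111111": {"Name": "payments-prod", "OuPath": "Root/Workloads/Prod", "tags": {}},
    "222222222222": {"Name": "payments-dev", "OuPath": "Root/Workloads/NonProd/Dev", "tags": {}},
    "333333333333": {"Name": "fleet-devices", "OuPath": "Root/Devices", "tags": {}},
    "444444444444": {"Name": "qa-sandbox", "OuPath": "Root/Sandbox", "tags": {"Environment": "staging"}},
    "555555555555": {"Name": "audit", "OuPath": "Root/Security", "tags": {}},
}


def compare_modes(accounts: dict[str, dict[str, Any]] = SAMPLE_ACCOUNTS) -> dict[str, tuple[str, str]]:
    """Map account id -> (substring-mode classification, strict-mode classification)."""
    loose = classify_accounts(accounts)
    tight = classify_accounts(accounts, strict=True)
    return {aid: (loose[aid]["classification"], tight[aid]["classification"]) for aid in accounts}


if __name__ == "__main__":
    for aid, (loose, tight) in compare_modes().items():
        flag = "" if loose == tight else "  <- differs"
        print(f"{aid} {SAMPLE_ACCOUNTS[aid]['OuPath']:<30} substring={loose:<12} strict={tight}{flag}")
```

In substring mode the NonProd/Dev account is classified as production because "prod" occurs inside "nonprod" and the production rule is checked first; in strict mode it lands in development. Whatever rule set you pass as classification_rules, check it against your actual OU names before wiring the output into anything that grants access or exempts an account from a control, since a misclassification in the permissive direction is the costly one.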
label_aws_accounts(domains: dict[str, str], aws_organization_units: dict[str, dict[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
Return normalized metadata for every AWS account.
This mirrors the legacy label_aws_account helper from terraform-modules.
Args:
- domains: Mapping of environment -> root domain.
- aws_organization_units: Optional precomputed OU metadata (with tags).
- caller_account_id: Optional root account id. Auto-discovered if omitted.
- execution_role_arn: ARN used for cross-account access.
Returns: Dictionary keyed by account id with normalized metadata (network_name, json_key, execution role ARN, classifications, etc.).
label_aws_account(account_id: str, domains: dict[str, str], aws_organization_units: dict[str, dict[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Return metadata for a single AWS account.
classify_aws_accounts(labeled_accounts: dict[str, dict[str, Any]] | None = None, suffix: str | None = None, domains: dict[str, str] | None = None, aws_organization_units: dict[str, dict[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) → dict[str, list[str]]
Group accounts by classification, matching terraform-modules output.
preprocess_aws_organization(domains: dict[str, str], suffix: str | None = None, aws_organization_units: dict[str, dict[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Build full organization context (accounts, units, lookups).
preprocess_organization(include_tags: bool = True, include_classification: bool = True, execution_role_arn: str | None = None) → dict[str, Any]
Preprocess AWS Organization data for terraform consumption.
Returns a structured dict suitable for terraform data sources.
Args:
- include_tags: Include account tags. Defaults to True.
- include_classification: Include account classification. Defaults to True.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary with ‘accounts’, ‘organizational_units’, and ‘root_id’.