Creating accounts


Last updated 3 years ago

You create new accounts in your organization using the create account command.

Example

Create a new account:

tkm org accounts create \
  --email my-account-1@example.com \
  --name my-account

Account defaults

When creating a new account, you can optionally specify whether the account's IAM users should have access to the account's billing information, and the name of the IAM role that AWS Organizations creates in the new account. You can use the accountCreation property to specify the default values for these options in the organization configuration file:

organization.yml
# This is how you set the defaults for account creation.
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole 

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"    
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"

Account constraints

You can restrict the accepted account names and emails to a pattern by providing a constraints property under the accountCreation configuration. Account creation is rejected when the requested name or email does not match the configured regular expression:

organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole 

  # This is how you set constraints for account name and email.  
  constraints:
    # Account name must match this regex pattern
    namePattern: "^my-account-[a-z0-9-]+$"
    # Account email must match this regex pattern
    emailPattern: "^admin\\+my-account-[0-9a-z-]+@example.com$"

masterAccountId: "098765432100"

organizationAdminRoleName: MyOrganizationAdminRole

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
    
backupPolicies:
  MyBackups:
    description: Backup policy    
    
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"    
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod: 
    accounts:
      - id: "876754648373"
        name: MyAccount
        email: account@example.com
        description: This is a production account
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"
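The following added example (not Takomo's own code) shows how the defaults and constraints sections above combine: a proposed name and email are checked against namePattern and emailPattern, and the configured defaults are applied to produce the parameters of an AWS Organizations CreateAccount call. The accountCreation dictionary is constructed from the organization.yml shown above; the per-request overrides are an assumption about how the optional settings are passed, and the fallback role name OrganizationAccountAccessRole is the AWS default, not something Takomo documents here.

```python
import re

# Constructed sample mirroring the accountCreation section of the organization.yml above.
ACCOUNT_CREATION = {
    "defaults": {"iamUserAccessToBilling": True, "roleName": "MyAccountAdminRole"},
    "constraints": {
        "namePattern": r"^my-account-[a-z0-9-]+$",
        # The YAML string "\\+" unescapes to a single "\+" in the compiled regex.
        "emailPattern": r"^admin\+my-account-[0-9a-z-]+@example.com$",
    },
}


def validate_account_request(name, email, config=ACCOUNT_CREATION):
    """Return a list of constraint violations (empty when the request is acceptable)."""
    constraints = config.get("constraints") or {}
    errors = []
    name_pattern = constraints.get("namePattern")
    if name_pattern and not re.search(name_pattern, name):
        errors.append(f"account name {name!r} does not match namePattern {name_pattern!r}")
    email_pattern = constraints.get("emailPattern")
    if email_pattern and not re.search(email_pattern, email):
        errors.append(f"account email {email!r} does not match emailPattern {email_pattern!r}")
    return errors


def build_create_request(name, email, config=ACCOUNT_CREATION,
                         role_name=None, iam_user_access_to_billing=None):
    """Apply the configured defaults (overridable per request; the override
    parameters are an assumption) and return CreateAccount parameters,
    or raise ValueError when a constraint is violated."""
    errors = validate_account_request(name, email, config)
    if errors:
        raise ValueError("; ".join(errors))
    defaults = config.get("defaults") or {}
    if role_name is None:
        # AWS falls back to OrganizationAccountAccessRole when no role name is given.
        role_name = defaults.get("roleName", "OrganizationAccountAccessRole")
    if iam_user_access_to_billing is None:
        iam_user_access_to_billing = defaults.get("iamUserAccessToBilling", True)
    return {
        "AccountName": name,
        "Email": email,
        "RoleName": role_name,
        "IamUserAccessToBilling": "ALLOW" if iam_user_access_to_billing else "DENY",
    }


if __name__ == "__main__":
    print(build_create_request("my-account-1", "admin+my-account-1@example.com"))
    # The CLI example at the top of the page (my-account, my-account-1@example.com)
    # would be rejected under these constraints: both patterns fail.
    print(validate_account_request("my-account", "my-account-1@example.com"))
```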