# Deploy accounts

Deploy infrastructure configured with config sets to the specified organizational units and accounts.

## Usage

```bash
tkm org accounts deploy [ou-path...] \
  [--account <account_id>]... \
  [--concurrent-accounts <number>] \
  [--config-set <config-set>] \
  [--command-path <command-path>]
```

## Positional arguments

* `ou-path...`
  * You can pass one or more organizational unit paths to deploy only the accounts that belong to organizational units located under the given paths in the organization hierarchy.

## Options

In addition to the [common options](https://docs.takomo.io/command-line-usage/common-options), this command has the following options.

* `--account <account id>`
  * Choose accounts to deploy. You can use this option multiple times to specify more accounts.
* `--concurrent-accounts <number>`
  * Number of accounts to deploy concurrently.
* `--config-set <config-set>`
  * Teardown only this config set.
  * Optional.
* `--command-path <command-path>`
  * Teardown only stacks under this command path.
  * Optional.
  * To use this option, also the `--config-set` option must be given.

## IAM permissions

These are the minimum IAM permissions required to run this command.

```yaml
Statement:
  - Effect: Allow
    Action:
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
    Resource: "*"

  # IAM permissions needed to assume role from the target accounts.
  # Specify resource to restrict access to specific roles.  
  - Sid: IAM
    Effect: Allow
    Action:
      - sts:AssumeRole
    Resource: "*"
```

## Examples

Deploy all accounts in the organization.

```bash
tkm org accounts deploy
```

Deploy only accounts that belong to the organizational unit **Root/Sandbox** or to any organizational units under it.

```bash
tkm org accounts deploy Root/Sandbox
```

Deploy only accounts that belong to the organizational unit **Root/Apps/Dev** or **Root/Apps/Test**, or to any organizational units under them.

```bash
tkm org accounts deploy Root/Apps/Dev Root/Apps/Test
```

Deploy only account **123456789012**.

```bash
tkm org accounts deploy --account 123456789012
```

Deploy only account **123456789012** and **777777777777**.

```bash
tkm org accounts deploy \
  --account 123456789012 \
  --account 777777777777
```