
News

This is the news section. It has two categories: News and Releases.

Files in these directories will be listed in reverse chronological order.

News

Payer-Account CloudFormation, Managed from Org Kickstart

The new payer_cloudformation_stacks variable deploys arbitrary CloudFormation stacks into the management account, so payer-scoped automation can live in the same Terraform config as the rest of your org.

Some automation only works in the management/payer account: Cost Explorer alarms, organization-wide billing notifications, anything that has to read AWS::Billing data or talk to the Organizations API as the master account. That stuff doesn’t fit in a workload account, and it doesn’t fit in the security account either.

Until now, the answer was “click that CloudFormation in by hand” or “stand up a second Terraform config just for the payer.” Both options suck.

Org Kickstart now has a payer_cloudformation_stacks variable. Drop a map entry, point it at a template (local file or S3 URL), pick your regions, set your parameters. The next apply deploys it into the payer.

Example

payer_cloudformation_stacks = {
  billing_alerts = {
    stack_name    = "slack_billing_alerts"
    template_file = "cloudformation/slack-Template.yaml"
    regions       = ["us-east-1"]
    parameters = {
      pExecutionRate = "cron(0 09 * * ? *)"
      pEventInput = <<-EOT
        {
          "threshold": "10",
          "alert_percent": "20"
        }
      EOT
      pSlackWebhookSecret = "SlackWebHook"
      pRuleState          = "ENABLED"
      pAccountDescription = "My-Payer"
    }
  }
}

A few things worth knowing:

  • Composite resource addresses. Each stack-region pair becomes aws_cloudformation_stack.payer["<key>-<region>"] (e.g., billing_alerts-us-east-1). Add a second region later and the existing stack doesn’t get renamed.
  • template_file vs template_url. Exactly one per stack. template_file is a local path relative to your tfvars repo root. template_url is an HTTPS or S3 URL.
  • regions is optional. Omit it and the stack deploys only in the base org-kickstart region.
  • Capabilities are baked in. Every stack gets CAPABILITY_IAM, CAPABILITY_NAMED_IAM, and CAPABILITY_AUTO_EXPAND. If you want stricter capabilities, this isn’t the feature for you.
  • JSON parameter values are canonicalized. CloudFormation parameter values are strings, and tfvars heredocs always end in a newline. Without normalization, every plan would show drift on JSON-string parameters. The module runs each value through jsondecode | jsonencode so the literal you write in tfvars matches what CFN stores. Non-JSON strings pass through unchanged.
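The composite-address expansion and the jsondecode | jsonencode canonicalization described above, modelled in Python as an added example (not code from Org Kickstart). It assumes the module wraps the decode/encode pass in try() so non-JSON strings pass through, that Terraform's jsonencode emits compact JSON with sorted object keys, and that CloudFormation returns the compact form; the tfvars values and base region are constructed.

```python
import json

BASE_REGION = "us-east-1"  # assumed org-kickstart base region

# Constructed tfvars-style input: one stack, two regions, one JSON-string parameter
STACKS = {
    "billing_alerts": {
        "regions": ["us-east-1", "us-west-2"],
        "parameters": {
            "pExecutionRate": "cron(0 09 * * ? *)",
            "pEventInput": '{\n  "threshold": "10",\n  "alert_percent": "20"\n}\n',  # heredoc: trailing newline
            "pRuleState": "ENABLED",
        },
    }
}

# Constructed: what CloudFormation reports back for the same parameters (compact JSON)
STORED = {
    "pExecutionRate": "cron(0 09 * * ? *)",
    "pEventInput": '{"alert_percent":"20","threshold":"10"}',
    "pRuleState": "ENABLED",
}


def canonicalize(value: str) -> str:
    """Mirror of the module's jsondecode | jsonencode pass (assumed wrapped in try())."""
    try:
        decoded = json.loads(value)
    except ValueError:
        return value  # cron expressions, plain names, etc. are untouched
    # Compact output with sorted keys approximates Terraform's jsonencode (assumption).
    # Note: bare JSON scalars such as "10" or "true" are also decoded and re-encoded.
    return json.dumps(decoded, separators=(",", ":"), sort_keys=True)


def expand(stacks: dict, base_region: str = BASE_REGION) -> dict:
    """Flatten {key: {regions, parameters}} into '<key>-<region>' for_each addresses.
    Omitting regions falls back to the base region; adding a region later only adds keys."""
    out = {}
    for key, stack in stacks.items():
        for region in stack.get("regions") or [base_region]:
            params = {k: canonicalize(v) for k, v in stack.get("parameters", {}).items()}
            out[f"{key}-{region}"] = {"region": region, "parameters": params}
    return out


def drifting_params(tfvars_params: dict, stored: dict, normalize: bool) -> list:
    """Parameter names a plan would show as changed against what CFN stores."""
    return sorted(
        name for name, raw in tfvars_params.items()
        if (canonicalize(raw) if normalize else raw) != stored[name]
    )
```

Calling drifting_params on the constructed input returns ['pEventInput'] without normalization and [] with it, which is the perpetual-drift case the module avoids.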

See the parameter reference for the full schema and an example tfvars for context.

Releases

Org Kickstart v0.3.0 Released

A big release: newer AWS Organizations policy types, CloudFormation stacks, managed state bucket, declarative imports, the Account Configurator, and a documentation site.

Org Kickstart v0.3.0 is now available — the largest release yet. It adds the newest AWS Organizations policy types, first-class CloudFormation deployment, a managed Terraform state bucket, declarative resource adoption, the Account Configurator integration, and a full documentation site at aws-kickstart.org.

New Features

  • Declarative & Resource Control Policies — manage EC2 Declarative Policies (image/snapshot BPA, IMDSv2 enforcement) and RCPs alongside SCPs in one consistent, templatable structure.
  • CloudFormation everywhere — a generic StackSet capability, plus payer_cloudformation_stacks and security_account_stacks to deploy arbitrary CloudFormation stacks (per-region) into the payer and security accounts directly from Terraform.
  • Managed state bucket — manage_state_bucket (default on) adopts your existing backend_bucket and enforces versioning, public-access-block, and encryption, with prevent_destroy so it can’t be deleted.
  • Declarative imports — examples/local-deploy/import.tf adopts the Organization, payer account, and state bucket via import blocks, so a brand-new org no longer needs scripts/import_org.sh for the foundational resources.
  • Account Configurator — optional pht-account-configurator integration (git submodule + make account-configurator) to harden new accounts on creation. See the docs.
  • DataTrails — optional CloudTrail S3 data-event configuration (PR #14).
  • Budgets — organizational and per-account AWS Budgets.
  • Security account parity — a (now required) security_account block gives the security account the same configuration options as every other account.
  • Close-on-deletion, Personal Health Dashboard delegated admin, and configurable aws_service_access_principals / enabled_policy_types exclusions (thanks Ashex!).
  • Granted support — generate an AWS config from your org outputs and share your repo as a Granted Registry.
  • Documentation site — full setup, parameter reference, and guides at aws-kickstart.org; the canonical sample now lives in examples/local-deploy.

Breaking Changes

  • Security Account SSO delegation (major): the Security Account is no longer assigned as Delegated Admin for IAM Identity Center by default, and a security_account block is now required in your tfvars. Apply SSO delegated admin there if you want it.
  • Policy module refactor (minor): SCP/RCP/Declarative policies moved into a single org_policies module and attachments switched from count to for_each. Resources will be renamed/recreated unless you terraform state mv them — see the full notes for the exact commands.

Bug Fixes

  • Added explicit depends_on to several Organizations resources (AI policy, RAM sharing, the SCP/RCP/Declarative modules, and the CUR report) that previously raced creation on a first apply.
  • Fixed the granted Make target so it always runs and writes granted/aws-config.

Releases & branch model

Going forward, latest is the default working branch — it always holds the newest changes. Each release is a frozen, tagged version (like 0.3.0); pin to one with source = "github.com/primeharbor/org-kickstart?ref=0.3.0".

We target quarterly releases, but may cut a new version sooner when significant new AWS organization-management features warrant it. See the Releases page for details.

The full v0.3.0 release notes — including the security-services provider→region migration — are on GitHub.

Org Kickstart v0.3.1 Released

IAM Identity Center resources now honor sso_instance_region.

Org Kickstart v0.3.1 is a small bug-fix release.

Bug Fixes

  • Configurable Identity Center region — all SSO resources (the admin permission set, the admin group, the managed-policy attachment, and the payer and per-account assignments) now honor sso_instance_region. Previously only the data sources were region-aware, so deploying with Identity Center enabled in a non-default region targeted the wrong region. Thanks to @mattgillard for the fix and for flagging it (PR #30).

See the full release notes on GitHub.

Org Kickstart v0.2.0 Released

Generic CloudFormation StackSets, organizational budgets, DataTrails, and more.

Org Kickstart v0.2.0 is now available with expanded account management capabilities and several new optional features.

New Features

  • Generic CloudFormation StackSet support — Deploy arbitrary CloudFormation stacks to all accounts
  • Delegated Admin — Account definitions can now specify which services the account is Delegated Admin for
  • Organizational Budget — Set a total budget for the organization alongside per-account budgets
  • DataTrails — Optional advanced CloudTrail with S3 data events
  • Personal Health Dashboard delegation — Security Account receives PHD events from all accounts
  • Security Account parity — Security Account now has feature parity with all other accounts
  • Account close-on-deletion — Control whether accounts are closed when removed from Terraform state

Breaking Changes

  • A security_account block is now required in the tfvars file
  • The Security Account is no longer automatically made Delegated Admin for IAM Identity Center

See the full release notes on GitHub.