AWS Cloudformation terraform script to create the Drata Autopilot role across an Organizational Unit. NOTE: Make sure you run this script with the management account credentials.
Optionally you may create the CloudFormation StackSet directly in the console, download the json template and upload it as a template resource.
The example below uses ref=main (which is appended in the URL), but it is recommended to use a specific tag version (i.e. ref=1.0.0) to avoid breaking changes. Go to the release page for a list of published versions.
Replace YOUR_EXTERNAL_ID with the external id provided in the Drata UI. i.e. 00000000-0000-0000-0000-000000000000.
module "drata_role_cloudformation_stacksets" {
source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"
role_sts_externalid = "YOUR_EXTERNAL_ID"
# stackset_region = "REGION" # Uncomment if you'd like to change the default value of 'us-west-2'
# organizational_unit_ids = ["ORG_ID_1", "ORG_ID_2"] # Uncomment if you'd like to change the default behavior, which assigns the role to all sub accounts within the organization
# drata_aws_account_id = "XXXXXXXXXXXX" # Uncomment if you'd like to change the default value. The default value should be sufficient for most use cases
}
The following steps will guide you on how to run this script.
- Add the code above to your terraform code.
- Replace
maininref=mainwith the latest version from the release page. - In your browser, open https://app.drata.com/account-settings/connections/connection?provId=AWS_ORG_UNITS.
- Copy the
Drata External IDfrom the AWS Org Units connection panel in Drata and replaceYOUR_EXTERNAL_IDin the module with the ID you copied. - Replace
stackset_regionif the desired region is different than the default valueus-west-2. - If you don't wish to assign the role to all sub accounts, add the organizational unit ids to
organizational_unit_ids. drata_aws_account_idshouldn't be set because the default value is enough for most use cases.- Back in your terminal, run terraform init to download/update the module.
- Run terraform apply and IMPORTANT review the plan output before typing yes.
- If successful, go back to the AWS console and verify the Role has been generated in all the sub accounts.
- If you want to roll back the operations this script just performed, type
terraform destroyandenter.
AWS CloudFormation StackSets isn't able to create resources under the management account. If you wish to create the DrataAutopilotRole in the management account you can use this repo or create it manually following our help documentation.
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_cloudformation_stack_set.stack_set | resource |
| aws_cloudformation_stack_set_instance.instances | resource |
| aws_organizations_organization.organization | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| drata_aws_account_id | Drata's AWS account ID | string |
"269135526815" |
no |
| organizational_unit_ids | Organizational Unit Ids to assign the role to. | list(string) |
null |
no |
| role_sts_externalid | Drata External ID from the Drata UI. | string |
n/a | yes |
| stackset_region | Region where the stackset instance will be executed. | string |
"us-west-2" |
no |
No outputs.