Resource: awsControltowerControl

Allows the application of pre-defined controls to organizational units. For more information on usage, please see the AWS Control Tower User Guide.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// The snippet below is meant to run inside a TerraformStack constructor, which
// is what `this` refers to.
class ControltowerControlStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Look up the organization so its root can be referenced.
    const dataAwsOrganizationsOrganizationExample =
      new aws.dataAwsOrganizationsOrganization.DataAwsOrganizationsOrganization(
        this,
        "example",
        {}
      );
    // List the organizational units directly under the organization root.
    const dataAwsOrganizationsOrganizationalUnitsExample =
      new aws.dataAwsOrganizationsOrganizationalUnits.DataAwsOrganizationsOrganizationalUnits(
        this,
        "example_1",
        {
          parentId: `\${${dataAwsOrganizationsOrganizationExample.roots.fqn}[0].id}`,
        }
      );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    dataAwsOrganizationsOrganizationalUnitsExample.overrideLogicalId("example");
    // Control ARNs are region-scoped, so take the region from the provider.
    const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
      this,
      "current",
      {}
    );
    // Apply the control to the OU named "Infrastructure". targetIdentifier is a
    // single OU ARN (a string, not a list); the HCL for-expression that selects
    // the OU is passed through as a raw Terraform expression, using the data
    // source's fqn just as parentId does above.
    const awsControltowerControlExample =
      new aws.controltowerControl.ControltowerControl(this, "example_3", {
        controlIdentifier: `arn:aws:controltower:\${${dataAwsRegionCurrent.name}}::control/AWS-GR_EC2_VOLUME_INUSE_CHECK`,
        targetIdentifier: `\${[for x in ${dataAwsOrganizationsOrganizationalUnitsExample.children.fqn} : x.arn if x.name == "Infrastructure"][0]}`,
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsControltowerControlExample.overrideLogicalId("example");
  }
}

Argument Reference

The following arguments are supported:

  • controlIdentifier - (Required) The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
  • targetIdentifier - (Required) The ARN of the organizational unit.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ARN of the organizational unit.

Import

Control Tower Controls can be imported using their organizationalUnitArn and controlIdentifier, joined by a comma in that order, e.g.,

$ terraform import aws_controltower_control.example arn:aws:organizations::123456789101:ou/o-qqaejywet/ou-qg5o-ufbhdtv3,arn:aws:controltower:us-east-1::control/WTDSMKDKDNLE
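The following TypeScript helpers are an added example, not code from the provider documentation or the AWS provider itself. They build the two ARNs described under Argument Reference and assemble or check the comma-separated import ID shown above, rejecting a swapped order, a missing part or a malformed ARN before `terraform import` is run. The helper names, the regular expressions and the sample values are assumptions made for illustration; the account, organization and OU identifiers are the ones from the import example on this page.

```typescript
// Added example (not part of the provider docs): build and validate the
// identifiers an aws_controltower_control resource carries. No AWS calls.

interface ControlImportId {
  targetIdentifier: string;  // ARN of the organizational unit
  controlIdentifier: string; // ARN of the Control Tower control
}

// Assumed shapes, derived from the examples on this page:
// arn:aws:organizations::<12-digit account>:ou/<org id>/<ou id>
const OU_ARN_RE =
  /^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]+\/ou-[a-z0-9]+-[a-z0-9]+$/;
// arn:aws:controltower:<region>::control/<control name>
const CONTROL_ARN_RE =
  /^arn:aws:controltower:[a-z]{2}(?:-[a-z]+)+-\d::control\/[A-Za-z0-9_-]+$/;

function isOuArn(s: string): boolean {
  return OU_ARN_RE.test(s);
}

function isControlArn(s: string): boolean {
  return CONTROL_ARN_RE.test(s);
}

// Build the controlIdentifier for a named control in a region.
function controlArn(region: string, controlName: string): string {
  const arn = `arn:aws:controltower:${region}::control/${controlName}`;
  if (!isControlArn(arn)) {
    throw new Error(`malformed control ARN: ${arn}`);
  }
  return arn;
}

// Build the import ID "<ou arn>,<control arn>" in the order terraform import
// expects, refusing anything that is not an OU ARN followed by a control ARN.
function buildImportId(targetIdentifier: string, controlIdentifier: string): string {
  if (!isOuArn(targetIdentifier)) {
    throw new Error(`targetIdentifier is not an OU ARN: ${targetIdentifier}`);
  }
  if (!isControlArn(controlIdentifier)) {
    throw new Error(`controlIdentifier is not a control ARN: ${controlIdentifier}`);
  }
  return `${targetIdentifier},${controlIdentifier}`;
}

// Parse an import ID back into its two parts, applying the same checks.
// ARNs never contain commas, so a plain split is safe.
function parseImportId(importId: string): ControlImportId {
  const parts = importId.split(",");
  if (parts.length !== 2) {
    throw new Error(`expected "<ou arn>,<control arn>", got ${parts.length} part(s)`);
  }
  const targetIdentifier = parts[0];
  const controlIdentifier = parts[1];
  buildImportId(targetIdentifier, controlIdentifier); // validates both parts
  return { targetIdentifier, controlIdentifier };
}

// Render the terraform import command line for one OU/control pair.
function importCommand(
  resourceAddress: string,
  targetIdentifier: string,
  controlIdentifier: string
): string {
  return `terraform import ${resourceAddress} ${buildImportId(targetIdentifier, controlIdentifier)}`;
}

// Sample values (constructed; identifiers taken from this page's examples).
const SAMPLE_OU_ARN =
  "arn:aws:organizations::123456789101:ou/o-qqaejywet/ou-qg5o-ufbhdtv3";
const SAMPLE_CONTROL_ARN = controlArn("us-east-1", "AWS-GR_EC2_VOLUME_INUSE_CHECK");

console.log(importCommand("aws_controltower_control.example", SAMPLE_OU_ARN, SAMPLE_CONTROL_ARN));
console.log(parseImportId(`${SAMPLE_OU_ARN},${SAMPLE_CONTROL_ARN}`));
```

Run it with `ts-node` (or compile with `tsc`) to print the import command for the sample pair; swapping the two ARNs, or dropping one of them, makes `parseImportId` throw instead of producing an ID that `terraform import` would reject later.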