vendor_fabric.aws.organizations
AWS Organizations and Control Tower operations.
This module provides operations for managing AWS accounts through AWS Organizations and Control Tower.
Module Contents
Classes
- AWSOrganizationsMixin: Mixin providing AWS Organizations operations.
API
- class vendor_fabric.aws.organizations.AWSOrganizationsMixin
Mixin providing AWS Organizations operations.
This mixin requires the base AWSConnector class to provide:
  - get_aws_client()
  - logger
  - execution_role_arn
- get_organization_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Get all AWS accounts from AWS Organizations.
Recursively traverses the organization hierarchy to get all accounts with their organizational unit information and tags.
Args:
  - unhump_accounts: Convert keys to snake_case. Defaults to True.
  - sort_by_name: Sort accounts by name. Defaults to False.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data including:
  - Name, Email, Status, JoinedTimestamp
  - OuId, OuArn, OuName (organizational unit info)
  - tags (account tags)
  - managed (always False for org accounts)
Raises: RuntimeError if unable to find the root parent ID.
- get_controltower_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Get all AWS accounts managed by AWS Control Tower.
Retrieves accounts from the Control Tower Account Factory.
Args:
  - unhump_accounts: Convert keys to snake_case. Defaults to True.
  - sort_by_name: Sort accounts by name. Defaults to False.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data with managed=True.
- get_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, include_controltower: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Get all AWS accounts from Organizations and Control Tower.
Combines accounts from AWS Organizations and Control Tower, marking Control Tower accounts as ‘managed’.
Args:
  - unhump_accounts: Convert keys to snake_case. Defaults to True.
  - sort_by_name: Sort accounts by name. Defaults to False.
  - include_controltower: Include Control Tower accounts. Defaults to True.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Dictionary mapping account IDs to account data with a ‘managed’ flag.
- get_organization_units(unhump_units: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Get all organizational units from AWS Organizations.
Args:
  - unhump_units: Convert keys to snake_case. Defaults to True.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Dictionary mapping OU IDs to OU data.
- label_account(account_id: str, labels: collections.abc.Mapping[str, str], execution_role_arn: str | None = None) -> None
Apply labels (tags) to an AWS account.
Args:
  - account_id: AWS account ID.
  - labels: Dictionary of label key-value pairs to apply.
  - execution_role_arn: ARN of the role to assume for cross-account access.
- classify_accounts(accounts: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, classification_rules: collections.abc.Mapping[str, collections.abc.Sequence[str]] | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Classify AWS accounts based on OU paths or tags.
Default classification rules:
  - ‘production’: accounts in OUs containing ‘prod’ or ‘production’
  - ‘staging’: accounts in OUs containing ‘stage’ or ‘staging’
  - ‘development’: accounts in OUs containing ‘dev’ or ‘development’
  - ‘sandbox’: accounts in OUs containing ‘sandbox’
  - ‘security’: accounts in OUs containing ‘security’
Args:
  - accounts: Pre-fetched accounts dict. Fetched if not provided.
  - classification_rules: Custom rules mapping classification -> OU patterns.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Accounts dict with an added ‘classification’ field.
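The substring rules above, worked through on constructed account data. This is an added example rather than the module's own implementation: classify_account() and classify_accounts_by_ou() are hypothetical stand-ins for classify_accounts, the first-match precedence and the 'unclassified' fallback are assumptions the page does not state, and the tag check uses the tag values of the account's `tags` dict.

```python
from __future__ import annotations

from collections.abc import Mapping, Sequence
from typing import Any

# Default rules as listed above; dict order decides precedence when several match
# (assumption: first-match semantics, which the page does not state).
DEFAULT_RULES: dict[str, Sequence[str]] = {
    "production": ("prod", "production"),
    "staging": ("stage", "staging"),
    "development": ("dev", "development"),
    "sandbox": ("sandbox",),
    "security": ("security",),
}

# Constructed sample in the shape get_organization_accounts() describes.
SAMPLE_ACCOUNTS: dict[str, dict[str, Any]] = {
    "111111111111": {"Name": "payments-prod", "OuName": "Production", "tags": {}},
    "222222222222": {"Name": "payments-dev", "OuName": "Development", "tags": {}},
    "333333333333": {"Name": "audit", "OuName": "Security", "tags": {}},
    "444444444444": {"Name": "shared", "OuName": "Infrastructure", "tags": {"Environment": "sandbox"}},
    "555555555555": {"Name": "legacy-test", "OuName": "NonProd", "tags": {}},
}


def classify_account(data: Mapping[str, Any], rules: Mapping[str, Sequence[str]]) -> str:
    """Return the first classification whose pattern is a substring of the OU name
    or of any tag value (case-insensitive); 'unclassified' if nothing matches (assumed)."""
    tags: Mapping[str, Any] = data.get("tags") or {}
    haystack = " ".join([str(data.get("OuName", "")), *map(str, tags.values())]).lower()
    for classification, patterns in rules.items():
        if any(p.lower() in haystack for p in patterns):
            return classification
    return "unclassified"


def classify_accounts_by_ou(
    accounts: Mapping[str, Mapping[str, Any]],
    rules: Mapping[str, Sequence[str]] | None = None,
) -> dict[str, dict[str, Any]]:
    """Copy each account dict and add a 'classification' field, leaving the input untouched."""
    rules = rules or DEFAULT_RULES
    return {aid: {**data, "classification": classify_account(data, rules)} for aid, data in accounts.items()}


# Substring matching has a pitfall worth checking in your own tree: 'prod' matches an OU
# named 'NonProd'. Passing custom classification_rules with a more specific rule first is
# the ordering-based fix; this keeps the other defaults after it.
SAFER_RULES: dict[str, Sequence[str]] = {
    "development": ("nonprod", "dev", "development"),
    **{k: v for k, v in DEFAULT_RULES.items() if k != "development"},
}
```

Run classify_accounts_by_ou(SAMPLE_ACCOUNTS) with and without SAFER_RULES to see the NonProd account move from ‘production’ to ‘development’; the same check is worth running against a real OU listing before trusting the classifications downstream.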
- label_aws_accounts(domains: collections.abc.Mapping[str, str], aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Return normalized metadata for every AWS account.
Args:
  - domains: Mapping of environment -> root domain.
  - aws_organization_units: Optional precomputed OU metadata (with tags).
  - caller_account_id: Optional root account ID. Auto-discovered if omitted.
  - execution_role_arn: ARN used for cross-account access.
Returns: Dictionary keyed by account ID with normalized metadata (network_name, json_key, execution role ARN, classifications, etc.).
- label_aws_account(account_id: str, domains: collections.abc.Mapping[str, str], aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Return metadata for a single AWS account.
- classify_aws_accounts(labeled_accounts: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, suffix: str | None = None, domains: collections.abc.Mapping[str, str] | None = None, aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Group accounts by classification for infrastructure data consumers.
- preprocess_aws_organization(domains: collections.abc.Mapping[str, str], suffix: str | None = None, aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Build the full organization context (accounts, units, lookups).
- preprocess_organization(include_tags: bool = True, include_classification: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict
Preprocess AWS Organization data for infrastructure workflows.
Returns a structured dictionary suitable for downstream data sources.
Args:
  - include_tags: Include account tags. Defaults to True.
  - include_classification: Include account classification. Defaults to True.
  - execution_role_arn: ARN of the role to assume for cross-account access.
Returns: Dictionary with ‘accounts’, ‘organizational_units’, and ‘root_id’.