vendor_fabric.aws.organizations

AWS Organizations and Control Tower operations.

This module provides operations for managing AWS accounts through AWS Organizations and Control Tower.

Module Contents

Classes

AWSOrganizationsMixin

Mixin providing AWS Organizations operations.

API

class vendor_fabric.aws.organizations.AWSOrganizationsMixin

Mixin providing AWS Organizations operations.

This mixin requires the base AWSConnector class to provide:

  • get_aws_client()

  • logger

  • execution_role_arn

get_organization_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Get all AWS accounts from AWS Organizations.

Recursively traverses the organization hierarchy to get all accounts with their organizational unit information and tags.

Args:
  unhump_accounts: Convert keys to snake_case. Defaults to True.
  sort_by_name: Sort accounts by name. Defaults to False.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Dictionary mapping account IDs to account data including:
  - Name, Email, Status, JoinedTimestamp
  - OuId, OuArn, OuName (organizational unit info)
  - tags (account tags)
  - managed (always False for org accounts)

Raises:
  RuntimeError: If unable to find root parent ID.

get_controltower_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Get all AWS accounts managed by AWS Control Tower.

Retrieves accounts from the Control Tower Account Factory.

Args:
  unhump_accounts: Convert keys to snake_case. Defaults to True.
  sort_by_name: Sort accounts by name. Defaults to False.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Dictionary mapping account IDs to account data with managed=True.

get_accounts(unhump_accounts: bool = True, sort_by_name: bool = False, include_controltower: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Get all AWS accounts from Organizations and Control Tower.

Combines accounts from AWS Organizations and Control Tower, marking Control Tower accounts as 'managed'.

Args:
  unhump_accounts: Convert keys to snake_case. Defaults to True.
  sort_by_name: Sort accounts by name. Defaults to False.
  include_controltower: Include Control Tower accounts. Defaults to True.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Dictionary mapping account IDs to account data with 'managed' flag.

get_organization_units(unhump_units: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Get all organizational units from AWS Organizations.

Args:
  unhump_units: Convert keys to snake_case. Defaults to True.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Dictionary mapping OU IDs to OU data.
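The recursive walk that get_organization_accounts and get_organization_units describe, shown as an added example written for this page rather than vendor_fabric's own code. It assumes a client exposing the boto3 Organizations calls list_roots, list_organizational_units_for_parent, list_accounts_for_parent and list_tags_for_resource with boto3's response shapes and NextToken pagination; FakeOrganizationsClient is a constructed in-memory stand-in so the walk runs offline, and the OuPath key is this example's own addition. Against a real organization you would pass boto3.client("organizations"), and the credentials (or the role named by execution_role_arn) must belong to the management account or a delegated administrator, because member accounts cannot call these APIs.

```python
"""Recursive walk of an AWS Organizations tree (added example, not vendor_fabric code)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Callable

_JOINED = datetime(2024, 1, 1, tzinfo=timezone.utc)
_ORG = "arn:aws:organizations::111111111111"


def _acct(acct_id: str, name: str, status: str = "ACTIVE") -> dict[str, Any]:
    """Build one account record in boto3's ListAccountsForParent shape (constructed data)."""
    return {"Id": acct_id, "Arn": f"{_ORG}:account/o-example/{acct_id}", "Name": name,
            "Email": f"{name}@example.com", "Status": status, "JoinedTimestamp": _JOINED}


class FakeOrganizationsClient:
    """Constructed sample org: Root > Workloads > Prod. Page size 2 forces NextToken handling."""

    PAGE = 2

    def __init__(self) -> None:
        self._roots = [{"Id": "r-abcd", "Arn": f"{_ORG}:root/o-example/r-abcd", "Name": "Root"}]
        self._ous = {
            "r-abcd": [{"Id": "ou-abcd-11111111", "Arn": f"{_ORG}:ou/o-example/ou-abcd-11111111", "Name": "Workloads"}],
            "ou-abcd-11111111": [{"Id": "ou-abcd-22222222", "Arn": f"{_ORG}:ou/o-example/ou-abcd-22222222", "Name": "Prod"}],
        }
        self._accounts = {
            "r-abcd": [_acct("111111111111", "management")],
            "ou-abcd-11111111": [_acct("222222222222", "shared-services"),
                                 _acct("444444444444", "retired", "SUSPENDED"),
                                 _acct("555555555555", "tooling")],
            "ou-abcd-22222222": [_acct("333333333333", "payments-prod")],
        }
        self._tags = {"333333333333": [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "payments"}]}

    def _page(self, items: list, key: str, NextToken: str | None = None) -> dict[str, Any]:
        start = int(NextToken or 0)
        resp: dict[str, Any] = {key: items[start:start + self.PAGE]}
        if start + self.PAGE < len(items):
            resp["NextToken"] = str(start + self.PAGE)
        return resp

    def list_roots(self, **kw: Any) -> dict[str, Any]:
        return self._page(self._roots, "Roots", **kw)

    def list_organizational_units_for_parent(self, ParentId: str, **kw: Any) -> dict[str, Any]:
        return self._page(self._ous.get(ParentId, []), "OrganizationalUnits", **kw)

    def list_accounts_for_parent(self, ParentId: str, **kw: Any) -> dict[str, Any]:
        return self._page(self._accounts.get(ParentId, []), "Accounts", **kw)

    def list_tags_for_resource(self, ResourceId: str, **kw: Any) -> dict[str, Any]:
        return self._page(self._tags.get(ResourceId, []), "Tags", **kw)


def _all_pages(call: Callable[..., dict[str, Any]], key: str, **params: Any) -> list[dict[str, Any]]:
    """Drain a paginated call, following NextToken until the API stops returning one."""
    items: list[dict[str, Any]] = []
    token: str | None = None
    while True:
        resp = call(**params, **({"NextToken": token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def walk_organization(client: Any) -> dict[str, Any]:
    """Return root_id, accounts keyed by ID (with OU info and tags) and OUs keyed by ID."""
    roots = _all_pages(client.list_roots, "Roots")
    if not roots:
        raise RuntimeError("unable to find root parent ID")
    root = roots[0]
    accounts: dict[str, dict[str, Any]] = {}
    units: dict[str, dict[str, Any]] = {}

    def visit(parent: dict[str, Any], path: list[str]) -> None:
        # Accounts attached directly to this root/OU. Closed accounts stay listed as
        # SUSPENDED for a while, so Status is kept and left for the caller to filter.
        for acct in _all_pages(client.list_accounts_for_parent, "Accounts", ParentId=parent["Id"]):
            tags = _all_pages(client.list_tags_for_resource, "Tags", ResourceId=acct["Id"])
            accounts[acct["Id"]] = {
                **acct,
                "OuId": parent["Id"], "OuArn": parent["Arn"], "OuName": parent["Name"],
                "OuPath": "/".join(path),  # assumed key, this example's own addition
                "tags": {t["Key"]: t["Value"] for t in tags},
                "managed": False,
            }
        # Then descend into every child OU.
        for ou in _all_pages(client.list_organizational_units_for_parent, "OrganizationalUnits", ParentId=parent["Id"]):
            units[ou["Id"]] = {**ou, "ParentId": parent["Id"], "Path": "/".join(path + [ou["Name"]])}
            visit(ou, path + [ou["Name"]])

    visit(root, [root["Name"]])
    return {"root_id": root["Id"], "accounts": accounts, "organizational_units": units}


if __name__ == "__main__":
    org = walk_organization(FakeOrganizationsClient())
    for acct_id, data in org["accounts"].items():
        print(acct_id, data["Status"], data["OuPath"], data["tags"])
```

Every list call is drained through _all_pages because the real API caps page size and silently truncates otherwise; a walk that ignores NextToken produces an inventory missing accounts, which is exactly the gap an attacker-created or forgotten account hides in. The walk also reads the tree in one pass, so the result is a point-in-time snapshot and should be re-taken rather than cached for access decisions.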

label_account(account_id: str, labels: collections.abc.Mapping[str, str], execution_role_arn: str | None = None) -> None

Apply labels (tags) to an AWS account.

Args:
  account_id: AWS account ID.
  labels: Dictionary of label key-value pairs to apply.
  execution_role_arn: ARN of role to assume for cross-account access.

classify_accounts(accounts: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, classification_rules: collections.abc.Mapping[str, collections.abc.Sequence[str]] | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Classify AWS accounts based on OU paths or tags.

Default classification rules:

  • 'production': accounts in OUs containing 'prod' or 'production'

  • 'staging': accounts in OUs containing 'stage' or 'staging'

  • 'development': accounts in OUs containing 'dev' or 'development'

  • 'sandbox': accounts in OUs containing 'sandbox'

  • 'security': accounts in OUs containing 'security'

Args:
  accounts: Pre-fetched accounts dict. Fetched if not provided.
  classification_rules: Custom rules mapping classification -> OU patterns.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Accounts dict with added 'classification' field.
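Classification with the default rules above, as an added example written for this page; it is not vendor_fabric's classify_accounts, and the page does not say how that method matches a pattern against an OU or resolves overlaps. This version makes the choices a practitioner would want spelled out: a pattern must equal a whole word of an OU name (split on '/', '-', '_' and spaces) so that an OU called NonProd is not classified as production, the deepest OU on the path wins, an 'environment' tag is the fallback, and no match yields 'unclassified'. It assumes account dicts carry an 'OuPath' (root-to-leaf, '/'-separated; this example's own key) or 'OuName', plus an optional 'tags' dict. The naive substring check is included only to show what it gets wrong.

```python
"""Account classification by OU path (added example, not vendor_fabric code)."""
from __future__ import annotations

import re
from typing import Any, Mapping, Sequence

# Default rules as listed in the documentation above, in priority order.
DEFAULT_RULES: dict[str, tuple[str, ...]] = {
    "production": ("prod", "production"),
    "staging": ("stage", "staging"),
    "development": ("dev", "development"),
    "sandbox": ("sandbox",),
    "security": ("security",),
}

_SPLIT = re.compile(r"[/\-_\s]+")


def _words(text: str) -> set[str]:
    """Lower-cased whole words of an OU name or tag value."""
    return {w for w in _SPLIT.split(text.lower()) if w}


def _match_words(text: str, rules: Mapping[str, Sequence[str]]) -> str | None:
    """First rule (in rule order) with a pattern equal to a whole word of text."""
    words = _words(text)
    for name, patterns in rules.items():
        if any(p.lower() in words for p in patterns):
            return name
    return None


def classify_by_substring(ou_path: str, rules: Mapping[str, Sequence[str]] = DEFAULT_RULES) -> str:
    """Naive 'OU name contains pattern' check, kept for contrast: NonProd becomes production."""
    lowered = ou_path.lower()
    for name, patterns in rules.items():
        if any(p.lower() in lowered for p in patterns):
            return name
    return "unclassified"


def classify_account(data: Mapping[str, Any], rules: Mapping[str, Sequence[str]] = DEFAULT_RULES) -> str:
    """Classify one account: deepest matching OU first, then the 'environment' tag (assumed key)."""
    path = data.get("OuPath") or data.get("OuName") or ""
    for segment in reversed([s for s in path.split("/") if s]):
        hit = _match_words(segment, rules)
        if hit:
            return hit
    env_tag = (data.get("tags") or {}).get("environment")
    if env_tag:
        hit = _match_words(env_tag, rules)
        if hit:
            return hit
    return "unclassified"


def classify_accounts(accounts: Mapping[str, Mapping[str, Any]],
                      rules: Mapping[str, Sequence[str]] = DEFAULT_RULES) -> dict[str, dict[str, Any]]:
    """Return a new dict with a 'classification' field added to every account; input is not mutated."""
    return {aid: {**data, "classification": classify_account(data, rules)} for aid, data in accounts.items()}


# Constructed sample accounts covering the cases that trip a substring match.
SAMPLE_ACCOUNTS: dict[str, dict[str, Any]] = {
    "111111111111": {"Name": "payments", "OuPath": "Root/Workloads/Prod"},
    "222222222222": {"Name": "nonprod-shared", "OuPath": "Root/Workloads/NonProd", "tags": {"environment": "dev"}},
    "333333333333": {"Name": "audit", "OuPath": "Root/Production/Security"},
    "444444444444": {"Name": "pipelines", "OuPath": "Root/DevSecOps"},
    "555555555555": {"Name": "scratch", "OuName": "Sandbox"},
}


if __name__ == "__main__":
    for aid, data in classify_accounts(SAMPLE_ACCOUNTS).items():
        path = data.get("OuPath") or data.get("OuName")
        print(aid, path, "->", data["classification"], "(substring:", classify_by_substring(path) + ")")
```

The difference matters because classification tends to feed downstream guardrails (which accounts get the strict SCP set, which are in scope for production change control). A rule that labels NonProd as production is merely noisy, but one that labels DevSecOps as development can quietly drop a security tooling account out of the stricter bucket; unmatched accounts are therefore returned as 'unclassified' so they surface for review instead of inheriting a default.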

label_aws_accounts(domains: collections.abc.Mapping[str, str], aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Return normalized metadata for every AWS account.

Args:
  domains: Mapping of environment -> root domain.
  aws_organization_units: Optional precomputed OU metadata (with tags).
  caller_account_id: Optional root account id. Auto-discovered if omitted.
  execution_role_arn: ARN used for cross-account access.

Returns:
  Dictionary keyed by account id with normalized metadata (network_name, json_key, execution role ARN, classifications, etc.).

label_aws_account(account_id: str, domains: collections.abc.Mapping[str, str], aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Return metadata for a single AWS account.

classify_aws_accounts(labeled_accounts: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, suffix: str | None = None, domains: collections.abc.Mapping[str, str] | None = None, aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Group accounts by classification for infrastructure data consumers.

preprocess_aws_organization(domains: collections.abc.Mapping[str, str], suffix: str | None = None, aws_organization_units: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, caller_account_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Build full organization context (accounts, units, lookups).

preprocess_organization(include_tags: bool = True, include_classification: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Preprocess AWS Organization data for infrastructure workflows.

Returns a structured dictionary suitable for downstream data sources.

Args:
  include_tags: Include account tags. Defaults to True.
  include_classification: Include account classification. Defaults to True.
  execution_role_arn: ARN of role to assume for cross-account access.

Returns:
  Dictionary with 'accounts', 'organizational_units', and 'root_id'.