AWS CloudFormation Terraform module to create the Drata Autopilot role across an Organizational Unit. NOTE: Make sure you run this module with the management account credentials; a service-managed StackSet can only be created from there.
Optionally, you may create the CloudFormation StackSet directly in the console: download the JSON template and upload it as the StackSet template.
The example below uses ref=main (appended to the module source URL), but it is recommended to pin a specific tag version (e.g. ref=1.0.0) to avoid breaking changes. Go to the release page for the list of published versions. Note that a tag can be moved after the fact; if you need an immutable reference, pin the full commit SHA instead (ref=<commit-sha>), which Terraform's git source also accepts.
Replace YOUR_EXTERNAL_ID with the external ID provided in the Drata UI, e.g. 00000000-0000-0000-0000-000000000000. The external ID is the value Drata must present in its sts:AssumeRole call; it is what stops a third party who merely knows the role ARN from assuming the role (the confused-deputy problem), so copy it exactly and do not reuse it across tenants.
```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid = "YOUR_EXTERNAL_ID"

  # Optional: Change the default region (default: us-west-2)
  # stackset_region = "us-east-1"

  # Optional: Specify organizational units (default: organization root)
  # organizational_unit_ids = ["ou-xxxx-xxxxxxxx", "ou-yyyy-yyyyyyyy"]

  # Optional: Target specific account IDs
  # target_account_ids = ["123456789012", "234567890123"]

  # Optional: Control account filtering behavior (default: INTERSECTION)
  # account_filter_type = "INTERSECTION" # Options: NONE, INTERSECTION, DIFFERENCE, UNION

  # Optional: Customize the StackSet name (default: drata-role-terraform-stack-set)
  # stack_set_name = "my-custom-drata-stackset"

  # Optional: Apply custom tags to resources
  # tags = {
  #   Environment = "production"
  #   Team        = "security"
  #   CostCenter  = "compliance"
  # }

  # Optional: Override Drata's AWS account ID (rarely needed)
  # drata_aws_account_id = "269135526815"
}
```

The following steps will guide you on how to run this module.
- Add the code above to your Terraform code.
- Replace `main` in `ref=main` with the latest version from the release page.
- In your browser, open https://app.drata.com/account-settings/connections/connection?provId=AWS_ORG_UNITS.
- Copy the `Drata External ID` from the AWS Org Units connection panel in Drata and replace `YOUR_EXTERNAL_ID` in the module with the ID you copied.
- Replace `stackset_region` if the desired region is different from the default value `us-west-2`.
- Configure Organizational Units (Optional): If you don't wish to assign the role to all accounts in your organization, specify the organizational unit IDs in `organizational_unit_ids`. If omitted, it defaults to the organization root.
- Target Specific Accounts (Optional): To target specific AWS account IDs, add them to `target_account_ids`. Account IDs must be exactly 12 digits. See "Account Targeting Options" below for details on how this interacts with `organizational_unit_ids`.
- Configure Account Filtering (Optional): When both `organizational_unit_ids` and `target_account_ids` are specified, use `account_filter_type` to control the filtering behavior:
  - `INTERSECTION` (default): Deploy only to the specified accounts that exist within the specified OUs
  - `UNION`: Deploy to all accounts in the OUs plus the specified accounts
  - `DIFFERENCE`: Deploy to all accounts in the OUs except the specified accounts
  - `NONE`: Deploy to all accounts in the specified OUs (ignores `target_account_ids`)
- Apply Custom Tags (Optional): Add custom tags to `tags` if you want to apply them to the StackSet and StackSet Instances resources. Note: Tags are applied to the Terraform-managed resources but not to the IAM role created by the CloudFormation template.
- Customize StackSet Name (Optional): If you need to avoid naming conflicts or prefer a different name, set `stack_set_name`. The default is `drata-role-terraform-stack-set`.
- Override Drata Account ID (Rarely Needed): `drata_aws_account_id` shouldn't be changed; the default value is sufficient for most use cases.
- Back in your terminal, run `terraform init` to download/update the module.
- Run `terraform apply` and, IMPORTANT, review the plan output before typing `yes`. The plan lists the StackSet and its stack instances, so an OU or account ID you did not intend to target shows up there before any role is created.
- If successful, go back to the AWS console and verify the role has been created in all the target accounts.
- If you want to roll back the operations this module just performed, run `terraform destroy` and confirm with `yes`. This removes the stack instances and the StackSet, which deletes the role from the target accounts.
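Verifying in the console that the role exists does not tell you whether its trust policy is what you expect. The following is an added example, not code from the drata/aws-cloudformation-drata-setup module: it checks a DrataAutopilotRole trust policy for the properties the external ID is meant to provide (only Drata's account as principal, `sts:AssumeRole` gated on `sts:ExternalId`, no wildcard principal). The two policy documents below are constructed samples in the usual cross-account trust-policy shape; the real document is what `aws iam get-role --role-name DrataAutopilotRole --query Role.AssumeRolePolicyDocument` returns in each target account, and the role name and policy layout are assumptions about what the CloudFormation template creates.

```python
"""Post-apply check of a DrataAutopilotRole trust policy (added example)."""
import json

DRATA_ACCOUNT_ID = "269135526815"   # module default for drata_aws_account_id
EXPECTED_EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, as in the Drata UI


def _as_list(value):
    """IAM allows a scalar or a list in most policy fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, external_id, drata_account_id=DRATA_ACCOUNT_ID):
    """Return a list of findings; an empty list means the policy looks as expected."""
    findings = []
    assume_stmts = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_stmts:
        return ["no Allow statement for sts:AssumeRole; nothing can assume the role"]

    for stmt in assume_stmts:
        principal = stmt.get("Principal")
        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        # Accept the bare account id or any ARN in that account (arn:aws:iam::<id>:root).
        foreign = [p for p in aws_principals if p != "*" and drata_account_id not in p]
        if foreign:
            findings.append(f"principal(s) outside Drata's account: {foreign}")

        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        got = string_equals.get("sts:ExternalId")
        if got is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif got != external_id:
            findings.append(f"sts:ExternalId is {got!r}, expected {external_id!r}")
    return findings


# Constructed sample: the trust policy as it should look after apply.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DRATA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed sample: same policy with the condition dropped, so the role no
# longer distinguishes this tenant from anyone else acting from the same account.
NO_EXTERNAL_ID_POLICY = json.loads(json.dumps(GOOD_POLICY))
del NO_EXTERNAL_ID_POLICY["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("no-external-id", NO_EXTERNAL_ID_POLICY)):
        print(name, check_trust_policy(policy, EXPECTED_EXTERNAL_ID) or "OK")
```

Run it against every target account's `get-role` output; any non-empty result means the deployed role differs from the template you reviewed in the plan and should be investigated before connecting it in Drata.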
Account Targeting Options. This module provides flexible options for targeting AWS accounts, with fine-grained control over deployment scope.

- Default behavior: when neither `organizational_unit_ids` nor `target_account_ids` is specified, the StackSet targets all accounts in your AWS organization (it uses the organization root).
- Organizational units: set `organizational_unit_ids` to target specific organizational units.
  - Example: `organizational_unit_ids = ["ou-xxxx-xxxxxxxx", "ou-yyyy-yyyyyyyy"]`
  - The StackSet will deploy to all accounts within the specified OUs.
- Specific account IDs: set `target_account_ids` to target specific AWS account IDs.
  - Example: `target_account_ids = ["123456789012", "234567890123"]`
  - Account IDs must be exactly 12 digits.
  - This option is always evaluated together with `organizational_unit_ids`. When `organizational_unit_ids` is omitted, the organization root is used, so with the default `INTERSECTION` filter the role is deployed only to the listed accounts.
When both `organizational_unit_ids` and `target_account_ids` are provided, use `account_filter_type` to control the deployment behavior:

- `INTERSECTION` (default): deploys only to accounts that are listed in `target_account_ids` AND exist within the specified `organizational_unit_ids`.
  - Use case: "Deploy to these specific accounts, but only if they're in these OUs"
  - Example: target production accounts within the security OU
- `UNION`: deploys to accounts that are in the specified `organizational_unit_ids` OR listed in `target_account_ids`.
  - Use case: "Deploy to all accounts in these OUs, plus these additional specific accounts"
  - Example: all dev OU accounts plus a few specific test accounts outside the OU
- `DIFFERENCE`: deploys to accounts that are in the specified `organizational_unit_ids` BUT NOT listed in `target_account_ids`.
  - Use case: "Deploy to all accounts in these OUs except these specific ones"
  - Example: all accounts in the production OU except the legacy account
- `NONE`: deploys to all accounts in the specified `organizational_unit_ids` and ignores `target_account_ids` completely.
  - Use case: when you want to explicitly ignore account filtering

Tags:

- Use the `tags` variable to apply custom tags to the StackSet and StackSet Instances resources.
- Tags help with cost allocation, resource organization, and compliance tracking.
- Important: tags are applied to the Terraform-managed CloudFormation resources (StackSet and StackSet Instances) but not to the IAM role created by the CloudFormation template itself.
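The four filter types are ordinary set operations, and the cheapest way to catch a targeting mistake is to compute the expected account set before `terraform apply` and compare it with the stack instances in the plan. The following is an added example, not part of the module: it reimplements the `account_filter_type` semantics described above over a constructed organization (the OU IDs, account IDs and root ID are invented), applies the 12-digit rule, substitutes the organization root when `organizational_unit_ids` is omitted, and drops the management account, which StackSets never deploys to.

```python
"""Resolve the accounts a StackSet deployment will reach (added example)."""
import re

ACCOUNT_ID = re.compile(r"\d{12}")

# Constructed sample organization: OU id -> accounts under it. OUs are nested
# under the root, so the root entry holds every account in the organization.
SAMPLE_ROOT = "r-abcd"
SAMPLE_MANAGEMENT_ACCOUNT = "999999999999"
SAMPLE_ORG = {
    "ou-prod-12345678": {"111111111111", "222222222222", "333333333333"},
    "ou-dev-87654321": {"444444444444"},
    SAMPLE_ROOT: {"111111111111", "222222222222", "333333333333",
                  "444444444444", "555555555555", SAMPLE_MANAGEMENT_ACCOUNT},
}


def resolve_targets(org, root_id, management_account_id,
                    organizational_unit_ids=None, target_account_ids=None,
                    account_filter_type="INTERSECTION"):
    """Return the sorted account ids the StackSet will create stack instances in."""
    # An omitted OU list means the organization root, as the module documents.
    ou_ids = organizational_unit_ids or [root_id]
    unknown = [ou for ou in ou_ids if ou not in org]
    if unknown:
        raise ValueError(f"unknown organizational unit id(s): {unknown}")
    in_ous = set().union(*(org[ou] for ou in ou_ids))

    if target_account_ids is None:
        selected = in_ous
    else:
        bad = [a for a in target_account_ids if not ACCOUNT_ID.fullmatch(a)]
        if bad:
            raise ValueError(f"account IDs must be exactly 12 digits: {bad}")
        listed = set(target_account_ids)
        ops = {
            "INTERSECTION": in_ous & listed,   # listed AND in the OUs
            "UNION": in_ous | listed,          # in the OUs OR listed
            "DIFFERENCE": in_ous - listed,     # in the OUs BUT NOT listed
            "NONE": in_ous,                    # target_account_ids ignored
        }
        if account_filter_type not in ops:
            raise ValueError(f"account_filter_type must be one of {sorted(ops)}")
        selected = ops[account_filter_type]

    # Service-managed StackSets skip the management account even when it is in scope.
    return sorted(selected - {management_account_id})


if __name__ == "__main__":
    common = (SAMPLE_ORG, SAMPLE_ROOT, SAMPLE_MANAGEMENT_ACCOUNT)
    print("default          ", resolve_targets(*common))
    print("prod OU only     ", resolve_targets(*common, organizational_unit_ids=["ou-prod-12345678"]))
    for filt in ("INTERSECTION", "UNION", "DIFFERENCE", "NONE"):
        print(f"{filt:<17}", resolve_targets(*common, organizational_unit_ids=["ou-prod-12345678"],
                                             target_account_ids=["111111111111", "444444444444"],
                                             account_filter_type=filt))
```

The OU membership map is the only input you need from a real organization; `aws organizations list-accounts-for-parent --parent-id <ou-id>` returns the direct members of an OU, and the root ID comes from `aws organizations list-roots`.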
Example 1: All accounts in organization (default)

```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid = "YOUR_EXTERNAL_ID"
}
```

Example 2: Specific organizational units only

```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid     = "YOUR_EXTERNAL_ID"
  organizational_unit_ids = ["ou-prod-12345678", "ou-staging-87654321"]
}
```

Example 3: Specific accounts within OUs (default INTERSECTION behavior)

```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid     = "YOUR_EXTERNAL_ID"
  organizational_unit_ids = ["ou-prod-12345678"]
  target_account_ids      = ["123456789012", "234567890123"] # Only these accounts, and only if they're in the prod OU
  account_filter_type     = "INTERSECTION"                   # Default behavior, shown here for clarity
}
```

Example 4: All accounts in the specified OUs that are NOT in the provided list

```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid     = "YOUR_EXTERNAL_ID"
  organizational_unit_ids = ["ou-prod-12345678"]
  target_account_ids      = ["123456789012", "234567890123"] # Accounts to exclude from deployment
  account_filter_type     = "DIFFERENCE"                     # Deploy to all accounts in the prod OU except these
}
```

Example 5: With custom tags

```hcl
module "drata_role_cloudformation_stacksets" {
  source = "git::https://github.com/drata/aws-cloudformation-drata-setup.git?ref=main"

  role_sts_externalid = "YOUR_EXTERNAL_ID"

  tags = {
    Environment = "production"
    Team        = "security"
    Compliance  = "drata"
    CostCenter  = "security-ops"
  }
}
```

AWS CloudFormation StackSets can't create resources in the management account. If you wish to create the DrataAutopilotRole in the management account, you can use this repo or create it manually following our help documentation.
No requirements.

| Provider | Version |
|---|---|
| aws | n/a |

No modules.

| Resource | Type |
|---|---|
| aws_cloudformation_stack_set.stack_set | resource |
| aws_cloudformation_stack_instances.instances | resource |
| aws_organizations_organization.organization | data source |

| Input | Description | Type | Default | Required |
|---|---|---|---|---|
| account_filter_type | The type of account filter to apply when both organizational_unit_ids and target_account_ids are specified: NONE, INTERSECTION, DIFFERENCE, or UNION | string | "INTERSECTION" | no |
| drata_aws_account_id | Drata's AWS account ID | string | "269135526815" | no |
| organizational_unit_ids | Organizational Unit IDs to assign the role to. Defaults to the organization root when null. | list(string) | null | no |
| role_sts_externalid | Drata External ID from the Drata UI. | string | n/a | yes |
| stack_set_name | Name of the CloudFormation StackSet. Change this if you need to avoid naming conflicts. | string | "drata-role-terraform-stack-set" | no |
| stackset_region | Region where the StackSet instances will be executed. | string | "us-west-2" | no |
| tags | A map of tags to apply to the Terraform-managed StackSet and StackSet Instances resources (not to the IAM role created by the template). | map(string) | {} | no |
| target_account_ids | List of specific account IDs to target. When provided, only these accounts will be targeted (in combination with organizational_unit_ids if specified). If null, all accounts in the specified OUs will be targeted. | list(string) | null | no |

No outputs.