When you specify an OU within the accounts section each account within the OU is configured in the exact same way. You can already using AWS Organizations account tags to add tags to individual accounts and you can use override or append to configure the regions_enabled and default_region. If you have many accounts that have different default_region or regions_enabled values it can be cumbersome to maintain this in the manifest file. With this feature you can specify default_region and regions_enabled values in SSM per account allowing you to configure this easily at account vending time.
When defining an OU you must set the external_account_overrides correctly:
accounts:
- ou: "/dev"
name: "dev-accounts"
external_account_overrides:
default_region:
source: ssm
enabled_regions:
source: ssm
tags:
- "type:dev"Here we are saying we want default_region and enabled_regions values to come from SSM.
In SSM you must create parameters with the names:
where <account_id> is replaced with the 12 character AWS Account Id you want to override the default_region and enabled_regions for.
If an account within the OU is not present within SSM you will get an error unless you set a value for fail_if_missing:
accounts:
- ou: "/dev"
name: "dev-accounts"
external_account_overrides:
default_region:
fail_if_missing: false
source: ssm
enabled_regions:
fail_if_missing: false
source: ssm
tags:
- "type:dev"