

Adding Support for Child OUs (cloudposse/terraform-aws-components#898)
Co-authored-by: cloudpossebot <[email protected]>
jamengual and cloudpossebot authored Nov 14, 2023
1 parent dcc9450 commit ab83293
Showing 2 changed files with 28 additions and 9 deletions.
1 change: 1 addition & 0 deletions src/README.md
Expand Up @@ -360,6 +360,7 @@ atmos terraform apply account --stack gbl-root
| [aws_organizations_account.organization_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
| [aws_organizations_account.organizational_units_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |
| [aws_organizations_organizational_unit.child](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource |
| [aws_organizations_organizational_unit.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource |
| [aws_organizations_organization.existing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
36 changes: 27 additions & 9 deletions src/main.tf
Expand Up @@ -3,8 +3,10 @@ locals {
organization = lookup(var.organization_config, "organization", {})

# Organizational Units list and map configuration
organizational_units = lookup(var.organization_config, "organizational_units", [])
organizational_units_map = { for ou in local.organizational_units : ou.name => ou }
organizational_units = lookup(var.organization_config, "organizational_units", [])
organizational_units_map = { for ou in local.organizational_units : ou.name => merge(ou, {
parent_ou = contains(keys(ou), "parent_ou") ? ou.parent_ou : "none"
}) }

# Organization's Accounts list and map configuration
organization_accounts = lookup(var.organization_config, "accounts", [])
Expand All @@ -13,7 +15,7 @@ locals {
# Organizational Units' Accounts list and map configuration
organizational_units_accounts = flatten([
for ou in local.organizational_units : [
for account in lookup(ou, "accounts", []) : merge({ "ou" = ou.name, "account_email_format" = lookup(ou, "account_email_format", var.account_email_format) }, account)
for account in lookup(ou, "accounts", []) : merge({ "ou" = ou.name, "account_email_format" = lookup(ou, "account_email_format", var.account_email_format), parent_ou = contains(keys(ou), "parent_ou") ? ou.parent_ou : "none" }, account)
]
])
organizational_units_accounts_map = { for acc in local.organizational_units_accounts : acc.name => acc }
Expand All @@ -22,13 +24,22 @@ locals {
all_accounts = concat(local.organization_accounts, local.organizational_units_accounts)

# List of Organizational Unit names
organizational_unit_names = values(aws_organizations_organizational_unit.this)[*]["name"]
organizational_unit_names = concat(
values(aws_organizations_organizational_unit.this)[*]["name"],
values(aws_organizations_organizational_unit.child)[*]["name"]
)

# List of Organizational Unit ARNs
organizational_unit_arns = values(aws_organizations_organizational_unit.this)[*]["arn"]
organizational_unit_arns = concat(
values(aws_organizations_organizational_unit.this)[*]["arn"],
values(aws_organizations_organizational_unit.child)[*]["arn"]
)

# List of Organizational Unit IDs
organizational_unit_ids = values(aws_organizations_organizational_unit.this)[*]["id"]
organizational_unit_ids = concat(
values(aws_organizations_organizational_unit.this)[*]["id"],
values(aws_organizations_organizational_unit.child)[*]["id"]
)

# Map of account names to OU names (used for lookup `parent_id` for each account under an OU)
account_names_organizational_unit_names_map = length(local.organizational_units) > 0 ? merge(
Expand Down Expand Up @@ -127,18 +138,25 @@ resource "aws_organizations_account" "organization_accounts" {
}
}

# Provision Organizational Units
# Provision Organizational Units w/o Child Orgs
resource "aws_organizations_organizational_unit" "this" {
for_each = local.organizational_units_map
for_each = { for key, value in local.organizational_units_map : key => value if value.parent_ou == "none" }
name = each.value.name
parent_id = local.organization_root_account_id
}

# Provision Child Organizational Units
resource "aws_organizations_organizational_unit" "child" {
for_each = { for key, value in local.organizational_units_map : key => value if value.parent_ou != "none" }
name = each.value.name
parent_id = aws_organizations_organizational_unit.this[each.value.parent_ou].id
}

# Provision Accounts connected to Organizational Units
resource "aws_organizations_account" "organizational_units_accounts" {
for_each = local.organizational_units_accounts_map
name = each.value.name
parent_id = aws_organizations_organizational_unit.this[local.account_names_organizational_unit_names_map[each.value.name]].id
parent_id = each.value.parent_ou != "none" ? aws_organizations_organizational_unit.child[each.value.ou].id : aws_organizations_organizational_unit.this[local.account_names_organizational_unit_names_map[each.value.name]].id
email = try(format(each.value.account_email_format, each.value.name), each.value.account_email_format)
iam_user_access_to_billing = var.account_iam_user_access_to_billing
tags = merge(module.this.tags, try(each.value.tags, {}), { Name : each.value.name })
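Review bot: The `parent_id` line of the new `aws_organizations_organizational_unit.child` resource indexes only `aws_organizations_organizational_unit.this`, so a `parent_ou` that names another child OU, or a name with no matching OU at all, fails at plan time with an opaque invalid-index error instead of a message naming the offending OU; a `lifecycle { precondition }` on `child` that checks the parent against the top-level keys of `local.organizational_units_map` gives a clear error, and the header comment should state the limit, e.g. `# Provision Child Organizational Units (one level deep: parent_ou must name a top-level OU)`. The literal `"none"` used as the no-parent sentinel in `organizational_units_map` and in `organizational_units_accounts` also means an OU actually named `none` can never be referenced as a parent; `lookup(ou, "parent_ou", null)` with `!= null` tests avoids the collision and matches the `lookup(ou, "accounts", [])` style already used on the accounts line. Giving an existing OU a `parent_ou` moves it from the `this` for_each set to `child`, which Terraform plans as a destroy-and-create rather than a move, and since AWS does not delete an OU that still holds accounts, that apply will presumably fail until the accounts are relocated first; this is worth a sentence in the README section the commit also touches.
```terraform
resource "aws_organizations_organizational_unit" "child" {
  for_each = { for key, value in local.organizational_units_map : key => value if value.parent_ou != "none" }
  name     = each.value.name
  # Only one level of nesting is supported: the parent must itself be a top-level OU.
  parent_id = aws_organizations_organizational_unit.this[each.value.parent_ou].id

  lifecycle {
    precondition {
      condition     = contains([for k, v in local.organizational_units_map : k if v.parent_ou == "none"], each.value.parent_ou)
      error_message = "parent_ou must name a top-level OU (one without its own parent_ou); nesting deeper than one level is not supported."
    }
  }
}
```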

