Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Add an aws_organizations_account_ids data source #4384

Closed
wants to merge 1 commit into from
Closed

[WIP] Add an aws_organizations_account_ids data source #4384

wants to merge 1 commit into from

Conversation

breser
Copy link

@breser breser commented Apr 28, 2018

Part of #571

Corresponds to ListAccounts and the ListAccountsForParent APIs. Motivation here is to be able to write IAM policies that automatically allow things for all accounts in an Organization or Organizational Unit (e.g. allowing all accounts belonging to an Organization to write CloudTrail logs to the same S3 bucket) without needing to hardcode the Account Ids.

I have not written the tests for this yet because to do so I really need #4207 and #4229. But I wanted to checkpoint my work and get feedback on what I already have.

I've tested it as follows:

data "aws_organizations_account_ids" "me" {}

output "account_ids" {
  value = ["${data.aws_organizations_account_ids.me.ids}"]
}

Which resulted in the following output (actual account id obfuscated):

$ terraform apply
data.aws_organizations_account_ids.me: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

account_ids = [
    123456789012
]

With the root id:

data "aws_organizations_account_ids" "me" { parent_id = "r-oi5p" }

output "account_ids" {
  value = ["${data.aws_organizations_account_ids.me.ids}"]
}

Which resulted in the following output (actual account id obfuscated):

$ terraform apply
data.aws_organizations_account_ids.me: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

account_ids = [
    123456789012
]

I then moved the account into an OU and tried it again with the root which resulted in the following output (actual account id obfuscated):

$ terraform apply
data.aws_organizations_account_ids.me: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

account_ids = []

And then finally with the OU id:

data "aws_organizations_account_ids" "me" { parent_id = "ou-oi5p-mgp77s7y" }

output "account_ids" {
  value = ["${data.aws_organizations_account_ids.me.ids}"]
}

Which resulted in the following output (actual account id obfuscated):

$ terraform apply
data.aws_organizations_account_ids.me: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

account_ids = [
    123456789012
]

I intend to test with an account with many accounts in the Organization next week at work.

@ghost ghost added the size/M Managed by automation to categorize the size of a PR. label Apr 28, 2018
@bflad bflad added new-data-source Introduces a new data source. service/organizations Issues and PRs that pertain to the organizations service. labels Apr 30, 2018
@breser
Copy link
Author

breser commented Apr 30, 2018

I'll get the conflicts and the test failure fixed tonight.

@breser
Copy link
Author

breser commented Apr 30, 2018

Tested this on an account with many accounts in an organization and it's working fine.

@ghost ghost added the size/M Managed by automation to categorize the size of a PR. label May 1, 2018
@breser breser force-pushed the organizations-account-ids branch from 6d17c92 to 87f1869 Compare May 1, 2018 03:02
@ghost ghost added the size/M Managed by automation to categorize the size of a PR. label May 1, 2018
@bflad bflad mentioned this pull request May 30, 2018
Closed
@JoshiiSinfield
Copy link

Hi,

Has there been any more movement on this?

Cheers,
Josh

@voroniys
Copy link

It is almost a year ago, there are several pull requests open, when we finally can expect the accounts data sources to be released?

@e-moshaya e-moshaya mentioned this pull request Mar 19, 2019
Closed
@e-moshaya
Copy link

any update on this?

@tdmalone tdmalone mentioned this pull request Mar 30, 2019
Closed
This was referenced May 9, 2019
Closed
Closed
@mcameron
Copy link

Now that #571 has been merged, can we get this included?

@aeschright aeschright requested a review from a team June 25, 2019 19:23
@bflad
Copy link
Contributor

bflad commented Jul 19, 2019

Hi @breser 👋 Thank you very much for your time and contribution here. My apologies for the long silence on this pull request. The support for AWS Organizations has been quite the long process and there were differing implementations offered by various members of the community. In the future, we am hoping that we can host these type of implementation discussions in design issues where the implementation choice is agreed on before we wind up in the same situation of conflicting contributions.

After evaluating all the contributions, we decided to opt for a single aws_organization_organization data source that was able to represent the same functionality as the aws_organization_organization resource. This will allow operators to have a similar experience between these two options and will have the following modes of operation:

  • If used in an account that is not part of an Organization, it will return an error
  • If used within an Organization but outside the master account, it will return the Organization ID, ARN, and master account ID information
  • If used within the Organization master account, it will return all the arguments and attributes available in the aws_organizations_organization resource including all member account information such as account ARNs and account IDs

This new aws_organizations_organization data source has been merged and will release with version 2.21.0 of the Terraform AWS Provider, in about a week. Since the functionality available in this new data source supersedes the need of an additional data source, I'm going to close out this pull request.

We really appreciate the time and effort that went into this contribution and we hope to be able to work with you again in the future.

@bflad bflad closed this Jul 19, 2019
@ghost
Copy link

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
new-data-source Introduces a new data source. service/organizations Issues and PRs that pertain to the organizations service. size/M Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@breser @JoshiiSinfield @voroniys @e-moshaya @mcameron @bflad