Switch SCPs to using OU Names

primeharbor · Nov 7, 2023 · d13c841 · d13c841
1 parent 3e5440b
commit d13c841
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/modules/scp/main.tf b/modules/scp/main.tf
@@ -34,6 +34,9 @@ variable "policy_json" {
   type        = string
 }
 
+variable "ou_name_to_id" {}
+variable "root_ou" {}
+
 resource "aws_organizations_policy" "scp" {
   name        = var.policy_name
   type        = "SERVICE_CONTROL_POLICY"
@@ -44,5 +47,6 @@ resource "aws_organizations_policy" "scp" {
 resource "aws_organizations_policy_attachment" "scp_attachment" {
   count     = length(var.policy_targets)
   policy_id = aws_organizations_policy.scp.id
-  target_id = var.policy_targets[count.index]
+  target_id = var.policy_targets[count.index] == "Root" ? var.root_ou : var.ou_name_to_id[var.policy_targets[count.index]]
 }
+
diff --git a/scps.tf b/scps.tf
@@ -18,7 +18,9 @@ module "scp" {
   policy_name        = each.value["policy_name"]
   policy_description = each.value["policy_description"]
   policy_json        = templatefile(fileexists(each.value["policy_json_file"]) ? each.value["policy_json_file"] : "${path.module}/${each.value["policy_json_file"]}", lookup(each.value, "policy_vars", {}))
-  policy_targets     = lookup(each.value, "policy_targets", [aws_organizations_organization.org.roots[0].id])
+  policy_targets     = lookup(each.value, "policy_targets", ["Root"])
+  ou_name_to_id      = local.ou_name_to_id # Pass the map to avoid regenerating it
+  root_ou            = aws_organizations_organization.org.roots[0].id
 }