Terraform-provider-aws: AWS Organizations Move Account support
Community Note
- Please vote on this issue by adding a ๐ reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
In a AWS micro accounts model, ease and automation of accounts creation with the configuration of these accounts in an AWS Organization is required. For managing an AWS organization and its accounts via terraform, I see the need of being able to create AWS Organizations Organization unit (OU) and associate accounts with it.
New Resource(s)
- aws_organizations_organization_unit - Creates an organizational unit (OU) within a root or parent OU.
- aws_organizations_organization_move_account - Moves an account from its current source parent root or organizational unit (OU) to the specified destination parent root or OU
Potential Terraform Configuration
resource "aws_organizations_organization_unit" "unit" {
name = "name"
parent_id = "ou-1234567" or "r-1234567"
}
resource "aws_organizations_move_account" "move_account" {
account_id = "111111111111"
source_parent_id = "r-1234567"
destination_parent_id = "ou-1234567"
}
References
- https://docs.aws.amazon.com/cli/latest/reference/organizations/index.html#cli-aws-organizations
- https://docs.aws.amazon.com/cli/latest/reference/organizations/create-organizational-unit.html
- https://docs.aws.amazon.com/cli/latest/reference/organizations/move-account.html
- https://www.terraform.io/docs/providers/aws/r/organizations_organization.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
acarrasquillo
All 7 comments
Think #4207 already has this covered - looks like it should be merged soon
murraypete
on 24 Apr 2019
Thanks for the update @murraypete ๐
acarrasquillo
on 2 May 2019
Thanks to @afeld and @bryanlalexander, we just merged a new aws_organizations_organizational_unit resource for managing Organizational Units, which will be released with version 2.10.0 of the Terraform AWS Provider, likely tomorrow. ๐
The second ask of this feature request is a little bit more nuanced, I believe. This seems like it should be modeled as a new optional argument on the existing aws_organizations_account resource instead of a new resource as we do not typically require operators to manage resources to perform a one time infrastructure update. By example, I believe it could be handled with a new parent_id argument like the following.
Given an existing configuration, we could continue to allow this new parent_id argument to be omitted:
resource "aws_organizations_organization" "example" {}
resource "aws_organizations_account" "example" {
email = "[email protected]"
name = "example"
}
In this example configuration, the value of the parent_id attribute is implicitly the Organization root ID (in the real world an account could already be under an Organizational Unit too!), but importantly, the difference is not shown to operators so when this is introduced it is not a breaking change.
The above configuration would be equivalent to the following where it is explicitly defined and checked for drift detection. (Note: this is utilizing our recent addition of the roots attribute, which will also be released in version 2.10.0 of the Terraform AWS Provider)
resource "aws_organizations_organization" "example" {}
resource "aws_organizations_account" "example" {
email = "[email protected]"
name = "example"
parent_id = "${aws_organizations_organization.example.roots.0.id}"
}
Now if we want to create a new Organizational Unit and move the account under it, we could write the following to perform the update:
resource "aws_organizations_organization" "example" {}
resource "aws_organizations_organizational_unit" "example" {
name = "example"
parent_id = "${aws_organizations_organization.test.roots.0.id}"
}
resource "aws_organizations_account" "example" {
email = "[email protected]"
name = "example"
parent_id = "${aws_organizations_organizational_unit.example.id}"
}
Under the hood, this would be performing the MoveAccount call both during the aws_organizations_account resource Create function (if parent_id is configured and different than the Organization root) and Update function (if parent_id is updated). Hopefully this makes sense. ๐
I'm going to retitle this feature request issue to reflect the second ask since the first part (managing OUs) has been implemented.
bflad
on 8 May 2019
Pull request submitted for parent_id functionality, based off some work done in #4405: #8583
bflad
on 9 May 2019
Support for moving AWS Organizations Accounts via a new parent_id argument, has been merged and will release with version 2.11.0 of the Terraform AWS Provider, very shortly. ๐
bflad
on 17 May 2019
This has been released in version 2.11.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
bflad
on 17 May 2019
I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 30 Mar 2020
Related issues
dvishniakov
ยท
3Comments
hazmeister
ยท
3Comments
blaltarriba
ยท
3Comments
andywirv
ยท
3Comments
hashibot
ยท
3Comments
Most helpful comment
This has been released in version 2.11.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.