Terraform-provider-aws: An aws_organizations data source using list-accounts-for-parent

Created on 12 Dec 2019 · 3 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

For MSPs with delegated AWS Organisations OU for their clients it would be very helpful for those clients if we can use a data source that has read access to the specific delegated OU for that client. For example, a CLI call might look like aws organizations list-accounts-for-parent --parent-id ou-abcd-e3e3e3e and return all the accounts for that client that are added to the managed OU by the MSP. The MSP can limit the scope of those delegated access roles to only the OU for that specific client. This is not possible with other organizations API calls.
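One way to express the OU-scoped delegation the description relies on, as an added example that is not from the issue or the provider's code: a Terraform policy document for the MSP's delegated read role that permits only list-accounts-for-parent, and only on the client's OU. The account id, organization id and OU id in the ARN are placeholders, and the resource-level scoping assumes that organizations:ListAccountsForParent accepts an OU ARN as its resource.

```hcl
# Added example, not part of the issue. All identifiers below are placeholders.
variable "client_ou_arn" {
  description = "ARN of the OU delegated to one client (placeholder value)"
  type        = string
  # Format: arn:aws:organizations::<management-account-id>:ou/<org-id>/<ou-id>
  default     = "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-abcd-e3e3e3e"
}

# Least-privilege policy for the delegated role: the only Organizations call
# it allows is ListAccountsForParent, restricted to the client's OU. Broader
# calls such as ListAccounts or DescribeOrganization are deliberately absent
# because they cannot be scoped to a single OU.
data "aws_iam_policy_document" "client_ou_read" {
  statement {
    sid       = "ListAccountsInClientOU"
    effect    = "Allow"
    actions   = ["organizations:ListAccountsForParent"]
    resources = [var.client_ou_arn]
  }
}

resource "aws_iam_policy" "client_ou_read" {
  name   = "client-ou-read" # placeholder name
  policy = data.aws_iam_policy_document.client_ou_read.json
}
```

Attach the policy to the role the client assumes; a client running list-accounts-for-parent against any other OU ID is then denied.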

New or Affected Resource(s)

  • aws_organizations

Potential Terraform Configuration

data "aws_organizations_ou" "example" {
  parent_id = "ou-abcd-e3e3e3e"
}

output "account_ids" {
  value = data.aws_organizations_ou.example.accounts[*].id
}

References

  • 0000

  • new-data-source, service/organizations

All 3 comments

Hi @johnkeates 👋 Thank you for submitting this. I believe this is covered by the previous https://github.com/terraform-providers/terraform-provider-aws/issues/9884 and associated pull request https://github.com/terraform-providers/terraform-provider-aws/pull/10395. To consolidate efforts and discussions, I'm going to close this issue in preference of the earlier ones. 👍

Ah, sorry, this is centered around _accounts_ and not underlying OUs -- reopening!

Yeah, it's a slightly different scope, and mostly just because of a current AWS limitation. As far as I know there is no other way for a managed AWS Organisation to delegate OU sub-account read access besides the list-accounts-for-parent call. All calls above that one can't really be scoped successfully so the existing aws_organizations resource and datasource are fine as-is. I do hope AWS improves that in the future (and in turn we can then improve the provider).
