Open lorengordon opened 2 years ago
Adding one limitation that we're running into:

The FullAWSAccess policy is automatically attached, it can't be managed by Terraform without importing it for each new account (which is not really feasible with a large number of accounts), so it will also not be re-created if it's accidentally deleted manually.

If the aws_organizations_organizational_unit and aws_organizations_account resources offered nested policy attachments, it could solve this problem. Terraform would remove any policies not explicitly listed in the nested list of policies, including the FullAWSAccess policy.
@bulebuk Give the issue a 👍 if you want to help prioritize it!
Not a solution for the exclusive management component of this request, but we just published a lambda terraform module that will replace one SCP with another. It has logic to handle the condition when there is a single SCP attached, as is the case with the FullAWSAccess policy when an account or OU is first created. Using this module in the Organizations account, we're able to utilize the max number of SCP attachments (5), and also effectively able to utilize the AllowList strategy by replacing the FullAWSAccess policy with our own custom allow list.
Community Note
Description
I am noticing some limitations between how the AWS SCP API is implemented and the implementation of aws_organizations_policy_attachment.

...aws_organizations_policy_attachment doesn't have any way of removing the auto-attached policy, so the limit is suddenly 4.

I would like to be able to:
I think both of those would be possible with a couple mechanisms:
I am not entirely sure what the "best" or most "canonical" way of getting there might be, but I was considering the "exclusive" management feature that some resources have for some attachments/rules, such as IAM Roles and Security Groups. I could see such a feature being implemented in the aws_organizations_account and aws_organizations_organizational_unit resources, as a new policy_ids argument, or perhaps as a new "plural" resource aws_organizations_policy_attachments?

Happy to adjust this feature request if there is a more preferable approach!
New or Affected Resource(s)
Potential Terraform Configuration
References