hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Exclusive management of aws_organizations_policy_attachments #26352

Open lorengordon opened 2 years ago

lorengordon commented 2 years ago


Description

I am noticing some limitations between how the AWS SCP API is implemented and the implementation of aws_organizations_policy_attachment...

I would like to be able to:

I think both of those would be possible with a couple mechanisms:

I am not entirely sure what the "best" or most "canonical" way of getting there might be, but I was considering the "exclusive" management feature that some resources have for some attachments/rules, such as IAM Roles and Security Groups. I could see such a feature being implemented in the aws_organizations_account and aws_organizations_organizational_unit resources, as a new policy_ids argument, or perhaps as a new "plural" resource aws_organizations_policy_attachments?

Happy to adjust this feature request if there is a more preferable approach!

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_organizations_account" "account" {
  name  = "my_new_account"
  email = "john@doe.org"

  policy_ids = [
    aws_organizations_policy.example.id
  ]
}

resource "aws_organizations_organizational_unit" "example" {
  name      = "example"
  parent_id = aws_organizations_organization.example.roots[0].id

  policy_ids = [
    aws_organizations_policy.example.id
  ]
}

resource "aws_organizations_policy_attachments" "account" {
  target_id = "123456789012"

  policy_ids = [
    aws_organizations_policy.example.id
  ]
}

References

lauraseidler commented 1 year ago

Adding one limitation that we're running into:

bulebuk commented 1 year ago

If the aws_organizations_organizational_unit and aws_organizations_account resources offered nested policy attachments, it could solve this problem. Terraform would remove any policies not explicitly listed in the nested list of policies, including the FullAWSAccess policy.

lorengordon commented 1 year ago

@bulebuk Give the issue a 👍 if you want to help prioritize it!

lorengordon commented 1 year ago

Not a solution for the exclusive management component of this request, but we just published a lambda terraform module that will replace one SCP with another. It has logic to handle the condition when there is a single SCP attached, as is the case with the FullAWSAccess policy when an account or OU is first created. Using this module in the Organizations account, we're able to utilize the max number of SCP attachments (5), and also effectively able to utilize the AllowList strategy by replacing the FullAWSAccess policy with our own custom allow list.
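The two comments above (the original request for exclusive management of a target's SCP attachments, and the follow-up about replacing FullAWSAccess with a custom allow list) both come down to the same reconciliation problem. The following is an added example, not code from terraform-provider-aws and not the lambda module mentioned in the comment: a planner that turns "this target must have exactly these policy ids" into an ordered list of attach/detach calls, under the two AWS Organizations constraints that make the naive detach-then-attach approach fail: a target cannot have its last SCP detached, and a target may carry at most 5 SCPs. Attaching before detaching also never widens access, because the effective policy is the intersection of all attached SCPs, so a custom allow list can be swapped in for FullAWSAccess without a window of broader permissions. The `FakeOrganizations` client, its error messages and every policy id except `p-FullAWSAccess` (the id of the AWS-managed default SCP) are constructed for the example; the real boto3 client uses `attach_policy(PolicyId=..., TargetId=...)` and returns paginated dicts from `list_policies_for_target`.

```python
"""Exclusive management of an Organizations target's SCP attachments (added example)."""

MAX_SCPS_PER_TARGET = 5            # AWS Organizations quota: SCPs attached per target
FULL_AWS_ACCESS = "p-FullAWSAccess"  # AWS-managed default SCP attached to new accounts/OUs


class PlanError(ValueError):
    """Raised when the desired set can never be reached under the API constraints."""


def plan_exclusive_attachments(target_id, desired, current):
    """Return ordered ("attach"|"detach", policy_id) operations.

    Every intermediate state keeps between 1 and MAX_SCPS_PER_TARGET policies
    attached, so the plan can be executed call-by-call against the API.
    Attaches are preferred over detaches whenever there is room, so access
    is only ever narrowed during the transition.
    """
    desired, current = set(desired), set(current)
    if not desired:
        raise PlanError(f"{target_id}: desired set is empty; a target must keep at least one SCP")
    if len(desired) > MAX_SCPS_PER_TARGET:
        raise PlanError(f"{target_id}: {len(desired)} SCPs requested, limit is {MAX_SCPS_PER_TARGET}")

    to_attach = sorted(desired - current)   # sorted only for deterministic plans
    to_detach = sorted(current - desired)
    attached = set(current)
    ops = []
    while to_attach or to_detach:
        if to_attach and len(attached) < MAX_SCPS_PER_TARGET:
            pid = to_attach.pop(0)
            attached.add(pid)
            ops.append(("attach", pid))
        elif to_detach and len(attached) > 1:
            # Only reached when the target is full; detach one unwanted SCP
            # to make room, never the last one.
            pid = to_detach.pop(0)
            attached.remove(pid)
            ops.append(("detach", pid))
        else:  # unreachable given the two checks above; kept as a safety net
            raise PlanError(f"{target_id}: no legal next step with {sorted(attached)}")
    return ops


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client.

    It enforces the same two constraints the real service enforces and records
    the calls it receives, so the planner's ordering can be verified offline.
    """

    def __init__(self, attachments):
        self.attachments = {t: set(p) for t, p in attachments.items()}
        self.calls = []

    def list_policies_for_target(self, TargetId):
        return sorted(self.attachments.get(TargetId, set()))

    def attach_policy(self, PolicyId, TargetId):
        scps = self.attachments.setdefault(TargetId, set())
        if len(scps) >= MAX_SCPS_PER_TARGET:
            raise RuntimeError("ConstraintViolationException: too many SCPs on target")
        scps.add(PolicyId)
        self.calls.append(("attach", PolicyId))

    def detach_policy(self, PolicyId, TargetId):
        scps = self.attachments[TargetId]
        if len(scps) <= 1:
            raise RuntimeError("ConstraintViolationException: cannot detach the last SCP")
        scps.remove(PolicyId)
        self.calls.append(("detach", PolicyId))


def apply_exclusive(client, target_id, desired):
    """Plan against the target's current attachments and execute the plan in order."""
    current = client.list_policies_for_target(TargetId=target_id)
    ops = plan_exclusive_attachments(target_id, desired, current)
    for op, pid in ops:
        if op == "attach":
            client.attach_policy(PolicyId=pid, TargetId=target_id)
        else:
            client.detach_policy(PolicyId=pid, TargetId=target_id)
    return ops


if __name__ == "__main__":
    # Constructed scenario: a freshly created account carrying only FullAWSAccess
    # is moved to an allow-list SCP plus one deny SCP.
    org = FakeOrganizations({"123456789012": {FULL_AWS_ACCESS}})
    for op, pid in apply_exclusive(org, "123456789012", {"p-allowlist", "p-denyregions"}):
        print(op, pid)
```

Running the block prints the allow-list and deny SCPs being attached first and FullAWSAccess detached last; the same planner handles a target already at the 5-SCP limit by alternating one detach with one attach so neither quota is crossed.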