Open borgoat opened 5 years ago
Regions keep popping up. May be AWS could have a switch at the time of account creation to not to create default stufff.
I agree that these default resources are a nuisance, but I don't think this is something that the Terraform provider can/should solve.
There is no well-defined set of actions that must be taken to clean up those default resources - it's completely in AWS's own discretion. Unless AWS provides an additional flag during account creation, implementing such complex behaviour in Terraform seems wrong to me.
Also, about the OrganizationAccountAccessRole
, there's this document on how it's used: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
If such a role isn't created during organization account creation, how will you be able to modify resources in that account from the super account? You won't even be able to create the role itself. Maybe I'm missing something here, and there is another trust policy that solves this issue, but if there is, what's the point of restricting the OrganizationAccountAccessRole
?
These are all limitations of the AWS Organizations framework, and IMHO must be solved there. If Terraform tries to patch over them, there is a high risk those patches will stop working or cause problems at some point.
If you're happy for the role to stick around, you could just use a datasource to read it, and then a role_policy or role_policy_attachment to deny "" on resource "" - thereby making it totally useless.
You could also add depends_on to spin up the roles you want first before doing so.
Just came accross this. As @gtmtech pointed out, there is an approach to deal with OrganizationAccountAccessRole role.
With regards to the default vpc - if you add this to your service control policy, default vpc wont be provisioned:
statement {
sid = "DenyCreatingDefaultVPC"
effect = "Deny"
actions = [
"ec2:CreateDefaultVpc",
"ec2:CreateDefaultSubnet"
]
resources = ["*"]
}
Just came accross this. As @gtmtech pointed out, there is an approach to deal with OrganizationAccountAccessRole role.
With regards to the default vpc - if you add this to your service control policy, default vpc wont be provisioned:
statement { sid = "DenyCreatingDefaultVPC" effect = "Deny" actions = [ "ec2:CreateDefaultVpc", "ec2:CreateDefaultSubnet" ] resources = ["*"] }
@sidekick-eimantas Could you elaborate further? I have tried this and organizations still provisions accounts with the default VPC enabled. I have created it as you stated and attached it to Root OU. This seems like a great solution, should it actually work.
Community Note
Description
We use
aws_organizations_account
to create accounts in our organization. For each generated account, a file calledaccount-name.tf.json
is created. In this file, the provider uses anassume_role
config block to escalate into the newly created account, and a module is applied (what we call an account skeleton) to create a basic set of resources that all accounts will need (a VPC, a SAML IdP and roles that may be assumed, and so on...).However, a step we are missing is to delete:
OrganizationAccountAccessRole
(we'd like to replace this with something more sensible than Allow:*. Not really sure how to handle this though, as first we'd have to create a sensible role"This is how we create the account:
and this is the template used to create the account specific config:
New or Affected Resource(s)
Potential Terraform Configuration
An option could be to add some optional flags to
aws_organizations_account
or even a provisioner (could be kept separately, however, looking at some discussions in Terraform repo, custom provisioners are not recommended)
Another idea could be (but would have to be carefully validated), to "inject" the state of the automatically created resources into a given state backend, so that they could then very simply be managed by Terraform.
References
This lambda from the account factory of AWS Control Tower gives an idea on how this is handled there.