Update organization related modules (#6)

tedilabs · Apr 17, 2024 · 932bfe5 · 932bfe5
1 parent f5dc012
commit 932bfe5
Show file tree

Hide file tree

Showing 23 changed files with 193 additions and 118 deletions.
diff --git a/modules/account/README.md b/modules/account/README.md
@@ -16,14 +16,14 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.65 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.13 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.45.0 |
 
 ## Modules
 
@@ -35,6 +35,8 @@ This module creates following resources.
 
 | Name | Type |
 |------|------|
+| [aws_auditmanager_organization_admin_account_registration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/auditmanager_organization_admin_account_registration) | resource |
+| [aws_detective_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/detective_organization_admin_account) | resource |
 | [aws_fms_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_admin_account) | resource |
 | [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource |
 | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource |
@@ -49,18 +51,19 @@ This module creates following resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_email"></a> [email](#input\_email) | The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `string` | n/a | yes |
-| <a name="input_name"></a> [name](#input\_name) | A friendly name for the member account. | `string` | n/a | yes |
-| <a name="input_delegated_services"></a> [delegated\_services](#input\_delegated\_services) | A list of service principals of the AWS service for which you want to make the member account a delegated administrator. | `set(string)` | `[]` | no |
-| <a name="input_iam_user_access_to_billing_allowed"></a> [iam\_user\_access\_to\_billing\_allowed](#input\_iam\_user\_access\_to\_billing\_allowed) | If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information. | `bool` | `false` | no |
-| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_parent_id"></a> [parent\_id](#input\_parent\_id) | Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection. | `string` | `null` | no |
-| <a name="input_policies"></a> [policies](#input\_policies) | List of IDs of the policies to be attached to the Account. | `list(string)` | `[]` | no |
-| <a name="input_preconfigured_administrator_role_name"></a> [preconfigured\_administrator\_role\_name](#input\_preconfigured\_administrator\_role\_name) | The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. | `string` | `null` | no |
-| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_email"></a> [email](#input\_email) | (Required) The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) A friendly name for the member account. | `string` | n/a | yes |
+| <a name="input_close_on_delete"></a> [close\_on\_delete](#input\_close\_on\_delete) | (Optional) Whether to close the account on deletion. It will only remove from the organization if true. This is not supported for GovCloud accounts. Defaults to `false`. | `bool` | `false` | no |
+| <a name="input_delegated_services"></a> [delegated\_services](#input\_delegated\_services) | (Optional) A list of service principals of the AWS service for which you want to make the member account a delegated administrator. | `set(string)` | `[]` | no |
+| <a name="input_iam_user_access_to_billing_allowed"></a> [iam\_user\_access\_to\_billing\_allowed](#input\_iam\_user\_access\_to\_billing\_allowed) | (Optional) If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information. Defaults to `false`. | `bool` | `false` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_parent_id"></a> [parent\_id](#input\_parent\_id) | (Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. | `string` | `null` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | (Optional) List of IDs of the policies to be attached to the Account. | `list(string)` | `[]` | no |
+| <a name="input_preconfigured_administrator_role_name"></a> [preconfigured\_administrator\_role\_name](#input\_preconfigured\_administrator\_role\_name) | (Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. Defaults to `OrganizationAccountAccessRole`. | `string` | `"OrganizationAccountAccessRole"` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 
 ## Outputs
 
@@ -71,9 +74,11 @@ This module creates following resources.
 | <a name="output_created_by"></a> [created\_by](#output\_created\_by) | The method how this account joined to the organization. |
 | <a name="output_delegated_services"></a> [delegated\_services](#output\_delegated\_services) | A list of service principals of the AWS service which the member account is a delegated administrator. |
 | <a name="output_email"></a> [email](#output\_email) | The email address of this account. |
+| <a name="output_govcloud_account_id"></a> [govcloud\_account\_id](#output\_govcloud\_account\_id) | The ID for a GovCloud account created with the account. |
 | <a name="output_iam_user_access_to_billing_allowed"></a> [iam\_user\_access\_to\_billing\_allowed](#output\_iam\_user\_access\_to\_billing\_allowed) | Whether accessing account billing information by IAM User is allowed. |
-| <a name="output_id"></a> [id](#output\_id) | The ID of this account. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of this AWS account. |
 | <a name="output_name"></a> [name](#output\_name) | The name of this account. |
 | <a name="output_parent_id"></a> [parent\_id](#output\_parent\_id) | The ID of the parent Organizational Unit. |
 | <a name="output_preconfigured_administrator_role_name"></a> [preconfigured\_administrator\_role\_name](#output\_preconfigured\_administrator\_role\_name) | The name of an IAM role that allow users in the master account to assume as administrator. |
+| <a name="output_status"></a> [status](#output\_status) | The status of the account in the organization. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/account/delegated-administrators.tf b/modules/account/delegated-administrators.tf
@@ -1,5 +1,7 @@
 locals {
   independent_services = [
+    "auditmanager.amazonaws.com",
+    "detective.amazonaws.com",
     "fms.amazonaws.com",
     "guardduty.amazonaws.com",
     "ipam.amazonaws.com",
@@ -13,6 +15,9 @@ locals {
 # Delegated Administrators for Organization Account
 ###################################################
 
+# INFO: confirmed service principals
+# - `account.amazonaws.com`
+# - `sso.amazonaws.com`
 resource "aws_organizations_delegated_administrator" "this" {
   for_each = toset([
     for service in var.delegated_services :
@@ -24,6 +29,18 @@ resource "aws_organizations_delegated_administrator" "this" {
   service_principal = each.key
 }
 
+resource "aws_auditmanager_organization_admin_account_registration" "this" {
+  count = contains(var.delegated_services, "auditmanager.amazonaws.com") ? 1 : 0
+
+  admin_account_id = aws_organizations_account.this.id
+}
+
+resource "aws_detective_organization_admin_account" "this" {
+  count = contains(var.delegated_services, "detective.amazonaws.com") ? 1 : 0
+
+  account_id = aws_organizations_account.this.id
+}
+
 resource "aws_fms_admin_account" "this" {
   count = contains(var.delegated_services, "fms.amazonaws.com") ? 1 : 0
 

diff --git a/modules/account/main.tf b/modules/account/main.tf
@@ -20,14 +20,23 @@ locals {
   organization_root_id = data.aws_organizations_organization.this.roots[0].id
 }
 
+
+###################################################
+# Organization Acoount
+###################################################
+
+# INFO: Not supported attributes
+# - 'create_govcloud'
 resource "aws_organizations_account" "this" {
-  name      = var.name
-  email     = var.email
-  parent_id = coalesce(var.parent_id, local.organization_root_id)
+  name              = var.name
+  email             = var.email
+  parent_id         = coalesce(var.parent_id, local.organization_root_id)
+  close_on_deletion = var.close_on_delete
 
   iam_user_access_to_billing = var.iam_user_access_to_billing_allowed ? "ALLOW" : "DENY"
   role_name                  = var.preconfigured_administrator_role_name
 
+
   tags = merge(
     {
       "Name" = local.metadata.name
@@ -39,7 +48,8 @@ resource "aws_organizations_account" "this" {
   # There is no AWS Organizations API for reading role_name
   lifecycle {
     ignore_changes = [
-      iam_user_access_to_billing,
+      # INFO: Need to change terraform states manually for imported account
+      # iam_user_access_to_billing,
       role_name,
     ]
   }
@@ -55,4 +65,6 @@ resource "aws_organizations_policy_attachment" "this" {
 
   target_id = aws_organizations_account.this.id
   policy_id = each.key
+
+  skip_destroy = false
 }
diff --git a/modules/account/outputs.tf b/modules/account/outputs.tf
@@ -9,7 +9,7 @@ output "email" {
 }
 
 output "id" {
-  description = "The ID of this account."
+  description = "The ID of this AWS account."
   value       = aws_organizations_account.this.id
 }
 
@@ -18,6 +18,16 @@ output "arn" {
   value       = aws_organizations_account.this.arn
 }
 
+output "govcloud_account_id" {
+  description = "The ID for a GovCloud account created with the account."
+  value       = aws_organizations_account.this.govcloud_id
+}
+
+output "status" {
+  description = "The status of the account in the organization."
+  value       = aws_organizations_account.this.status
+}
+
 output "parent_id" {
   description = "The ID of the parent Organizational Unit."
   value       = aws_organizations_account.this.parent_id
@@ -30,7 +40,7 @@ output "iam_user_access_to_billing_allowed" {
 
 output "preconfigured_administrator_role_name" {
   description = "The name of an IAM role that allow users in the master account to assume as administrator."
-  value       = var.preconfigured_administrator_role_name
+  value       = aws_organizations_account.this.role_name
 }
 
 output "delegated_services" {
@@ -47,3 +57,11 @@ output "created_at" {
   description = "The datetime which this account joined to the organization."
   value       = aws_organizations_account.this.joined_timestamp
 }
+
+# output "debug" {
+#   value = {
+#     for k, v in aws_organizations_account.this :
+#     k => v
+#     if !contains(["id", "arn", "name", "parent_id", "tags", "tags_all", "close_on_deletion", "joined_timestamp", "joined_method", "role_name", "email", "status", "iam_user_access_to_billing", "govcloud_id"], k)
+#   }
+# }
diff --git a/modules/account/variables.tf b/modules/account/variables.tf
@@ -11,24 +11,31 @@ variable "email" {
 }
 
 variable "parent_id" {
-  description = "(Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection."
+  description = "(Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID."
   type        = string
   default     = null
   nullable    = true
 }
 
+variable "close_on_delete" {
+  description = "(Optional) Whether to close the account on deletion. It will only remove from the organization if true. This is not supported for GovCloud accounts. Defaults to `false`."
+  default     = false
+  type        = bool
+  nullable    = false
+}
+
 variable "iam_user_access_to_billing_allowed" {
-  description = "(Optional) If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information."
+  description = "(Optional) If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information. Defaults to `false`."
   type        = bool
   default     = false
   nullable    = false
 }
 
 variable "preconfigured_administrator_role_name" {
-  description = "(Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account."
+  description = "(Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. Defaults to `OrganizationAccountAccessRole`."
   type        = string
-  default     = null
-  nullable    = true
+  default     = "OrganizationAccountAccessRole"
+  nullable    = false
 }
 
 variable "delegated_services" {

diff --git a/modules/account/versions.tf b/modules/account/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.65"
+      version = ">= 5.13"
     }
   }
 }