
An aws_organizations data source using list-accounts-for-parent #11268

Closed
johnkeates opened this issue Dec 12, 2019 · 8 comments
Labels
new-data-source Introduces a new data source. service/organizations Issues and PRs that pertain to the organizations service.

Comments

@johnkeates

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

For MSPs with a delegated AWS Organisations OU for their clients, it would be very helpful for those clients if we could use a data source that has read access to the specific delegated OU for that client. For example, a CLI call might look like aws organizations list-accounts-for-parent --parent-id ou-abcd-e3e3e3e and return all the accounts for that client that are added to the managed OU by the MSP. The MSP can limit the scope of those delegated access roles to only the OU for that specific client. This is not possible with other Organizations API calls.

New or Affected Resource(s)

  • aws_organizations

Potential Terraform Configuration

# Proposed data source: reads the accounts directly under one OU,
# mirroring `aws organizations list-accounts-for-parent --parent-id ...`.
data "aws_organizations_ou" "example" {
  parent_id = "ou-abcd-e3e3e3e"
}

output "account_ids" {
  value = data.aws_organizations_ou.example.accounts[*].id
}

References

  • #0000
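The delegation described in this issue, as an added example (not code from the issue author or the provider): an MSP-side IAM role that the client account can assume, with an inline policy that grants only organizations:ListAccountsForParent and only on the client's OU ARN. It assumes, as the issue states, that ListAccountsForParent accepts an OU ARN as its resource while the broader list calls do not; the account IDs, the organization ID and the role names are placeholders.

```hcl
# Added example, not part of the original issue. All IDs are placeholders.
locals {
  mgmt_account_id   = "111111111111" # MSP's Organizations management account (placeholder)
  client_account_id = "222222222222" # the client's own account (placeholder)
  org_id            = "o-exampleorgid"   # placeholder organization id
  client_ou_id      = "ou-abcd-e3e3e3e"  # OU id used in the issue text

  # OU ARN format: arn:aws:organizations::<mgmt-account>:ou/<org-id>/<ou-id>
  client_ou_arn = "arn:aws:organizations::${local.mgmt_account_id}:ou/${local.org_id}/${local.client_ou_id}"
}

# Trust policy: only the client's account may assume the role.
data "aws_iam_policy_document" "client_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.client_account_id}:root"]
    }
  }
}

# Permission policy: the one OU-scopable read call, on this client's OU only.
# organizations:ListAccounts (whole-organization listing) is deliberately
# not granted, because it cannot be restricted to a single OU.
data "aws_iam_policy_document" "client_ou_read" {
  statement {
    sid       = "ListAccountsInDelegatedOU"
    actions   = ["organizations:ListAccountsForParent"]
    resources = [local.client_ou_arn]
  }
}

resource "aws_iam_role" "client_ou_reader" {
  name               = "client-${local.client_ou_id}-ou-reader" # assumed naming
  assume_role_policy = data.aws_iam_policy_document.client_trust.json
}

resource "aws_iam_role_policy" "client_ou_reader" {
  name   = "list-accounts-for-parent"
  role   = aws_iam_role.client_ou_reader.id
  policy = data.aws_iam_policy_document.client_ou_read.json
}

output "client_ou_reader_role_arn" {
  value = aws_iam_role.client_ou_reader.arn
}
```

After applying this from the management account, the client can verify the scope by assuming the role and running aws organizations list-accounts-for-parent --parent-id ou-abcd-e3e3e3e; the same role should get AccessDenied from aws organizations list-accounts and from list-accounts-for-parent against any other OU, which is the check that proves the delegation is really limited to one client.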
@johnkeates johnkeates added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 12, 2019
@ghost ghost added the service/organizations Issues and PRs that pertain to the organizations service. label Dec 12, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 12, 2019
@bflad bflad added new-data-source Introduces a new data source. and removed enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. labels Dec 12, 2019
@bflad
Contributor

bflad commented Dec 12, 2019

Hi @johnkeates 👋 Thank you for submitting this. I believe this is covered by the previous #9884 and associated pull request #10395. To consolidate efforts and discussions, I'm going to close this issue in preference of the earlier ones. 👍

@bflad bflad closed this as completed Dec 12, 2019
@bflad
Contributor

bflad commented Dec 12, 2019

Ah, sorry, this is centered around accounts and not underlying OUs -- reopening!

@bflad bflad reopened this Dec 12, 2019
@johnkeates
Author

johnkeates commented Dec 12, 2019

Yeah, it's a slightly different scope, and mostly just because of a current AWS limitation. As far as I know there is no other way for a managed AWS Organisation to delegate OU sub-account read access besides the list-accounts-for-parent call. All calls above that one can't really be scoped successfully so the existing aws_organizations resource and datasource are fine as-is. I do hope AWS improves that in the future (and in turn we can then improve the provider).

@willhughes-au

Now that initial SSOAdmin support has been released in #15108, it would be great if we could have this data source added.

This would allow operations such as assigning a permissionset to a group for every account within an OU.

@rpf3

rpf3 commented Jul 14, 2021

I think #18589 is attempting to do this but seems to be stalled

@joshuamkite
Contributor

I think that we can either close or re-define this issue now since it has been fixed in v4.55.0 for the queries made to the Organization Management Account with:

  • New Data Source: aws_organizations_organizational_unit_child_accounts (#24350)
  • New Data Source: aws_organizations_organizational_unit_descendant_accounts (#24350)

I have written up how to make use of these features in an article on my website to cover exactly the scenario described by @willhughes-au 2 years ago.
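The scenario @willhughes-au described, assigning one permission set to one group in every account under an OU, as an added example (not code from the commenter, the linked article, or the provider) built on the aws_organizations_organizational_unit_child_accounts data source that shipped in v4.55.0. It assumes it is applied from the Organizations management account, that an IAM Identity Center permission set with the given name already exists, and that the Identity Center group ID is supplied by the caller; the OU ID is the placeholder from the issue text.

```hcl
# Added example, not part of the original issue. Run from the management account.
variable "ou_id" {
  type    = string
  default = "ou-abcd-e3e3e3e" # placeholder OU id from the issue text
}

variable "identity_store_group_id" {
  type        = string
  description = "Identity Center group id (e.g. from data.aws_identitystore_group)"
}

variable "permission_set_name" {
  type    = string
  default = "ReadOnlyAccess" # assumed name of an existing permission set
}

data "aws_ssoadmin_instances" "this" {}

data "aws_ssoadmin_permission_set" "this" {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  name         = var.permission_set_name
}

# Direct children of the OU only. Swap in
# aws_organizations_organizational_unit_descendant_accounts to also cover
# accounts that live in nested OUs.
data "aws_organizations_organizational_unit_child_accounts" "client" {
  parent_id = var.ou_id
}

locals {
  # Keyed by account id so that adding or removing one account from the OU
  # creates or destroys exactly one assignment instead of reshuffling a list.
  # Suspended or closed accounts are skipped: an assignment there either
  # fails or grants access to an account that should stay unreachable.
  active_account_ids = toset([
    for a in data.aws_organizations_organizational_unit_child_accounts.client.accounts :
    a.id if a.status == "ACTIVE"
  ])
}

resource "aws_ssoadmin_account_assignment" "group_per_account" {
  for_each = local.active_account_ids

  instance_arn       = data.aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.this.arn
  principal_id       = var.identity_store_group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}

output "assigned_account_ids" {
  value = sort(tolist(local.active_account_ids))
}
```

Because the assignment set is derived from the OU at plan time, moving an account out of the OU removes its assignment on the next apply; review that diff before applying, since it is the mechanism by which this configuration both grants and revokes access.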


Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 22, 2024