
Data source for querying account OU membership in AWS Organizations #16153

Closed
mmerickel opened this issue Nov 11, 2020 · 6 comments · Fixed by #24350
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/organizations Issues and PRs that pertain to the organizations service.

Comments

@mmerickel

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There's a missing data source for querying information about account membership. Currently, aws_organizations_organization provides a list of all accounts, and aws_organizations_organizational_units provides a list of OUs by parent. However, neither the accounts list nor the OU list provides something that can map between the two.

The AWS API ListAccountsForParent would allow querying the accounts within an OU.

New or Affected Resource(s)

  • data "aws_organizations_accounts"

required parameter: parent_id

Potential Terraform Configuration

# The organization the current credentials belong to; exposes roots[].
data "aws_organizations_organization" "this" {}

# All OUs directly under the first root (roots[0].id looks like "r-xxxx").
data "aws_organizations_organizational_units" "root" {
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

# Proposed data source: accounts that are direct children of the OU named "prod".
# parent_id is a single string, so the for-expression picks the matching OU's id.
data "aws_organizations_accounts" "prod" {
  parent_id = [
    for x in data.aws_organizations_organizational_units.root.children :
    x.id if x.name == "prod"
  ][0]
}
@mmerickel mmerickel added the enhancement Requests to existing resources that expand the functionality or scope. label Nov 11, 2020
@ghost ghost added the service/organizations Issues and PRs that pertain to the organizations service. label Nov 11, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 11, 2020
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Nov 13, 2020
@ebi-yade
Contributor

ebi-yade commented Apr 6, 2021

Hello, I'm now facing a similar issue and have just found this!

@mmerickel, your idea and the proposal sound really nice! 💪
And I think the parent_id should be a single string value, not an array or a set.
You'll be able to do things like the example using the for_each argument and data manipulation in a locals block. 👌

As this issue seems to have had no update since last November, is anyone working on it? If not, I will try to implement it and submit a Pull Request!

@ryancausey

I think this might be missing a use case, or perhaps what I want is a different feature request:

Similar to using data "aws_organizations_organization" "current" {} to get the Organization the current AWS account Terraform is executing upon, I was hoping to be able to leverage a data "aws_organizations_organizational_units" "current" {} pattern to get the immediate OU for the current AWS account Terraform is executing upon.

I don't think the proposed solution allows this check for AWS accounts that are not the root account, as the roots attribute will be null in these cases. Thus for non-root AWS accounts it is not possible to get the ID of the Root OU, and the provided example wouldn't work.

Do y'all think this is a different issue entirely or is it still related to this?

@salecharohit

That's absolutely correct. If this were allowed, it would be a big lapse in security, as a child account would then be able to access details about its parents.

@cacack

cacack commented Aug 26, 2022

I too have found my way here with the same need.

I'll also comment that the security concern is real and is why the AWS API doesn't allow a child account to access such information about the Organization. However, a principal with the proper authorization to make the API call to the Organization or its delegated administration account wouldn't be. I think the OP's suggestion follows this security model, and it is what I'd love to see implemented.

@ahublersos
Contributor

In #24350 I've made a go at creating two new data sources that allow you to gather the direct child accounts within an OU as well as all generations of child accounts within an OU.

I've built a custom provider off of this branch and am using it internally to help manage assignments of SSO permission sets.
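For readers who want to see what the two data sources in #24350 and the OP's account-to-OU mapping have to do under the hood, here is an added example (not code from the issue, from #24350, or from terraform-provider-aws). It walks an organization with the two API calls the thread names, ListAccountsForParent and ListOrganizationalUnitsForParent, to get the direct child accounts of an OU, every descendant account, and a map from each account id to its immediate parent. The functions only use the real boto3 method names and keyword arguments (ParentId, NextToken), so `client` can be `boto3.client("organizations")` run from the management or a delegated-administrator account; the in-memory `FakeOrganizationsClient`, its sample org tree, and its one-item page size are constructed here so the code runs offline and the NextToken loop is actually exercised.

```python
"""Walk AWS Organizations: direct children, all descendants, account -> parent map.

Added example, not from the issue or the provider. The sample organization
below is constructed; `client` may be a real boto3 Organizations client."""
from __future__ import annotations
from typing import Dict, List

# Constructed sample organization: parent id -> child OUs / accounts.
SAMPLE_OUS = {
    "r-abc1": [{"Id": "ou-abc1-prod0001", "Name": "prod"},
               {"Id": "ou-abc1-dev00001", "Name": "dev"}],
    "ou-abc1-prod0001": [{"Id": "ou-abc1-prodeu01", "Name": "prod-eu"}],
    "ou-abc1-dev00001": [],
    "ou-abc1-prodeu01": [],
}
SAMPLE_ACCOUNTS = {
    "r-abc1": [{"Id": "555555555555", "Name": "audit"}],
    "ou-abc1-prod0001": [{"Id": "111111111111", "Name": "prod-a"},
                         {"Id": "222222222222", "Name": "prod-b"}],
    "ou-abc1-prodeu01": [{"Id": "333333333333", "Name": "prod-eu-a"}],
    "ou-abc1-dev00001": [{"Id": "444444444444", "Name": "dev-a"}],
}


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client. It mimics the
    two calls used below and returns one item per page so the NextToken
    handling is exercised, as it would be on a large real organization."""

    def __init__(self, ous=SAMPLE_OUS, accounts=SAMPLE_ACCOUNTS):
        self._ous, self._accounts = ous, accounts

    @staticmethod
    def _page(items, key, NextToken):
        start = int(NextToken) if NextToken else 0
        resp = {key: items[start:start + 1]}
        if start + 1 < len(items):
            resp["NextToken"] = str(start + 1)
        return resp

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        return self._page(self._accounts.get(ParentId, []), "Accounts", NextToken)

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return self._page(self._ous.get(ParentId, []), "OrganizationalUnits", NextToken)


def _paginate(method, key, parent_id):
    """Yield every item under `key`, following NextToken until the API stops returning one."""
    token = None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = method(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def direct_child_accounts(client, parent_id: str) -> List[str]:
    """Account ids whose immediate parent is `parent_id` (a root or an OU)."""
    return [a["Id"] for a in _paginate(client.list_accounts_for_parent, "Accounts", parent_id)]


def all_descendant_accounts(client, parent_id: str) -> List[str]:
    """Account ids at any depth below `parent_id`: direct children plus a
    recursive walk of every child OU (the "all generations" data source)."""
    found = direct_child_accounts(client, parent_id)
    for ou in _paginate(client.list_organizational_units_for_parent,
                        "OrganizationalUnits", parent_id):
        found.extend(all_descendant_accounts(client, ou["Id"]))
    return found


def account_to_parent_map(client, root_id: str) -> Dict[str, str]:
    """The mapping the issue asks for: account id -> id of its immediate parent."""
    mapping: Dict[str, str] = {}
    stack = [root_id]
    while stack:
        parent = stack.pop()
        for acct in direct_child_accounts(client, parent):
            mapping[acct] = parent
        for ou in _paginate(client.list_organizational_units_for_parent,
                            "OrganizationalUnits", parent):
            stack.append(ou["Id"])
    return mapping


if __name__ == "__main__":
    c = FakeOrganizationsClient()
    print("direct:", direct_child_accounts(c, "ou-abc1-prod0001"))
    print("all:", all_descendant_accounts(c, "ou-abc1-prod0001"))
    print("map:", account_to_parent_map(c, "r-abc1"))
```

As the thread notes, these calls only succeed for a principal in the management account or a registered delegated administrator; run from an ordinary member account the real client raises an AccessDeniedException rather than revealing anything about the parent hierarchy, which is the behaviour a data source built on them inherits.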

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 19, 2023
7 participants