Data source for querying account OU membership in AWS Organizations #16153
Comments
Hello, I'm now facing a similar issue and have just found this! @mmerickel, your idea and the proposal sound really nice! 💪 As this issue seems to have had no update since last November, is anyone working on it? If not, I will try to implement it and submit a Pull Request!
I think this might be missing a use case, or perhaps what I want is a different feature request: Similar to using I don't think the proposed solution allows this check for AWS accounts that are not the root account, as the Do y'all think this is a different issue entirely or is it still related to this?
That's absolutely correct. If this were allowed it would be a big lapse in security, as a child account would then be able to access details about its parents.
I too have found my way here with the same need. I'll also comment that the security concern is real and is why the AWS API doesn't allow a child account to access such information about the Organization. However, a principal with the proper authorization to make the API call to the Organization or its delegated administration account wouldn't be. I think the OP's suggestion follows this security model, and is what I'd love to see implemented.
In #24350 I've made a go at creating two new data sources that allow you to gather direct child accounts within an OU as well as all generations of child accounts within an OU. I've built a custom provider off of this branch and am using it internally to help manage assignments of SSO permission sets.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
There's a missing data source for querying information about account membership. Currently aws_organizations_organization provides a list of all accounts, and aws_organizations_organizational_units provides a list of OUs by parent. However, neither the accounts list nor the OU list provides something that can map between the two. The AWS API ListAccountsForParent would allow querying the accounts within an OU.
New or Affected Resource(s)
data "aws_organizations_accounts"
required parameter: parent_id
Potential Terraform Configuration
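The mapping the issue describes as missing can be built today by walking the OU tree with the two parent-scoped list APIs. The following is an added example, not code from this issue or from terraform-provider-aws: walk_ou() needs only boto3's Organizations get_paginator() interface, so it runs against a real client from the management or delegated administrator account (a member account is denied, as the comments note) or against the constructed FakeOrganizations stub below, whose IDs are made up.

```python
# Added example, not code from this issue or the terraform-provider-aws project.
# Builds the account -> OU mapping by walking the tree with the real
# ListAccountsForParent and ListOrganizationalUnitsForParent pagination shape.
# walk_ou() only uses get_paginator(name).paginate(ParentId=...), so a real
# boto3.client("organizations") works when called from the management or
# delegated-admin account; the constructed FakeOrganizations below works offline.
from collections import deque
from types import SimpleNamespace


def walk_ou(org, root_id):
    """Return {account_id: "Root/OU/SubOU"} for every account under root_id."""
    mapping = {}
    queue = deque([(root_id, ["Root"])])
    while queue:
        parent_id, path = queue.popleft()
        # Accounts that are direct children of this parent (paginated API).
        for page in org.get_paginator("list_accounts_for_parent").paginate(ParentId=parent_id):
            for acct in page["Accounts"]:
                mapping[acct["Id"]] = "/".join(path)
        # Queue child OUs; path records the OU names from the root down.
        ous = org.get_paginator("list_organizational_units_for_parent")
        for page in ous.paginate(ParentId=parent_id):
            for ou in page["OrganizationalUnits"]:
                queue.append((ou["Id"], path + [ou["Name"]]))
    return mapping


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (sample org, made-up IDs)."""
    # ParentId -> list of pages of children, split into pages like the real API.
    ACCOUNTS = {
        "r-exmp": [[{"Id": "111111111111", "Name": "management"}]],
        "ou-exmp-prod0001": [[{"Id": "222222222222", "Name": "prod-web"}],
                             [{"Id": "333333333333", "Name": "prod-db"}]],
        "ou-exmp-sand0001": [[{"Id": "444444444444", "Name": "sandbox"}]],
    }
    OUS = {"r-exmp": [[{"Id": "ou-exmp-prod0001", "Name": "Production"},
                       {"Id": "ou-exmp-sand0001", "Name": "Sandbox"}]]}
    TABLES = {"list_accounts_for_parent": (ACCOUNTS, "Accounts"),
              "list_organizational_units_for_parent": (OUS, "OrganizationalUnits")}

    def get_paginator(self, name):
        table, key = self.TABLES[name]
        # Parents with no children of this kind yield one empty page, like the real API.
        return SimpleNamespace(paginate=lambda ParentId: ({key: page} for page in table.get(ParentId, [[]])))
```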