Support trusted access with RAM (#95)

tedilabs · Sep 19, 2023 · 6df8a7a · 6df8a7a
1 parent fe83db9
commit 6df8a7a
Show file tree

Hide file tree

Showing 7 changed files with 1,060 additions and 255 deletions.
diff --git a/modules/org-organization/README.md b/modules/org-organization/README.md
@@ -4,20 +4,21 @@ This module creates following resources.
 
 - `aws_organizations_organization`
 - `aws_organizations_policy_attachment` (optional)
+- `aws_ram_sharing_with_organization` (optional)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.65 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.13 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.40.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.17.0 |
 
 ## Modules
 
@@ -29,20 +30,21 @@ No modules.
 |------|------|
 | [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |
 | [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_ram_sharing_with_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_sharing_with_organization) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_name"></a> [name](#input\_name) | The name of the Organization. | `string` | n/a | yes |
-| <a name="input_ai_services_opt_out_policy_type_enabled"></a> [ai\_services\_opt\_out\_policy\_type\_enabled](#input\_ai\_services\_opt\_out\_policy\_type\_enabled) | Whether to enable AI services opt-out polices in the Organization. | `bool` | `false` | no |
-| <a name="input_all_features_enabled"></a> [all\_features\_enabled](#input\_all\_features\_enabled) | Whether to create AWS Organization with all features or only consolidated billing feature. | `bool` | `true` | no |
-| <a name="input_backup_policy_type_enabled"></a> [backup\_policy\_type\_enabled](#input\_backup\_policy\_type\_enabled) | Whether to enable Backup polices in the Organization. | `bool` | `false` | no |
-| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_policies"></a> [policies](#input\_policies) | List of IDs of the policies to be attached to the Organization. | `list(string)` | `[]` | no |
-| <a name="input_service_control_policy_type_enabled"></a> [service\_control\_policy\_type\_enabled](#input\_service\_control\_policy\_type\_enabled) | Whether to enable Service control polices(SCPs) in the Organization. | `bool` | `true` | no |
-| <a name="input_tag_policy_type_enabled"></a> [tag\_policy\_type\_enabled](#input\_tag\_policy\_type\_enabled) | Whether to enable Tag polices in the Organization. | `bool` | `false` | no |
-| <a name="input_trusted_access_enabled_service_principals"></a> [trusted\_access\_enabled\_service\_principals](#input\_trusted\_access\_enabled\_service\_principals) | List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true. | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the Organization. | `string` | n/a | yes |
+| <a name="input_ai_services_opt_out_policy_type_enabled"></a> [ai\_services\_opt\_out\_policy\_type\_enabled](#input\_ai\_services\_opt\_out\_policy\_type\_enabled) | (Optional) Whether to enable AI services opt-out polices in the Organization. | `bool` | `false` | no |
+| <a name="input_all_features_enabled"></a> [all\_features\_enabled](#input\_all\_features\_enabled) | (Optional) Whether to create AWS Organization with all features or only consolidated billing feature. | `bool` | `true` | no |
+| <a name="input_backup_policy_type_enabled"></a> [backup\_policy\_type\_enabled](#input\_backup\_policy\_type\_enabled) | (Optional) Whether to enable Backup polices in the Organization. | `bool` | `false` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | (Optional) List of IDs of the policies to be attached to the Organization. | `list(string)` | `[]` | no |
+| <a name="input_service_control_policy_type_enabled"></a> [service\_control\_policy\_type\_enabled](#input\_service\_control\_policy\_type\_enabled) | (Optional) Whether to enable Service control polices(SCPs) in the Organization. | `bool` | `true` | no |
+| <a name="input_tag_policy_type_enabled"></a> [tag\_policy\_type\_enabled](#input\_tag\_policy\_type\_enabled) | (Optional) Whether to enable Tag polices in the Organization. | `bool` | `false` | no |
+| <a name="input_trusted_access_enabled_service_principals"></a> [trusted\_access\_enabled\_service\_principals](#input\_trusted\_access\_enabled\_service\_principals) | (Optional) List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true. | `set(string)` | `[]` | no |
 
 ## Outputs
 

diff --git a/modules/org-organization/main.tf b/modules/org-organization/main.tf
@@ -14,6 +14,21 @@ locals {
   } : {}
 }
 
+locals {
+  individual_trusted_accesses = toset([
+    "ram.amazonaws.com",
+  ])
+  organization_managed_trusted_accesses = setsubtract(
+    var.trusted_access_enabled_service_principals,
+    local.individual_trusted_accesses
+  )
+}
+
+
+###################################################
+# Organization
+###################################################
+
 resource "aws_organizations_organization" "this" {
   feature_set = var.all_features_enabled ? "ALL" : "CONSOLIDATED_BILLING"
   enabled_policy_types = compact([
@@ -23,7 +38,7 @@ resource "aws_organizations_organization" "this" {
     var.tag_policy_type_enabled ? "TAG_POLICY" : "",
   ])
 
-  aws_service_access_principals = var.all_features_enabled ? var.trusted_access_enabled_service_principals : []
+  aws_service_access_principals = var.all_features_enabled ? local.organization_managed_trusted_accesses : []
 }
 
 
@@ -37,3 +52,12 @@ resource "aws_organizations_policy_attachment" "this" {
   target_id = aws_organizations_organization.this.roots[0].id
   policy_id = each.key
 }
+
+
+###################################################
+# Individual Trusted Accesses
+###################################################
+
+resource "aws_ram_sharing_with_organization" "this" {
+  count = contains(var.trusted_access_enabled_service_principals, "ram.amazonaws.com") ? 1 : 0
+}
diff --git a/modules/org-organization/outputs.tf b/modules/org-organization/outputs.tf
@@ -40,7 +40,7 @@ output "tag_policy_type_enabled" {
 
 output "trusted_access_enabled_service_principals" {
   description = "List of AWS service principal names which is integrated with the organization."
-  value       = aws_organizations_organization.this.aws_service_access_principals
+  value       = var.trusted_access_enabled_service_principals
 }
 
 output "accounts" {

diff --git a/modules/org-organization/variables.tf b/modules/org-organization/variables.tf
@@ -1,52 +1,61 @@
 variable "name" {
-  description = "The name of the Organization."
+  description = "(Required) The name of the Organization."
   type        = string
+  nullable    = false
 }
 
 variable "all_features_enabled" {
-  description = "Whether to create AWS Organization with all features or only consolidated billing feature."
+  description = "(Optional) Whether to create AWS Organization with all features or only consolidated billing feature."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "ai_services_opt_out_policy_type_enabled" {
-  description = "Whether to enable AI services opt-out polices in the Organization."
+  description = "(Optional) Whether to enable AI services opt-out polices in the Organization."
   type        = bool
   default     = false
+  nullable    = false
 }
 
 variable "backup_policy_type_enabled" {
-  description = "Whether to enable Backup polices in the Organization."
+  description = "(Optional) Whether to enable Backup polices in the Organization."
   type        = bool
   default     = false
+  nullable    = false
 }
 
 variable "service_control_policy_type_enabled" {
-  description = "Whether to enable Service control polices(SCPs) in the Organization."
+  description = "(Optional) Whether to enable Service control polices(SCPs) in the Organization."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "tag_policy_type_enabled" {
-  description = "Whether to enable Tag polices in the Organization."
+  description = "(Optional) Whether to enable Tag polices in the Organization."
   type        = bool
   default     = false
+  nullable    = false
 }
 
 variable "trusted_access_enabled_service_principals" {
-  description = "List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true."
-  type        = list(string)
+  description = "(Optional) List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true."
+  type        = set(string)
   default     = []
+  nullable    = false
 }
 
 variable "policies" {
-  description = "List of IDs of the policies to be attached to the Organization."
+  description = "(Optional) List of IDs of the policies to be attached to the Organization."
   type        = list(string)
   default     = []
+  nullable    = false
 }
 
 variable "module_tags_enabled" {
-  description = "Whether to create AWS Resource Tags for the module informations."
+  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
   type        = bool
   default     = true
+  nullable    = false
 }
diff --git a/modules/org-organization/versions.tf b/modules/org-organization/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.65"
+      version = ">= 5.13"
     }
   }
 }