Merge pull request #18 from lorengordon/patch/validate-account-id

plus3it · Aug 2, 2023 · 60f12b0 · 60f12b0
2 parents 90cb8b7 + 6393bb6
commit 60f12b0
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 17 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.1
+current_version = 2.0.2
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [2.0.2](https://github.com/plus3it/terraform-aws-tardigrade-sso-admin/releases/tag/2.0.2)
+
+**Commit Delta**: n/a
+
+**Released**: 2023.08.02
+
+**Summary**:
+
+* Validates the specified account ID exists in the AWS Organization during the plan
+  phase, before attempting to create the account assignment
+
 ### [2.0.1](https://github.com/plus3it/terraform-aws-tardigrade-sso-admin/releases/tag/2.0.1)
 
 **Commit Delta**: n/a

diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@ Terraform module to manage AWS SSO Admin resources, including:
 
 | Name | Type |
 |------|------|
+| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 

diff --git a/main.tf b/main.tf
@@ -18,8 +18,9 @@ module "account_assignments" {
   account_assignment = merge(
     each.value,
     {
-      identity_store_id = local.identity_store_id
-      instance_arn      = local.sso_instance_arn
+      identity_store_id     = local.identity_store_id
+      instance_arn          = local.sso_instance_arn
+      organization_accounts = local.organization_accounts
 
       permission_set_arn = (
         try(each.value.permission_set_arn, null) != null ||
@@ -42,11 +43,13 @@ module "account_assignments" {
   )
 }
 
-data "aws_ssoadmin_instances" "this" {}
+data "aws_organizations_organization" "this" {}
 data "aws_partition" "this" {}
+data "aws_ssoadmin_instances" "this" {}
 
 locals {
-  identity_store_id = data.aws_ssoadmin_instances.this.identity_store_ids[0]
-  sso_instance_arn  = data.aws_ssoadmin_instances.this.arns[0]
-  partition         = data.aws_partition.this.partition
+  identity_store_id     = data.aws_ssoadmin_instances.this.identity_store_ids[0]
+  organization_accounts = data.aws_organizations_organization.this.accounts[*].id
+  partition             = data.aws_partition.this.partition
+  sso_instance_arn      = data.aws_ssoadmin_instances.this.arns[0]
 }
diff --git a/modules/account-assignment/README.md b/modules/account-assignment/README.md
@@ -22,14 +22,15 @@ Module for managing an AWS SSO Account Assignment
 |------|------|
 | [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 | [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignment"></a> [account\_assignment](#input\_account\_assignment) | Object of inputs for managing an AWS SSO Account Assignment | <pre>object({<br>    identity_store_id   = optional(string)<br>    principal_name      = string<br>    principal_type      = optional(string, "GROUP")<br>    permission_set_arn  = optional(string)<br>    permission_set_name = optional(string)<br>    instance_arn        = optional(string)<br>    target_id           = string<br>  })</pre> | n/a | yes |
+| <a name="input_account_assignment"></a> [account\_assignment](#input\_account\_assignment) | Object of inputs for managing an AWS SSO Account Assignment | <pre>object({<br>    identity_store_id     = optional(string)<br>    instance_arn          = optional(string)<br>    principal_name        = string<br>    principal_type        = optional(string, "GROUP")<br>    permission_set_arn    = optional(string)<br>    permission_set_name   = optional(string)<br>    organization_accounts = optional(list(string))<br>    target_id             = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 

diff --git a/modules/account-assignment/main.tf b/modules/account-assignment/main.tf
@@ -7,6 +7,13 @@ resource "aws_ssoadmin_account_assignment" "this" {
 
   target_id   = var.account_assignment.target_id
   target_type = "AWS_ACCOUNT"
+
+  lifecycle {
+    precondition {
+      condition     = contains(local.organization_accounts, var.account_assignment.target_id)
+      error_message = "The target account id ${var.account_assignment.target_id} does not exist in this organization."
+    }
+  }
 }
 
 data "aws_ssoadmin_permission_set" "this" {
@@ -46,9 +53,14 @@ data "aws_ssoadmin_instances" "this" {
   count = var.account_assignment.identity_store_id == null || var.account_assignment.instance_arn == null ? 1 : 0
 }
 
+data "aws_organizations_organization" "this" {
+  count = var.account_assignment.organization_accounts == null ? 1 : 0
+}
+
 locals {
   # Reduce api calls
-  identity_store_id = var.account_assignment.identity_store_id != null ? var.account_assignment.identity_store_id : data.aws_ssoadmin_instances.this[0].identity_store_ids[0]
-  sso_instance_arn  = var.account_assignment.instance_arn != null ? var.account_assignment.instance_arn : data.aws_ssoadmin_instances.this[0].arns[0]
+  identity_store_id     = var.account_assignment.identity_store_id != null ? var.account_assignment.identity_store_id : data.aws_ssoadmin_instances.this[0].identity_store_ids[0]
+  organization_accounts = var.account_assignment.organization_accounts != null ? var.account_assignment.organization_accounts : data.aws_organizations_organization.this[0].accounts[*].id
+  sso_instance_arn      = var.account_assignment.instance_arn != null ? var.account_assignment.instance_arn : data.aws_ssoadmin_instances.this[0].arns[0]
 }
 
diff --git a/modules/account-assignment/variables.tf b/modules/account-assignment/variables.tf
@@ -3,13 +3,14 @@ variable "account_assignment" {
   nullable    = false
 
   type = object({
-    identity_store_id   = optional(string)
-    principal_name      = string
-    principal_type      = optional(string, "GROUP")
-    permission_set_arn  = optional(string)
-    permission_set_name = optional(string)
-    instance_arn        = optional(string)
-    target_id           = string
+    identity_store_id     = optional(string)
+    instance_arn          = optional(string)
+    principal_name        = string
+    principal_type        = optional(string, "GROUP")
+    permission_set_arn    = optional(string)
+    permission_set_name   = optional(string)
+    organization_accounts = optional(list(string))
+    target_id             = string
   })
 
   validation {