Migrate modules from terraform-aws-account

Author: posquit0

README.md

@@ -0,0 +1,56 @@
+# terraform-aws-organization
+
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/tedilabs/terraform-aws-organization?color=blue&sort=semver&style=flat-square)
+![GitHub](https://img.shields.io/github/license/tedilabs/terraform-aws-organization?color=blue&style=flat-square)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=flat-square)](https://github.com/pre-commit/pre-commit)
+
+Terraform modules to manage Organization related resources on AWS.
+
+- [account](./modules/account)
+- [organization](./modules/organization)
+- [organizational-unit](./modules/organizational-unit)
+- [ram-share](./modules/ram-share)
+- [sso-access-control-attributes](./modules/sso-access-control-attributes)
+- [sso-account-assignment](./modules/sso-account-assignment)
+- [sso-permission-set](./modules/sso-permission-set)
+
+
+## Target AWS Services
+
+Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-organization) were written to manage the following AWS Services with Terraform.
+
+- **AWS IAM Identity Center (AWS SSO)**
+  - Access Control Attributes
+  - Account Assignment
+  - Permission Set
+- **AWS Organization**
+  - Organization
+  - Organization Unit
+  - Account
+- **AWS RAM (Resource Access Manager)**
+  - Share
+
+
+## Other Terraform Modules from Tedilabs
+
+Enjoying [terraform-aws-organization](https://github.com/tedilabs/terraform-aws-organization)? Check out some of our other modules:
+
+- [AWS Container](https://github.com/tedilabs/terraform-aws-container) - A package of Terraform Modules to manage AWS Container resources.
+- [AWS Domain](https://github.com/tedilabs/terraform-aws-domain) - A package of Terraform Modules to manage AWS Domain resources.
+- [AWS Load Balancer](https://github.com/tedilabs/terraform-aws-load-balancer) - A package of Terraform Modules to manage AWS Load Balancer resources.
+- [AWS Network](https://github.com/tedilabs/terraform-aws-network) - A package of Terraform Modules to manage AWS Network resources.
+- [AWS Security](https://github.com/tedilabs/terraform-aws-security) - A package of Terraform Modules to manage AWS Security resources.
+
+Or check out [the full list](https://github.com/search?q=org%3Atedilabs+topic%3Aterraform-module&type=repositories)
+
+
+## Self Promotion
+
+Like this project? Follow the repository on [GitHub](https://github.com/tedilabs/terraform-aws-organization). And if you're feeling especially charitable, follow **[posquit0](https://github.com/posquit0)** on GitHub.
+
+
+## License
+
+Provided under the terms of the [Apache License](LICENSE).
+
+Copyright © 2024, [Byungjin Park](https://www.posquit0.com).

modules/account/README.md

@@ -0,0 +1,79 @@
+# account
+
+This module creates following resources.
+
+- `aws_organizations_account`
+- `aws_organizations_policy_attachment` (optional)
+- `aws_organizations_delegated_administrator` (optional)
+- `aws_fms_admin_account` (optional)
+- `aws_guardduty_organization_admin_account` (optional)
+- `aws_macie2_organization_admin_account` (optional)
+- `aws_securityhub_organization_admin_account` (optional)
+- `aws_vpc_ipam_organization_admin_account` (optional)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.65 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_fms_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_admin_account) | resource |
+| [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource |
+| [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource |
+| [aws_organizations_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
+| [aws_organizations_delegated_administrator.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource |
+| [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource |
+| [aws_vpc_ipam_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_organization_admin_account) | resource |
+| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_email"></a> [email](#input\_email) | The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A friendly name for the member account. | `string` | n/a | yes |
+| <a name="input_delegated_services"></a> [delegated\_services](#input\_delegated\_services) | A list of service principals of the AWS service for which you want to make the member account a delegated administrator. | `set(string)` | `[]` | no |
+| <a name="input_iam_user_access_to_billing_allowed"></a> [iam\_user\_access\_to\_billing\_allowed](#input\_iam\_user\_access\_to\_billing\_allowed) | If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information. | `bool` | `false` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_parent_id"></a> [parent\_id](#input\_parent\_id) | Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection. | `string` | `null` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | List of IDs of the policies to be attached to the Account. | `list(string)` | `[]` | no |
+| <a name="input_preconfigured_administrator_role_name"></a> [preconfigured\_administrator\_role\_name](#input\_preconfigured\_administrator\_role\_name) | The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. | `string` | `null` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of this account. |
+| <a name="output_created_at"></a> [created\_at](#output\_created\_at) | The datetime which this account joined to the organization. |
+| <a name="output_created_by"></a> [created\_by](#output\_created\_by) | The method how this account joined to the organization. |
+| <a name="output_delegated_services"></a> [delegated\_services](#output\_delegated\_services) | A list of service principals of the AWS service which the member account is a delegated administrator. |
+| <a name="output_email"></a> [email](#output\_email) | The email address of this account. |
+| <a name="output_iam_user_access_to_billing_allowed"></a> [iam\_user\_access\_to\_billing\_allowed](#output\_iam\_user\_access\_to\_billing\_allowed) | Whether accessing account billing information by IAM User is allowed. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of this account. |
+| <a name="output_name"></a> [name](#output\_name) | The name of this account. |
+| <a name="output_parent_id"></a> [parent\_id](#output\_parent\_id) | The ID of the parent Organizational Unit. |
+| <a name="output_preconfigured_administrator_role_name"></a> [preconfigured\_administrator\_role\_name](#output\_preconfigured\_administrator\_role\_name) | The name of an IAM role that allow users in the master account to assume as administrator. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/account/delegated-administrators.tf

@@ -0,0 +1,55 @@
+locals {
+  independent_services = [
+    "fms.amazonaws.com",
+    "guardduty.amazonaws.com",
+    "ipam.amazonaws.com",
+    "macie.amazonaws.com",
+    "securityhub.amazonaws.com",
+  ]
+}
+
+
+###################################################
+# Delegated Administrators for Organization Account
+###################################################
+
+resource "aws_organizations_delegated_administrator" "this" {
+  for_each = toset([
+    for service in var.delegated_services :
+    service
+    if !contains(local.independent_services, service)
+  ])
+
+  account_id        = aws_organizations_account.this.id
+  service_principal = each.key
+}
+
+resource "aws_fms_admin_account" "this" {
+  count = contains(var.delegated_services, "fms.amazonaws.com") ? 1 : 0
+
+  account_id = aws_organizations_account.this.id
+}
+
+resource "aws_guardduty_organization_admin_account" "this" {
+  count = contains(var.delegated_services, "guardduty.amazonaws.com") ? 1 : 0
+
+  admin_account_id = aws_organizations_account.this.id
+}
+
+resource "aws_macie2_organization_admin_account" "this" {
+  count = contains(var.delegated_services, "macie.amazonaws.com") ? 1 : 0
+
+  admin_account_id = aws_organizations_account.this.id
+}
+
+resource "aws_securityhub_organization_admin_account" "this" {
+  count = contains(var.delegated_services, "securityhub.amazonaws.com") ? 1 : 0
+
+  admin_account_id = aws_organizations_account.this.id
+}
+
+resource "aws_vpc_ipam_organization_admin_account" "this" {
+  count = contains(var.delegated_services, "ipam.amazonaws.com") ? 1 : 0
+
+  delegated_admin_account_id = aws_organizations_account.this.id
+}

modules/account/main.tf

@@ -0,0 +1,58 @@
+locals {
+  metadata = {
+    package = "terraform-aws-organization"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+data "aws_organizations_organization" "this" {}
+
+locals {
+  organization_root_id = data.aws_organizations_organization.this.roots[0].id
+}
+
+resource "aws_organizations_account" "this" {
+  name      = var.name
+  email     = var.email
+  parent_id = coalesce(var.parent_id, local.organization_root_id)
+
+  iam_user_access_to_billing = var.iam_user_access_to_billing_allowed ? "ALLOW" : "DENY"
+  role_name                  = var.preconfigured_administrator_role_name
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+
+  # There is no AWS Organizations API for reading role_name
+  lifecycle {
+    ignore_changes = [
+      iam_user_access_to_billing,
+      role_name,
+    ]
+  }
+}
+
+
+###################################################
+# AWS Managed Policies
+###################################################
+
+resource "aws_organizations_policy_attachment" "this" {
+  for_each = toset(var.policies)
+
+  target_id = aws_organizations_account.this.id
+  policy_id = each.key
+}

modules/account/outputs.tf

@@ -0,0 +1,49 @@
+output "name" {
+  description = "The name of this account."
+  value       = aws_organizations_account.this.name
+}
+
+output "email" {
+  description = "The email address of this account."
+  value       = aws_organizations_account.this.email
+}
+
+output "id" {
+  description = "The ID of this account."
+  value       = aws_organizations_account.this.id
+}
+
+output "arn" {
+  description = "The Amazon Resource Name (ARN) of this account."
+  value       = aws_organizations_account.this.arn
+}
+
+output "parent_id" {
+  description = "The ID of the parent Organizational Unit."
+  value       = aws_organizations_account.this.parent_id
+}
+
+output "iam_user_access_to_billing_allowed" {
+  description = "Whether accessing account billing information by IAM User is allowed."
+  value       = var.iam_user_access_to_billing_allowed
+}
+
+output "preconfigured_administrator_role_name" {
+  description = "The name of an IAM role that allow users in the master account to assume as administrator."
+  value       = var.preconfigured_administrator_role_name
+}
+
+output "delegated_services" {
+  description = "A list of service principals of the AWS service which the member account is a delegated administrator."
+  value       = var.delegated_services
+}
+
+output "created_by" {
+  description = "The method how this account joined to the organization."
+  value       = aws_organizations_account.this.joined_method
+}
+
+output "created_at" {
+  description = "The datetime which this account joined to the organization."
+  value       = aws_organizations_account.this.joined_timestamp
+}

modules/account/resource-group.tf

@@ -0,0 +1,31 @@
+locals {
+  resource_group_name = (var.resource_group_name != ""
+    ? var.resource_group_name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.10.0"
+
+  count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group_description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}