
Organizations: Add Mechanism to enable Service control policies on the root #4545

Closed
rayterrill opened this issue May 15, 2018 · 5 comments · Fixed by #8588
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/organizations Issues and PRs that pertain to the organizations service.
Comments

@rayterrill
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Need a mechanism to enable Service control policies on the root. It looks like this needs to be done manually before you can successfully apply policies with Organizations (Organizations, Organize accounts, click the Root on the left pane, click Enable under ENABLE/DISABLE POLICY TYPES, Service control policies).

Attempting to add policies without toggling this setting results in this:

```
aws_organizations_policy_attachment.root_FullAccess: Creating...
  policy_id: "" => "p-FullAWSAccess"
  target_id: "" => "r-SECRET"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

1 error(s) occurred:

* aws_organizations_policy_attachment.root_FullAccess: 1 error(s) occurred:

* aws_organizations_policy_attachment.root_FullAccess: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
        status code: 400, request id: 50573131-5866-11e8-a4c8-2f34931e1acc
```

References

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root

@bill-rich bill-rich added the enhancement Requests to existing resources that expand the functionality or scope. label May 15, 2018
@bflad bflad added the service/organizations Issues and PRs that pertain to the organizations service. label May 18, 2018
@paurullan

I stumbled on this same problem. The workaround is to manually launch the policy enabler.
Luckily I found these lines from @jchrisfarris
https://github.com/jchrisfarris/aws-service-control-policies

bflad added a commit that referenced this issue May 9, 2019
…ument

Reference: #4545

The `aws_organizations_policy_attachment` acceptance testing was previously written to assume that the account running it was already in an Organization, manually had enabled Service Control Policies in the Root, and did not check Root or Organizational Unit policy attachments as the appropriate attributes/resources did not exist. The updates to those tests now verify the SCP attachment workflow end-to-end with creating a new Organization, enabling SCPs, and SCP attachments to an account, Root, and OU.

Previous output from acceptance testing (before `enabled_policy_types` implementation):

```
    --- FAIL: TestAccAWSOrganizations/PolicyAttachment (37.12s)
        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/Account (14.00s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 381509e0-7225-11e9-b974-09edfb312bea

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test737240811/main.tf line 11:
                  (source code not available)

        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/OrganizationalUnit (10.85s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 3f587964-7225-11e9-96c5-1d623fb91cbf

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test570985045/main.tf line 16:
                  (source code not available)

        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/Root (12.27s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 46589efd-7225-11e9-b974-09edfb312bea

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test865604943/main.tf line 11:
                  (source code not available)
```

Output from acceptance testing:

```
    --- PASS: TestAccAWSOrganizations/Organization (79.29s)
        --- PASS: TestAccAWSOrganizations/Organization/basic (13.66s)
        --- PASS: TestAccAWSOrganizations/Organization/AwsServiceAccessPrincipals (24.59s)
        --- PASS: TestAccAWSOrganizations/Organization/EnabledPolicyTypes (30.29s)
        --- PASS: TestAccAWSOrganizations/Organization/FeatureSet (10.75s)
    --- PASS: TestAccAWSOrganizations/PolicyAttachment (58.58s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/Account (21.28s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/OrganizationalUnit (20.48s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/Root (16.82s)
```
@bflad
Contributor

bflad commented May 9, 2019

Pull request submitted: #8588

@bflad bflad added this to the v2.10.0 milestone May 9, 2019
@bflad
Contributor

bflad commented May 10, 2019

Support for this has been merged via a new enabled_policy_types argument on the aws_organizations_organization resource (e.g. enabled_policy_types = ["SERVICE_CONTROL_POLICY"]). This will be released in version 2.10.0 of the Terraform AWS Provider, likely later today. 👍
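
The following configuration is an added example (not code from this issue, from the linked PR, or from the provider's own repository) showing how the `enabled_policy_types` argument removes the manual console step that caused the `PolicyTypeNotEnabledException` above. Resource and argument names (`aws_organizations_organization`, `enabled_policy_types`, `feature_set`, `roots`, `aws_organizations_policy`, `aws_organizations_policy_attachment`) are from the Terraform AWS provider; the provider version pin, region, policy name and the guardrail statements in the policy body are illustrative choices made for this example, as is the use of `roots[0].id` to address the root.

```hcl
# Added example: declaratively enable SCPs on the root and attach a
# guardrail policy. Assumes Terraform AWS provider >= 2.10.0 (the release
# that introduced enabled_policy_types); region and names are illustrative.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 2.10.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # illustrative; Organizations is a global service
}

# SCPs are only available with the "ALL" feature set, and the policy type
# must be enabled on the root before any attachment can succeed. Before
# 2.10.0 this toggle had to be flipped by hand in the console or via the
# EnablePolicyType API; here it is part of the organization resource.
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Guardrail SCP (illustrative content). SCPs are deny-side filters layered
# on the default FullAWSAccess allow: they never grant permissions, and they
# do not apply to the management account, only to member accounts.
resource "aws_organizations_policy" "guardrails" {
  name        = "guardrails"
  description = "Deny account-level actions that would defeat central controls"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyLeaveOrganization"
        Effect   = "Deny"
        Action   = ["organizations:LeaveOrganization"]
        Resource = "*"
      },
      {
        Sid      = "ProtectCloudTrail"
        Effect   = "Deny"
        Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]
        Resource = "*"
      }
    ]
  })
}

# Attach to the root so every OU and account inherits the guardrail.
# Referencing the organization resource's exported roots attribute creates
# the dependency that guarantees the policy type is enabled before this
# attachment is created, which is exactly the ordering the issue lacked.
resource "aws_organizations_policy_attachment" "root_guardrails" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organization.org.roots[0].id
}
```

Two practical notes. If the organization already exists (the common case), do not create a second one: import it into state with `terraform import aws_organizations_organization.org <organization id>` and then add `enabled_policy_types`, and the next apply will enable SCPs on the root in place. And because the error in this issue is raised at attachment time, a plan will still look clean on a pre-2.10.0 provider; the failure only surfaces during apply, so pinning the provider version as above is the check that actually catches a stale setup.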

@bflad
Contributor

bflad commented May 10, 2019

This has been released in version 2.10.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020