resource/aws_organizations_account: Add parent_id argument (support moving accounts) #8583
…entation

References:

* #4405
* #8281

Please note that automated acceptance testing is not currently possible with this resource, due to manual steps required to remove an account from an organization: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html

These changes were manually verified via the following.

Given an existing configuration, previously applied with version 2.9.0 of the Terraform AWS Provider:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_account" "bflad-dev1" {
  name  = "bflad-dev1"
  email = "--OMITTED--"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}
```

Overwrite Terraform AWS Provider binary including this changeset, ensure plan shows no changes, and ensure `parent_id` is properly written to Terraform state:

```console
$ cp ~/go/bin/terraform-provider-aws .terraform/plugins/darwin_amd64/terraform-provider-aws_v2.9.0_x4
$ terraform init
...
$ terraform plan
...
aws_organizations_organization.organization: Refreshing state... (ID: o-p687o6l073)
aws_organizations_account.bflad-dev2: Refreshing state... (ID: --OMITTED--)
aws_organizations_account.bflad-dev1: Refreshing state... (ID: --OMITTED--)

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.
$ terraform refresh
...
$ terraform state show aws_organizations_account.bflad-dev1 | grep parent_id
parent_id = r-cg2b
```

Add organizational unit to configuration and add `parent_id` to an existing account pointing to it:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_organizational_unit" "test1" {
  name      = "test1"
  parent_id = "${aws_organizations_organization.organization.roots.0.id}"
}

resource "aws_organizations_account" "bflad-dev1" {
  name      = "bflad-dev1"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}
```

Verifying `Update` functionality:

```
$ terraform apply
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_organizations_account.bflad-dev1
      parent_id: "r-cg2b" => "${aws_organizations_organizational_unit.test1.id}"

  + aws_organizations_organizational_unit.test1
      id:        <computed>
      arn:       <computed>
      name:      "test1"
      parent_id: "r-cg2b"

Plan: 1 to add, 1 to change, 0 to destroy.
...
aws_organizations_organizational_unit.test1: Creating...
  arn:       "" => "<computed>"
  name:      "" => "test1"
  parent_id: "" => "r-cg2b"
aws_organizations_organizational_unit.test1: Creation complete after 0s (ID: ou-cg2b-7aa8b56k)
aws_organizations_account.bflad-dev1: Modifying... (ID: --OMITTED--)
  parent_id: "r-cg2b" => "ou-cg2b-7aa8b56k"
aws_organizations_account.bflad-dev1: Modifications complete after 1s (ID: --OMITTED--)
$ terraform state show aws_organizations_account.bflad-dev1 | grep parent_id
parent_id = ou-cg2b-7aa8b56k
```

Add account with `parent_id` to configuration:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_organizational_unit" "test1" {
  name      = "test1"
  parent_id = "${aws_organizations_organization.organization.roots.0.id}"
}

resource "aws_organizations_account" "bflad-dev1" {
  name      = "bflad-dev1"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}

resource "aws_organizations_account" "bflad-dev3" {
  name      = "bflad-dev3"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}
```

Verifying `Create` functionality:

```
$ terraform apply
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_organizations_account.bflad-dev3
      id:               <computed>
      arn:              <computed>
      email:            "--OMITTED--"
      joined_method:    <computed>
      joined_timestamp: <computed>
      name:             "bflad-dev3"
      parent_id:        "ou-cg2b-7aa8b56k"
      status:           <computed>

Plan: 1 to add, 0 to change, 0 to destroy.
...
aws_organizations_account.bflad-dev3: Creating...
  arn:              "" => "<computed>"
  email:            "" => "--OMITTED--"
  joined_method:    "" => "<computed>"
  joined_timestamp: "" => "<computed>"
  name:             "" => "bflad-dev3"
  parent_id:        "" => "ou-cg2b-7aa8b56k"
  status:           "" => "<computed>"
aws_organizations_account.bflad-dev3: Still creating... (10s elapsed)
aws_organizations_account.bflad-dev3: Creation complete after 12s (ID: --OMITTED--)
$ terraform state show aws_organizations_account.bflad-dev3 | grep parent_id
parent_id = ou-cg2b-7aa8b56k
```
This really is the key to making orgs usable in tf. Keep up the great work!
@@ -12,7 +12,8 @@ func TestAccAWSOrganizations(t *testing.T) { | |||
"FeatureSet": testAccAwsOrganizationsOrganization_FeatureSet, | |||
}, | |||
"Account": { | |||
"basic": testAccAwsOrganizationsAccount_basic, | |||
"basic": testAccAwsOrganizationsAccount_basic, |
✔️
@@ -12,6 +12,8 @@ import ( | |||
) | |||
|
|||
func testAccAwsOrganizationsAccount_basic(t *testing.T) { | |||
t.Skip("AWS Organizations Account testing is not currently automated due to manual account deletion steps.") |
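Review bot: the unconditional t.Skip as the first statement of testAccAwsOrganizationsAccount_basic leaves this resource with no automated coverage and gives a future contributor no pointer to how it was verified. Consider gating the skip on an opt-in environment variable so the test can still be run deliberately against a disposable organization, and extend the skip message with the link to the AWS account removal documentation so the manual steps are discoverable from the test output.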
Does it make sense to include a comment with a link back to this PR to show the verification steps taken as an example? Or maybe a comment with the link https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html?
Including testing documentation in some form is probably not a bad idea. Let's discuss what form this should take (probably in a multi-line skip message) after we cut the release.
Luckily this is the first time we've needed to touch this resource since its creation so this awful manual process isn't required too much, but surely easy to forget!
Nicely done 👍 The testing write-up is greatly appreciated.
This has been released in version 2.11.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Community Note
Includes 2 relevant commits from #4405
Closes #8281
Release note for CHANGELOG:
Please note that automated acceptance testing is not currently possible with this resource, due to manual steps required to remove an account from an organization: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html
These changes were manually verified via the following.
Given an existing configuration, previously applied with version 2.9.0 of the Terraform AWS Provider:
Overwrite Terraform AWS Provider binary including this changeset, ensure plan shows no changes, and ensure `parent_id` is properly written to Terraform state:
Add organizational unit to configuration and add `parent_id` to an existing account pointing to it:
Verifying `Update` functionality:
Add account with `parent_id` to configuration:
Verifying `Create` functionality: