add support for Organizational Units #4207
Conversation
bflad
added
new-resource
ghost
added
size/L
afeld
changed the title
|
Ready for review! I'll rebase after/if #4229 is merged to reduce the size of the pull request. Thanks! |
|
|
To provide an update, the maintainers will be circling back to looking through the various open Organizations data source pull requests to review them all at once after we determine which make the most sense for expected use cases.
Yes, I saw that pull request. 😄 My point is more centered around that data sources should not be required to provision infrastructure. That type of configuration within Terraform is discouraged where possible and the acceptance testing (analogous to real world configurations) should be able to stand up an Organization with Organizational Units from the ground up with resources only. In this case, it seems like we should be able to add the Root ID(s) in the Hope this makes sense. |
|
@bryanlalexander that is spot on. 💯 If there isn't any movement on that implementation in the next few days I can likely get that submitted. Apologies this process has been dragging out for so long. |
|
What are the next steps to get this added? : o |
|
The @afeld please let us know if you can update this pull request to just the resource and we can provide quick turnaround on subsequent reviews. Thanks so much. |
bflad
added
the
waiting-response
|
Sorry for the slow response, folks. I will try and get to it later this weekend, but can't promise. Also, haven't been working with Go or AWS Organizations for a while, so I'll be a bit rusty. If anyone else wants to pick it up and run with it in the meantime, you are more than welcome. Just reach out and I'll make you a committer on my fork. |
ghost
removed
the
waiting-response
ghost
added
size/XXL
ghost
added
size/XL
|
@bflad we should be good to go now. |
|
@afeld thank you so much for the heads up. We are all really appreciative of your work that went into this. Apologies again this was held up for so long. @bryanlalexander 💯 🥇 thanks for those updates! Taking a deeper look now, but overall looks to be in pretty good shape. |
There was a problem hiding this comment.
Thanks @afeld and @bryanlalexander! This pull request was in great shape. There were a few minor feedback items noted below, but in the effort to save you additional work after having done so much to get this in its current state and allow this to be released tomorrow, I added one followup commit to all these (4238f78), which addresses these items including the more annoying/pedantic resource and function renaming. I hope you don't mind. 😅
Output from acceptance testing:
--- PASS: TestAccAWSOrganizations/OrganizationalUnit (41.90s)
--- PASS: TestAccAWSOrganizations/OrganizationalUnit/basic (17.42s)
--- PASS: TestAccAWSOrganizations/OrganizationalUnit/Name (24.48s)
| @@ -14,6 +14,11 @@ func TestAccAWSOrganizations(t *testing.T) { | |||
| "Account": { | |||
| "basic": testAccAwsOrganizationsAccount_basic, | |||
| }, | |||
| "Unit": { | |||
| "basic": testAccAwsOrganizationsUnit_basic, | |||
| "importBasic": testAccAwsOrganizationsUnit_importBasic, | |||
There was a problem hiding this comment.
Nit: We are now preferring to add ImportState: true testing to all relevant resources tests instead of creating a separate test to cover additional configurations and remove mostly duplicate testing time/infrastructure. 👍 I don't want this to hold up this pull request though so just leaving this as a note here for future contributions!
| input := &organizations.ListParentsInput{ | ||
| ChildId: aws.String(childId), | ||
| } | ||
| resp, err := conn.ListParents(input) |
There was a problem hiding this comment.
The API documentation for this call notes:
Note
Always check the NextToken response parameter for a null value when calling a List* operation. These operations can occasionally return an empty set of results even when there are more results available. The NextToken response parameter value is null only when there are no more results to display.
It looks like the AWS Go SDK has a paginated function available here, ListParentsPages, which is likely the quickest option here.
| Config: testAccAwsOrganizationsUnitConfig(name), | ||
| Check: resource.ComposeTestCheckFunc( | ||
| testAccCheckAwsOrganizationsUnitExists(resourceName, &unit), | ||
| resource.TestCheckResourceAttrSet(resourceName, "arn"), |
There was a problem hiding this comment.
Nit: We can use our helper function testAccMatchResourceAttrRegionalARN() here to verify the ARN contains a value like we are expecting here, e.g.
| resource.TestCheckResourceAttrSet(resourceName, "arn"), | |
| testAccMatchResourceAttrGlobalARN(resourceName, "arn", regexp.MustCompile(`ou/o-.+/ou-.+`)), |
| continue | ||
| } | ||
|
|
||
| exists, err := existsOrganization(conn) |
There was a problem hiding this comment.
I'm wondering if we could use just catch and ignore ErrCodeAWSOrganizationsNotInUseException with the DescribeOrganizationalUnit call below instead of making the additional API call here. 👍
|
|
||
| if err != nil { | ||
| if isAWSErr(err, organizations.ErrCodeOrganizationalUnitNotFoundException, "") { | ||
| return nil |
There was a problem hiding this comment.
We should use continue here to ensure that if the test state contains multiple aws_organizations_organizational_unit resources that they are all checked appropriately. 😄
| return nil | |
| continue |
| @@ -592,6 +592,7 @@ func Provider() terraform.ResourceProvider { | |||
| "aws_organizations_account": resourceAwsOrganizationsAccount(), | |||
| "aws_organizations_policy": resourceAwsOrganizationsPolicy(), | |||
| "aws_organizations_policy_attachment": resourceAwsOrganizationsPolicyAttachment(), | |||
| "aws_organizations_unit": resourceAwsOrganizationsUnit(), | |||
There was a problem hiding this comment.
We have been cautiously including full naming for AWS service "objects", even if the naming becomes a little redundant to prevent any future issues where other similarly named "objects" are added. In this case, we would prefer aws_organizations_organizational_unit to match the Organizations service and service API concept of "Organizational Unit", in case the Organizations service ever releases other types of "Unit".
| "aws_organizations_unit": resourceAwsOrganizationsUnit(), | |
| "aws_organizations_organizational_unit": resourceAwsOrganizationsOrganizationalUnit(), |
| Provides details about an organizational unit | ||
| --- | ||
|
|
||
| # Data Source: aws_organizations_unit |
There was a problem hiding this comment.
Leftover documentation from previous iteration of pull request. 👍
| resource "aws_organizations_policy_attachment" "root" { | ||
| policy_id = "${aws_organizations_policy.example.id}" | ||
| target_id = "r-12345678" | ||
| target_id = "${data.aws_organizations_unit.root.id}" |
There was a problem hiding this comment.
This change is unrelated to this pull request and probably a leftover from when it was initially implemented with the data source, but I believe our intention here will be to show the new aws_organizations_organization roots attribute 😄
| target_id = "${data.aws_organizations_unit.root.id}" | |
| target_id = "${aws_organizations_unit.example.roots.0.id}" |
| } | ||
|
|
||
| resource "aws_organizations_unit" "tenants" { | ||
| parent_id = "${aws_organizations_organization.roots.0.id}" |
There was a problem hiding this comment.
Missing resource name 😉
| parent_id = "${aws_organizations_organization.roots.0.id}" | |
| parent_id = "${aws_organizations_organization.org.roots.0.id}" |
|
|
||
| ## Import | ||
|
|
||
| The AWS organization can be imported by using the `id`, e.g. |
There was a problem hiding this comment.
| The AWS organization can be imported by using the `id`, e.g. | |
| AWS Organizations Organizational Units can be imported by using the `id`, e.g. |
Output from acceptance testing:
```
--- PASS: TestAccAWSOrganizations/OrganizationalUnit (41.90s)
--- PASS: TestAccAWSOrganizations/OrganizationalUnit/basic (17.42s)
--- PASS: TestAccAWSOrganizations/OrganizationalUnit/Name (24.48s)
```
|
This has been released in version 2.10.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Part of #571. Builds on #4229 - diff.
This pull request will add support for Organizational Units.
Still needs work - mostly wanted to submit to let folks know I'm working on it.