英文:
Use terraform aws_organizations_organizational_units data sources from a AWS sub account
问题
目前,我可以使用以下来自AWS组织根帐户的Terraform数据源。我们可以从组织成员帐户中使用相同的数据源吗?或者是否有其他数据源可用?
data "aws_organizations_organization" "org" {}
data "aws_organizations_organizational_units" "root" {
parent_id = data.aws_organizations_organization.org.roots[0].id
}
data "aws_organizations_organizational_units" "sub_ous" {
parent_id = data.aws_organizations_organizational_units.root.children[0].id
}
output "root_ou" {
value = data.aws_organizations_organizational_units.root
}
output "sub_ous" {
value = data.aws_organizations_organizational_units.sub_ous
}
输出:
root_ou = {
"children" = tolist([
{
"arn" = "arn:aws:organizations::xxxxxxxxxx:ou/o-xxxxxxxx/ou-xxxx-xxxxxxxx"
"id" = "ou-xxxx-xxxxxxx"
"name" = "org-root"
},
])
"id" = "r-xxxx"
"parent_id" = "r-xxxx"
}
sub_ous = {
"children" = tolist([
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU1"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU2"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU3"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU4"
},
])
"id" = "ou-xxxx-xxxx"
"parent_id" = "ou-xxxx-xxxxxxx"
}
我尝试从成员帐户运行相同的代码,但似乎不起作用,返回错误:
Error: Attempt to index null value
on main.tf line 6, in data "aws_organizations_organizational_units" "root":
6: parent_id = data.aws_organizations_organization.org.roots[0].id
This value is null, so it does not have any indices.
为了进一步调查,我从子帐户运行了以下代码:
data "aws_organizations_organization" "org" {}
output "root_info" {
value = data.aws_organizations_organization.org
}
输出:
root_info = {
"accounts" = tolist(null) /* of object */
"arn" = "arn:aws:organizations::xxxxxxxxxxx:organization/o-xxxxxxxxx"
"aws_service_access_principals" = toset([])
"enabled_policy_types" = toset([])
"feature_set" = "ALL"
"id" = "o-xxxxxxxx"
"master_account_arn" = "arn:aws:organizations::xxxxxxxxxxxx:account/o-xxxxxxxxx/xxxxxxxxxxxx"
"master_account_email" = "xxxx@xxxxx.com"
"master_account_id" = "xxxxxxxxxxxxxx"
"non_master_accounts" = tolist(null) /* of object */
"roots" = tolist(null) /* of object */
}
根据上述输出,在成员帐户中运行时,roots
返回 null。如果我从主帐户运行它,它包含所有所需的信息。
是否有人知道解决方法?我只需获取我的AWS组织OU ID,以在AWS组织中的一个成员帐户中创建一些资源。请注意,对我来说,使用模块输出不是一个选项,因为创建AWS组织资源/帐户的Terraform代码位于不同的存储库和状态中,我无法访问它。
英文:
Right now I can use below terraform data source from AWS organization root account. Can we use the same from Organization member account? or is there any other data source for this?
<!-- begin snippet: js hide: false console: true babel: false -->
<!-- language: lang-html -->
data "aws_organizations_organization" "org" {}
data "aws_organizations_organizational_units" "root" {
parent_id = data.aws_organizations_organization.org.roots[0].id
}
data "aws_organizations_organizational_units" "sub_ous" {
parent_id = data.aws_organizations_organizational_units.root.children[0].id
}
output "root_ou" {
value = data.aws_organizations_organizational_units.root
}
output "sub_ous" {
value = data.aws_organizations_organizational_units.sub_ous
}
Outout:
root_ou = {
"children" = tolist([
{
"arn" = "arn:aws:organizations::xxxxxxxxxx:ou/o-xxxxxxxx/ou-xxxx-xxxxxxxx"
"id" = "ou-xxxx-xxxxxxx"
"name" = "org-root"
},
])
"id" = "r-xxxx"
"parent_id" = "r-xxxx"
}
sub_ous = {
"children" = tolist([
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU1"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU2"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU3"
},
{
"arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
"id" = "ou-xxxx-xxxx"
"name" = "OU4"
},
])
"id" = "ou-xxxx-xxxx"
"parent_id" = "ou-xxxx-xxxxxxx"
}
<!-- end snippet -->
I tried to run the same from a member account. It seems not working. It returns:
<!-- begin snippet: js hide: false console: true babel: false -->
<!-- language: lang-html -->
╷
│ Error: Attempt to index null value
│
│ on main.tf line 6, in data "aws_organizations_organizational_units" "root":
│ 6: parent_id = data.aws_organizations_organization.org.roots[0].id
│ ├────────────────
│ │ data.aws_organizations_organization.org.roots is null
│
│ This value is null, so it does not have any indices.
<!-- end snippet -->
To investigate further I ran below from sub account
<!-- begin snippet: js hide: false console: true babel: false -->
<!-- language: lang-html -->
data "aws_organizations_organization" "org" {}
output "root_info" {
value = data.aws_organizations_organization.org
}
Output:
root_info = {
"accounts" = tolist(null) /* of object */
"arn" = "arn:aws:organizations::xxxxxxxxxxx:organization/o-xxxxxxxxx"
"aws_service_access_principals" = toset([])
"enabled_policy_types" = toset([])
"feature_set" = "ALL"
"id" = "o-xxxxxxxx"
"master_account_arn" = "arn:aws:organizations::xxxxxxxxxxxx:account/o-xxxxxxxxx/xxxxxxxxxxxx"
"master_account_email" = "xxxx@xxxxx.com"
"master_account_id" = "xxxxxxxxxxxxxx"
"non_master_accounts" = tolist(null) /* of object */
"roots" = tolist(null) /* of object */
}
<!-- end snippet -->
As per above output roots
returns null when running from member account. If I run it from master account, it contains all required information.
Anyone know workaround for this?. All I need is to fetch my AWS organization OU IDs to create some resources in one of a member account in AWS organization.
Please note, using module output is not an option for me as terraform code which creates the AWS organization resources/accounts is a different repository and state where I don't have access to.
答案1
得分: 1
没有绕过方法。根据定义,您只能在主/管理帐户或委托帐户中使用API,而不是普通成员帐户。来自AWS文档的说明:
> 仅可以从组织的管理帐户或作为AWS服务的委派管理员的成员帐户中调用此操作。
英文:
There is no workaround. By definition you can only use the API in master/management account, or delegated account, not a regular member account. From AWS docs:
> This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an AWS service.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论