使用Terraform的`aws_organizations_organizational_units`数据源来自AWS子帐户。

huangapple go评论104阅读模式
英文:

Use terraform aws_organizations_organizational_units data sources from a AWS sub account

问题

目前,我可以使用以下来自AWS组织根帐户的Terraform数据源。我们可以从组织成员帐户中使用相同的数据源吗?或者是否有其他数据源可用?

data "aws_organizations_organization" "org" {}

data "aws_organizations_organizational_units" "root" {
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

data "aws_organizations_organizational_units" "sub_ous" {
  parent_id = data.aws_organizations_organizational_units.root.children[0].id
}

output "root_ou" {
  value = data.aws_organizations_organizational_units.root
}

output "sub_ous" {
  value = data.aws_organizations_organizational_units.sub_ous
}

输出:

root_ou = {
  "children" = tolist([
    {
      "arn" = "arn:aws:organizations::xxxxxxxxxx:ou/o-xxxxxxxx/ou-xxxx-xxxxxxxx"
      "id" = "ou-xxxx-xxxxxxx"
      "name" = "org-root"
    },
  ])
  "id" = "r-xxxx"
  "parent_id" = "r-xxxx"
}

sub_ous = {
  "children" = tolist([
    {
      "arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
      "id" = "ou-xxxx-xxxx"
      "name" = "OU1"
    },
    {
      "arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
      "id" = "ou-xxxx-xxxx"
      "name" = "OU2"
    },
    {
      "arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
      "id" = "ou-xxxx-xxxx"
      "name" = "OU3"
    },
    {
      "arn" = "arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx"
      "id" = "ou-xxxx-xxxx"
      "name" = "OU4"
    },
  ])
  "id" = "ou-xxxx-xxxx"
  "parent_id" = "ou-xxxx-xxxxxxx"
}

我尝试从成员帐户运行相同的代码,但似乎不起作用,返回错误:

Error: Attempt to index null value

on main.tf line 6, in data "aws_organizations_organizational_units" "root":
6:   parent_id = data.aws_organizations_organization.org.roots[0].id

This value is null, so it does not have any indices.

为了进一步调查,我从子帐户运行了以下代码:

data "aws_organizations_organization" "org" {}

output "root_info" {
  value = data.aws_organizations_organization.org
}

输出:

root_info = {
  "accounts" = tolist(null) /* of object */
  "arn" = "arn:aws:organizations::xxxxxxxxxxx:organization/o-xxxxxxxxx"
  "aws_service_access_principals" = toset([])
  "enabled_policy_types" = toset([])
  "feature_set" = "ALL"
  "id" = "o-xxxxxxxx"
  "master_account_arn" = "arn:aws:organizations::xxxxxxxxxxxx:account/o-xxxxxxxxx/xxxxxxxxxxxx"
  "master_account_email" = "xxxx@xxxxx.com"
  "master_account_id" = "xxxxxxxxxxxxxx"
  "non_master_accounts" = tolist(null) /* of object */
  "roots" = tolist(null) /* of object */
}

根据上述输出,在成员帐户中运行时,roots 返回 null。如果我从主帐户运行它,它包含所有所需的信息。

是否有人知道解决方法?我只需获取我的AWS组织OU ID,以在AWS组织中的一个成员帐户中创建一些资源。请注意,对我来说,使用模块输出不是一个选项,因为创建AWS组织资源/帐户的Terraform代码位于不同的存储库和状态中,我无法访问它。

英文:

Right now I can use below terraform data source from AWS organization root account. Can we use the same from Organization member account? or is there any other data source for this?

<!-- begin snippet: js hide: false console: true babel: false -->

<!-- language: lang-html -->

data &quot;aws_organizations_organization&quot; &quot;org&quot; {}

data &quot;aws_organizations_organizational_units&quot; &quot;root&quot; {
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

data &quot;aws_organizations_organizational_units&quot; &quot;sub_ous&quot; {
  parent_id = data.aws_organizations_organizational_units.root.children[0].id
}


output &quot;root_ou&quot; {
  value = data.aws_organizations_organizational_units.root
}

output &quot;sub_ous&quot; {
  value = data.aws_organizations_organizational_units.sub_ous
}



Outout:

root_ou = {
  &quot;children&quot; = tolist([
    {
      &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxx:ou/o-xxxxxxxx/ou-xxxx-xxxxxxxx&quot;
      &quot;id&quot; = &quot;ou-xxxx-xxxxxxx&quot;
      &quot;name&quot; = &quot;org-root&quot;
    },
  ])
  &quot;id&quot; = &quot;r-xxxx&quot;
  &quot;parent_id&quot; = &quot;r-xxxx&quot;
}

sub_ous = {
  &quot;children&quot; = tolist([
    {
      &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx&quot;
      &quot;id&quot; = &quot;ou-xxxx-xxxx&quot;
      &quot;name&quot; = &quot;OU1&quot;
    },
    {
      &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx&quot;
      &quot;id&quot; = &quot;ou-xxxx-xxxx&quot;
      &quot;name&quot; = &quot;OU2&quot;
    },
    {
      &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx&quot;
      &quot;id&quot; = &quot;ou-xxxx-xxxx&quot;
      &quot;name&quot; = &quot;OU3&quot;
    },
    {
      &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxxx:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxxxx&quot;
      &quot;id&quot; = &quot;ou-xxxx-xxxx&quot;
      &quot;name&quot; = &quot;OU4&quot;
    },
  ])
  &quot;id&quot; = &quot;ou-xxxx-xxxx&quot;
  &quot;parent_id&quot; = &quot;ou-xxxx-xxxxxxx&quot;
}

<!-- end snippet -->

I tried to run the same from a member account. It seems not working. It returns:

<!-- begin snippet: js hide: false console: true babel: false -->

<!-- language: lang-html -->

╷
│ Error: Attempt to index null value
│
│   on main.tf line 6, in data &quot;aws_organizations_organizational_units&quot; &quot;root&quot;:
│    6:   parent_id = data.aws_organizations_organization.org.roots[0].id
│     ├────────────────
│     │ data.aws_organizations_organization.org.roots is null
│
│ This value is null, so it does not have any indices.

<!-- end snippet -->

To investigate further I ran below from sub account

<!-- begin snippet: js hide: false console: true babel: false -->

<!-- language: lang-html -->

data &quot;aws_organizations_organization&quot; &quot;org&quot; {}

output &quot;root_info&quot; {
  value = data.aws_organizations_organization.org
}


Output:

root_info = {
  &quot;accounts&quot; = tolist(null) /* of object */
  &quot;arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxx:organization/o-xxxxxxxxx&quot;
  &quot;aws_service_access_principals&quot; = toset([])
  &quot;enabled_policy_types&quot; = toset([])
  &quot;feature_set&quot; = &quot;ALL&quot;
  &quot;id&quot; = &quot;o-xxxxxxxx&quot;
  &quot;master_account_arn&quot; = &quot;arn:aws:organizations::xxxxxxxxxxxx:account/o-xxxxxxxxx/xxxxxxxxxxxx&quot;
  &quot;master_account_email&quot; = &quot;xxxx@xxxxx.com&quot;
  &quot;master_account_id&quot; = &quot;xxxxxxxxxxxxxx&quot;
  &quot;non_master_accounts&quot; = tolist(null) /* of object */
  &quot;roots&quot; = tolist(null) /* of object */
}

<!-- end snippet -->

As per above output roots returns null when running from member account. If I run it from master account, it contains all required information.

Anyone know workaround for this?. All I need is to fetch my AWS organization OU IDs to create some resources in one of a member account in AWS organization.

Please note, using module output is not an option for me as terraform code which creates the AWS organization resources/accounts is a different repository and state where I don't have access to.

答案1

得分: 1

没有绕过方法。根据定义,您只能在主/管理帐户或委托帐户中使用API,而不是普通成员帐户。来自AWS文档的说明:

> 仅可以从组织的管理帐户或作为AWS服务的委派管理员的成员帐户中调用此操作。

英文:

There is no workaround. By definition you can only use the API in master/management account, or delegated account, not a regular member account. From AWS docs:

> This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an AWS service.

huangapple
  • 本文由 发表于 2023年7月27日 23:48:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/76781465.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定