TME-2398:stackset OUs (#48)

expel-io · Sep 18, 2023 · 8f0e40e · 8f0e40e
1 parent d3270e1
commit 8f0e40e
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -76,6 +76,7 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
 | <a name="input_queue_message_retention_days"></a> [queue\_message\_retention\_days](#input\_queue\_message\_retention\_days) | The visibility timeout for the queue. See: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html | `number` | `7` | no |
 | <a name="input_stackset_fault_tolerance_count"></a> [stackset\_fault\_tolerance\_count](#input\_stackset\_fault\_tolerance\_count) | The number of accounts, per Region, for which stackset deployment operation can fail before AWS CloudFormation stops the operation in that Region. | `number` | `null` | no |
 | <a name="input_stackset_max_concurrent_count"></a> [stackset\_max\_concurrent\_count](#input\_stackset\_max\_concurrent\_count) | The maximum number of accounts in which to perform this operation at one time. At most, this should be set to one more than `stackset_fault_tolerance_count` | `number` | `1` | no |
+| <a name="input_stackset_target_organizational_units"></a> [stackset\_target\_organizational\_units](#input\_stackset\_target\_organizational\_units) | If the stackset is desired to be deployed to targeted OUs only, provide a list of OU ids. Please note that the OU that the trail log bucket account belongs to, must be included. | `list(string)` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A set of tags to group resources. | `map(string)` | `{}` | no |
 ## Outputs
 

diff --git a/examples/existing-cloudtrail/cross-account/terraform.tfvars b/examples/existing-cloudtrail/cross-account/terraform.tfvars
@@ -1,7 +1,7 @@
 region                                    = "Replace with the AWS region in which you want the notification queue for CloudTrail to be set up"
 expel_customer_organization_guid          = "Replace with your organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench"
 existing_cloudtrail_bucket_name           = "Replace with your AWS S3 Bucket name"
-aws_mgmt_account_id                       = "Replace with your AWS Management account id"
+aws_management_account_id                 = "Replace with your AWS Management account id"
 existing_cloudtrail_log_bucket_account_id = "Replace with your AWS Cloudtrail log bucket account id"
 existing_cloudtrail_kms_key_arn           = "Replace with the KMS Key ARN used for your CloudTrail S3 Bucket"
 existing_sns_topic_arn                    = "Replace with your AWS SNS Topic ARN"
diff --git a/locals.tf b/locals.tf
@@ -14,9 +14,9 @@ locals {
     local.default_tags,
   )
 
-  customer_aws_account_id      = coalesce(var.expel_customer_aws_account_id, data.aws_caller_identity.current.account_id)
-  region                       = data.aws_region.current.name
-  customer_aws_organization_id = try(data.aws_organizations_organization.current[0].roots[0].id, "")
+  customer_aws_account_id     = coalesce(var.expel_customer_aws_account_id, data.aws_caller_identity.current.account_id)
+  region                      = data.aws_region.current.name
+  stackset_organization_units = var.stackset_target_organizational_units != null ? var.stackset_target_organizational_units : [try(data.aws_organizations_organization.current[0].roots[0].id, "")]
 
   cloudtrail_bucket_arn                = var.existing_cloudtrail_bucket_name != null ? "arn:aws:s3:::${var.existing_cloudtrail_bucket_name}" : "arn:aws:s3:::${var.prefix}-${random_uuid.cloudtrail_bucket_name[0].result}"
   cloudtrail_bucket_name               = var.existing_cloudtrail_bucket_name != null ? var.existing_cloudtrail_bucket_name : "${var.prefix}-${random_uuid.cloudtrail_bucket_name[0].result}"

diff --git a/stackset.tf b/stackset.tf
@@ -26,7 +26,7 @@ resource "aws_cloudformation_stack_set_instance" "permeate_account_policy" {
   count = local.create_stackset ? 1 : 0
 
   deployment_targets {
-    organizational_unit_ids = [local.customer_aws_organization_id]
+    organizational_unit_ids = local.stackset_organization_units
   }
 
   operation_preferences {

diff --git a/variables.tf b/variables.tf
@@ -155,3 +155,9 @@ variable "stackset_max_concurrent_count" {
   type        = number
   default     = 1
 }
+
+variable "stackset_target_organizational_units" {
+  description = "If the stackset is desired to be deployed to targeted OUs only, provide a list of OU ids. Please note that the OU that the trail log bucket account belongs to, must be included."
+  type        = list(string)
+  default     = null
+}