feat: add permissions to close accounts in explicitly defined OUs

this change will support the upcoming automated tenant deletion feature of meshStack
meshcloud · Apr 22, 2024 · 1f57617 · 1f57617
1 parent ee49a4a
commit 1f57617
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -165,9 +165,9 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.automation"></a> [aws.automation](#provider\_aws.automation) | 5.41.0 |
-| <a name="provider_aws.management"></a> [aws.management](#provider\_aws.management) | 5.41.0 |
-| <a name="provider_aws.meshcloud"></a> [aws.meshcloud](#provider\_aws.meshcloud) | 5.41.0 |
+| <a name="provider_aws.automation"></a> [aws.automation](#provider\_aws.automation) | >= 2.7.0 |
+| <a name="provider_aws.management"></a> [aws.management](#provider\_aws.management) | >= 2.7.0 |
+| <a name="provider_aws.meshcloud"></a> [aws.meshcloud](#provider\_aws.meshcloud) | >= 2.7.0 |
 
 ## Modules
 
@@ -194,6 +194,7 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 |------|-------------|------|---------|:--------:|
 | <a name="input_automation_account_service_role_name"></a> [automation\_account\_service\_role\_name](#input\_automation\_account\_service\_role\_name) | Name of the custom role in the automation account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-3-automation | `string` | `"MeshfedAutomationRole"` | no |
 | <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | AWS SSO Instance ARN. Needs to be of the form arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxx. Setup instructions https://docs.meshcloud.io/docs/meshstack.aws.sso-setup.html. | `string` | n/a | yes |
+| <a name="input_can_close_accounts_in_resource_org_paths"></a> [can\_close\_accounts\_in\_resource\_org\_paths](#input\_can\_close\_accounts\_in\_resource\_org\_paths) | AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no |
 | <a name="input_control_tower_enrollment_enabled"></a> [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform. | `bool` | `false` | no |
 | <a name="input_control_tower_portfolio_id"></a> [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no |
 | <a name="input_cost_explorer_management_account_service_role_name"></a> [cost\_explorer\_management\_account\_service\_role\_name](#input\_cost\_explorer\_management\_account\_service\_role\_name) | Name of the custom role in the management account used by the cost explorer user. | `string` | `"MeshCostExplorerServiceRole"` | no |
@@ -212,6 +213,7 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 | Name | Description |
 |------|-------------|
 | <a name="output_automation_account_id"></a> [automation\_account\_id](#output\_automation\_account\_id) | Automation Account ID |
+| <a name="output_cost_explorer_identity_federation_role"></a> [cost\_explorer\_identity\_federation\_role](#output\_cost\_explorer\_identity\_federation\_role) | n/a |
 | <a name="output_cost_explorer_management_account_role_arn"></a> [cost\_explorer\_management\_account\_role\_arn](#output\_cost\_explorer\_management\_account\_role\_arn) | Amazon Resource Name (ARN) of Management Account Role for replicator |
 | <a name="output_cost_explorer_privileged_external_id"></a> [cost\_explorer\_privileged\_external\_id](#output\_cost\_explorer\_privileged\_external\_id) | Cost explorer privileged\_external\_id |
 | <a name="output_management_account_id"></a> [management\_account\_id](#output\_management\_account\_id) | Management Account ID |

diff --git a/main.tf b/main.tf
@@ -68,15 +68,16 @@ module "management_account_replicator_access" {
   providers = {
     aws = aws.management
   }
-  meshcloud_account_id                 = data.aws_caller_identity.meshcloud.account_id
-  privileged_external_id               = var.replicator_privileged_external_id
-  support_root_account_via_aws_sso     = var.support_root_account_via_aws_sso
-  aws_sso_instance_arn                 = var.aws_sso_instance_arn
-  control_tower_enrollment_enabled     = var.control_tower_enrollment_enabled
-  control_tower_portfolio_id           = var.control_tower_portfolio_id
-  meshcloud_account_service_user_name  = var.meshcloud_account_service_user_name
-  management_account_service_role_name = var.management_account_service_role_name
-  landing_zone_ou_arns                 = var.landing_zone_ou_arns
+  meshcloud_account_id                     = data.aws_caller_identity.meshcloud.account_id
+  privileged_external_id                   = var.replicator_privileged_external_id
+  support_root_account_via_aws_sso         = var.support_root_account_via_aws_sso
+  aws_sso_instance_arn                     = var.aws_sso_instance_arn
+  control_tower_enrollment_enabled         = var.control_tower_enrollment_enabled
+  control_tower_portfolio_id               = var.control_tower_portfolio_id
+  meshcloud_account_service_user_name      = var.meshcloud_account_service_user_name
+  management_account_service_role_name     = var.management_account_service_role_name
+  landing_zone_ou_arns                     = var.landing_zone_ou_arns
+  can_close_accounts_in_resource_org_paths = var.can_close_accounts_in_resource_org_paths
 
   allow_federated_role = var.workload_identity_federation != null
 

diff --git a/modules/meshcloud-cost-explorer/ce-management-account-access/README.md b/modules/meshcloud-cost-explorer/ce-management-account-access/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.7.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
 
 ## Modules
 

diff --git a/modules/meshcloud-replicator/replicator-management-account-access/README.md b/modules/meshcloud-replicator/replicator-management-account-access/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.7.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
 
 ## Modules
 
@@ -39,9 +39,10 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allow_federated_role"></a> [allow\_federated\_role](#input\_allow\_federated\_role) | n/a | `bool` | `false` | no |
 | <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes |
+| <a name="input_can_close_accounts_in_resource_org_paths"></a> [can\_close\_accounts\_in\_resource\_org\_paths](#input\_can\_close\_accounts\_in\_resource\_org\_paths) | AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no |
 | <a name="input_control_tower_enrollment_enabled"></a> [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no |
 | <a name="input_control_tower_portfolio_id"></a> [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no |
-| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | <pre>[<br>  "arn:aws:organizations::*:ou/o-*/ou-*"<br>]</pre> | no |
+| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | `[]` | no |
 | <a name="input_management_account_service_role_name"></a> [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
 | <a name="input_meshcloud_account_id"></a> [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes |
 | <a name="input_meshcloud_account_service_user_name"></a> [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no |
@@ -55,4 +56,4 @@ No modules.
 |------|-------------|
 | <a name="output_management_account_role_arn"></a> [management\_account\_role\_arn](#output\_management\_account\_role\_arn) | Amazon Resource Name (ARN) of Management Account Role |
 | <a name="output_meshstack_access_role_name"></a> [meshstack\_access\_role\_name](#output\_meshstack\_access\_role\_name) | The name for the Account Access Role that will be rolled out to all managed accounts. |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/data.tf b/modules/meshcloud-replicator/replicator-management-account-access/data.tf
@@ -50,14 +50,31 @@ data "aws_iam_policy_document" "meshfed_service" {
       [
         # The actions organizations:TagResource and organizations:UntagResource act on accounts.
         # The actions can not be restricted to a subtree of the OU hierarchy. This is a limitation in the permission model of AWS Organization Service.
-        # To supprt tagging for this meshPlatform we need to allow both actions on all accounts.
+        # To support tagging for this meshPlatform we need to allow both actions on all accounts.
         "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
         # New accounts need to be moved from root to the target OU.
         "arn:${data.aws_partition.current.partition}:organizations::${local.account_id}:root/o-*/r-*"
       ],
     var.landing_zone_ou_arns)
   }
 
+  statement {
+    sid    = "OrgManagementAccessCloseAccount"
+    effect = "Allow"
+    actions = [
+      "organizations:CloseAccount"
+    ]
+    resources = [
+      // allow acting on any account owned by this org
+      "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
+    ]
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:ResourceOrgPaths"
+      values   = var.can_close_accounts_in_resource_org_paths
+    }
+  }
+
   statement {
     sid    = "OrgManagementAccessNoResourceLevelRestrictions"
     effect = "Allow"

diff --git a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
@@ -52,9 +52,14 @@ variable "support_root_account_via_aws_sso" {
 variable "landing_zone_ou_arns" {
   type        = list(string)
   description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
-  default = [
-    "arn:aws:organizations::*:ou/o-*/ou-*"
-  ]
+  default     = []
+}
+
+variable "can_close_accounts_in_resource_org_paths" {
+  type = list(string)
+  // see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths
+  description = "AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts."
+  default     = [] // example: o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/
 }
 
 variable "allow_federated_role" {

diff --git a/variables.tf b/variables.tf
@@ -39,6 +39,13 @@ variable "landing_zone_ou_arns" {
   default     = ["arn:aws:organizations::*:ou/o-*/ou-*"]
 }
 
+variable "can_close_accounts_in_resource_org_paths" {
+  type = list(string)
+  // see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths
+  description = "AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts."
+  default     = [] // example: o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 # These parameters have reasonable defaults.