feat: add permissions to close accounts in explicitly defined OUs

this change will support the upcoming automated tenant deletion feature of meshStack
meshcloud · Apr 22, 2024 · 34a7020 · 34a7020
1 parent 992d9f7
commit 34a7020
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/README.md b/modules/meshcloud-replicator/replicator-management-account-access/README.md
@@ -37,7 +37,8 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_enrollment_enabled"></a> [aws\_enrollment\_enabled](#input\_aws\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no |
 | <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes |
-| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | <pre>[<br>  "arn:aws:organizations::*:ou/o-*/ou-*"<br>]</pre> | no |
+| <a name="input_can_close_accounts_in_landing_zone_ou_arns"></a> [can\_close\_accounts\_in\_landing\_zone\_ou\_arns](#input\_can\_close\_accounts\_in\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no |
+| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | `[]` | no |
 | <a name="input_management_account_service_role_name"></a> [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
 | <a name="input_meshcloud_account_id"></a> [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes |
 | <a name="input_meshcloud_account_service_user_name"></a> [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no |

diff --git a/modules/meshcloud-replicator/replicator-management-account-access/data.tf b/modules/meshcloud-replicator/replicator-management-account-access/data.tf
@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "meshfed_service" {
     var.landing_zone_ou_arns)
   }
 
+  statement {
+    sid    = "OrgManagementAccessCloseAccount"
+    effect = "Allow"
+    actions = [
+      "organizations:CloseAccount"
+    ]
+    resources = var.can_close_accounts_in_landing_zone_ou_arns
+  }
+
   statement {
     sid    = "OrgManagementAccessNoResourceLevelRestrictions"
     effect = "Allow"

diff --git a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
@@ -47,6 +47,12 @@ variable "landing_zone_ou_arns" {
   type        = list(string)
   description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
   default = [
-    "arn:aws:organizations::*:ou/o-*/ou-*"
+  ]
+}
+
+variable "can_close_accounts_in_landing_zone_ou_arns" {
+  type        = list(string)
+  description = "Organizational Unit ARNs that are used in Landing Zones and where meshStack is allowed to close accounts."
+  default = [
   ]
 }