diff --git a/modules/meshcloud-replicator/replicator-management-account-access/README.md b/modules/meshcloud-replicator/replicator-management-account-access/README.md index 49089e2..2923385 100644 --- a/modules/meshcloud-replicator/replicator-management-account-access/README.md +++ b/modules/meshcloud-replicator/replicator-management-account-access/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.7.0 | +| [aws](#provider\_aws) | 4.21.0 | ## Modules @@ -39,9 +39,10 @@ No modules. |------|-------------|------|---------|:--------:| | [allow\_federated\_role](#input\_allow\_federated\_role) | n/a | `bool` | `false` | no | | [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes | +| [can\_close\_accounts\_in\_resource\_org\_paths](#input\_can\_close\_accounts\_in\_resource\_org\_paths) | AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no | | [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no | | [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no | -| [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` |
[
"arn:aws:organizations::*:ou/o-*/ou-*"
]
| no | +| [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | `[]` | no | | [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no | | [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes | | [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no | @@ -55,4 +56,4 @@ No modules. |------|-------------| | [management\_account\_role\_arn](#output\_management\_account\_role\_arn) | Amazon Resource Name (ARN) of Management Account Role | | [meshstack\_access\_role\_name](#output\_meshstack\_access\_role\_name) | The name for the Account Access Role that will be rolled out to all managed accounts. | - \ No newline at end of file + diff --git a/modules/meshcloud-replicator/replicator-management-account-access/data.tf b/modules/meshcloud-replicator/replicator-management-account-access/data.tf index f7c0bc7..f834c6f 100644 --- a/modules/meshcloud-replicator/replicator-management-account-access/data.tf +++ b/modules/meshcloud-replicator/replicator-management-account-access/data.tf 
@@ -50,7 +50,7 @@ data "aws_iam_policy_document" "meshfed_service" {
 [
 # The actions organizations:TagResource and organizations:UntagResource act on accounts.
 # The actions can not be restricted to a subtree of the OU hierarchy. This is a limitation in the permission model of AWS Organization Service.
- # To supprt tagging for this meshPlatform we need to allow both actions on all accounts.
+ # To support tagging for this meshPlatform we need to allow both actions on all accounts.
 "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
 # New accounts need to be moved from root to the target OU.
 "arn:${data.aws_partition.current.partition}:organizations::${local.account_id}:root/o-*/r-*"
@@ -58,6 +58,23 @@ data "aws_iam_policy_document" "meshfed_service" {
 var.landing_zone_ou_arns)
 }
 
+ statement {
+ sid = "OrgManagementAccessCloseAccount"
+ effect = "Allow"
+ actions = [
+ "organizations:CloseAccount"
+ ]
+ resources = [
+ // allow acting on any account owned by this org
+ "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
+ ]
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "aws:ResourceOrgPaths"
+ values = var.can_close_accounts_in_resource_org_paths
+ }
+ }
+
 statement {
 sid = "OrgManagementAccessNoResourceLevelRestrictions"
 effect = "Allow"
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
index 17d3e53..6ff4f7e 100644
--- a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
+++ b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
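Review bot: The new CloseAccount statement's condition reads `var.can_close_accounts_in_resource_org_paths`, but the variables.tf hunk in this same commit declares `enable_close_accounts` (a `bool`) instead, and nothing in either hunk consumes that bool; unless the list variable is declared in a part of variables.tf outside the hunk, `terraform validate` fails on the undeclared variable, and the README row (`list(string)`, default `[]`) and the bool's description ("can currently not be further restricted") contradict each other. Separately, the statement is emitted unconditionally, so with the documented default `[]` the `organizations:CloseAccount` grant is rendered with an empty `values` list; whether the provider rejects that or how AWS evaluates an empty `ForAnyValue` set is not settled by the hunk, so it is safer to only emit the statement when at least one org path is configured, keeping the destructive permission out of the policy until an operator opts in. `aws:ResourceOrgPaths` is the right scoping key for this; a short comment above `values` noting that entries are full org paths (org/root/OU ids) and need a trailing `*` to cover nested OUs would save operators a round trip. The enclosing `data "aws_iam_policy_document" "meshfed_service"` block starts and ends outside the hunk.
```hcl
  # … unchanged: preceding statements of data.aws_iam_policy_document.meshfed_service …
  dynamic "statement" {
    # Only grant CloseAccount when an operator has configured at least one org path.
    for_each = length(var.can_close_accounts_in_resource_org_paths) > 0 ? [1] : []
    content {
      sid    = "OrgManagementAccessCloseAccount"
      effect = "Allow"
      actions = [
        "organizations:CloseAccount"
      ]
      resources = [
        // allow acting on any account owned by this org
        "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
      ]
      condition {
        test     = "ForAnyValue:StringLike"
        variable = "aws:ResourceOrgPaths"
        # full org paths (o-*/r-*/ou-*/...); end an entry with "*" to include nested OUs
        values   = var.can_close_accounts_in_resource_org_paths
      }
    }
  }
  # … unchanged: OrgManagementAccessNoResourceLevelRestrictions statement …
```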
@@ -52,9 +52,13 @@ variable "support_root_account_via_aws_sso" {
 variable "landing_zone_ou_arns" {
 type = list(string)
 description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
- default = [
- "arn:aws:organizations::*:ou/o-*/ou-*"
- ]
+ default = []
+}
+
+variable "enable_close_accounts" {
+ type = bool
+ description = "Set to true to allow meshStack to close accounts in your organization. This permission can currently not be further restricted."
+ default = false
 }
 
 variable "allow_federated_role" {
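Review bot: Changing the default of `landing_zone_ou_arns` from the wildcard OU ARN to `[]` is a breaking change for consumers that relied on the default, and the description does not say so: the data.tf hunk in this commit concatenates `var.landing_zone_ou_arns` into a statement's resources, so after upgrading without setting the variable that statement presumably covers no OUs and replication into Landing Zone OUs stops. Suggest extending the description: `"Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. An empty list grants no OU-scoped permissions; set this explicitly when upgrading from a version whose default was a wildcard."` and calling the change out in the module changelog. The mismatch between the `enable_close_accounts` declaration here and the variable data.tf actually reads is raised on the data.tf hunk.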