From ce0457dfab07317df99404def14d679d0240e788 Mon Sep 17 00:00:00 2001 From: Johannes Rudolph Date: Mon, 22 Apr 2024 21:36:23 +0200 Subject: [PATCH] feat: add permissions to close accounts in explicitly defined OUs this change will support the upcoming automated tenant deletion feature of meshStack --- .../replicator-management-account-access/README.md | 7 ++++--- .../replicator-management-account-access/data.tf | 9 +++++++++ .../replicator-management-account-access/variables.tf | 10 +++++++--- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/modules/meshcloud-replicator/replicator-management-account-access/README.md b/modules/meshcloud-replicator/replicator-management-account-access/README.md index 49089e2..805e9c2 100644 --- a/modules/meshcloud-replicator/replicator-management-account-access/README.md +++ b/modules/meshcloud-replicator/replicator-management-account-access/README.md @@ -9,7 +9,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.7.0 | +| [aws](#provider\_aws) | 4.21.0 | ## Modules 
@@ -39,9 +39,10 @@ No modules. |------|-------------|------|---------|:--------:| | [allow\_federated\_role](#input\_allow\_federated\_role) | n/a | `bool` | `false` | no | | [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes | +| [can\_close\_accounts\_in\_landing\_zone\_ou\_arns](#input\_can\_close\_accounts\_in\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no | | [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no | | [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no | -| [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` |
[
"arn:aws:organizations::*:ou/o-*/ou-*"
]
| no |
+| [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | `[]` | no |
 | [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
 | [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes |
 | [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no |
@@ -55,4 +56,4 @@ No modules.
 |------|-------------|
 | [management\_account\_role\_arn](#output\_management\_account\_role\_arn) | Amazon Resource Name (ARN) of Management Account Role |
 | [meshstack\_access\_role\_name](#output\_meshstack\_access\_role\_name) | The name for the Account Access Role that will be rolled out to all managed accounts. |
-
\ No newline at end of file
+
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/data.tf b/modules/meshcloud-replicator/replicator-management-account-access/data.tf
index f7c0bc7..967fc69 100644
--- a/modules/meshcloud-replicator/replicator-management-account-access/data.tf
+++ b/modules/meshcloud-replicator/replicator-management-account-access/data.tf
@@ -58,6 +58,15 @@ data "aws_iam_policy_document" "meshfed_service" {
 var.landing_zone_ou_arns)
 }
 
+ statement {
+ sid = "OrgManagementAccessCloseAccount"
+ effect = "Allow"
+ actions = [
+ "organizations:CloseAccount"
+ ]
+ resources = var.can_close_accounts_in_landing_zone_ou_arns
+ }
+
 statement {
 sid = "OrgManagementAccessNoResourceLevelRestrictions"
 effect = "Allow"
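Review bot: The new `OrgManagementAccessCloseAccount` statement puts OU ARNs into `resources`, but `organizations:CloseAccount` is evaluated against the account resource (`arn:aws:organizations::<mgmt-account-id>:account/o-<org-id>/<account-id>`, which carries no OU segment), so an OU ARN is unlikely to match and the grant would either do nothing or, if an operator widens it to `account/o-*/*` to make it work, not be restricted to the listed OUs at all; please confirm against the Organizations IAM action/resource reference and state the expected ARN form in the variable description. Separately, with the `[]` default the statement is rendered with an empty resource list, and if the pinned provider then omits the `Resource` element IAM rejects the identity policy as malformed, breaking every existing deployment that never sets the new variable — guarding the statement with a `dynamic` block so it is only emitted when the list is non-empty avoids that. The enclosing `data "aws_iam_policy_document" "meshfed_service"` starts and ends outside the hunk.
```hcl
  # … unchanged: preceding statements …
  dynamic "statement" {
    # Emit the CloseAccount grant only when at least one scope is configured,
    # so the default [] does not produce a statement without resources.
    for_each = length(var.can_close_accounts_in_landing_zone_ou_arns) > 0 ? [1] : []
    content {
      sid    = "OrgManagementAccessCloseAccount"
      effect = "Allow"
      actions = [
        "organizations:CloseAccount"
      ]
      resources = var.can_close_accounts_in_landing_zone_ou_arns
    }
  }
  # … unchanged: OrgManagementAccessNoResourceLevelRestrictions statement …
```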
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
index 17d3e53..66dd803 100644
--- a/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
+++ b/modules/meshcloud-replicator/replicator-management-account-access/variables.tf
@@ -52,9 +52,13 @@ variable "support_root_account_via_aws_sso" {
 variable "landing_zone_ou_arns" {
 type = list(string)
 description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
- default = [
- "arn:aws:organizations::*:ou/o-*/ou-*"
- ]
+ default = []
+}
+
+variable "can_close_accounts_in_landing_zone_ou_arns" {
+ type = list(string)
+ description = "Organizational Unit ARNs that are used in Landing Zones and where meshStack is allowed to close accounts."
+ default = []
 }
 
 variable "allow_federated_role" {
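Review bot: The new `can_close_accounts_in_landing_zone_ou_arns` variable has no `validation` block and its description does not say what the `[]` default means for the generated policy, while the same hunk silently replaces the wildcard default of `landing_zone_ou_arns` with `[]` — a deployment that never set that variable loses the permissions scoped to it on its next apply, which the commit message does not call out and deserves a sentence in the description. Suggested description for the new variable: `"Organizational Unit ARNs that are used in Landing Zones and where meshStack is allowed to close accounts. Empty (the default) grants no organizations:CloseAccount permission."`. A `validation` block asserting that every entry starts with `arn:` would reject mistyped scopes before they reach the policy document; whether an OU ARN is the right scope for CloseAccount at all is raised on the data.tf hunk.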