## Provision any service control policies
## One SERVICE_CONTROL_POLICY per entry in var.service_control_policies, keyed by the
## policy name; the JSON body and description are taken from the entry as-is.
resource "aws_organizations_policy" "service_control_policy" {
  for_each = var.service_control_policies

  type        = "SERVICE_CONTROL_POLICY"
  name        = each.key
  description = each.value.description
  content     = each.value.content
  tags        = var.tags
}
## Attach any service control policies to the organizational root
## The literal key "root" is the sentinel that selects the organization root as the target;
## every other key is handled by the organizational-unit attachment below.
resource "aws_organizations_policy_attachment" "service_control_policy_attachment_root" {
  for_each = { for name, policy in var.service_control_policies : name => policy if policy.key == "root" }

  target_id = local.root_ou
  policy_id = aws_organizations_policy.service_control_policy[each.key].id
}
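## Attach any service control policies to an organizational unit (any key other than "root")
## The target is resolved in order: an explicit target_id on the policy entry, then the id of
## the unit registered under that key in local.all_ou_attributes (presumably the units this
## module manages), then the entry in local.current_units (presumably pre-existing units).
## coalesce() fails the plan if none of these resolve, so a policy is never silently left
## unattached; note coalesce skips empty strings as well as null.
resource "aws_organizations_policy_attachment" "service_control_policy_attachment" {
  for_each = { for k, v in var.service_control_policies : k => v if v.key != "root" }

  policy_id = aws_organizations_policy.service_control_policy[each.key].id
  target_id = coalesce(
    try(each.value.target_id, null),
    try(local.all_ou_attributes[each.value.key].id, null),
    try(local.current_units[each.value.key], null),
  )

  ## Explicit ordering on every level of the managed OU tree, matching the tagging and backup
  ## attachments, so the attachment is only attempted once the target unit can exist.
  depends_on = [
    aws_organizations_organizational_unit.level_1_ous,
    aws_organizations_organizational_unit.level_2_ous,
    aws_organizations_organizational_unit.level_3_ous,
    aws_organizations_organizational_unit.level_4_ous,
    aws_organizations_organizational_unit.level_5_ous
  ]
}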
#
## Provision any tagging policies
#
## One TAG_POLICY per entry in var.tagging_policies, keyed by the policy name; the JSON
## body and description are taken from the entry as-is.
resource "aws_organizations_policy" "tagging_policy" {
  for_each = var.tagging_policies

  type        = "TAG_POLICY"
  name        = each.key
  description = each.value.description
  content     = each.value.content
  tags        = var.tags
}
## Attach any tagging policies to the organizational root
## Only entries whose key is the literal "root" land here; all other keys are attached to an
## organizational unit by the resource below.
resource "aws_organizations_policy_attachment" "tagging_policy_attachment_root" {
  for_each = { for name, policy in var.tagging_policies : name => policy if policy.key == "root" }

  target_id = local.root_ou
  policy_id = aws_organizations_policy.tagging_policy[each.key].id
}
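## Attach any tagging policies to an organizational unit (any key other than "root")
## Resolution order now matches the service control policy attachment: an explicit target_id
## on the entry, then the unit registered under that key in local.all_ou_attributes, then the
## entry in local.current_units (presumably pre-existing units). Wrapping target_id in try()
## means an entry without that attribute no longer fails at plan time; coalesce() still fails
## the plan if no target resolves, so a policy is never silently left unattached.
resource "aws_organizations_policy_attachment" "tagging_policy_attachment" {
  for_each = { for k, v in var.tagging_policies : k => v if v.key != "root" }

  policy_id = aws_organizations_policy.tagging_policy[each.key].id
  target_id = coalesce(
    try(each.value.target_id, null),
    try(local.all_ou_attributes[each.value.key].id, null),
    try(local.current_units[each.value.key], null),
  )

  ## Wait for every level of the managed OU tree before attaching.
  depends_on = [
    aws_organizations_organizational_unit.level_1_ous,
    aws_organizations_organizational_unit.level_2_ous,
    aws_organizations_organizational_unit.level_3_ous,
    aws_organizations_organizational_unit.level_4_ous,
    aws_organizations_organizational_unit.level_5_ous
  ]
}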
#
## Provision any backup policies
#
## Unlike the SCP and tagging inputs, var.backup_policies is a list of objects; it is
## re-keyed by each object's name so the policies can be addressed with for_each.
resource "aws_organizations_policy" "backup_policy" {
  for_each = { for policy in var.backup_policies : policy.name => policy }

  type        = "BACKUP_POLICY"
  name        = each.key
  description = each.value.description
  content     = each.value.content
  tags        = var.tags
}
## Attach any backup policies to the organizational root
## Entries keyed with the literal "root" target the organization root; every other key is
## attached to an organizational unit by the resource below.
resource "aws_organizations_policy_attachment" "backup_policy_attachment_root" {
  for_each = { for policy in var.backup_policies : policy.name => policy if policy.key == "root" }

  target_id = local.root_ou
  policy_id = aws_organizations_policy.backup_policy[each.key].id
}
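## Attach any backup policies to an organizational unit (any key other than "root")
## Resolution order now matches the service control policy attachment: an explicit target_id
## on the entry, then the unit registered under that key in local.all_ou_attributes, then the
## entry in local.current_units (presumably pre-existing units). Wrapping target_id in try()
## means an entry without that attribute no longer fails at plan time; coalesce() still fails
## the plan if no target resolves, so a policy is never silently left unattached.
resource "aws_organizations_policy_attachment" "backup_policy_attachment" {
  for_each = { for x in var.backup_policies : x.name => x if x.key != "root" }

  policy_id = aws_organizations_policy.backup_policy[each.key].id
  target_id = coalesce(
    try(each.value.target_id, null),
    try(local.all_ou_attributes[each.value.key].id, null),
    try(local.current_units[each.value.key], null),
  )

  ## Wait for every level of the managed OU tree before attaching.
  depends_on = [
    aws_organizations_organizational_unit.level_1_ous,
    aws_organizations_organizational_unit.level_2_ous,
    aws_organizations_organizational_unit.level_3_ous,
    aws_organizations_organizational_unit.level_4_ous,
    aws_organizations_organizational_unit.level_5_ous
  ]
}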