Multiple OUs with same names support

[kuznetsov17]

Hi there,

I have a trouble in using the provider.

Terraform Version

Terraform v1.1.7
on linux_amd64

Affected Resource(s)

controltower_aws_account

Expected Behavior

We are running the provider in multi-account organization with complex OU structure. As a fact, we have the OIUs with same names on different levels. e.g:
root / Branch-Berlin / Production and root / Branch-Tel-Aviv / Production

In this configuration, I have to provide to Service Catalog the OU parameter in form of: "OU_NAME (ou_Id)":

resource "controltower_aws_account" "controltower_accounts" {
  name                              = "AccountName"
  email                              = "[email protected]"
  organizational_unit       = "Base OU (ou-8hjd-rhwenkci)"

  sso {
    first_name                      = "FirstName"
    last_name                       = "LastName"
    email                                = "[email protected]"
  }

  tags = {
  }
}

The expected behavior:
Resource created, next time I run terraform apply it is unchanged.

Actual Behavior

Once I run terraform apply, the terraform intends to update the created object:

# module.servicecatalog_provision_account.controltower_aws_account.controltower_account will be updated in-place
  ~ resource "controltower_aws_account" "controltower_account" {
        id                               = "pp-xdyibhigckmd2"
        name                             = "Networking"
      ~ organizational_unit              = "Base OU" -> "Base OU (ou-8hjd-rhwenkci)"
        tags                             = {
            "is_hub"             = "true"
            "is_isolated"        = "false"
            "is_shared_services" = "false"
            "ou_id"              = "ou-8hjd-rhwenkci"
            "subnets_bits"       = "4"
            "vpc_cidr"           = "10.65.28.0/22"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

[nijdarshan]

Hi @kuznetsov17

The issue still persists, I did a workaround using ignore_changes. But I'm happy to know about your solution if you found any.

[kuznetsov17]

Hi @kuznetsov17

The issue still persists, I did a workaround using ignore_changes. But I'm happy to know about your solution if you found any.

Hi, I forked the provider and fixed it by myself:
https://registry.terraform.io/providers/CLDZE/controltower/latest

[alexanderphoenix]

Hi, is there a solution to this?
I'm keen to be able to target OUs more specifically than just by their name.
Thank you!

[TravRan]

I'm also interested in this enhancement. @nijdarshan the workaround you presented is ok if you don't plan on using this module for migrating the account to new OU's after the account is created.

[mKeRix]

@kuznetsov17 would you be up for contributing your changes back in the form of a pull request?

[mbevc1]

Based on the API doc, this probably needs to use OU ID instead of the name, as this is also not unique.

https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganizationalUnit.html

[nijdarshan]

I'm also interested in this enhancement. @nijdarshan the workaround you presented is ok if you don't plan on using this module for migrating the account to new OU's after the account is created.

I got away from using this provider and resource for account factory but started using the service catalogue instead. I would suggest everyone to use the same at least for prod.

There also is a an official AFT module by terraform as well.

[mbevc1]

Note, this provider is using AWS Catalog under the hood and it's trying to abstract some of the complexity. AFT might be a total different beast and bring more complexity to the table, but could be a good fit for large Orgs. I quite like this provider and it's easy to use approach.