fix/partial: destroy Sandbox OU #213

Merged
merged 2 commits into from
Nov 17, 2023

Conversation

gcharest
Contributor

Summary | Résumé

Destroy the Sandbox OU before creating a new one.

@gcharest gcharest self-assigned this Nov 17, 2023

Plan for org_account/organization

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 0 to change, 15 to destroy
CHANGE  NAME
delete  aws_organizations_organizational_unit.Sandbox
delete  aws_organizations_policy_attachment.Sandbox-cds_snc_universal_guardrails
delete  module.DISALLOW_CFN_EXTENSIONS.aws_controltower_control.this["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"]
delete  module.REQUIRE_CLOUDTRAIL_LOG_FILE_VALIDATION.aws_controltower_control.this["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"]
delete  module.Sandbox_SRC.aws_controltower_control.AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
delete  module.Sandbox_SRC.aws_controltower_control.DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
delete  module.Sandbox_SRC.aws_controltower_control.ENCRYPTED_VOLUMES
delete  module.Sandbox_SRC.aws_controltower_control.RDS_INSTANCE_PUBLIC_ACCESS_CHECK
delete  module.Sandbox_SRC.aws_controltower_control.RDS_SNAPSHOTS_PUBLIC_PROHIBITED
delete  module.Sandbox_SRC.aws_controltower_control.RDS_STORAGE_ENCRYPTED
delete  module.Sandbox_SRC.aws_controltower_control.RESTRICTED_COMMON_PORTS
delete  module.Sandbox_SRC.aws_controltower_control.RESTRICTED_SSH
delete  module.Sandbox_SRC.aws_controltower_control.ROOT_ACCOUNT_MFA_ENABLED
delete  module.Sandbox_SRC.aws_controltower_control.S3_BUCKET_PUBLIC_READ_PROHIBITED
delete  module.Sandbox_SRC.aws_controltower_control.S3_BUCKET_PUBLIC_WRITE_PROHIBITED
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_organizations_organizational_unit.Sandbox will be destroyed
  # (because aws_organizations_organizational_unit.Sandbox is not in configuration)
  - resource "aws_organizations_organizational_unit" "Sandbox" {
      - accounts  = [] -> null
      - arn       = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null
      - id        = "ou-5gsq-qhvjdryl" -> null
      - name      = "Sandbox" -> null
      - parent_id = "r-5gsq" -> null
      - tags      = {} -> null
      - tags_all  = {} -> null
    }

  # aws_organizations_policy_attachment.Sandbox-cds_snc_universal_guardrails will be destroyed
  # (because aws_organizations_policy_attachment.Sandbox-cds_snc_universal_guardrails is not in configuration)
  - resource "aws_organizations_policy_attachment" "Sandbox-cds_snc_universal_guardrails" {
      - id        = "ou-5gsq-qhvjdryl:p-uiyy34bp" -> null
      - policy_id = "p-uiyy34bp" -> null
      - target_id = "ou-5gsq-qhvjdryl" -> null
    }

  # module.DISALLOW_CFN_EXTENSIONS.aws_controltower_control.this["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"] will be destroyed
  # (because key ["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"] is not in for_each map)
  - resource "aws_controltower_control" "this" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/OMCTIJOASMIZ" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/OMCTIJOASMIZ" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null
    }

  # module.REQUIRE_CLOUDTRAIL_LOG_FILE_VALIDATION.aws_controltower_control.this["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"] will be destroyed
  # (because key ["arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"] is not in for_each map)
  - resource "aws_controltower_control" "this" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/KAEEWMVGTQBG" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/KAEEWMVGTQBG" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null
    }

  # module.Sandbox_SRC.aws_controltower_control.AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS will be destroyed
  # (because aws_controltower_control.AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS is not in configuration)
  - resource "aws_controltower_control" "AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null
    }

  # module.Sandbox_SRC.aws_controltower_control.DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS will be destroyed
  # (because aws_controltower_control.DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS is not in configuration)
  - resource "aws_controltower_control" "DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.ENCRYPTED_VOLUMES will be destroyed
  # (because aws_controltower_control.ENCRYPTED_VOLUMES is not in configuration)
  - resource "aws_controltower_control" "ENCRYPTED_VOLUMES" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_ENCRYPTED_VOLUMES" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_ENCRYPTED_VOLUMES" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.RDS_INSTANCE_PUBLIC_ACCESS_CHECK will be destroyed
  # (because aws_controltower_control.RDS_INSTANCE_PUBLIC_ACCESS_CHECK is not in configuration)
  - resource "aws_controltower_control" "RDS_INSTANCE_PUBLIC_ACCESS_CHECK" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.RDS_SNAPSHOTS_PUBLIC_PROHIBITED will be destroyed
  # (because aws_controltower_control.RDS_SNAPSHOTS_PUBLIC_PROHIBITED is not in configuration)
  - resource "aws_controltower_control" "RDS_SNAPSHOTS_PUBLIC_PROHIBITED" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.RDS_STORAGE_ENCRYPTED will be destroyed
  # (because aws_controltower_control.RDS_STORAGE_ENCRYPTED is not in configuration)
  - resource "aws_controltower_control" "RDS_STORAGE_ENCRYPTED" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null
    }

  # module.Sandbox_SRC.aws_controltower_control.RESTRICTED_COMMON_PORTS will be destroyed
  # (because aws_controltower_control.RESTRICTED_COMMON_PORTS is not in configuration)
  - resource "aws_controltower_control" "RESTRICTED_COMMON_PORTS" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICTED_COMMON_PORTS" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICTED_COMMON_PORTS" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.RESTRICTED_SSH will be destroyed
  # (because aws_controltower_control.RESTRICTED_SSH is not in configuration)
  - resource "aws_controltower_control" "RESTRICTED_SSH" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICTED_SSH" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_RESTRICTED_SSH" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.ROOT_ACCOUNT_MFA_ENABLED will be destroyed
  # (because aws_controltower_control.ROOT_ACCOUNT_MFA_ENABLED is not in configuration)
  - resource "aws_controltower_control" "ROOT_ACCOUNT_MFA_ENABLED" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.S3_BUCKET_PUBLIC_READ_PROHIBITED will be destroyed
  # (because aws_controltower_control.S3_BUCKET_PUBLIC_READ_PROHIBITED is not in configuration)
  - resource "aws_controltower_control" "S3_BUCKET_PUBLIC_READ_PROHIBITED" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

  # module.Sandbox_SRC.aws_controltower_control.S3_BUCKET_PUBLIC_WRITE_PROHIBITED will be destroyed
  # (because aws_controltower_control.S3_BUCKET_PUBLIC_WRITE_PROHIBITED is not in configuration)
  - resource "aws_controltower_control" "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" {
      - control_identifier = "arn:aws:controltower:ca-central-1::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED" -> null
      - id                 = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl,arn:aws:controltower:ca-central-1::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED" -> null
      - target_identifier  = "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl" -> null

      - timeouts {}
    }

Plan: 0 to add, 0 to change, 15 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.AFT"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.DumpsterFire"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.Production"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.SRETools"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.SandboxMigration"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.Security"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.Staging"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_organizational_unit.Test"]
WARN - plan.json - main - Missing Common Tags: ["aws_organizations_policy.cds_snc_universal_guardrails"]

28 tests, 19 passed, 9 warnings, 0 failures, 0 exceptions
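The Conftest run above only warns about missing tags, while the plan detaches the universal-guardrails SCP and thirteen Control Tower controls from the Sandbox OU. As an added example (not part of this repository or its Conftest policies), the script below reads the JSON form of a plan (`terraform show -json plan.tfplan`) and flags any outright deletion of a guardrail resource, so a reviewer sees the control loss explicitly; the embedded sample plan is constructed to mirror the shape of this PR's plan and is not the real plan.json.

```python
import json
import sys

# Resource types whose removal weakens the preventive/detective guardrails on an OU.
GUARDRAIL_TYPES = {
    "aws_controltower_control",
    "aws_organizations_policy_attachment",
    "aws_organizations_policy",
}


def guardrail_removals(plan):
    """Return (address, target) for each guardrail resource the plan deletes outright.
    `plan` is the dict produced by `terraform show -json`; a replace
    (["delete", "create"]) is not counted, only a pure ["delete"]."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"] and rc.get("type") in GUARDRAIL_TYPES:
            before = change.get("before") or {}
            target = before.get("target_identifier") or before.get("target_id") or "?"
            hits.append((rc["address"], target))
    return hits


def check(plan):
    """True when the plan removes no guardrails; otherwise print each hit and return False."""
    hits = guardrail_removals(plan)
    for address, target in hits:
        print(f"WARN - guardrail removed: {address} (target {target})")
    return not hits


# Constructed sample plan in the same shape as the PR's plan (identifiers taken from the PR).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_organizations_organizational_unit.Sandbox",
         "type": "aws_organizations_organizational_unit",
         "change": {"actions": ["delete"], "before": {"id": "ou-5gsq-qhvjdryl"}, "after": None}},
        {"address": "aws_organizations_policy_attachment.Sandbox-cds_snc_universal_guardrails",
         "type": "aws_organizations_policy_attachment",
         "change": {"actions": ["delete"], "before": {"target_id": "ou-5gsq-qhvjdryl"}, "after": None}},
        {"address": "module.Sandbox_SRC.aws_controltower_control.RESTRICTED_SSH",
         "type": "aws_controltower_control",
         "change": {"actions": ["delete"],
                    "before": {"target_identifier": "arn:aws:organizations::659087519042:ou/o-625no8z3dd/ou-5gsq-qhvjdryl"},
                    "after": None}},
        {"address": "aws_organizations_organizational_unit.Staging",
         "type": "aws_organizations_organizational_unit",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
}

if __name__ == "__main__":
    # Pass a plan.json path to check a real plan; with no argument the constructed sample is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(0 if check(plan) else 1)
```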

@gcharest gcharest merged commit b029a52 into main Nov 17, 2023
13 checks passed
@gcharest gcharest deleted the fix/destroy_sandbox_ou branch November 17, 2023 19:24