* 1.8.0 -- 2026-05-27

- group-assignment - add validation that the provided account_names actuall exist within the organization
terraform-modules · May 27, 2026 · 1c716bf · 1c716bf
1 parent 1c2cec3
commit 1c716bf
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -93,3 +93,8 @@
 * 1.7.1 -- 2026-03-26
    - updated policies/sc-developer
      - add kms:UpdateKeyDescription
+
+* 1.8.0 -- 2026-05-27
+  - group-assignment
+    - add validation that the provided account_names actuall exist within the organization
+
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.7.1"
+  _module_version = "1.8.0"
 }
diff --git a/group-assignment/README.md b/group-assignment/README.md
@@ -12,6 +12,7 @@
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
 | <a name="provider_ldap"></a> [ldap](#provider\_ldap) | >= 0.5.4 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
 
@@ -27,6 +28,7 @@ No modules.
 | [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
 | [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
 | [ldap_object_attributes.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
+| [terraform_data.check_account_names](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |

diff --git a/group-assignment/accounts.tf b/group-assignment/accounts.tf
@@ -9,14 +9,14 @@ locals {
   active_accounts_map = { for account in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts : account.name => account if account.status == "ACTIVE" }
   active_accounts     = { for k, v in local.active_accounts_map : k => v.id }
 
-  _id_1 = !local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
-  _id_2 = !local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
+  _id_1 = ! local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
+  _id_2 = ! local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
 
   organizational_unit_hierarchy = length(var.organizational_unit_hierarchy) > 0 ? { for k, v in var.organizational_unit_hierarchy : k => v.self_id } : {}
 
   #  _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k, v in local.organizational_unit_names : lookup(local.organizational_unit_hierarchy, k, null)] : []
-  _ou_1 = !local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
-  _ou_2 = !local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
+  _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
+  _ou_2 = ! local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
 
   #  organizational_units = distinct(compact(concat(local._ou_1, local._ou_2)))
   organizational_units = merge(local._ou_1, local._ou_2)
@@ -32,3 +32,17 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou" {
   for_each  = { for k, v in local.organizational_units : k => v if v != null }
   parent_id = each.value
 }
+
+# map is name=>id
+resource "terraform_data" "check_account_names" {
+  for_each = toset(local.org_account_names)
+  input    = each.key
+
+  lifecycle {
+    precondition {
+      condition     = contains(keys(local.active_accounts), each.key)
+      error_message = "Provided account_name must exist within the organization."
+    }
+  }
+}
+
diff --git a/group-assignment/outputs.tf b/group-assignment/outputs.tf
@@ -20,6 +20,6 @@ output "users" {
   value = {
     users              = local.users
     valid_ldap_users   = { for k, v in local.ldap_user_attributes : k => v.mail if can(v.mail) }
-    invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if !can(v.mail)]
+    invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if ! can(v.mail)]
   }
 }
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
@@ -32,7 +32,7 @@ data "aws_identitystore_user" "users" {
 
 locals {
   ldap_groups_base_dn = "o=U.S. Census Bureau,c=US"
-  ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if !startswith(m, "p-") && (m != "[DynamicDN]")]]))
+  ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if ! startswith(m, "p-") && (m != "[DynamicDN]")]]))
 }
 
 data "ldap_object" "ldap_groups" {