diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e3a7fa..a4ae3cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -93,3 +93,8 @@
 * 1.7.1 -- 2026-03-26
 - updated policies/sc-developer
 - add kms:UpdateKeyDescription
+
+* 1.8.0 -- 2026-05-27
+ - group-assignment
+ - add validation that the provided account_names actuall exist within the organization
+
diff --git a/common/version.tf b/common/version.tf
index 97aa706..c36b41b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.7.1"
+ _module_version = "1.8.0"
 }
diff --git a/group-assignment/README.md b/group-assignment/README.md
index 0685ed0..dbfdd99 100644
--- a/group-assignment/README.md
+++ b/group-assignment/README.md
@@ -12,6 +12,7 @@
 |------|---------|
 | [aws](#provider\_aws) | >= 5.0 |
 | [ldap](#provider\_ldap) | >= 0.5.4 |
+| [terraform](#provider\_terraform) | n/a |
 ## Modules
@@ -27,6 +28,7 @@ No modules.
 | [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
 | [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
 | [ldap_object_attributes.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
+| [terraform_data.check_account_names](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
diff --git a/group-assignment/accounts.tf b/group-assignment/accounts.tf
index a0de8c1..41fa443 100644
--- a/group-assignment/accounts.tf
+++ b/group-assignment/accounts.tf
@@ -9,14 +9,14 @@ locals {
 active_accounts_map = { for account in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts : account.name => account if account.status == "ACTIVE" }
 active_accounts = { for k, v in local.active_accounts_map : k => v.id }
- _id_1 = !local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
- _id_2 = !local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
+ _id_1 = ! local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
+ _id_2 = ! local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
 organizational_unit_hierarchy = length(var.organizational_unit_hierarchy) > 0 ? { for k, v in var.organizational_unit_hierarchy : k => v.self_id } : {}
 # _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k, v in local.organizational_unit_names : lookup(local.organizational_unit_hierarchy, k, null)] : []
- _ou_1 = !local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
- _ou_2 = !local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
+ _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
+ _ou_2 = ! local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
 # organizational_units = distinct(compact(concat(local._ou_1, local._ou_2)))
 organizational_units = merge(local._ou_1, local._ou_2)
@@ -32,3 +32,17 @@ data "aws_organizations_organizational_unit_descendant_accounts" "ou" {
 for_each = { for k, v in local.organizational_units : k => v if v != null }
 parent_id = each.value
 }
+
+# map is name=>id
+resource "terraform_data" "check_account_names" {
+ for_each = toset(local.org_account_names)
+ input = each.key
+
+ lifecycle {
+ precondition {
+ condition = contains(keys(local.active_accounts), each.key)
+ error_message = "Provided account_name must exist within the organization."
+ }
+ }
+}
+
diff --git a/group-assignment/outputs.tf b/group-assignment/outputs.tf
index e0cb291..3cb0848 100644
--- a/group-assignment/outputs.tf
+++ b/group-assignment/outputs.tf
@@ -20,6 +20,6 @@ output "users" {
 value = {
 users = local.users
 valid_ldap_users = { for k, v in local.ldap_user_attributes : k => v.mail if can(v.mail) }
- invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if !can(v.mail)]
+ invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if ! can(v.mail)]
 }
 }
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
index 2ce676a..cea9c08 100644
--- a/group-assignment/users.tf
+++ b/group-assignment/users.tf
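Review bot: The new precondition on `terraform_data.check_account_names` closes the silent `null` that `lookup(local.active_accounts, k, null)` produces in `_id_1`, but `_id_2` in the first hunk still drops any `org_account_ids` entry that fails `contains(values(local.active_accounts), k)` without an error, so a mistyped or non-ACTIVE account id quietly results in no group assignment for that account. A parallel check like the one below would make ids fail as loudly as names do now. The message is also narrower than it says: `local.active_accounts` is built only from accounts with `status == "ACTIVE"`, so a suspended account that does exist in the organization trips it; `error_message = "Account name ${each.key} is not an ACTIVE account in the organization."` would state that and name the offending key (a templated `error_message` needs a Terraform version that supports it, and the module's version pin is not visible here). `local.org_account_names` and `local.org_account_ids` are defined outside this hunk, so I cannot see whether they are already normalised against `org_all`.
```terraform
# … unchanged: terraform_data.check_account_names …

# ids are the values of the name=>id map
resource "terraform_data" "check_account_ids" {
  for_each = toset(local.org_account_ids)
  input    = each.key

  lifecycle {
    precondition {
      condition     = contains(values(local.active_accounts), each.key)
      error_message = "Account id ${each.key} is not an ACTIVE account in the organization."
    }
  }
}
```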
@@ -32,7 +32,7 @@ data "aws_identitystore_user" "users" {
 locals {
 ldap_groups_base_dn = "o=U.S. Census Bureau,c=US"
- ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if !startswith(m, "p-") && (m != "[DynamicDN]")]]))
+ ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if ! startswith(m, "p-") && (m != "[DynamicDN]")]]))
 }
 data "ldap_object" "ldap_groups" {