feat: add permissions to close accounts in explicitly defined OUs

this change will support the upcoming automated tenant deletion
feature of meshStack

Author: JohannesRudolph

Diff for: modules/meshcloud-replicator/replicator-management-account-access/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.7.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
 
 ## Modules
 
@@ -39,9 +39,10 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allow_federated_role"></a> [allow\_federated\_role](#input\_allow\_federated\_role) | n/a | `bool` | `false` | no |
 | <a name="input_aws_sso_instance_arn"></a> [aws\_sso\_instance\_arn](#input\_aws\_sso\_instance\_arn) | ARN of the AWS SSO instance to use | `string` | n/a | yes |
+| <a name="input_can_close_accounts_in_resource_org_paths"></a> [can\_close\_accounts\_in\_resource\_org\_paths](#input\_can\_close\_accounts\_in\_resource\_org\_paths) | AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts. | `list(string)` | `[]` | no |
 | <a name="input_control_tower_enrollment_enabled"></a> [control\_tower\_enrollment\_enabled](#input\_control\_tower\_enrollment\_enabled) | Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform | `bool` | `false` | no |
 | <a name="input_control_tower_portfolio_id"></a> [control\_tower\_portfolio\_id](#input\_control\_tower\_portfolio\_id) | Must be set for AWS Control Tower | `string` | `""` | no |
-| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | <pre>[<br>  "arn:aws:organizations::*:ou/o-*/ou-*"<br>]</pre> | no |
+| <a name="input_landing_zone_ou_arns"></a> [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` | `[]` | no |
 | <a name="input_management_account_service_role_name"></a> [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
 | <a name="input_meshcloud_account_id"></a> [meshcloud\_account\_id](#input\_meshcloud\_account\_id) | The ID of the meshcloud AWS Account | `string` | n/a | yes |
 | <a name="input_meshcloud_account_service_user_name"></a> [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no |
@@ -55,4 +56,4 @@ No modules.
 |------|-------------|
 | <a name="output_management_account_role_arn"></a> [management\_account\_role\_arn](#output\_management\_account\_role\_arn) | Amazon Resource Name (ARN) of Management Account Role |
 | <a name="output_meshstack_access_role_name"></a> [meshstack\_access\_role\_name](#output\_meshstack\_access\_role\_name) | The name for the Account Access Role that will be rolled out to all managed accounts. |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

Diff for: modules/meshcloud-replicator/replicator-management-account-access/data.tf

@@ -50,14 +50,31 @@ data "aws_iam_policy_document" "meshfed_service" {
       [
         # The actions organizations:TagResource and organizations:UntagResource act on accounts.
         # The actions can not be restricted to a subtree of the OU hierarchy. This is a limitation in the permission model of AWS Organization Service.
-        # To supprt tagging for this meshPlatform we need to allow both actions on all accounts.
+        # To support tagging for this meshPlatform we need to allow both actions on all accounts.
         "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
         # New accounts need to be moved from root to the target OU.
         "arn:${data.aws_partition.current.partition}:organizations::${local.account_id}:root/o-*/r-*"
       ],
     var.landing_zone_ou_arns)
   }
 
+  statement {
+    sid    = "OrgManagementAccessCloseAccount"
+    effect = "Allow"
+    actions = [
+      "organizations:CloseAccount"
+    ]
+    resources = [
+      // allow acting on any account owned by this org
+      "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
+    ]
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:ResourceOrgPaths"
+      values   = var.can_close_accounts_in_resource_org_paths
+    }
+  }
+
   statement {
     sid    = "OrgManagementAccessNoResourceLevelRestrictions"
     effect = "Allow"

Diff for: modules/meshcloud-replicator/replicator-management-account-access/variables.tf

@@ -52,9 +52,14 @@ variable "support_root_account_via_aws_sso" {
 variable "landing_zone_ou_arns" {
   type        = list(string)
   description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
-  default = [
-    "arn:aws:organizations::*:ou/o-*/ou-*"
-  ]
+  default     = []
+}
+
+variable "can_close_accounts_in_resource_org_paths" {
+  type = list(string)
+  // see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths
+  description = "AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts."
+  default     = [] // example: o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/
 }
 
 variable "allow_federated_role" {