feat: Add support for AWS Organizations access in GitHub OIDC module, enabling dynamic IAM policy statements based on configuration

Arnel Jan Sarmiento · ArJSarmiento · commit 637a6715eb3c · 2026-04-11T23:30:44.000+08:00
diff --git a/modules/aws/github-oidc/main.tf b/modules/aws/github-oidc/main.tf
@@ -14,6 +14,20 @@ resource "aws_iam_openid_connect_provider" "github" {
   client_id_list = ["sts.amazonaws.com"]
 }
 
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+locals {
+  organizations_account_resources = [
+    "arn:${data.aws_partition.current.partition}:organizations::${data.aws_caller_identity.current.account_id}:account/*/*",
+  ]
+
+  organizations_root_resources = [
+    "arn:${data.aws_partition.current.partition}:organizations::${data.aws_caller_identity.current.account_id}:root/*/*",
+  ]
+}
+
 data "aws_iam_policy_document" "oidc" {
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -130,33 +144,91 @@ data "aws_iam_policy_document" "iam_and_terraform" {
     }
   }
 
-  # PowerUserAccess denies organizations:* — re-grant for managing
-  # AWS Organizations resources in the root workspace.
-  statement {
-    sid    = "OrganizationsAccess"
-    effect = "Allow"
-    actions = [
-      "organizations:DescribeOrganization",
-      "organizations:ListAccounts",
-      "organizations:DescribeAccount",
-      "organizations:ListRoots",
-      "organizations:ListAWSServiceAccessForOrganization",
-      "organizations:ListDelegatedAdministrators",
-      "organizations:EnableAWSServiceAccess",
-      "organizations:DisableAWSServiceAccess",
-      "organizations:ListPolicies",
-      "organizations:DescribePolicy",
-      "organizations:ListTargetsForPolicy",
-      "organizations:EnablePolicyType",
-      "organizations:DisablePolicyType",
-      "organizations:CreateAccount",
-      "organizations:DescribeCreateAccountStatus",
-      "organizations:CloseAccount",
-      "organizations:TagResource",
-      "organizations:UntagResource",
-      "organizations:ListTagsForResource",
-    ]
-    resources = ["*"]
+  dynamic "statement" {
+    for_each = var.enable_organizations_access ? [1] : []
+
+    content {
+      sid    = "OrganizationsGlobalRead"
+      effect = "Allow"
+      actions = [
+        "organizations:DescribeOrganization",
+        "organizations:ListAccounts",
+        "organizations:ListRoots",
+        "organizations:ListAWSServiceAccessForOrganization",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_organizations_access ? [1] : []
+
+    content {
+      sid    = "OrganizationsManagedAccounts"
+      effect = "Allow"
+      actions = [
+        "organizations:DescribeAccount",
+        "organizations:ListParents",
+        "organizations:ListTagsForResource",
+        "organizations:TagResource",
+        "organizations:UntagResource",
+      ]
+      resources = local.organizations_account_resources
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_organizations_access ? [1] : []
+
+    content {
+      sid    = "OrganizationsAccountProvisioning"
+      effect = "Allow"
+      actions = [
+        "organizations:CreateAccount",
+        "organizations:DescribeCreateAccountStatus",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_organizations_access ? [1] : []
+
+    content {
+      sid    = "OrganizationsServiceAccess"
+      effect = "Allow"
+      actions = [
+        "organizations:EnableAWSServiceAccess",
+        "organizations:DisableAWSServiceAccess",
+      ]
+      resources = ["*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "organizations:ServicePrincipal"
+        values   = ["sso.amazonaws.com"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_organizations_access ? [1] : []
+
+    content {
+      sid    = "OrganizationsPolicyTypes"
+      effect = "Allow"
+      actions = [
+        "organizations:EnablePolicyType",
+        "organizations:DisablePolicyType",
+      ]
+      resources = local.organizations_root_resources
+
+      condition {
+        test     = "StringEquals"
+        variable = "organizations:PolicyType"
+        values   = ["SERVICE_CONTROL_POLICY"]
+      }
+    }
   }
 
   statement {
diff --git a/modules/aws/github-oidc/variables.tf b/modules/aws/github-oidc/variables.tf
@@ -15,3 +15,9 @@ variable "terraform_state_bucket_arn" {
   default     = null
   nullable    = true
 }
+
+variable "enable_organizations_access" {
+  description = "Whether to grant AWS Organizations permissions for the root workspace."
+  type        = bool
+  default     = false
+}
diff --git a/workspaces/root/main.tf b/workspaces/root/main.tf
@@ -21,9 +21,10 @@ module "connections" {
 module "github_oidc" {
   source = "../../modules/aws/github-oidc"
 
-  role_name                  = "github_oidc_role"
-  allowed_repos              = var.allowed_github_repos
-  terraform_state_bucket_arn = module.terraform_state.bucket_arn
+  role_name                   = "github_oidc_role"
+  allowed_repos               = var.allowed_github_repos
+  enable_organizations_access = true
+  terraform_state_bucket_arn  = module.terraform_state.bucket_arn
 }
 
 module "cdn" {
