resource/aws_organizations_organization: Add enabled_policy_types argument

[bflad]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #4545

Release note for CHANGELOG:

resource/aws_organizations_organization: Add enabled_policy_types argument

The aws_organizations_policy_attachment acceptance testing was previously written to assume that the account running it was already in an Organization, manually had enabled Service Control Policies in the Root, and did not check Root or Organizational Unit policy attachments as the appropriate attributes/resources did not previously exist. The updates to those tests now verify the SCP attachment workflow end-to-end with creating a new Organization, enabling SCPs, and SCP attachments to an account, Root, and OU.

Previous output from acceptance testing (before enabled_policy_types implementation):

    --- FAIL: TestAccAWSOrganizations/PolicyAttachment (37.12s)
        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/Account (14.00s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 381509e0-7225-11e9-b974-09edfb312bea

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test737240811/main.tf line 11:
                  (source code not available)

        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/OrganizationalUnit (10.85s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 3f587964-7225-11e9-96c5-1d623fb91cbf

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test570985045/main.tf line 16:
                  (source code not available)

        --- FAIL: TestAccAWSOrganizations/PolicyAttachment/Root (12.27s)
            testing.go:568: Step 0 error: errors during apply:

                Error: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
                  status code: 400, request id: 46589efd-7225-11e9-b974-09edfb312bea

                  on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test865604943/main.tf line 11:
                  (source code not available)

Output from acceptance testing:

    --- PASS: TestAccAWSOrganizations/Organization (79.29s)
        --- PASS: TestAccAWSOrganizations/Organization/basic (13.66s)
        --- PASS: TestAccAWSOrganizations/Organization/AwsServiceAccessPrincipals (24.59s)
        --- PASS: TestAccAWSOrganizations/Organization/EnabledPolicyTypes (30.29s)
        --- PASS: TestAccAWSOrganizations/Organization/FeatureSet (10.75s)
    --- PASS: TestAccAWSOrganizations/PolicyAttachment (58.58s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/Account (21.28s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/OrganizationalUnit (20.48s)
        --- PASS: TestAccAWSOrganizations/PolicyAttachment/Root (16.82s)

[tombuildsstuff]

A couple of minor things but this otherwise LGTM 👍

[tombuildsstuff]

should we be returning that it's active when it's still potentially Pending here?

[bflad]

A lot of the AWS resources currently treat pending statuses similar to their end state during read to account for scenarios where changes might have occurred outside Terraform or for eventual consistency reasons. This one was a holdout before I implemented the waiter functions as during my local testing of this it didn't appear to display any eventual consistency issues. I'll remove it and verify everything still looks okay. 👍

[tombuildsstuff]

minor we can use defaultRootID here?

[bflad]

Yes we can! Thanks!

[bflad]

Output from acceptance testing after above minor adjustments:

    --- PASS: TestAccAWSOrganizations/Organization (84.63s)
        --- PASS: TestAccAWSOrganizations/Organization/EnabledPolicyTypes (34.08s)
        --- PASS: TestAccAWSOrganizations/Organization/FeatureSet (11.33s)
        --- PASS: TestAccAWSOrganizations/Organization/basic (13.29s)
        --- PASS: TestAccAWSOrganizations/Organization/AwsServiceAccessPrincipals (25.93s)

Merging!

[bflad]

This has been released in version 2.10.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!