OPS-6301: refactor

README.md

@@ -40,30 +40,22 @@ The following input variables are required:
 
 ### <a name="input_policies"></a> [policies](#input\_policies)
 
-Description: List of policy configurations
+Description: List of policies with their details
 
 Type:
 
 ```hcl
 list(object({
     name        = string
-    description = string
-    statements  = string       # Path to the JSON file containing policy statements
-    target_ids  = list(string) # List of target account IDs or OU IDs
+    file        = string
+    target_ids  = list(string)
+    description = string # Ensure this is included
   }))
 ```
 
 ## Optional Inputs
 
-The following input variables are optional (have default values):
-
-### <a name="input_tags"></a> [tags](#input\_tags)
-
-Description: Tags to apply to all resources created in this module
-
-Type: `map(string)`
-
-Default: `{}`
+No optional inputs.
 
 <!-- TFDOCS_INPUTS_END -->
 

main.tf

@@ -1,40 +1,17 @@
-# Loop over each policy to create policy documents dynamically
-data "aws_iam_policy_document" "scp_policies" {
-  for_each = { for p in var.policies : p.name => p }
-
-  dynamic "statement" {
-    for_each = jsondecode(file(each.value.statements))
-    content {
-      sid       = lookup(statement.value, "Sid", null)
-      effect    = lookup(statement.value, "Effect", "Deny")
-      actions   = statement.value.Action
-      resources = [lookup(statement.value, "Resource", "*")]
-
-      dynamic "condition" {
-        for_each = lookup(statement.value, "Condition", {})
-        content {
-          test     = condition.key
-          variable = condition.value[0]
-          values   = condition.value[1]
-        }
-      }
-    }
-  }
-}
-
-# Create policies with tags
+# Create an AWS Organization policy for each policy template
 resource "aws_organizations_policy" "scp" {
-  for_each    = data.aws_iam_policy_document.scp_policies
-  name        = each.value.name
+  for_each = { for policy in var.policies : policy.name => policy }
+
+  name        = each.key
   description = each.value.description
-  content     = each.value.json
-  tags        = var.tags
+  content     = templatefile(lookup(each.value, "file"), {})
 }
 
-# Attach policies to targets with tags
 resource "aws_organizations_policy_attachment" "attach_scp" {
-  for_each  = { for p in var.policies : p.name => p }
-  count     = length(each.value.target_ids)
-  policy_id = aws_organizations_policy.scp[each.key].id
-  target_id = each.value.target_ids[count.index]
-}
+  for_each = {
+    for policy in aws_organizations_policy.scp :
+    policy.name => policy
+  }
+  policy_id = each.value.id
+  target_id = flatten([for p in var.policies : p.target_ids if p.name == each.key])[0]
+}

variables.tf

@@ -1,15 +1,9 @@
 variable "policies" {
-  description = "List of policy configurations"
+  description = "List of policies with their details"
   type = list(object({
     name        = string
+    file        = string
+    target_ids  = list(string)
     description = string
-    statements  = string       # Path to the JSON file containing policy statements
-    target_ids  = list(string) # List of target account IDs or OU IDs
   }))
 }
-
-variable "tags" {
-  description = "Tags to apply to all resources created in this module"
-  type        = map(string)
-  default     = {}
-}