From 73c42e2892ffa12b9bc13dc567b6b6cbce39992a Mon Sep 17 00:00:00 2001 From: cob16 Date: Thu, 2 Sep 2021 09:44:31 +0100 Subject: [PATCH] fix issue #18590 | Allow ListAccountsPages call when not root account This call is allowed in sub-accounts if that account is made delegated administrator for an AWS service --- ...a_source_aws_organizations_organization.go | 106 +++++++++--------- 1 file changed, 52 insertions(+), 54 deletions(-) diff --git a/aws/data_source_aws_organizations_organization.go b/aws/data_source_aws_organizations_organization.go index efd990e0ddc3..b08eadb215c6 100644 --- a/aws/data_source_aws_organizations_organization.go +++ b/aws/data_source_aws_organizations_organization.go 
@@ -156,75 +156,73 @@ func dataSourceAwsOrganizationsOrganizationRead(d *schema.ResourceData, meta int d.Set("master_account_email", org.Organization.MasterAccountEmail) d.Set("master_account_id", org.Organization.MasterAccountId) - if aws.StringValue(org.Organization.MasterAccountId) == meta.(*AWSClient).accountid { - var accounts []*organizations.Account - var nonMasterAccounts []*organizations.Account - err = conn.ListAccountsPages(&organizations.ListAccountsInput{}, func(page *organizations.ListAccountsOutput, lastPage bool) bool { - for _, account := range page.Accounts { - if aws.StringValue(account.Id) != aws.StringValue(org.Organization.MasterAccountId) { - nonMasterAccounts = append(nonMasterAccounts, account) - } - - accounts = append(accounts, account) + var accounts []*organizations.Account + var nonMasterAccounts []*organizations.Account + err = conn.ListAccountsPages(&organizations.ListAccountsInput{}, func(page *organizations.ListAccountsOutput, lastPage bool) bool { + for _, account := range page.Accounts { + if aws.StringValue(account.Id) != aws.StringValue(org.Organization.MasterAccountId) { + nonMasterAccounts = append(nonMasterAccounts, account) } - return !lastPage - }) - if err != nil { - return fmt.Errorf("error listing AWS Organization (%s) accounts: %w", d.Id(), err) + accounts = append(accounts, account) } - var roots []*organizations.Root - err = conn.ListRootsPages(&organizations.ListRootsInput{}, func(page *organizations.ListRootsOutput, lastPage bool) bool { - roots = append(roots, page.Roots...) - return !lastPage - }) - if err != nil { - return fmt.Errorf("error listing AWS Organization (%s) roots: %w", d.Id(), err) - } + return !lastPage + }) + if err != nil { + return fmt.Errorf("error listing AWS Organization (%s) accounts: %w", d.Id(), err) + } - awsServiceAccessPrincipals := make([]string, 0) - // ConstraintViolationException: The request failed because the organization does not have all features enabled. 
Please enable all features in your organization and then retry. - if aws.StringValue(org.Organization.FeatureSet) == organizations.OrganizationFeatureSetAll { - err = conn.ListAWSServiceAccessForOrganizationPages(&organizations.ListAWSServiceAccessForOrganizationInput{}, func(page *organizations.ListAWSServiceAccessForOrganizationOutput, lastPage bool) bool { - for _, enabledServicePrincipal := range page.EnabledServicePrincipals { - awsServiceAccessPrincipals = append(awsServiceAccessPrincipals, aws.StringValue(enabledServicePrincipal.ServicePrincipal)) - } - return !lastPage - }) - - if err != nil { - return fmt.Errorf("error listing AWS Service Access for Organization (%s): %w", d.Id(), err) - } - } + var roots []*organizations.Root + err = conn.ListRootsPages(&organizations.ListRootsInput{}, func(page *organizations.ListRootsOutput, lastPage bool) bool { + roots = append(roots, page.Roots...) + return !lastPage + }) + if err != nil { + return fmt.Errorf("error listing AWS Organization (%s) roots: %w", d.Id(), err) + } - enabledPolicyTypes := make([]string, 0) - for _, policyType := range roots[0].PolicyTypes { - if aws.StringValue(policyType.Status) == organizations.PolicyTypeStatusEnabled { - enabledPolicyTypes = append(enabledPolicyTypes, aws.StringValue(policyType.Type)) + awsServiceAccessPrincipals := make([]string, 0) + // ConstraintViolationException: The request failed because the organization does not have all features enabled. Please enable all features in your organization and then retry. 
+ if aws.StringValue(org.Organization.FeatureSet) == organizations.OrganizationFeatureSetAll { + err = conn.ListAWSServiceAccessForOrganizationPages(&organizations.ListAWSServiceAccessForOrganizationInput{}, func(page *organizations.ListAWSServiceAccessForOrganizationOutput, lastPage bool) bool { + for _, enabledServicePrincipal := range page.EnabledServicePrincipals { + awsServiceAccessPrincipals = append(awsServiceAccessPrincipals, aws.StringValue(enabledServicePrincipal.ServicePrincipal)) } - } + return !lastPage + }) - if err := d.Set("accounts", flattenOrganizationsAccounts(accounts)); err != nil { - return fmt.Errorf("error setting accounts: %w", err) + if err != nil { + return fmt.Errorf("error listing AWS Service Access for Organization (%s): %w", d.Id(), err) } + } - if err := d.Set("aws_service_access_principals", awsServiceAccessPrincipals); err != nil { - return fmt.Errorf("error setting aws_service_access_principals: %w", err) + enabledPolicyTypes := make([]string, 0) + for _, policyType := range roots[0].PolicyTypes { + if aws.StringValue(policyType.Status) == organizations.PolicyTypeStatusEnabled { + enabledPolicyTypes = append(enabledPolicyTypes, aws.StringValue(policyType.Type)) } + } - if err := d.Set("enabled_policy_types", enabledPolicyTypes); err != nil { - return fmt.Errorf("error setting enabled_policy_types: %w", err) - } + if err := d.Set("accounts", flattenOrganizationsAccounts(accounts)); err != nil { + return fmt.Errorf("error setting accounts: %w", err) + } - if err := d.Set("non_master_accounts", flattenOrganizationsAccounts(nonMasterAccounts)); err != nil { - return fmt.Errorf("error setting non_master_accounts: %w", err) - } + if err := d.Set("aws_service_access_principals", awsServiceAccessPrincipals); err != nil { + return fmt.Errorf("error setting aws_service_access_principals: %w", err) + } - if err := d.Set("roots", flattenOrganizationsRoots(roots)); err != nil { - return fmt.Errorf("error setting roots: %w", err) - } + if err 
:= d.Set("enabled_policy_types", enabledPolicyTypes); err != nil { + return fmt.Errorf("error setting enabled_policy_types: %w", err) + } + if err := d.Set("non_master_accounts", flattenOrganizationsAccounts(nonMasterAccounts)); err != nil { + return fmt.Errorf("error setting non_master_accounts: %w", err) } + + if err := d.Set("roots", flattenOrganizationsRoots(roots)); err != nil { + return fmt.Errorf("error setting roots: %w", err) + } + return nil }
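Review bot: Dropping the management-account guard turns a permission difference into a hard failure: ListAccountsPages, and the ListRootsPages / ListAWSServiceAccessForOrganizationPages calls after it, now run from every member account, and a member account that is not a delegated administrator is denied the call, so a read that used to succeed with the list attributes simply unset now fails at `return fmt.Errorf("error listing AWS Organization (%s) accounts: %w", d.Id(), err)`. The commit message covers only the delegated-administrator case, so the decision should rest on the actual authorization result rather than on removing the check: keep the previous empty-list behaviour when a non-management account is denied, and fail for the management account or for any other error. The shape below does that; substitute whichever AWS error-code helper this file already imports if it is not `tfawserr.ErrCodeEquals`. Separately, `roots[0].PolicyTypes` still indexes without a `len(roots)` check, and that line is now reachable from more callers. dataSourceAwsOrganizationsOrganizationRead starts before the hunk.
```go
	isManagementAccount := aws.StringValue(org.Organization.MasterAccountId) == meta.(*AWSClient).accountid

	var accounts []*organizations.Account
	var nonMasterAccounts []*organizations.Account
	err = conn.ListAccountsPages(&organizations.ListAccountsInput{}, func(page *organizations.ListAccountsOutput, lastPage bool) bool {
		// … unchanged: per-page accumulation into accounts / nonMasterAccounts …
		return !lastPage
	})
	if err != nil {
		// A member account that is not a delegated administrator is denied this call;
		// treat that as "nothing to list" (the pre-change behaviour) instead of failing the read.
		if isManagementAccount || !tfawserr.ErrCodeEquals(err, organizations.ErrCodeAccessDeniedException) {
			return fmt.Errorf("error listing AWS Organization (%s) accounts: %w", d.Id(), err)
		}
		return nil
	}
	// … unchanged: roots, aws_service_access_principals, enabled_policy_types and the d.Set calls …
```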