Shame Terraform doesn't do recursion nicely

README.md

@@ -8,7 +8,7 @@ Note that this module is subject to breaking change as the management_groups var
 
 ### Deploying the Definitions
 
-It is very simple to get the policies deployed:
+It is very simple to get the management groups deployed:
 
 ```terraform
 module "management_groups" {

main.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 0.13.0"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_management_group" "tenant_root_group" {
+  name = data.azurerm_subscription.current.tenant_id
+}
+
+module "mg1" {
+  source   = "./modules/mg1"
+  for_each = var.management_groups
+
+  level                      = 1
+  display_name               = each.key
+  parent_management_group_id = data.azurerm_management_group.tenant_root_group.id
+  children                   = each.value
+}

modules/mg1/main.tf

@@ -0,0 +1,61 @@
+variable "level" {
+  type = number
+}
+
+variable "display_name" {}
+
+variable "parent_management_group_id" {}
+
+variable "children" {
+  type = map
+}
+
+locals {
+  subscription_ids = flatten([
+    for key, value in var.children :
+    key == "subscription_ids" ? toset(value) : []
+  ])
+
+  children = {
+    for key, value in var.children :
+    key => value if key != "subscription_ids"
+  }
+
+  next_level = var.level + 1
+}
+
+resource "azurerm_management_group" "mg" {
+  display_name               = var.display_name
+  parent_management_group_id = var.parent_management_group_id
+  subscription_ids           = local.subscription_ids
+}
+
+module "mg2" {
+  source   = "../mg2"
+  for_each = local.children // var.level + 1 == 2 ? local.children : {}
+
+  level                      = local.next_level
+  display_name               = each.key
+  parent_management_group_id = azurerm_management_group.mg.id
+  children                   = each.value
+}
+
+output "management_groups" {
+  value = flatten([
+    merge(azurerm_management_group.mg, { level = var.level }),
+    [
+      for name in keys(local.children) :
+      module.mg2[name].management_groups
+    ]
+  ])
+}
+
+output "management_group_id" {
+  value = merge({
+    id = azurerm_management_group.mg.id
+    },
+    {
+      for name in keys(local.children) :
+      name => module.mg2[name].management_group_id
+  })
+}

modules/mg2/main.tf

@@ -0,0 +1,61 @@
+variable "level" {
+  type = number
+}
+
+variable "display_name" {}
+
+variable "parent_management_group_id" {}
+
+variable "children" {
+  type = map
+}
+
+locals {
+  subscription_ids = flatten([
+    for key, value in var.children :
+    key == "subscription_ids" ? toset(value) : []
+  ])
+
+  children = {
+    for key, value in var.children :
+    key => value if key != "subscription_ids"
+  }
+
+  next_level = var.level + 1
+}
+
+resource "azurerm_management_group" "mg" {
+  display_name               = var.display_name
+  parent_management_group_id = var.parent_management_group_id
+  subscription_ids           = local.subscription_ids
+}
+
+module "mg3" {
+  source   = "../mg3"
+  for_each = local.children // var.level + 1 == 2 ? local.children : {}
+
+  level                      = local.next_level
+  display_name               = each.key
+  parent_management_group_id = azurerm_management_group.mg.id
+  children                   = each.value
+}
+
+output "management_groups" {
+  value = flatten([
+    merge(azurerm_management_group.mg, { level = var.level }),
+    [
+      for name in keys(local.children) :
+      module.mg3[name].management_groups
+    ]
+  ])
+}
+
+output "management_group_id" {
+  value = merge({
+    id = azurerm_management_group.mg.id
+  },
+  {
+    for name in keys(local.children) :
+    name => module.mg3[name].management_group_id
+  })
+}

modules/mg3/main.tf

@@ -0,0 +1,61 @@
+variable "level" {
+  type = number
+}
+
+variable "display_name" {}
+
+variable "parent_management_group_id" {}
+
+variable "children" {
+  type = map
+}
+
+locals {
+  subscription_ids = flatten([
+    for key, value in var.children :
+    key == "subscription_ids" ? toset(value) : []
+  ])
+
+  children = {
+    for key, value in var.children :
+    key => value if key != "subscription_ids"
+  }
+
+  next_level = var.level + 1
+}
+
+resource "azurerm_management_group" "mg" {
+  display_name               = var.display_name
+  parent_management_group_id = var.parent_management_group_id
+  subscription_ids           = local.subscription_ids
+}
+
+module "mg4" {
+  source   = "../mg4"
+  for_each = local.children // var.level + 1 == 2 ? local.children : {}
+
+  level                      = local.next_level
+  display_name               = each.key
+  parent_management_group_id = azurerm_management_group.mg.id
+  children                   = each.value
+}
+
+output "management_groups" {
+  value = flatten([
+    merge(azurerm_management_group.mg, { level = var.level }),
+    [
+      for name in keys(local.children) :
+      module.mg4[name].management_groups
+    ]
+  ])
+}
+
+output "management_group_id" {
+  value = merge({
+    id = azurerm_management_group.mg.id
+  },
+  {
+    for name in keys(local.children) :
+    name => module.mg4[name].management_group_id
+  })
+}

modules/mg4/main.tf

@@ -0,0 +1,61 @@
+variable "level" {
+  type = number
+}
+
+variable "display_name" {}
+
+variable "parent_management_group_id" {}
+
+variable "children" {
+  type = map
+}
+
+locals {
+  subscription_ids = flatten([
+    for key, value in var.children :
+    key == "subscription_ids" ? toset(value) : []
+  ])
+
+  children = {
+    for key, value in var.children :
+    key => value if key != "subscription_ids"
+  }
+
+  next_level = var.level + 1
+}
+
+resource "azurerm_management_group" "mg" {
+  display_name               = var.display_name
+  parent_management_group_id = var.parent_management_group_id
+  subscription_ids           = local.subscription_ids
+}
+
+module "mg5" {
+  source   = "../mg5"
+  for_each = local.children // var.level + 1 == 2 ? local.children : {}
+
+  level                      = local.next_level
+  display_name               = each.key
+  parent_management_group_id = azurerm_management_group.mg.id
+  children                   = each.value
+}
+
+output "management_groups" {
+  value = flatten([
+    merge(azurerm_management_group.mg, { level = var.level }),
+    [
+      for name in keys(local.children) :
+      module.mg5[name].management_groups
+    ]
+  ])
+}
+
+output "management_group_id" {
+  value = merge({
+    id = azurerm_management_group.mg.id
+  },
+  {
+    for name in keys(local.children) :
+    name => module.mg5[name].management_group_id
+  })
+}

modules/mg5/main.tf

@@ -0,0 +1,61 @@
+variable "level" {
+  type = number
+}
+
+variable "display_name" {}
+
+variable "parent_management_group_id" {}
+
+variable "children" {
+  type = map
+}
+
+locals {
+  subscription_ids = flatten([
+    for key, value in var.children :
+    key == "subscription_ids" ? toset(value) : []
+  ])
+
+  children = {
+    for key, value in var.children :
+    key => value if key != "subscription_ids"
+  }
+
+  next_level = var.level + 1
+}
+
+resource "azurerm_management_group" "mg" {
+  display_name               = var.display_name
+  parent_management_group_id = var.parent_management_group_id
+  subscription_ids           = local.subscription_ids
+}
+
+module "mg6" {
+  source   = "../mg6"
+  for_each = local.children // var.level + 1 == 2 ? local.children : {}
+
+  level                      = local.next_level
+  display_name               = each.key
+  parent_management_group_id = azurerm_management_group.mg.id
+  children                   = each.value
+}
+
+output "management_groups" {
+  value = flatten([
+    merge(azurerm_management_group.mg, { level = var.level }),
+    [
+      for name in keys(local.children) :
+      module.mg6[name].management_groups
+    ]
+  ])
+}
+
+output "management_group_id" {
+  value = merge({
+    id = azurerm_management_group.mg.id
+  },
+  {
+    for name in keys(local.children) :
+    name => module.mg6[name].management_group_id
+  })
+}