Is it possible for Terraform to invite an existing aws account into an Organization?

Question

I have an existing aws account that I would like to invite into my organization using Terraform. I am able to do this using the console but have not figured out if it is possible as code.

Currently I created several organization accounts using the following code:

resource "aws_organizations_account" "prod_account" {
  name                       = "prod"
  email                      = "<new_email>"
  iam_user_access_to_billing = "DENY"
  parent_id                  = aws_organizations_organizational_unit.production.id
}

This works great when I am creating a new account, however, I am not able to use the same resource block by specify the email of my existing 'dev' account. I get an error saying the EMAIL_ALREADY_EXISTS, which makes sense because it is trying to create a new account using an existing email address.

So how do I invite my existing 'dev' account into my organization using Terraform? Is this even possible?

Answer 1

Very much possible, just use a null resource and a local exec with the CLI command to invite an existing account.Include other fields in the command section, refer to these fields in the docs.

resource "null_resource" "org_accounts" {
  provisioner "local-exec" {
    command = "aws organizations invite-account-to-organization --target   '{\"Type\": \"EMAIL\", \"Id\": \"abc@email.com\"}' --notes \" Production account\" --profile=\"admin_profile\""
  }
}

Answer 2

You should be able to import existing resource from AWS to Terraform via terraform import command.

In this case , you would need to do terraform import aws_organizations_account.prod_account AWSAccountID mentioned over here https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account#import