Pierre-Alexandre

Reputation: 765

Create / Destroy AWS account using Terraform?

I am trying to create a tool to easily create and destroy AWS accounts in my AWS organization (or at least remove them from the organisation if they cannot be deleted). Those accounts are going to be sandboxes with a small budget, destroyed after a couple of weeks.

I found that Terraform has a specific resource for that called aws_organizations_account.

However, it is mentioned that deleting this Terraform resource will only remove an AWS account from an organization. Terraform will not close the account. The member account must be prepared to be a standalone account beforehand. See the AWS Organizations documentation for more information.

I deployed an aws_organizations_account resource using Terraform, and it worked. But when I try to delete that resource, I get a warning that "The member account must be configured with a valid payment method, such as a credit card".

main.tf

resource "aws_organizations_account" "account" {
  name      = "sandbox1"
  email     = "[email protected]"
  role_name = "myOrganizationRole"
}

Is there any way to get around this issue?

Upvotes: 5

Views: 4452

Answers (3)

Daniel Quackenbush

Reputation: 66

Deleting an account is now available with the Close Account API. This functionality is enabled in Terraform via the close_on_deletion flag.

Upvotes: 5
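As an added example (not from the question or any answer), this is the question's main.tf rewritten so that `terraform destroy` closes the sandbox account via CloseAccount instead of trying to detach it. It assumes Terraform 1.2 or later (for `precondition`), an AWS provider release that supports `close_on_deletion`, a placeholder e-mail address, and the role name from the question.

```hcl
# Sandbox account that Terraform closes (not merely removes) on destroy.
# Added example; not part of the original question or answers.

# The management account's view of the organization. CloseAccount only
# works in an organization with all features enabled, so check it here.
data "aws_organizations_organization" "org" {}

resource "aws_organizations_account" "sandbox" {
  name      = "sandbox1"
  email     = "sandbox1@example.com"   # placeholder address
  role_name = "myOrganizationRole"     # role name from the question

  # Let IAM principals in the member account see billing, so the sandbox
  # owner can watch spend against the small budget.
  iam_user_access_to_billing = "ALLOW"

  # On destroy, call CloseAccount rather than RemoveAccountFromOrganization.
  # The account enters SUSPENDED and is permanently closed after AWS's
  # post-closure period; no standalone payment method is needed first.
  close_on_deletion = true

  lifecycle {
    precondition {
      condition     = data.aws_organizations_organization.org.feature_set == "ALL"
      error_message = "CloseAccount requires an organization with all features enabled."
    }
  }

  tags = {
    Purpose = "sandbox"
  }
}
```

AWS caps how many member accounts can be closed within a rolling period, so destroying many sandboxes in one run can fail partway; apply the destroy in batches if you hit that limit.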

Ryan Cromwell

Reputation: 2613

We have a very similar situation (sandbox accounts). We still need to be able to deprovision accounts as team members off-board. To account for consolidated billing and the inability to remove or delete member accounts, we are allowing those to remain while we remove IAM users and login profiles. The way we do this is to use one set of data for users and another for accounts. This leaves a different type of state that doesn’t fail during user removal.

I wrote about and shared our terraform setup: https://cromwellhaus.com/leaving-aws-subaccounts-behind

You could be more nuanced with the accounts side if you wanted.

Upvotes: 4

Marcin

Reputation: 238299

Is there any way to get around this issue?

Sadly, no. When you remove an AWS account from an AWS Org, it becomes a normal standalone account. You need a custom solution for removing accounts from the AWS Org, which would require you to fulfill all its prerequisites listed here. One of them is having valid contact and payment info associated with the account to be removed.

You can delete the account (it's different from removing it from the AWS Org), but this can't be done from AWS Org. The account has to be closed from inside, using root.

Upvotes: 6
