sukhrajsg

Reputation: 1

Terraform help: The parent organizational unit '<OU>' is not enrolled in AWS Control Tower error

I'm trying to import an account that already exists into Terraform. I seem to have done so successfully, and when I try to create the account it just wants to modify a few attributes in place. However, when I run an apply, it errors out with the following:

│ Error: provisioning account failed: InvalidParametersException The parent organizational unit '' is not enrolled in AWS Control Tower.

I'm not sure what this means. Does anyone have any suggestions?

I've checked the parent OU and it's all completely fine and enrolled. I went to AWS Service Catalog, saw that the account was tainted, so I updated the account manually. That seemed to work, so I tried another terraform apply, but I keep running into the same error. Really stuck with how to solve this.

The code is relatively simple but I will display it below. All the variables are set normally and work:

terraform {
  required_providers {
    controltower = {
      source  = "idealo/controltower"
      version = "~> 1.0"
    }
  }
}

provider "controltower" {
  region  = "eu-west-2"
  profile = "root"
}

resource "controltower_aws_account" "account" {
  name                = "<name>"
  email               = "<email>"
  organizational_unit = var.organizational_unit

  sso {
    first_name = var.sso_first_name
    last_name  = var.sso_last_name
    email      = var.sso_email
  }
  lifecycle {
    ignore_changes = [
      organizational_unit,
      email
    ]
  }
}

Upvotes: 0

Views: 95

Answers (1)

Artur Carvalho

Reputation: 1

You are probably passing the OU ID directly, but this is expecting something like:

{ key: "ManagedOrganizationalUnit", value: "Custom (ou-xfe5-a8hb8ml8)" },

Reference: https://docs.aws.amazon.com/controltower/latest/userguide/automated-provisioning-walkthrough.html

Upvotes: 0
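An added example, not part of the original answer or the provider's own code: a Terraform variable validation that rejects a bare OU ID or a bare OU name before anything is sent to Control Tower. It assumes the "Name (ou-id)" form shown in the answer is what `organizational_unit` must carry; the OU ID pattern is the one documented for the AWS Organizations API.

```hcl
# Added example. Assumption: organizational_unit must use the
# "Name (ou-id)" form from the answer, e.g. "Custom (ou-xfe5-a8hb8ml8)".
variable "organizational_unit" {
  description = "Parent OU in the form \"<OU name> (<OU id>)\"."
  type        = string

  validation {
    # Accepts:  Custom (ou-xfe5-a8hb8ml8)
    # Rejects:  ou-xfe5-a8hb8ml8   (bare OU ID)
    #           Custom             (bare OU name)
    condition = can(regex(
      "^.+ \\(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}\\)$",
      var.organizational_unit
    ))
    error_message = "The organizational_unit value must look like \"Custom (ou-xfe5-a8hb8ml8)\": the OU name followed by the OU ID in parentheses."
  }
}
```

With this in place, `terraform plan` stops with the error message above when the value is in the wrong form, instead of failing later during account provisioning.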
