aws_organizations_organization feature_set change should not force new resource

[ryandeivert]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform version: 0.13.1
AWS Provider version: 3.9.0

Affected Resource(s)

• aws_organizations_organization

Terraform Configuration Files

When updating the following resource from the "before" to "after", terraform the following org resource from:

Before

resource "aws_organizations_organization" "org" {
  feature_set = "CONSOLIDATED_BILLING"
}

After

resource "aws_organizations_organization" "org" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
  ]

  feature_set = "ALL"
}

Debug Output

-/+ aws_organizations_organization.org (new resource required)
      id:                                       "o-example" => <computed> (forces new resource)
      accounts.#:                               "2" => <computed>
      arn:                                      "arn:aws:organizations::123456789012:organization/o-example" => <computed>
      aws_service_access_principals.#:          "0" => "1"
      aws_service_access_principals.123456789: "" => "cloudtrail.amazonaws.com"
      feature_set:                              "CONSOLIDATED_BILLING" => "ALL" (forces new resource)
      master_account_arn:                       "arn:aws:organizations::123456789012:account/o-example/123456789012" => <computed>
      master_account_email:                     "email@foobar.com" => <computed>
      master_account_id:                        "123456789012" => <computed>
      non_master_accounts.#:                    "1" => <computed>
      roots.#:                                  "1" => <computed>

Panic Output

Expected Behavior

The change to feature_set does not force a new resource, which would generate a new Org ID. The feature set can be changed in Console without creating a new org ID, and I was informed by AWS that this should not need to generate a new org ID.

Actual Behavior

A new resource if forced when feature_set is changed from CONSOLIDATED_BILLING to ALL. This should only force a new resource if going from ALL to CONSOLIDATED_BILLING, according to this note on this page:

The migration from consolidated billing features to all features is one-way. You can't switch an organization with all features enabled back to consolidated billing features only.

Steps to Reproduce

1. terraform apply using the config above

Important Factoids

References

N/A

[philnichol]

Looks like it's possible to do this, although once you enable All Features it can't be reverted. I'd be interested in attempting to solve this if that's alright?

[ryandeivert]

@philnichol yep I believe that is the case. I just put a PR up for the fix here if you'd like to comment: #15473

[philnichol]

@ryandeivert your solution is 1000x more elegant than what I was thinking :) didn’t even know about ForceNewIfChange, nice one!

[anGie44]

The proposed fix has been merged and will release with version 3.16.0 of the Terraform AWS Provider, expected out next Thursday.

[ghost]

This has been released in version 3.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!