[WIP] support setting the parent for organization accounts #4405
Conversation
Getting some errors I don't understand; could use another set of eyes on this.
Why would this be missing, of all things?
The error is what I would expect if Terraform were trying to delete the account,
Correction: I am seeing those same errors on
@afeld This is the error:
AWS Organization member accounts are a real pain to try to clean up.
Here was the discussion around trying to do the delete: #3524 (comment). Prior, I just had printed a message that said you need to do the delete from the Web UI or something along those lines - which wasn't a great solution.
This resource is a real pain to acceptance test due to how Organizations/AWS accounts in general work. Basically, it's not really doable in an automated fashion since AWS requires converting accounts to standalone (requiring EULA agreement, credit card information, phone verification, etc.) and there is no simple I'm not sure we want to implement a flag attribute to leave the account dangling in the organization during resource deletion just for the acceptance testing either (also doesn't seem like a valid regular use case when there is We could switch this to In short, I'm not sure there is a good way to handle testing for this resource 😅 -- I wanted to get the resource merged as it worked as expected with manual testing. I would highly recommend opening an AWS support case if you have a support plan that asks for more automated ways to handle deleting an account (either the missing DeleteAccount API call or APIs for the billing/EULA pieces). Personally, I'd accept a PR with manual testing for now. 👍
I have Enterprise Support at work and I'm starting to use this stuff for work. So I'll start a discussion with them around this.
@asedge Right, the error makes sense to me... Are you saying that the
Yep, I already have as well, but couldn't hurt for them to hear it again. They are understandably reluctant to make it possible to delete all of your infrastructure with one API call.
@afeld They added us to the list of ~40 customers that have asked for this.
Repeating my question from above: is the
Yes, see my comment above about the various issues encountered trying to implement the automated testing. I would accept a manually tested PR in this rare scenario. Adding automated tests with
This will be more future-proof, allowing support for non-root organizational units.
…ations_unit data source
3f94f3f to 3b071fd
Any new status on this pull request?
See #4207.
Go for it!
…entation

References:

* #4405
* #8281

Please note that automated acceptance testing is not currently possible with this resource, due to manual steps required to remove an account from an organization: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html

These changes were manually verified via the following. Given an existing configuration, previously applied with version 2.9.0 of the Terraform AWS Provider:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_account" "bflad-dev1" {
  name  = "bflad-dev1"
  email = "--OMITTED--"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}
```

Overwrite Terraform AWS Provider binary including this changeset, ensure plan shows no changes, and ensure `parent_id` is properly written to Terraform state:

```console
$ cp ~/go/bin/terraform-provider-aws .terraform/plugins/darwin_amd64/terraform-provider-aws_v2.9.0_x4
$ terraform init
...
$ terraform plan
...
aws_organizations_organization.organization: Refreshing state... (ID: o-p687o6l073)
aws_organizations_account.bflad-dev2: Refreshing state... (ID: --OMITTED--)
aws_organizations_account.bflad-dev1: Refreshing state... (ID: --OMITTED--)

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.
$ terraform refresh
...
$ terraform state show aws_organizations_account.bflad-dev1 | grep parent_id
parent_id = r-cg2b
```

Add organizational unit to configuration and add `parent_id` to an existing account pointing to it:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_organizational_unit" "test1" {
  name      = "test1"
  parent_id = "${aws_organizations_organization.organization.roots.0.id}"
}

resource "aws_organizations_account" "bflad-dev1" {
  name      = "bflad-dev1"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}
```

Verifying `Update` functionality:

```
$ terraform apply
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_organizations_account.bflad-dev1
      parent_id: "r-cg2b" => "${aws_organizations_organizational_unit.test1.id}"

  + aws_organizations_organizational_unit.test1
      id:        <computed>
      arn:       <computed>
      name:      "test1"
      parent_id: "r-cg2b"

Plan: 1 to add, 1 to change, 0 to destroy.
...
aws_organizations_organizational_unit.test1: Creating...
  arn:       "" => "<computed>"
  name:      "" => "test1"
  parent_id: "" => "r-cg2b"
aws_organizations_organizational_unit.test1: Creation complete after 0s (ID: ou-cg2b-7aa8b56k)
aws_organizations_account.bflad-dev1: Modifying... (ID: --OMITTED--)
  parent_id: "r-cg2b" => "ou-cg2b-7aa8b56k"
aws_organizations_account.bflad-dev1: Modifications complete after 1s (ID: --OMITTED--)
$ terraform state show aws_organizations_account.bflad-dev1 | grep parent_id
parent_id = ou-cg2b-7aa8b56k
```

Add account with `parent_id` to configuration:

```hcl
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
}

resource "aws_organizations_organizational_unit" "test1" {
  name      = "test1"
  parent_id = "${aws_organizations_organization.organization.roots.0.id}"
}

resource "aws_organizations_account" "bflad-dev1" {
  name      = "bflad-dev1"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}

resource "aws_organizations_account" "bflad-dev2" {
  name  = "bflad-dev2"
  email = "--OMITTED--"
}

resource "aws_organizations_account" "bflad-dev3" {
  name      = "bflad-dev3"
  email     = "--OMITTED--"
  parent_id = "${aws_organizations_organizational_unit.test1.id}"
}
```

Verifying `Create` functionality:

```
$ terraform apply
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_organizations_account.bflad-dev3
      id:               <computed>
      arn:              <computed>
      email:            "--OMITTED--"
      joined_method:    <computed>
      joined_timestamp: <computed>
      name:             "bflad-dev3"
      parent_id:        "ou-cg2b-7aa8b56k"
      status:           <computed>

Plan: 1 to add, 0 to change, 0 to destroy.
...
aws_organizations_account.bflad-dev3: Creating...
  arn:              "" => "<computed>"
  email:            "" => "--OMITTED--"
  joined_method:    "" => "<computed>"
  joined_timestamp: "" => "<computed>"
  name:             "" => "bflad-dev3"
  parent_id:        "" => "ou-cg2b-7aa8b56k"
  status:           "" => "<computed>"
aws_organizations_account.bflad-dev3: Still creating... (10s elapsed)
aws_organizations_account.bflad-dev3: Creation complete after 12s (ID: --OMITTED--)
$ terraform state show aws_organizations_account.bflad-dev3 | grep parent_id
parent_id = ou-cg2b-7aa8b56k
```
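The manual verification above exercises one transition (account under root `r-cg2b`, configuration now pointing at `ou-cg2b-7aa8b56k`) and one account that never sets `parent_id`. The following is an added example, not code from the provider or from this PR: a small Go model of the decision the `Update` path has to make before calling the Organizations MoveAccount API, which needs both the source and destination parent. It assumes the documented ID shapes (`r-` plus 4 to 32 lowercase alphanumerics for a root; `ou-`, the root's fragment, `-`, and 8 to 32 more for an OU), treats an omitted `parent_id` as "keep the current parent", and rejects a plan when state has no recorded parent yet (the pre-upgrade situation the `terraform refresh` step above fixes). The account ID and `MoveAccountRequest` struct are placeholders constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample identifiers, shaped like the ones in the manual test
// output above (root r-cg2b, organizational unit ou-cg2b-7aa8b56k); the
// account ID is a placeholder, not a real account.
const (
	sampleAccountID = "111111111111"
	sampleRoot      = "r-cg2b"
	sampleOU        = "ou-cg2b-7aa8b56k"
)

// Regexes for the documented AWS Organizations ID formats: a root is "r-"
// plus 4-32 lowercase letters or digits; an OU is "ou-", the root's own
// fragment, "-", and 8-32 more lowercase letters or digits.
// These are this example's own patterns, not the provider's validators.
var (
	rootIDRe = regexp.MustCompile(`^r-([0-9a-z]{4,32})$`)
	ouIDRe   = regexp.MustCompile(`^ou-([0-9a-z]{4,32})-[0-9a-z]{8,32}$`)
)

// MoveAccountRequest carries the three values the Organizations MoveAccount
// API needs. It is a plain struct for illustration, not the SDK input type.
type MoveAccountRequest struct {
	AccountID           string
	SourceParentID      string
	DestinationParentID string
}

// rootFragment returns the root-identifying fragment shared by a root ID and
// every OU ID beneath it, or an error for an ID of neither shape.
func rootFragment(parentID string) (string, error) {
	if m := rootIDRe.FindStringSubmatch(parentID); m != nil {
		return m[1], nil
	}
	if m := ouIDRe.FindStringSubmatch(parentID); m != nil {
		return m[1], nil
	}
	return "", fmt.Errorf("parent_id %q is neither a root (r-...) nor an organizational unit (ou-...) ID", parentID)
}

// PlanMove decides whether reconciling the parent recorded in state with the
// parent requested in configuration requires a MoveAccount call.
// A nil request means no API call: desiredParent == "" models an omitted
// parent_id (assumption: keep whatever parent the account already has), and
// an unchanged parent is a no-op.
func PlanMove(accountID, currentParent, desiredParent string) (*MoveAccountRequest, error) {
	if desiredParent == "" || desiredParent == currentParent {
		return nil, nil
	}
	if currentParent == "" {
		// State written before parent_id existed has no source parent;
		// MoveAccount needs the real one, so refresh state before planning.
		return nil, errors.New("current parent unknown: refresh state so parent_id is populated before moving")
	}
	srcRoot, err := rootFragment(currentParent)
	if err != nil {
		return nil, err
	}
	dstRoot, err := rootFragment(desiredParent)
	if err != nil {
		return nil, err
	}
	if srcRoot != dstRoot {
		return nil, fmt.Errorf("destination %q does not belong to the same root as source %q", desiredParent, currentParent)
	}
	return &MoveAccountRequest{
		AccountID:           accountID,
		SourceParentID:      currentParent,
		DestinationParentID: desiredParent,
	}, nil
}

func main() {
	// Mirrors the Update step above: account under the root, configuration
	// now points at the OU.
	req, err := PlanMove(sampleAccountID, sampleRoot, sampleOU)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("MoveAccount %s: %s -> %s\n", req.AccountID, req.SourceParentID, req.DestinationParentID)

	// Mirrors bflad-dev2, which never sets parent_id: nothing to do.
	if r, _ := PlanMove(sampleAccountID, sampleRoot, ""); r == nil {
		fmt.Println("parent_id omitted: no move planned")
	}
}
```

The root-fragment check is the part worth keeping in mind for review: because an OU ID embeds the ID of the root that contains it, a source/destination pair whose fragments differ cannot be a valid move inside one organization, and catching that before the API call gives a clearer error than the service's own rejection.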
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Part of #571. Builds on #4207 - diff.