Terraform: Feature request: AWS Organizations support

Created on 1 Mar 2017 · 16 comments · Source: hashicorp/terraform

AWS Organizations has gone GA and it would be very helpful to manage it with Terraform. Among other things, Organizations provides management of multiple accounts and lets you apply Service Control Policies (similar to IAM policies) to those accounts from outside of their administrative namespace.

https://aws.amazon.com/documentation/organizations/

Labels: enhancement, new-resource, provider/aws


All 16 comments

This requires #12325 to be merged

12325 is merged now :)

@stack72 wouldn't this be a new-resource as opposed to an enhancement? I would expect that the outcome here would be that I'm able to write something like this:

# Organization itself; "root" is assumed to expose the root ID.
resource "aws_organization" "org" {
  feature_set = "ALL"
}

data "aws_organizational_unit" "devs" {
  parent = "${aws_organization.org.root}"
}

# Data sources are referenced with the data. prefix.
data "aws_organizational_unit" "gophers" {
  parent = "${data.aws_organizational_unit.devs.id}"
}

resource "aws_organization_account" "mrg" {
  name  = "MrGossett"
  email = "[email protected]"
}

# Places the new account under the "gophers" OU.
resource "aws_organizational_unit_attachment" "oua" {
  account = "${aws_organization_account.mrg.id}"
  parent  = "${data.aws_organizational_unit.gophers.id}"
}

And that involves a number of new resources.

Is the vendoring working OK?
Why does this: https://github.com/hashicorp/terraform/tree/master/vendor/github.com/aws/aws-sdk-go/service
not contain the "organizations" directory found here:
https://github.com/aws/aws-sdk-go/tree/master/service/organizations

I must be missing something, yeah?

EDIT: I should probably have linked to the vendored ref instead of master: https://github.com/aws/aws-sdk-go/tree/v1.8.10/service/organizations

Ping @stack72

EDIT 2: I think I corrected my misunderstanding of how govendor works.

I'm working on a PR for aws_organization_account, but the AWS Organizations API does not support an action to delete an account. I'm not sure how to handle this or even if a good example exists to follow.

Anyone have any thoughts on how to best handle this?

Accounts created by AWS Organizations can only be deleted by a manual process. I think deleting the Terraform resource should be a no-op.

In case anyone's interested, here's the manual process to delete an account created from AWS Organizations:

  1. Perform a root account password recovery for the email address that was specified for the account in Organizations
  2. Login to the account as that root user
  3. Navigate to "My Organization" in the account menu top-right
  4. Leave the organization
  5. Once the account has successfully left the organization, delete the account as usual

@MrGossett Thanks for the feedback! My delete function currently just returns nil so we're thinking along the same lines. I had previously considered having the delete call the LeaveOrganization action but decided against it since it doesn't seem very intuitive for the user.

Do you think that adding a blurb to the documentation page about the lack of delete is good enough? I was considering having the delete function print a warning too.

IMHO, both the blurb and the warning would be useful.

The LeaveOrganization call would have to be done from the child account, no? The other actions for managing an organization are done from the parent account; so that would require switching credentials.

After a quick read through the LeaveOrganization API docs and related RemoveAccountFromOrganization API docs, those actions basically only work if the account was not created from AWS Organizations. They work if it was a pre-existing account that was invited into the Organization.

Yeah, I did mean RemoveAccountFromOrganization. Also, somehow I missed the big Important note discussing how it only works if the account was invited, not created. :sleeping: Thanks!
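As an added example (not code from the original page or from the PR under discussion), here is how the delete step debated in the comments above could behave, written in Go since that is the provider's language. A created account is a no-op on the AWS side: the function returns nil so Terraform drops the resource from state, and hands back the manual cleanup steps as a warning. An invited account, the only case in which RemoveAccountFromOrganization works according to the API docs referenced above, is detached with management-account credentials. The `OrganizationsAPI` interface, the fake client and the twelve-digit account IDs are assumptions made so the example runs offline; a real provider would call aws-sdk-go's `organizations` client, and the PR's own delete function simply returns nil without the invited-account branch.

```go
package main

import (
	"errors"
	"fmt"
)

// JoinedMethod mirrors the JoinedMethod field of an Account as returned by the
// AWS Organizations DescribeAccount API: "CREATED" for accounts created through
// Organizations, "INVITED" for pre-existing accounts that accepted an invitation.
type JoinedMethod string

const (
	JoinedMethodCreated JoinedMethod = "CREATED"
	JoinedMethodInvited JoinedMethod = "INVITED"
)

// OrganizationsAPI is the slice of the Organizations client the delete path
// needs (an assumed interface). A real provider would satisfy it with
// aws-sdk-go's organizations client called with management-account
// credentials; the fake below stands in so the example runs offline.
type OrganizationsAPI interface {
	RemoveAccountFromOrganization(accountID string) error
}

// DeleteOutcome reports what the delete step did, so callers and tests can
// check it without scraping log output.
type DeleteOutcome struct {
	Removed bool   // RemoveAccountFromOrganization was called and succeeded
	Warning string // set when the account still exists and needs manual cleanup
}

// manualCleanupWarning reproduces the manual process from the thread above.
const manualCleanupWarning = `account %s was removed from Terraform state only; AWS Organizations cannot delete it.
To close it by hand:
  1. perform a root password recovery for the email address given for the account
  2. log in to the account as that root user
  3. open "My Organization" in the account menu (top right)
  4. leave the organization
  5. once the account has left the organization, delete it as usual`

// DeleteOrganizationAccount is the delete step of a hypothetical
// aws_organization_account resource. Organizations has no DeleteAccount action,
// and RemoveAccountFromOrganization only works for invited accounts, so the
// only safe behaviour for a created account is to drop it from state and warn.
func DeleteOrganizationAccount(api OrganizationsAPI, accountID string, joined JoinedMethod) (DeleteOutcome, error) {
	switch joined {
	case JoinedMethodCreated:
		// No-op on the AWS side: returning nil lets Terraform remove the
		// resource from state, and the warning tells the operator what is left.
		return DeleteOutcome{Warning: fmt.Sprintf(manualCleanupWarning, accountID)}, nil
	case JoinedMethodInvited:
		// Invited accounts can be detached from the management account.
		if err := api.RemoveAccountFromOrganization(accountID); err != nil {
			// Surface the failure instead of silently dropping state: the account
			// would otherwise stay in the organization with nothing tracking it.
			return DeleteOutcome{}, fmt.Errorf("removing account %s from organization: %w", accountID, err)
		}
		return DeleteOutcome{
			Removed: true,
			Warning: fmt.Sprintf("account %s left the organization but still exists as a standalone account", accountID),
		}, nil
	default:
		// Refuse to guess: an unexpected JoinedMethod means DescribeAccount
		// returned something this code does not understand.
		return DeleteOutcome{}, fmt.Errorf("account %s: unknown JoinedMethod %q", accountID, joined)
	}
}

// fakeOrganizations is a constructed stand-in for the real client that records
// calls and can be told to fail for particular account IDs.
type fakeOrganizations struct {
	removed []string
	failFor map[string]error
}

func (f *fakeOrganizations) RemoveAccountFromOrganization(accountID string) error {
	if err, ok := f.failFor[accountID]; ok {
		return err
	}
	f.removed = append(f.removed, accountID)
	return nil
}

func main() {
	// Account IDs below are constructed placeholders, not real accounts.
	api := &fakeOrganizations{failFor: map[string]error{
		"333333333333": errors.New("constructed API failure"),
	}}
	for _, c := range []struct {
		id     string
		joined JoinedMethod
	}{
		{"111111111111", JoinedMethodCreated},
		{"222222222222", JoinedMethodInvited},
		{"333333333333", JoinedMethodInvited},
	} {
		out, err := DeleteOrganizationAccount(api, c.id, c.joined)
		fmt.Printf("%s (%s): removed=%v err=%v\n%s\n\n", c.id, c.joined, out.Removed, err, out.Warning)
	}
}
```

The point of returning the warning rather than only logging it is that the resource's delete path can be unit tested for the one thing that matters here: a created account must never produce a RemoveAccountFromOrganization call, and a failed removal of an invited account must surface as an error so the resource stays in state.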

@MrGossett I included the steps you provided to delete a member account for the aws_organization_account documentation page. Thanks for all your help!

Would anyone mind reviewing #13831 and #14147? They've been sitting around for a while and I'm having trouble getting someone from Hashicorp to review them. Thanks.

Bump. Comments are closed on the PR for AWS Organizations, and that PR was assigned to an empty milestone. I want to make sure this doesn't get forgotten, this is a much needed feature. Any idea of when this'll get fixed and merged?

@AndrewFarley I would bet it's going to be a while because, as you noted, it's been added to an empty milestone that's quite a few versions from the current release. It's also been almost a year since the original PR was filed. Not sure what to tell you to do. You could try merging my branch into a fork of the new repo and build it yourself. You could click all the emojis you see in the issue and the PR and hope that means something. Failing those things, patience might be the only way forward. Good luck!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
