Upon creating a new account, the OrganizationAccountAccessRole automatically has AdministratorAccess, I want to delete it in Terraform without needing to e.g. import and then delete, as that wouldn't make sense.
Describe Ideal Solution
Detaches the default AdministratorAccess policy that grants on . But before it does that, verifies that the ARN given by the user is attached already, so that users do not accidentally lock themselves out of an AWS subaccount after creation.
E.g. It can check that OrganizationAccountAccessRole has IAMFullAccess, and then detach the existing AdministratorAccess policy.
Use Case
Upon creating a new account, the
OrganizationAccountAccessRoleautomatically hasAdministratorAccess, I want to delete it in Terraform without needing to e.g. import and then delete, as that wouldn't make sense.Describe Ideal Solution
Detaches the default
AdministratorAccesspolicy that grants on . But before it does that, verifies that the ARN given by the user is attached already, so that users do not accidentally lock themselves out of an AWS subaccount after creation.E.g. It can check that
OrganizationAccountAccessRolehasIAMFullAccess, and then detach the existingAdministratorAccesspolicy.Alternatives Considered
Do it outside of Terraform.