Use Case
Upon creating a new account, the OrganizationAccountAccessRole automatically has AdministratorAccess. I want to delete it in Terraform without needing to, e.g., import and then delete, as that wouldn't make sense.
Describe Ideal Solution
Detaches the default AdministratorAccess policy that grants on . But before it does that, verifies that the ARN given by the user is attached already, so that users do not accidentally lock themselves out of an AWS subaccount after creation.
E.g., it can check that OrganizationAccountAccessRole has IAMFullAccess, and then detach the existing AdministratorAccess policy.
Alternatives Considered
Do it outside of Terraform.
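The check-then-detach behaviour asked for above, written out as an added Python example (not code from the Terraform provider or this issue's author). It assumes boto3 credentials that can already act on the member account's IAM, and it keeps the decision logic in a pure function so the lock-out guard can be exercised offline against a constructed stand-in for the IAM client; the `FakeIam` class and the sample attachments are constructed for that purpose only.

```python
"""Safely replace the default AdministratorAccess attachment on a role.

Added example, not part of the original issue or the Terraform AWS provider.
Assumption: credentials with iam:ListAttachedRolePolicies and
iam:DetachRolePolicy in the target account are already configured for boto3.
"""
from dataclasses import dataclass

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
DEFAULT_ROLE = "OrganizationAccountAccessRole"


@dataclass(frozen=True)
class DetachPlan:
    detach: bool   # True only when it is safe to remove AdministratorAccess
    reason: str    # human-readable explanation for logs / plan output


def plan_detach(attached_arns, keep_arn, detach_arn=ADMIN_POLICY_ARN):
    """Decide whether detach_arn may be removed, given the role's current
    attachments and the replacement policy (keep_arn) the user named.
    Refuses whenever removal could leave the role without the intended access."""
    attached = set(attached_arns)
    if keep_arn == detach_arn:
        return DetachPlan(False, "replacement policy is the one being detached")
    if keep_arn not in attached:
        return DetachPlan(False, f"{keep_arn} is not attached; refusing to detach {detach_arn}")
    if detach_arn not in attached:
        return DetachPlan(False, f"{detach_arn} is already detached; nothing to do")
    return DetachPlan(True, f"{keep_arn} verified attached; detaching {detach_arn}")


def list_attached_policy_arns(iam, role_name):
    """Collect every managed-policy ARN attached to the role (paginated)."""
    arns = []
    paginator = iam.get_paginator("list_attached_role_policies")
    for page in paginator.paginate(RoleName=role_name):
        arns.extend(p["PolicyArn"] for p in page["AttachedPolicies"])
    return arns


def replace_admin_access(iam, keep_arn, role_name=DEFAULT_ROLE, dry_run=True):
    """Verify keep_arn is attached, then (unless dry_run) detach AdministratorAccess."""
    plan = plan_detach(list_attached_policy_arns(iam, role_name), keep_arn)
    if plan.detach and not dry_run:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=ADMIN_POLICY_ARN)
    return plan


class FakeIam:
    """Constructed stand-in for a boto3 IAM client so the flow runs offline.
    It mimics only the two calls used above."""

    def __init__(self, attached):
        self.attached = {role: list(arns) for role, arns in attached.items()}

    def get_paginator(self, name):
        assert name == "list_attached_role_policies"
        fake = self

        class _Paginator:
            def paginate(self, RoleName):
                yield {"AttachedPolicies": [{"PolicyArn": a} for a in fake.attached[RoleName]]}

        return _Paginator()

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached[RoleName].remove(PolicyArn)
        return {}


if __name__ == "__main__":
    import boto3  # assumed available with configured credentials

    # Hypothetical replacement policy ARN; substitute the one you actually attached.
    replacement = "arn:aws:iam::aws:policy/IAMFullAccess"
    print(replace_admin_access(boto3.client("iam"), replacement, dry_run=True))
```

Run with `dry_run=True` first: the returned `DetachPlan.reason` tells you whether the guard would have allowed the detach. The guard deliberately refuses when the replacement ARN is missing, so a typo in the ARN produces a no-op rather than a locked-out account.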