hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_organizations_account does not enroll the account with the OU provided in parent ID #22600

Open karivera2 opened 2 years ago

karivera2 commented 2 years ago

When I run aws_organizations_account it provisions the account, but when I go into the AWS console it shows the organizational unit the account should be in; however, it shows a State of Not enrolled with the following warning:

"This account belongs to an organizational unit (OU) that is registered with AWS Control Tower, but the account is not enrolled in that OU. AWS Control Tower recommends that you enroll this account by choosing Re-Register OU on the OU page."


Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.3

Affected Resource(s)

aws_organizations_account

Terraform Configuration Files


resource "aws_organizations_organization" "current_organization" {
  aws_service_access_principals = [
    "config-multiaccountsetup.amazonaws.com",
    "config.amazonaws.com",
    "controltower.amazonaws.com",
    "guardduty.amazonaws.com",
    "sso.amazonaws.com",
  ]
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
  ]
}

resource "aws_organizations_organizational_unit" "sandbox" {
  name      = "Sandbox"
  parent_id = aws_organizations_organization.current_organization.roots[0].id
}

# Create Security Tools Account in the Sandbox OU
resource "aws_organizations_account" "test-1" {
  name                       = "${var.base_name}-security-tools-2"
  email                      = var.cloudteam_sandbox1_account_email
  parent_id                  = aws_organizations_organizational_unit.sandbox.id
  iam_user_access_to_billing = "ALLOW"
  role_name                  = "AWSControlTowerExecution"

  # There is no AWS Organizations API for reading role_name
  lifecycle {
    ignore_changes = [role_name]
  }
}

Debug Output

Panic Output

N/A

Expected Behavior

Account should have been created AND enrolled in the OU

Actual Behavior

Account was created but not enrolled in the OU

Steps to Reproduce

  1. terraform apply
  2. Check the console to see if the new account appears in control tower and what the state is

Important Factoids

None

References

None

sjonpaulbrown commented 2 years ago

I do not believe the enrollment process is related to the AWS Organizations API. The enrollment process seems to be something that is strictly within AWS Control Tower, and as-is, according to the AWS documentation, there is no API for Control Tower. Unless I am missing something, the enrollment process seems to be a manual process that must be initiated within the AWS console.

AWS Control Tower has no APIs or programmatic access. To configure and launch your landing zone, perform the following series of steps.

Using Terraform, you could configure your accounts with the necessary prerequisites so that you can manually enroll the account. This would allow you to manually enroll it after creation.

All that to say, I do not think the enrollment process has an API available for use. Thus, the aws_organizations_account resource cannot be modified to support this.

sblask commented 1 year ago

Well, there is this: https://aws.amazon.com/blogs/architecture/field-notes-enroll-existing-aws-accounts-into-aws-control-tower/ and in particular this: https://raw.githubusercontent.com/aws-samples/aws-control-tower-reference-architectures/master/customizations/AccountFactory/EnrollAccount/enroll_account.py But it takes 30 minutes to enrol an account and you can only enrol one account at a time (as you can update which is a big pain by the way). So until AWS fixes these fundamental problems I don't think it makes sense to have enrolment as part of terraform.

sblask commented 1 year ago

Related: https://github.com/hashicorp/terraform-provider-aws/issues/21674