hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Suspending AWS Account with `aws_organizations_account` failed #24694

Open mettke opened 2 years ago

mettke commented 2 years ago

Terraform Configuration Files

resource "aws_organizations_account" "accounts" {
  close_on_deletion          = true

  [...]
}

Panic Output

I'm using the new close_on_deletion flag on the aws_organizations_account resource. Normally it works very well but today I encountered two strange errors. On the first (destroy) run I encountered this error:

Error: error waiting for AWS Organizations Account delete: unexpected state 'ACTIVE', wanted target ''. last error: %!s(<nil>)

Even though this error appeared, the account was indeed suspended as expected. However, the state still included the account. Now I reran this to see what happens. The next error was this:

Error: error deleting AWS Organizations Account: AccountAlreadyClosedException: You attempted to close an account that is already closed.

Expected Behavior

I'm not sure whether we can fix the first error, as it seems to be an invalid result returned by AWS. But I do think that we should treat the second error as a success instead of a failure. If an account is already closed, the resource should get deleted.

Actual Behavior

When the account is already suspended but terraform still has an entry in the state, a destroy fails.

Steps to Reproduce

The first error is difficult to reproduce. For the second error, it should be enough to have the account in the terraform state and then manually delete it in the UI. A terraform destroy should fail with the error.

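The idempotent delete the OP asks for, as an added example that is not the provider's own code: an `AccountAlreadyClosedException` from the close call is treated as "already deleted" so the resource can be dropped from state, and the closure waiter accepts SUSPENDED (the state the reporters see in the console) as terminal instead of waiting for a status that never arrives. The exception type is a stand-in constructed here to run offline, and the assumption that PENDING_CLOSURE is a transient status is mine, not the issue's.

```go
package main

import (
	"errors"
	"fmt"
)

// AccountAlreadyClosedException is a constructed stand-in for the AWS SDK error
// that CloseAccount returns for an account that is already closed (the second
// error in this issue). Only its type matters for the errors.As check below.
type AccountAlreadyClosedException struct{ Message string }

func (e *AccountAlreadyClosedException) Error() string {
	return "AccountAlreadyClosedException: " + e.Message
}

// deleteAccount makes the destroy idempotent: if AWS already reports the account
// as closed, the delete has effectively succeeded and the resource can leave
// state; any other error is still surfaced.
func deleteAccount(closeAccount func(string) error, accountID string) error {
	err := closeAccount(accountID)
	var already *AccountAlreadyClosedException
	if errors.As(err, &already) {
		return nil
	}
	return err
}

// waitForClosure polls describe() up to maxPolls times. SUSPENDED is the
// terminal state this issue reports for a closed account; ACTIVE and
// PENDING_CLOSURE (assumed transient) mean keep polling; anything else is an
// unexpected state, reported with the status so the operator can see it.
func waitForClosure(describe func(string) (string, error), accountID string, maxPolls int) (string, error) {
	for i := 0; i < maxPolls; i++ {
		status, err := describe(accountID)
		if err != nil {
			return "", err
		}
		switch status {
		case "SUSPENDED":
			return status, nil
		case "ACTIVE", "PENDING_CLOSURE":
			continue
		default:
			return status, fmt.Errorf("unexpected state %q while waiting for account %s to close", status, accountID)
		}
	}
	return "", fmt.Errorf("timed out waiting for account %s to close", accountID)
}
```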

b44rawat commented 2 years ago

I am getting same error while using close_on_deletion

Configuration -

resource "aws_organizations_account" "new_account" {
  close_on_deletion = true
  iam_user_access_to_billing = "DENY"
}

After running the same command, it is giving me this error, as the account created using the organization is showing as suspended but not removed.

Error after running terraform destroy again:

│ Error: Error deleting Organization: OrganizationNotEmptyException: To delete an organization you must first remove all member accounts (except the master).

davejfranco commented 2 years ago

I'm also getting the same error

resource "aws_organizations_account" "ops_stg" {
  name              = "ops_stg"
  close_on_deletion = true
}

I've got this error during the attempt to destroy:

waiting for AWS Organizations Account (00000000000) delete: unexpected state 'ACTIVE', wanted target ''. last error: %!s(<nil>)

The account is now suspended and I've got an email saying the account is closed.

httpdss commented 2 years ago

same here

b44rawat commented 2 years ago

Hi @davejfranco @httpdss

When we create a new account using AWS Organizations [ Non-existing account ] using Terraform or the Console, AWS Organizations creates that account and, from the user end, we only need to accept the invitation and set up some basic information.

Once we try to remove the account using Terraform, it actually removes the account which has consolidated billing and close on deletion enabled, but it doesn't fully remove the account from the AWS Organization. You can check using the Console; it will show the account, but in a suspended state.

So, as per AWS, if we want to remove the account permanently from the AWS Organization, we need to remove the delegated administrator role from the account where we set up AWS Organizations. Use the link below to remove the suspended account.

Link: https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html

NOTE: As per the AWS documentation, they mention that after 90 days it will automatically be removed, but in my case I waited for more than 90 days.

jonans commented 1 year ago

There do appear to be problems with close_on_deletion. My first attempts ran into the bug from #26999 with provider 4.34, where the account could not be closed from Terraform. Accounts were successfully closed from the AWS console, so it was not an issue with the Org settings.

After upgrading to provider 4.56 I encountered the error here. As noted by OP, the account does get closed. However, in my case the second apply exits cleanly. Either way it's a show stopper since accounts can't be closed or applied without error.

tmpm697 commented 1 year ago

For me, the account is closed: if you try to log in to the account it states that it's closed, but from the console it's suspended. In my case, I just created the account and then deleted it immediately by changing name/email --> terraform will replace the resource, which triggers destroy/re-create --> the account is closed.

But I never took the chance to log in to the account to update its credit cards; AWS decides to suspend it from the console and closes the account when you try to log in. So there's no way to remove the account from the console --> you have to contact AWS support to re-open it and re-enter credit cards for it and then try to remove it again?? I don't know.

EDIT: but the credit cards should be on the 'management account' already? EDIT: this issue is due to my having set close_on_deletion = true, which means I can't log in and enter a credit card to be able to remove the account; it's already closed.

mettke commented 1 year ago

@tmpm697 Not sure I understand what you mean, but a suspended account will be removed after 90 days. So just wait 3 months and it will be gone. No need to bother AWS Support.