When you set up AWS consolidated billing, or what is now AWS Organisations, the aws tool uses an IAM user in the root account to assume a role in the subaccount. So you need to identify this in the ~/.aws/config file.
However, Terraform doesn't read the config, only the credentials file. So you have to tell Terraform's aws provider to use the root account, but assume the role in the delegate account using its account-id. So your aws provider block would look like:
Modifying the init-variables script to use some env vars would solve this.
I will submit a PR and link it to this to explain and start an enhancement proposal.
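The provider block itself did not survive on this page. As an added illustration (not the poster's code or the project's), a Terraform aws provider that authenticates as the root-account IAM user and assumes a role in the member account can be written as below; the variable names, profile name, region and account ID are assumptions, and `OrganizationAccountAccessRole` is the role name AWS Organizations creates by default in accounts it provisions.

```hcl
# Added example: variable names, the "root" profile name, the region and the
# account ID 111111111111 are constructed placeholders.

# Equivalent AWS CLI setup in ~/.aws/config, for comparison:
#   [profile subaccount]
#   role_arn       = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
#   source_profile = root

variable "delegate_account_id" {
  description = "12-digit ID of the member (delegate) account"
  type        = string
  # Can be supplied from the environment: export TF_VAR_delegate_account_id=111111111111
}

variable "delegate_role_name" {
  description = "Role to assume in the member account"
  type        = string
  default     = "OrganizationAccountAccessRole"
}

provider "aws" {
  region = "eu-west-1"

  # Long-lived keys of the IAM user in the root account, read from the
  # [root] section of ~/.aws/credentials.
  profile = "root"

  # Everything Terraform creates is done with the temporary credentials
  # returned by sts:AssumeRole for this role, not with the root-account user.
  assume_role {
    role_arn     = "arn:aws:iam::${var.delegate_account_id}:role/${var.delegate_role_name}"
    session_name = "terraform"
  }
}
```

The root-account IAM user then only needs permission to call `sts:AssumeRole` on that role ARN, and the session name appears in the member account's CloudTrail records for the calls Terraform makes.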
I've tested my branch and it works with an organisation account now.
I will still have to test it with a standalone account, and see if it handles normal operation.