Resource: awsOrganizationsAccount
Provides a resource to create a member account in the current organization.
~> Note: Account management must be done from the organization's root account.
~> Note: By default, deleting this Terraform resource will only remove an AWS account from an organization. You must set the closeOnDeletion flag to true to close the account. It is worth noting that quotas are enforced when using the closeOnDeletion argument, which can produce a CLOSE_ACCOUNT_QUOTA_EXCEEDED error, and require you to close the account manually.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.organizationsAccount.OrganizationsAccount(this, "account", {
  email: "john@doe.org",
  name: "my_new_account",
});
Argument Reference
The following arguments are required:
email - (Required) Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.
name - (Required) Friendly name for the member account.
The following arguments are optional:
closeOnDeletion - (Optional) If true, a deletion event will close the account. Otherwise, it will only remove the account from the organization. This is not supported for GovCloud accounts.
createGovcloud - (Optional) Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial) account this resource creates. If true, the GovCloud account ID is available in the govcloudId attribute. The only way to manage the GovCloud account with Terraform is to subsequently import the account using this resource.
iamUserAccessToBilling - (Optional) If set to allow, the new account enables IAM users and roles to access account billing information if they have the required permissions. If set to deny, then only the root user (and no roles) of the new account can access account billing information. If this is unset, the AWS API will default this to allow. If the resource is created and this option is changed, it will try to recreate the account.
parentId - (Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.
roleName - (Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the root account, allowing users in the root account to assume the role, as permitted by the root account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so Terraform cannot perform drift detection on its value and will always show a difference for a configured value after import unless ignoreChanges is used.
tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - The ARN for this account.
govcloudId - ID for a GovCloud account created with the account.
id - The AWS account ID.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
The AWS member account can be imported by using the accountId, e.g.,
Certain resource arguments, like roleName, do not have an Organizations API method for reading the information after account creation. If the argument is set in the Terraform configuration on an imported resource, Terraform will always show a difference. To work around this behavior, either omit the argument from the Terraform configuration or use ignoreChanges to hide the difference, e.g.,
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsOrganizationsAccountAccount =
  new aws.organizationsAccount.OrganizationsAccount(this, "account", {
    email: "john@doe.org",
    name: "my_new_account",
    roleName: "myOrganizationRole",
  });
awsOrganizationsAccountAccount.addOverride("lifecycle", [
  {
    ignore_changes: ["${role_name}"],
  },
]);
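As an added example that is not part of the provider documentation and does not depend on the generated CDKTF bindings, the TypeScript helper below encodes the argument constraints from the Argument Reference and the import drift rule for roleName described above, so account definitions can be linted before they are planned; the AccountConfig type and both function names are assumptions for illustration.

```typescript
// Added example, not from the provider docs: a lint/plan-classification helper
// that encodes this page's rules for aws_organizations_account. The types and
// function names are assumptions for illustration only.
export interface AccountConfig {
  email: string;
  name: string;
  closeOnDeletion?: boolean;
  createGovcloud?: boolean;
  iamUserAccessToBilling?: "allow" | "deny";
  parentId?: string;
  roleName?: string;
}

// Returns human-readable findings for settings the page flags as risky or unsupported.
export function lintAccountConfig(cfg: AccountConfig): string[] {
  const findings: string[] = [];
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(cfg.email)) {
    findings.push("email: must be a valid address not already tied to an AWS account");
  }
  if (cfg.name.trim() === "") findings.push("name: required");
  if (cfg.closeOnDeletion && cfg.createGovcloud) {
    findings.push("closeOnDeletion: not supported for GovCloud accounts");
  }
  if (cfg.iamUserAccessToBilling === undefined) {
    findings.push("iamUserAccessToBilling: unset, AWS defaults to allow (IAM principals can read billing)");
  }
  if (cfg.roleName !== undefined) {
    findings.push("roleName: cannot be read back by the API; use ignore_changes after import");
  }
  return findings;
}

export type ChangeKind = "none" | "differs" | "recreate" | "ignored";
// Classifies each configured argument against the (imported) state:
// a changed iamUserAccessToBilling forces recreation; roleName is never
// returned by the API, so it always "differs" after import unless ignored.
export function classifyChanges(
  prior: Partial<AccountConfig>,
  desired: AccountConfig,
  ignoreChanges: (keyof AccountConfig)[] = [],
): Record<string, ChangeKind> {
  const plan: Record<string, ChangeKind> = {};
  for (const key of Object.keys(desired) as (keyof AccountConfig)[]) {
    if (ignoreChanges.includes(key)) plan[key] = "ignored";
    else if (prior[key] === desired[key]) plan[key] = "none";
    else plan[key] = key === "iamUserAccessToBilling" ? "recreate" : "differs";
  }
  return plan;
}
```

"differs" only means the attribute would show in a plan; whether Terraform applies it in place or replaces the account is outside what this page states, except for iamUserAccessToBilling.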