Avoid Destroying AWS Organization Account

We use the following to manage and create Sandbox Accounts in our AWS organization. We’re really happy with the process, but we also know that we cannot destroy member accounts when team members are removed.

Is there a nice way to leave the account in place while removing the user? Should we consider disabling the user instead of deleting them?

# One member account per IAM user: the account set is keyed by the IAM user
# resource, so removing a user also removes its account instance from the plan.
resource "aws_organizations_account" "account" {
  for_each  = aws_iam_user.user

  name      = "Sandbox ${each.value.name}"
  email     = "${each.value.name}+aws@ourdomain.com"
  role_name = "Administrator"
  parent_id = aws_organizations_organizational_unit.dev_team_ou.id
}

You’ll note that this is a for_each situation so our state looks something like:

module.development-team.aws_organizations_account.account["username"]

I believe I’ve found a solution for the situation we need, which is off-boarding team members and removing access to their member accounts.

I wrote up what we do and included a link to the repository for our Terraform modules.
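One way to keep the member account while removing the person, written as an added example rather than the poster's module: key the accounts off a map that is never pruned (with an active flag), derive the IAM users from the active entries only, guard the accounts with prevent_destroy, and move off-boarded accounts into an assumed "suspended" OU where an SCP can deny activity. The variable layout and the suspended_ou resource are assumptions.

```hcl
# Added example, not the original poster's module. Names: var.sandbox_users,
# aws_organizations_organizational_unit.suspended_ou are assumptions.

variable "sandbox_users" {
  description = "Everyone who has ever had a sandbox. Off-board by setting active=false; never delete a key."
  type = map(object({
    active = bool
  }))
  default = {
    "alice" = { active = true }
    "bob"   = { active = false } # off-boarded: account kept, IAM user removed
  }
}

# IAM users exist only for active members, so off-boarding deletes the login
# and any assume-role path that was granted to it.
resource "aws_iam_user" "user" {
  for_each = { for name, u in var.sandbox_users : name => u if u.active }
  name     = each.key
}

# Accounts are keyed by the full map, so they outlive the IAM user.
resource "aws_organizations_account" "account" {
  for_each = var.sandbox_users

  name      = "Sandbox ${each.key}"
  email     = "${each.key}+aws@ourdomain.com"
  role_name = "Administrator"

  # Changing parent_id moves the account between OUs in place; the suspended
  # OU (assumed to exist) is where a deny-all SCP is attached.
  parent_id = each.value.active ? aws_organizations_organizational_unit.dev_team_ou.id : aws_organizations_organizational_unit.suspended_ou.id

  lifecycle {
    # If someone deletes a key from the map anyway, the plan errors instead
    # of attempting to close the member account.
    prevent_destroy = true
  }
}

output "suspended_sandbox_accounts" {
  description = "Accounts whose owner has been off-boarded, for periodic review."
  value       = { for name, a in aws_organizations_account.account : name => a.id if !var.sandbox_users[name].active }
}
```

State addresses stay module.development-team.aws_organizations_account.account["username"], so existing accounts need no terraform state mv as long as the map keys match the old IAM user names.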