Avoid Destroying AWS Organization Account

We use the following to manage and create Sandbox Accounts in our AWS organization. We’re really happy with the process, but we also know that we cannot destroy member accounts when team members are removed.

Is there a nice way to leave the account in place while removing the user? Should we consider disabling the user instead of deleting them?

resource "aws_organizations_account" "account" {
  for_each  = aws_iam_user.user

  name      = "Sandbox ${each.value.name}"
  email     = "${each.value.name}+aws@ourdomain.com"
  role_name = "Administrator"
  parent_id = aws_organizations_organizational_unit.dev_team_ou.id

You’ll note that this is a for_each situation so our state looks something like:


I believe I’ve found a solution for the situation we need which is off-boarding team members and removing access to their member accounts.

I wrote up what we do and included a link to the repository for our Terraform modules.