I’m trying to add a new AWS account using terraform but when I run terraform plan, it’s saying the existing aliases of existing accounts must be replaced and referencing our master account.
I’m trying to figure out if this would cause issues once deployed, I don’t want any account numbers to change.
Here’s the plan output:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_iam_account_alias.project-dev must be replaced
-/+ resource "aws_iam_account_alias" "project-dev" {
~ account_alias = "project-master" -> "project-dev" # forces replacement
~ id = "project-master" -> (known after apply)
}
# aws_iam_account_alias.project-platform must be replaced
-/+ resource "aws_iam_account_alias" "project-platform" {
~ account_alias = "project-master" -> "project-platform" # forces replacement
~ id = "project-master" -> (known after apply)
}
# aws_iam_account_alias.project-prod must be replaced
-/+ resource "aws_iam_account_alias" "project-prod" {
~ account_alias = "project-master" -> "project-prod" # forces replacement
~ id = "project-master" -> (known after apply)
}
# aws_iam_account_alias.project-new will be created
+ resource "aws_iam_account_alias" "project-new" {
+ account_alias = "project-new"
+ id = (known after apply)
}
# aws_iam_account_alias.project-stage must be replaced
-/+ resource "aws_iam_account_alias" "project-stage" {
~ account_alias = "project-master" -> "project-stage" # forces replacement
~ id = "project-master" -> (known after apply)
}
# aws_organizations_account.project-new will be created
+ resource "aws_organizations_account" "project-new" {
+ arn = (known after apply)
+ email = "aws-admins+project-new@project.io"
+ id = (known after apply)
+ joined_method = (known after apply)
+ joined_timestamp = (known after apply)
+ name = "PROJECT-NEW"
+ parent_id = (known after apply)
+ status = (known after apply)
+ tags = {
+ "env" = "new"
}
}
Plan: 6 to add, 0 to change, 4 to destroy.
Here’s the terraform code:
# ./providers.tf
terraform {
required_version = "0.12.12"
backend "s3" {
bucket = "{redacted-acc-no}-tfstate"
key = "core/accounts"
region = "eu-west-1"
profile = "PROJECT-MASTER"
}
}
provider aws {
region = "eu-west-1"
profile = "PROJECT-MASTER"
}
# ./accounts.tf
#dev
resource "aws_organizations_account" "project-dev" {
name = "PROJECT-DEV"
email = "aws-admins+project-dev@project.io"
tags = {
env = "dev"
}
}
resource "aws_iam_account_alias" "project-dev" {
account_alias = "project-dev"
}
#stage
resource "aws_organizations_account" "project-stage" {
name = "PROJECT-STAGE"
email = "aws-admins+project-stage@project.io"
tags = {
env = "stage"
}
}
resource "aws_iam_account_alias" "project-stage" {
account_alias = "project-stage"
}
#project-prod
resource "aws_organizations_account" "project-prod" {
name = "PROJECT-PROD"
email = "aws-admins+project-prod@project.io"
tags = {
env = "prod"
}
}
resource "aws_iam_account_alias" "project-prod" {
account_alias = "project-prod"
}
#project-new
resource "aws_organizations_account" "project-new" {
name = "PROJECT-NEW"
email = "aws-admins+project-new@project.io"
tags = {
env = "new"
}
}
resource "aws_iam_account_alias" "project-pepelatz" {
account_alias = "project-new"
}
#project-platform
resource "aws_organizations_account" "project-platform" {
name = "PROJECT-PLATFORM"
email = "aws-admins+project-platform@project.io"
tags = {
env = "shared"
}
}
resource "aws_iam_account_alias" "project-platform" {
account_alias = "project-platform"
}