What is the proper pattern for AWS Account management with AWS Organizations?

I have shifted to attempting to use Terraform for AWS Account creation and management in conjunction with AWS Organizations. The creation part of this works well enough and is straightforward on how to make this all work. My confusion comes when I try to handle the delete part of this flow.

What happens:

  • This Terraform is in a pipeline that gets run regularly to keep things in sync and create new accounts as needed and various sanity/change drift catching.
  • Since Terraform can’t delete the AWS Account, I go into the root of the account and hit “Delete Account” so it’ll close it out and 90 days later it’ll get actually removed from the org etc.
  • Terraform handles this fine and just happily says “status == suspended”
  • 90 days later, the account goes away finally.

(This is where the issue hits)

  • Next deploy of the Terraform through the pipeline, it’ll suddenly go and say “Oh, this account is missing, so I’ll go create it” and create a new AWS account, named the same thing again, when I really wanted it to go away.

I can’t remove this account from the Terraform setup as it requires me to set up this account being deleted as a standalone account with credit card etc., which I don’t want or have to deal with since we utilize AWS Organizations.

What is the expected workflow for this management?
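The recreate-after-90-days loop described above comes from the member account being a Terraform-managed resource whose instance disappears from AWS while its definition is still in the configuration. The following HCL is an added illustration (not code from the question or from any answer on this page) of one way to structure the resource so that a closed account can be dropped from management without Terraform trying to detach it from the organization. It assumes the `hashicorp/aws` provider's `aws_organizations_account` resource with its `close_on_deletion` argument (present in the 4.x provider series and later; check the argument reference for the version you pin), a hypothetical OU id, and constructed account names and e-mail addresses.

```hcl
# Added example: member accounts driven from a map, so that removing a key is the
# "decommission" action. Names, e-mails and the OU id below are constructed placeholders.
locals {
  member_accounts = {
    "workload-prod" = { email = "aws-prod@example.invalid" }
    "workload-dev"  = { email = "aws-dev@example.invalid" }
  }
}

resource "aws_organizations_account" "member" {
  for_each = local.member_accounts

  name      = each.key
  email     = each.value.email
  parent_id = "ou-xxxx-PLACEHOLDER" # hypothetical OU id; replace with your own

  # On `terraform destroy` (or when the key is removed from the map), call the
  # Organizations CloseAccount API instead of RemoveAccountFromOrganization.
  # Removing from the org is what forces the "standalone account with a payment
  # method" prerequisite; closing does not.
  close_on_deletion = true

  # These arguments are write-only in the Organizations API, so ignoring them
  # prevents a perpetual diff on every pipeline run.
  lifecycle {
    ignore_changes = [role_name, iam_user_access_to_billing]
  }
}

# For an account that was already closed from the console (status SUSPENDED and
# later purged), the key must come out of the map AND the stale instance out of
# state, otherwise the next plan sees a missing instance and creates a new one:
#
#   terraform state rm 'aws_organizations_account.member["workload-dev"]'
#
# After that, the pipeline no longer knows about the account and will not recreate it.
```

Design note: keeping the account set in a map makes "close this account" a one-line config change plus a state operation that is visible in review, rather than a console click that the pipeline later silently reverses. The state removal is the part that breaks the loop; `close_on_deletion` is what lets future decommissions be done through Terraform in the first place.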