diff --git a/.changelog/35662.txt b/.changelog/35662.txt
new file mode 100644
index 000000000000..29f7ee711551
--- /dev/null
+++ b/.changelog/35662.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_organizations_account: Allow import of accounts with IAM access to the AWS Billing and Cost Management console
+```
\ No newline at end of file
diff --git a/.ci/.golangci2.yml b/.ci/.golangci2.yml
index 708a1d0fb05b..1531f01e4f20 100644
--- a/.ci/.golangci2.yml
+++ b/.ci/.golangci2.yml
@@ -212,7 +212,7 @@ linters-settings:
 require-explanation: true
 require-specific: true
 allow-no-explanation:
- - gomnd
+ - mnd
 - paralleltest
 - tparallel
 - unparam
diff --git a/internal/service/organizations/account.go b/internal/service/organizations/account.go
index 85fdccc27cfe..172340a2edc2 100644
--- a/internal/service/organizations/account.go
+++ b/internal/service/organizations/account.go
@@ -6,7 +6,9 @@ package organizations
 import (
 "context"
 "errors"
+ "fmt"
 "log"
+ "strings"
 "time"
 "github.com/YakDriver/regexache"
@@ -34,7 +36,7 @@ func ResourceAccount() *schema.Resource {
 UpdateWithoutTimeout: resourceAccountUpdate,
 DeleteWithoutTimeout: resourceAccountDelete,
 Importer: &schema.ResourceImporter{
- StateContext: schema.ImportStatePassthroughContext,
+ StateContext: resourceAccountImportState,
 },
 Schema: map[string]*schema.Schema{
@@ -261,6 +263,21 @@ func resourceAccountDelete(ctx context.Context, d *schema.ResourceData, meta int
 return diags
 }
+func resourceAccountImportState(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ if strings.Contains(d.Id(), "_") {
+ parts := strings.Split(d.Id(), "_")
+ if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+ return nil, fmt.Errorf("unexpected format of ID (%q), expected _ or ", d.Id())
+ }
+ d.SetId(parts[0])
+ d.Set("iam_user_access_to_billing", parts[1])
+ } else {
+ d.SetId(d.Id())
+ }
+
+ return []*schema.ResourceData{d}, nil
+}
+
 func createAccount(ctx context.Context, conn *organizations.Organizations, name, email string, iamUserAccessToBilling, roleName *string, tags []*organizations.Tag, govCloud bool) (*organizations.CreateAccountStatus, error) {
 if govCloud {
 input := &organizations.CreateGovCloudAccountInput{
diff --git a/website/docs/r/organizations_account.html.markdown b/website/docs/r/organizations_account.html.markdown
index 0fe2067d24ea..0bf0dab6339b 100644
--- a/website/docs/r/organizations_account.html.markdown
+++ b/website/docs/r/organizations_account.html.markdown
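Review bot: In `resourceAccountImportState`, the text after `_` is stored in `iam_user_access_to_billing` without any check, so a mistyped or lower-case suffix in the import ID lands in state for an attribute that governs IAM access to billing. The return value of `d.Set` is also dropped, which hides a failed write. I would accept only the SDK's `organizations.IAMUserAccessToBillingAllow` and `organizations.IAMUserAccessToBillingDeny` values and return the `d.Set` error, as in the excerpt below; the `else { d.SetId(d.Id()) }` branch is a no-op and can go. The value recorded here is what the operator typed, not something read back from the account (nothing in this hunk verifies it), so a short comment saying that would help whoever later trusts the state.

```go
func resourceAccountImportState(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
	// … unchanged: strings.Contains / strings.Split on "_" and the two-part, non-empty check …

		// The suffix is operator-supplied and is not read back from the account,
		// so accept only the values the Organizations API defines.
		switch parts[1] {
		case organizations.IAMUserAccessToBillingAllow, organizations.IAMUserAccessToBillingDeny:
		default:
			return nil, fmt.Errorf("unexpected iam_user_access_to_billing value %q in import ID, expected %q or %q",
				parts[1], organizations.IAMUserAccessToBillingAllow, organizations.IAMUserAccessToBillingDeny)
		}

		d.SetId(parts[0])
		if err := d.Set("iam_user_access_to_billing", parts[1]); err != nil {
			return nil, err
		}

	// … unchanged: return []*schema.ResourceData{d}, nil …
```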
@@ -66,6 +66,12 @@ Using `terraform import`, import the AWS member account using the `account_id`.
 % terraform import aws_organizations_account.my_account 111111111111
 ```
+To import accounts that have set iam_user_access_to_billing, use the following:
+
+```console
+% terraform import aws_organizations_account.my_account 111111111111_ALLOW
+```
+
 Certain resource arguments, like `role_name`, do not have an Organizations API method for reading the information after account creation. If the argument is set in the Terraform configuration on an imported resource, Terraform will always show a difference. To workaround this behavior, either omit the argument from the Terraform configuration or use [`ignore_changes`](https://www.terraform.io/docs/configuration/meta-arguments/lifecycle.html#ignore_changes) to hide the difference. For example:
 ```terraform