Merge pull request #35662 from Alex-Waring/AWar/org_account/import_ia…

…m_billing r/aws_organizations_account: Allow Import when IAM Billing is set
hashicorp · May 14, 2024 · 0026ba7 · 0026ba7
2 parents ee77de7 + 8c4471e
commit 0026ba7
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/.changelog/35662.txt b/.changelog/35662.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_organizations_account: Allow import of accounts with IAM access to the AWS Billing and Cost Management console
+```
diff --git a/.ci/.golangci2.yml b/.ci/.golangci2.yml
@@ -212,7 +212,7 @@ linters-settings:
     require-explanation: true
     require-specific: true
     allow-no-explanation:
-      - gomnd
+      - mnd
       - paralleltest
       - tparallel
       - unparam

diff --git a/internal/service/organizations/account.go b/internal/service/organizations/account.go
@@ -6,7 +6,9 @@ package organizations
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log"
+	"strings"
 	"time"
 
 	"github.com/YakDriver/regexache"
@@ -34,7 +36,7 @@ func ResourceAccount() *schema.Resource {
 		UpdateWithoutTimeout: resourceAccountUpdate,
 		DeleteWithoutTimeout: resourceAccountDelete,
 		Importer: &schema.ResourceImporter{
-			StateContext: schema.ImportStatePassthroughContext,
+			StateContext: resourceAccountImportState,
 		},
 
 		Schema: map[string]*schema.Schema{
@@ -261,6 +263,21 @@ func resourceAccountDelete(ctx context.Context, d *schema.ResourceData, meta int
 	return diags
 }
 
+func resourceAccountImportState(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	if strings.Contains(d.Id(), "_") {
+		parts := strings.Split(d.Id(), "_")
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			return nil, fmt.Errorf("unexpected format of ID (%q), expected <account_id>_<IAM User Access Status> or <account_id>", d.Id())
+		}
+		d.SetId(parts[0])
+		d.Set("iam_user_access_to_billing", parts[1])
+	} else {
+		d.SetId(d.Id())
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
+
 func createAccount(ctx context.Context, conn *organizations.Organizations, name, email string, iamUserAccessToBilling, roleName *string, tags []*organizations.Tag, govCloud bool) (*organizations.CreateAccountStatus, error) {
 	if govCloud {
 		input := &organizations.CreateGovCloudAccountInput{

diff --git a/website/docs/r/organizations_account.html.markdown b/website/docs/r/organizations_account.html.markdown
@@ -66,6 +66,12 @@ Using `terraform import`, import the AWS member account using the `account_id`.
 % terraform import aws_organizations_account.my_account 111111111111
 ```
 
+To import accounts that have set iam_user_access_to_billing, use the following:
+
+```console
+% terraform import aws_organizations_account.my_account 111111111111_ALLOW
+```
+
 Certain resource arguments, like `role_name`, do not have an Organizations API method for reading the information after account creation. If the argument is set in the Terraform configuration on an imported resource, Terraform will always show a difference. To workaround this behavior, either omit the argument from the Terraform configuration or use [`ignore_changes`](https://www.terraform.io/docs/configuration/meta-arguments/lifecycle.html#ignore_changes) to hide the difference. For example:
 
 ```terraform