
Fix reading existing organizations accounts #24899

Merged
merged 6 commits into from
May 20, 2022

Conversation

linkvt
Contributor

@linkvt linkvt commented May 20, 2022

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #24897

During every account read (also of existing accounts), the create account status is read here:

s, err := findCreateAccountStatusByID(conn, d.Id())

which calls the following SDK function:

output, err := conn.DescribeCreateAccountStatus(input)

As per the AWS docs, this DescribeCreateAccountStatus function can only be called with the ID of the account creation, which looks like this: ^car-[a-z0-9]{8,32}$.
For existing accounts, d.Id() is the account ID (a 12-digit number), which causes this function to fail with the following error:

-----------------------------------------------------: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.246+0200 [DEBUG] provider.terraform-provider-aws_v4.15.0_x5: [aws-sdk-go] {"__type":"InvalidInputException","Message":"You provided a value that does not match the required pattern.","Reason":"INVALID_PATTERN:CREATE_ACCOUNT_REQUEST_ID"}: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.246+0200 [DEBUG] provider.terraform-provider-aws_v4.15.0_x5: [aws-sdk-go] DEBUG: Validate Response organizations/DescribeCreateAccountStatus failed, attempt 0/25, error InvalidInputException: You provided a value that does not match the required pattern.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "censored"
  },
  Message_: "You provided a value that does not match the required pattern.",
  Reason: "INVALID_PATTERN:CREATE_ACCOUNT_REQUEST_ID"
}: timestamp=2022-05-20T11:45:21.246+0200
2022-05-20T11:45:21.247+0200 [ERROR] vertex "censored" error: finding AWS Organizations Create Account Status (censored): InvalidInputException: You provided a value that does not match the required pattern.

Sorry, I did not understand how to do the testing after reading the docs, and I also have no way of testing a govcloud account. Support is appreciated, or just go ahead and reuse this fix in a new PR.

TODOs

  • Changelog
  • Testing

@linkvt
Contributor Author

linkvt commented May 20, 2022

Hi @YakDriver, could you, as the last contributor for the govcloud change, maybe take a look at the bug this caused? I guess you are already way more into the code than me. Thanks!

@ewbankkit
Contributor

It looks like this was caused by #24447.

@github-actions github-actions bot added service/organizations Issues and PRs that pertain to the organizations service. needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. labels May 20, 2022

@github-actions github-actions bot left a comment


Welcome @linkvt 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@ewbankkit ewbankkit added bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels May 20, 2022
@ewbankkit
Contributor

@linkvt Thanks for looking at this 👏 .
I don't think the original code was working in the new account creation case either, as the ID passed here

s, err := findCreateAccountStatusByID(conn, d.Id())

is the account ID, not the CreateAccountRequestId.
We may need to do something with the ListCreateAccountStatus API to get that ID in resource Read.
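As an added illustration of the ID mismatch described in the PR description (a 12-digit account ID handed to DescribeCreateAccountStatus, which only accepts car-... request IDs) and of the ListCreateAccountStatus approach suggested in the comment above, here is example code that is not the provider's own. The SDK calls are replaced by in-memory stand-ins over constructed status data, the CreateAccountStatus struct models only the fields needed, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// The two ID shapes discussed in the PR: a CreateAccountRequestId
// (^car-[a-z0-9]{8,32}$, per the AWS docs cited above) and a 12-digit account ID.
var (
	createAccountRequestIDRe = regexp.MustCompile(`^car-[a-z0-9]{8,32}$`)
	accountIDRe              = regexp.MustCompile(`^[0-9]{12}$`)
)

// ErrInvalidCreateAccountRequestID stands in for the InvalidInputException
// (INVALID_PATTERN:CREATE_ACCOUNT_REQUEST_ID) seen in the PR's debug log.
var ErrInvalidCreateAccountRequestID = errors.New("value does not match the required pattern for CREATE_ACCOUNT_REQUEST_ID")

// CreateAccountStatus is a constructed stand-in for the Organizations API
// object of the same name; only the fields used here are modelled.
type CreateAccountStatus struct {
	ID        string // CreateAccountRequestId, e.g. car-...
	AccountID string // AccountId, populated once State is SUCCEEDED
	State     string // IN_PROGRESS, SUCCEEDED or FAILED
}

// describeCreateAccountStatus models conn.DescribeCreateAccountStatus: the real
// API rejects any ID that is not a car-... value before looking anything up,
// which is exactly what happens when resource Read passes an account ID.
func describeCreateAccountStatus(statuses []CreateAccountStatus, requestID string) (*CreateAccountStatus, error) {
	if !createAccountRequestIDRe.MatchString(requestID) {
		return nil, fmt.Errorf("%w: %q", ErrInvalidCreateAccountRequestID, requestID)
	}
	for i := range statuses {
		if statuses[i].ID == requestID {
			return &statuses[i], nil
		}
	}
	return nil, fmt.Errorf("create account status %q not found", requestID)
}

// findCreateAccountStatusByAccountID does what the ListCreateAccountStatus
// suggestion describes: scan the listed statuses for the request that produced
// a given account. A nil result with a nil error means no request is known,
// which is the normal case for an account that was imported rather than created.
func findCreateAccountStatusByAccountID(statuses []CreateAccountStatus, accountID string) (*CreateAccountStatus, error) {
	if !accountIDRe.MatchString(accountID) {
		return nil, fmt.Errorf("invalid account ID %q: expected 12 digits", accountID)
	}
	for i := range statuses {
		if statuses[i].AccountID == accountID {
			return &statuses[i], nil
		}
	}
	return nil, nil
}

// lookupStatus picks the right call for whatever ID the resource holds, so a
// Read of an existing account never hits the pattern validation error.
func lookupStatus(statuses []CreateAccountStatus, id string) (*CreateAccountStatus, error) {
	switch {
	case createAccountRequestIDRe.MatchString(id):
		return describeCreateAccountStatus(statuses, id)
	case accountIDRe.MatchString(id):
		return findCreateAccountStatusByAccountID(statuses, id)
	default:
		return nil, fmt.Errorf("unrecognised ID %q", id)
	}
}

// sampleStatuses returns constructed data resembling one ListCreateAccountStatus
// page: one finished request and one still in progress.
func sampleStatuses() []CreateAccountStatus {
	return []CreateAccountStatus{
		{ID: "car-0123456789abcdef", AccountID: "123456789012", State: "SUCCEEDED"},
		{ID: "car-fedcba9876543210", AccountID: "", State: "IN_PROGRESS"},
	}
}

func main() {
	statuses := sampleStatuses()
	for _, id := range []string{"123456789012", "car-0123456789abcdef", "999999999999"} {
		s, err := lookupStatus(statuses, id)
		fmt.Printf("%-22s -> %+v, err=%v\n", id, s, err)
	}
	// Reproducing the bug: the account ID sent straight to DescribeCreateAccountStatus.
	_, err := describeCreateAccountStatus(statuses, "123456789012")
	fmt.Println("direct describe with account ID:", err)
}
```

The point of the dispatcher is that the validation happens before any network call: an account ID is routed to the list-and-filter path, and only a value that already matches the car- pattern is sent to the describe call, so the 400 in the log above cannot occur on a Read of an existing account.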

@linkvt
Contributor Author

linkvt commented May 20, 2022

@ewbankkit thanks for the hint, I now understood a bit more of the code and think that this would rather belong in the resourceAccountCreate function, which already contains some code that waits for the account to be created.

I now read in the docs (~line 1769) that there are two accounts created for govcloud, one in govcloud and one in the commercial region for billing:

// When you call the CreateGovCloudAccount action, you create two accounts:
// a standalone account in the Amazon Web Services GovCloud (US) Region and
// an associated account in the commercial Region for billing and support purposes.
// The account in the commercial Region is automatically a member of the organization
// whose credentials made the request. Both accounts are associated with the
// same email address.

I don't know how the AWS API behaves; does the CreateAccountStatus field contain both account IDs or possibly also only one (e.g. if govcloud is created first and commercial takes a few seconds longer)?

I have updated my PR to set the govcloud ID in the same location as the account ID was set, but unfortunately can't test it... I guess this issue needs someone with access to GovCloud to test everything.

@YakDriver
Member

@linkvt Thank you for jumping right on this! I will help by taking a look at what you're working on. The priority now is to get this working for commercial accounts, regardless of the govcloud portion. In other words, we want this to not be a regression and then see if govcloud is behaving. I also cannot test on govcloud.

@YakDriver YakDriver self-assigned this May 20, 2022
@ewbankkit
Contributor

@YakDriver I think I can test with a commercial account I have that is the main account of an organization (not able to test GovCloud though).

@linkvt linkvt marked this pull request as ready for review May 20, 2022 20:16
@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/S Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 20, 2022
@ewbankkit
Contributor

% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/GovCloud PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/GovCloud'  -timeout 180m
=== RUN   TestAccOrganizations_serial
=== RUN   TestAccOrganizations_serial/Account
=== RUN   TestAccOrganizations_serial/Account/GovCloud
    acctest.go:1018: skipping test for aws/us-west-2: Error running apply: exit status 1
        
        Error: error creating AWS Organizations Account (tf_acctest_3683535191489411103): ConstraintViolationException: Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.
        {
          RespMetadata: {
            StatusCode: 400,
            RequestID: "dbeb1d92-5195-49b3-9d35-f94cd047bd04"
          },
          Message_: "Only master accounts that are enabled for access to GovCloud can create accounts in GovCloud.",
          Reason: "MASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED"
        }
        
          with aws_organizations_account.test,
          on terraform_plugin_test.tf line 2, in resource "aws_organizations_account" "test":
           2: resource "aws_organizations_account" "test" {
        
--- PASS: TestAccOrganizations_serial (8.08s)
    --- PASS: TestAccOrganizations_serial/Account (8.08s)
        --- SKIP: TestAccOrganizations_serial/Account/GovCloud (8.08s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/organizations	11.968s

@ewbankkit
Contributor

% make providerlint
==> Checking source code with providerlint...

Contributor

@ewbankkit ewbankkit left a comment


LGTM 🚀.

% TEST_AWS_ORGANIZATION_ACCOUNT_EMAIL_DOMAIN=xxxxxxxx make testacc TESTS=TestAccOrganizations_serial/Account/CloseOnDeletion PKG=organizations
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/organizations/... -v -count 1 -parallel 20 -run='TestAccOrganizations_serial/Account/CloseOnDeletion'  -timeout 180m
=== RUN   TestAccOrganizations_serial
=== RUN   TestAccOrganizations_serial/Account
=== RUN   TestAccOrganizations_serial/Account/CloseOnDeletion
    testing_new.go:87: Error running post-test destroy, there may be dangling resources: exit status 1
        
        Error: error deleting AWS Organizations Account (123456789012): ConstraintViolationException: You have exceeded close account quota for the past 30 days.
        {
          RespMetadata: {
            StatusCode: 400,
            RequestID: "c59e13ef-e478-4dbe-bb1e-9c2647ff293c"
          },
          Message_: "You have exceeded close account quota for the past 30 days.",
          Reason: "CLOSE_ACCOUNT_QUOTA_EXCEEDED"
        }
        
--- FAIL: TestAccOrganizations_serial (28.65s)
    --- FAIL: TestAccOrganizations_serial/Account (28.65s)
        --- FAIL: TestAccOrganizations_serial/Account/CloseOnDeletion (28.65s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/organizations	32.896s
FAIL
make: *** [testacc] Error 1

The failure is unrelated to this change - the account was successfully created and read.

@github-actions github-actions bot removed the size/S Managed by automation to categorize the size of a PR. label May 20, 2022
@github-actions github-actions bot added size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels May 20, 2022
@YakDriver YakDriver merged commit 35642e5 into hashicorp:main May 20, 2022
@github-actions github-actions bot added this to the v4.16.0 milestone May 20, 2022
@linkvt linkvt deleted the fix-reading-existing-aws-organizations-accounts branch May 20, 2022 21:24
@ewbankkit ewbankkit modified the milestones: v4.16.0, v4.15.1 May 20, 2022
@ewbankkit
Contributor

@linkvt Thanks for the contribution 🎉 👏.

@ewbankkit
Contributor

We have started the release for this fix now. Should be available in a couple of hours.

@github-actions

This functionality has been released in v4.15.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 20, 2022
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/organizations Issues and PRs that pertain to the organizations service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Development

Successfully merging this pull request may close these issues.

aws_organizations_account (v4.15.0): Create Account Status does not validate