FR: aws_organizations_account account closure with all SCP's detached causes error.

[susiesolis]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

As a practice, upon account creation, all policies are attached through Terraform while removing FULLAWSAccess using a provisioner. When Terraform tries to destroy the account it first tries to destroy resource aws_organization_policy_attachment and hence tries to detach all SCPs one by one, but fails to detach the last SCP from account as AWS does not allow detaching the last SCP from account.

This results in the following error:

Error: ConstraintViolationException: You cannot remove the last policy attached to the specified target. You must have at least one attached at all times.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "cdb81a90-4a4d-45fc-bdab-d3408028d96b"
  },
  Message_: "You cannot remove the last policy attached to the specified target. You must have at least one attached at all times.",
  Reason: "MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED"
}

1. Is there a way or switch outside of manually manipulating the state that will not attempt to detach all SCP's prior to deleting the aws_organizations_account ?

2. Can there be a dependency such that resource "aws_organizations_policy_attachment" is destroyed after resource "aws_organizations_account" "account" is destroyed? At which point we do not care about deployment error given account is already closed.

References

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment

[YakDriver]

I don’t have the provider error so can’t see exactly where it’s happening. Assuming it’s coming from aws_organizations_policy_attachment when it attempts to detach the policy and it happens to be the last, we could decide that eating that specific error is an acceptable risk or add an argument (something like ignore_last_policy) that allows that error to be skipped.

[susiesolis]

I don’t have the provider error so can’t see exactly where it’s happening. Assuming it’s coming from aws_organizations_policy_attachment when it attempts to detach the policy and it happens to be the last, we could decide that eating that specific error is an acceptable risk or add an argument (something like ignore_last_policy) that allows that error to be skipped.

The error is in the initial request. Here is a snippet from the log.

module.create_account.null_resource.cleaup_scp[0]: Destroying... [id=]
module.create_account.null_resource.configuration_files[0]: Destroying... [id=]
module.create_account.null_resource.cleaup[0]: Destroying... [id=0]
module.create_account.null_resource.cleaup_scp[0]: Destruction complete after 0s
module.create_account.null_resource.configuration_files[0]: Destruction complete after 1s
module.create_account.null_resource.cleaup[0]: Destruction complete after 1s
module.create_account.aws_organizations_policy_attachment.account[0]: Destroying... [id=:]
module.create_account.aws_organizations_policy_attachment.account[2]: Destroying... [id=:]
module.create_account.aws_organizations_policy_attachment.account[1]: Destroying... [id=:]
module.create_account.aws_organizations_policy_attachment.account[0]: Destruction complete after 1s
module.create_account.aws_organizations_policy_attachment.account[1]: Destruction complete after 1s
module.create_account.null_resource.postdeco[0]: Destroying... [id=]
module.create_account.null_resource.postdeco[0]: Provisioning with 'local-exec'...
module.create_account.null_resource.postdeco[0] (local-exec): Executing: ["/bin/sh" "-c" "../../../modules/account/mod_account/moveAccountOUToPOSTDECO.ksh 138473186360"]
module.create_account.null_resource.postdeco[0]: Still destroying... [id=, 10s elapsed]
module.create_account.null_resource.postdeco[0]: Destruction complete after 13s

Error: ConstraintViolationException: You cannot remove the last policy attached to the specified target. You must have at least one attached at all times.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "cdb81a90-4a4d-45fc-bdab-d3408028d96b"
  },
  Message_: "You cannot remove the last policy attached to the specified target. You must have at least one attached at all times.",
  Reason: "MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED"
}


terraform apply

[github-actions]

This functionality has been released in v4.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.