Provision AWS account with terraform, restricted to organization unit

We want to provision AWS accounts programmatically with terraform.

The documentation of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account clearly states that

Account management must be done from the organization's root account.

However, we want to limit the permissions of the account used by Terraform to some organizational unit.

For example, let's say there is the following organizational unit (OU) hierarchy:

root
├── services        < terraform must not change this
│   └── fixed-account
└── customers       < terraform can manage accounts in the 'customers' OU and nowhere else
    ├── account-1
    └── account-2

Is it possible to limit the permissions of the account used by Terraform to some organizational unit (OU)? Or maybe there is some trick that allows using a different, non-root account?

1 Answer

Yes, it is possible to limit the permissions of the AWS account used by Terraform to a specific organizational unit (OU) within an AWS Organizations hierarchy. One approach to achieve this is by leveraging AWS IAM policies and roles to restrict the actions that the Terraform-managed account can perform within the specified OU. Additionally, you can use AWS Organizations SCPs (Service Control Policies) to define restrictions at the organizational unit level, controlling what actions can be taken by member accounts within that OU. By carefully crafting IAM policies, roles, and SCPs in combination, you can achieve the desired level of access restriction for Terraform-managed AWS accounts within the specified OU.
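As an added example (not code from the question or the answer above), the following Terraform shows one way to express the IAM side of that restriction for a principal in the management account. It assumes the "customers" and "services" OUs sit directly under the organization root, the "aws" partition, and a hypothetical policy name "terraform-account-provisioner". The key point it demonstrates is that organizations:CreateAccount supports no resource-level restriction (new accounts always land in the root), so the OU boundary is enforced on organizations:MoveAccount, whose Resource element covers the account, the source parent and the destination parent.

```hcl
# Added example; not from the question, the answer, or the Terraform provider docs.
# Assumed: 'customers' and 'services' are top-level OUs under the root, partition 'aws'.
data "aws_organizations_organization" "this" {}

data "aws_organizations_organizational_units" "top_level" {
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

locals {
  org_id   = data.aws_organizations_organization.this.id
  mgmt_id  = data.aws_organizations_organization.this.master_account_id
  root_arn = data.aws_organizations_organization.this.roots[0].arn

  # Map OU name -> OU ARN for the OUs directly under the root.
  ou_arns          = { for ou in data.aws_organizations_organizational_units.top_level.children : ou.name => ou.arn }
  customers_ou_arn = local.ou_arns["customers"]
  services_ou_arn  = local.ou_arns["services"]

  # Account ARNs carry no OU component, so "any account in this organization"
  # is the narrowest account pattern an IAM Resource element can express.
  any_account_arn = "arn:aws:organizations::${local.mgmt_id}:account/${local.org_id}/*"
}

data "aws_iam_policy_document" "provisioner" {
  # CreateAccount and the read calls Terraform needs to track an account.
  # CreateAccount accepts only Resource "*": the account is created in the root.
  statement {
    sid = "CreateAndReadAccounts"
    actions = [
      "organizations:CreateAccount",
      "organizations:DescribeCreateAccountStatus",
      "organizations:DescribeAccount",
      "organizations:DescribeOrganization",
      "organizations:ListParents",
      "organizations:ListRoots",
      "organizations:ListTagsForResource",
    ]
    resources = ["*"]
  }

  # MoveAccount is authorized against the account, the source parent and the
  # destination parent. Listing only the root and 'customers' means accounts
  # can move between root and 'customers' and nowhere else; any move that
  # names 'services' as source or destination fails the Resource match.
  statement {
    sid     = "MoveAccountsOnlyBetweenRootAndCustomers"
    actions = ["organizations:MoveAccount"]
    resources = [
      local.any_account_arn,
      local.root_arn,
      local.customers_ou_arn,
    ]
  }

  # Explicit Deny on the 'services' OU so that a broader Allow attached to the
  # same principal later (for example MoveAccount on "*") still cannot reach it.
  statement {
    sid       = "NeverMoveIntoOrOutOfServices"
    effect    = "Deny"
    actions   = ["organizations:MoveAccount"]
    resources = [local.services_ou_arn]
  }
}

resource "aws_iam_policy" "provisioner" {
  name   = "terraform-account-provisioner" # hypothetical name
  policy = data.aws_iam_policy_document.provisioner.json
}
```

Attach the policy to the IAM role that Terraform assumes inside the management account; the aws_organizations_account resource then creates the account in the root and moves it to parent_id, and the second statement only lets that move succeed when parent_id is the 'customers' OU. Two limits are worth knowing before relying on this: destructive calls such as organizations:CloseAccount and organizations:RemoveAccountFromOrganization authorize against account ARNs, which contain no OU, so they cannot be fenced to 'customers' by Resource alone and should be granted only if the workflow needs them; and Service Control Policies never apply to the management account, so for a principal that lives there the IAM policy is the control, with CloudTrail's MoveAccount and CreateAccount events as the place to verify it is holding.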