I'm having some problems with importing existing AWS accounts and then managing them through this provider. Despite importing them successfully the provider seems to:
- Update the existing account in-place, despite the fact that the state file already matches the changes from terraform apply
- Running a terraform apply fails with a strange error
Terraform Version
Terraform v1.8.5
on linux_amd64
+ provider registry.terraform.io/idealo/controltower v1.3.0
Expected Behavior
All the configuration matches that of the state file, so there should be no resource updated in place. Then when hitting terraform apply all should run with no updates or errors
Actual Behavior
Firstly, getting configuration changes in the following, despite it matching the state file:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # controltower_aws_account.account will be updated in-place
  ~ resource "controltower_aws_account" "account" {
        id   = "<already existing id>"
        name = "<already existing name>"
        tags = {}
        # (6 unchanged attributes hidden)
      ~ sso {
          ~ email = "<wrong email>" -> "<correct, already existing email>"
            # (2 unchanged attributes hidden)
        }
    }
Then applying the changes results in:
│ Error: provisioning account <name> failed: InvalidParametersException The parent organizational unit '<OU>' is not enrolled in AWS Control Tower.
│
│ with controltower_aws_account.account,
│ on main.tf line 1, in resource "controltower_aws_account" "account":
│ 1: resource "controltower_aws_account" "account" {
despite the fact that the parent OU is enrolled correctly. Please also note that the status of the given provisioned product in AWS is "tainted". But I am able to update it through management console. Then applying another terraform apply gives the same error and "re-taints" the provisioned product.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
I actually managed to find the solution to this. It took me updating the provisioned product in the AWS console on service catalogue. I had to reaffirm that it matched that of the terraform script, despite the fact the state file and the terraform variables were completely congruent. It actually had nothing to do with the parental organization; that was all a red herring.
Still might be an issue because the state file seemingly didn't match that of the actual configuration of the resource. So maybe it's not importing things correctly?
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform import controltower_aws_account.compliance_account pp-*******
terraform apply
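A check that can sit between the import and the apply above, as an added example that is not part of the original report or of the provider's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and lists which attributes an imported resource would have changed, so an unexpected change to an identity attribute such as the SSO email is caught before anything is applied. The sample plan is constructed with placeholder values, and representing the `sso` block as a one-element list is an assumption.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, shaped like the
# plan in the report above; all values are placeholders, not data from the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "controltower_aws_account.account",
        "change": {
            "actions": ["update"],
            "before": {"name": "example", "tags": {},
                       "sso": [{"email": "old@example.com", "first_name": "A"}]},
            "after": {"name": "example", "tags": {},
                      "sso": [{"email": "new@example.com", "first_name": "A"}]},
        },
    }]
})


def diff_paths(before, after, prefix=""):
    """Return the attribute paths whose values differ between two JSON values."""
    if isinstance(before, dict) and isinstance(after, dict):
        paths = []
        for key in sorted(set(before) | set(after)):
            paths += diff_paths(before.get(key), after.get(key), f"{prefix}.{key}" if prefix else key)
        return paths
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        paths = []
        for i, (b, a) in enumerate(zip(before, after)):
            paths += diff_paths(b, a, f"{prefix}[{i}]")
        return paths
    return [] if before == after else [prefix]


def post_import_drift(plan_json):
    """Map each resource address that the plan would change to its differing paths."""
    drift = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if set(change["actions"]) <= {"no-op", "read"}:
            continue  # nothing would be modified for this resource
        drift[rc["address"]] = diff_paths(change.get("before"), change.get("after"))
    return drift


if __name__ == "__main__":
    for address, paths in post_import_drift(SAMPLE_PLAN).items():
        print(address, "->", ", ".join(paths) or "(create/replace)")
```

An empty result means the imported state and the configuration agree; anything else is worth reconciling before `terraform apply` is run.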