Cold start root account was created with aws organizations enabled

[jaguer0]

starting quick start and hit a snag with aws organizations

we ran the following command per this step https://docs.cloudposse.com/layers/accounts/deploy-accounts/?workflows=atmos#-deploy-the-aws-organization

 atmos workflow deploy/organization -f quickstart/foundation/accounts
ℹ Executing command:  atmos terraform deploy account -target="aws_organizations_organization.this[0]" -s core-gbl-root

plan went through but got this error due to pre-existing aws organization , I'm assuming it was created during the root account creation accidentally on our end.

╷
│ Error: creating Organizations Organization: operation error Organizations: CreateOrganization, https response error StatusCode: 400, RequestID: e605cda7-7b56-4291-9cbc-dc98d608fe01, AlreadyInOrganizationException: The AWS account is already a member of an organization.
│
│   with aws_organizations_organization.this[0],
│   on main.tf line 107, in resource "aws_organizations_organization" "this":
│  107: resource "aws_organizations_organization" "this" {
│
╵

Would you recommend we delete the aws organization and retry or import it & how if so? Its all greenfield so figure deleting the organization would be fine & then the command should work but figured I'd ask for recommendation

[Benbentwo]

Both Destroy & Recreate or Import are valid options. The only decision the factor in my head is: if you know where the state lives that currently manages that organization. Hopefully it lives in your Terraform state bucket that's created and managed by the TFState backend component. But if it isn't, if it was on someone else's local or something, then it's probably easiest to just import.

Option 1: Destroy and recreate

Destroy with:
atmos terraform destroy account -s core-gbl-root optionally add -auto-approve

then you should be able to rerun the workflow or individually run atmos terraform deploy account -target="aws_organizations_organization.this[0]" -s core-gbl-root

Option 2: Import

Import via:
atmos terraform import account -s core-gbl-root 'aws_organizations_organization.this[0]' 'O-1234567890' or whatever your organization ID is.

Personally I think import is easy enough, but you don't want states stored somewhere else that might eventually try to destroy it or something.

Let me know which one you picked and how it goes.

[milldr]

+1 to the import option

We've actually just updated the documentation to recommend this workflow going forward. The guidance now is to create the AWS Organization via ClickOps first so you can submit the account quota increase request before starting an engagement and move as quickly as possible. Because of this, the organization will already exist by the time you get to the deployment step, and you'll need to import it.

See the updated docs here (note: deployment is in progress and should be live shortly):

1. Creating the AWS Organization: https://docs.cloudposse.com/layers/accounts/prepare-aws-organization/
2. Deploying Accounts: https://docs.cloudposse.com/layers/accounts/deploy-accounts/

[jaguer0]

@milldr @Benbentwo Thanks for the update! I'll dive into those docs. I have a few follow-up questions regarding the updated docs but original issue was answered .

1. UI Feedback

"Locate the management account (marked with a star)"

I don't actually see a star icon in the current UI. I do see a text label that says "Management account."

2. Naming Convention Verification

• Verify the root account name matches your expected naming convention (typically core-root or similar). This is important for consistency across your infrastructure.

Location: Am I correct in assuming this verification happens in stacks/orgs/acme/_defaults.yaml? Are there other files where this needs to be consistent? Can those be noted if so?

Key vs. Value Mapping:
In my generated files, root_account_account_name is set to xyz-acme-xyz which matches aws and what I provided in quickstart config. However, in the full_account_map, the key is still core-root.

Should the key in full_account_map be updated to match the account name, or is core-root a reserved internal key?

Current Generated Config:

terraform:
  vars:
    account_map:
      root_account_account_name: xyz-acme-xyz
      audit_account_account_name: core-audit
      full_account_map:
        core-root: "123456789012" # Should this key be 'xyz-acme-xyz'?
        core-artifacts: "234567890123"
        core-audit: "345678901234"

[jaguer0]

also the updated docs calls out the import

This workflow runs terraform import to bring the existing AWS Organization under Terraform management. After this step, all organization-level changes will be managed through Atmos and Terraform.

but the commands and workflows are still deploy which is the same command I hit an issue with. Seems it's missing the updated commands that ben noted?

atmos terraform import account -s core-gbl-root 'aws_organizations_organization.this[0]' 'O-1234567890'

[milldr]

Thanks for the feedback!

Import issue: Yes, thanks for pointing that out. I'll update the documentation in just a moment.

Star icon: Nice catch. AWS changed the UI. We’re updating the docs.

Root account naming: The key thing here is that core-root is expected by the reference architecture internally. Your full_account_map key and root_account_account_name should both be core-root, regardless of what your actual AWS account is named in the console.

Docs PR for reference: cloudposse/docs#862