
aws_macie2_member: Error on delete when member is from AWS Organization

Open posquit0 opened this issue 3 years ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

> terraform version
Terraform v1.2.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.25.0

Your version of Terraform is out of date! The latest version
is 1.2.6. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • aws_macie2_member

Debug Output

Panic Output

Expected Behavior

Remove an aws_macie2_member resource which is an AWS Organization member.

Actual Behavior

  • Cannot remove an aws_macie2_member resource which is an AWS Organization member.
  • I can remove the resource after disassociating the member account from the admin account in the AWS web console.
    • However, there is no method to disassociate a member account with Terraform resources.

Steps to Reproduce

  • Execute terraform apply with the following HCL code.
resource "aws_macie2_account" "admin" {
  provider = aws.admin
}

resource "aws_macie2_organization_admin_account" "master" {
  provider = aws.master

  admin_account_id = "${admin-id}"
  depends_on       = [aws_macie2_account.admin]
}

resource "aws_macie2_member" "org_member" {
  provider = aws.org-member

  account_id = "${org-member-id}"
  email      = "${org-member-email}"
  depends_on = [aws_macie2_account.admin]
}
  • Update code.
resource "aws_macie2_account" "admin" {
  provider = aws.admin
}

resource "aws_macie2_organization_admin_account" "master" {
  provider = aws.master

  admin_account_id = "${admin-id}"
  depends_on       = [aws_macie2_account.admin]
}
  • Re-execute terraform apply and you can see the following error message.
module.account.aws_macie2_member.this["xxxxxxxxxx"]: Destroying... [id=xxxxxxxxxx]
╷
│ Error: error deleting Macie Member (xxxxxxxxxxx): ValidationException: The request is rejected because the current account cannot delete the given member account ID since it is still associated to it.
│

posquit0 Aug 10 '22 14:08
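The report above says the delete succeeds once the member has been disassociated from the administrator account by hand. The following script is an added example of that same ordering done with the Macie2 API; it is not code from terraform-provider-aws or from the reporter. It assumes the boto3 `macie2` client methods `get_member`, `disassociate_member` and `delete_member` (which wrap the GetMember, DisassociateMember and DeleteMember API calls), and it assumes that a member whose `relationshipStatus` is `Removed` is already disassociated. The `FakeMacieClient` is a constructed stand-in that reproduces the ValidationException from the issue so the ordering can be exercised offline.

```python
"""Workaround for deleting a Macie member that is still associated.

Added example for this issue, not part of terraform-provider-aws or the
reporter's code. Assumes the boto3 macie2 client methods get_member,
disassociate_member and delete_member, and that relationshipStatus
"Removed" means the member is already disassociated (an assumption).
"""
import types
from typing import Any, Dict, List


def delete_member_safely(macie: Any, account_id: str) -> List[str]:
    """Remove a Macie member from the delegated administrator account.

    Mirrors what the reporter did by hand in the console: disassociate the
    member first, then delete it. Returns the list of API calls made so the
    ordering can be checked.
    """
    calls: List[str] = []
    status = macie.get_member(id=account_id).get("relationshipStatus")
    if status != "Removed":  # assumption: "Removed" == already disassociated
        macie.disassociate_member(id=account_id)
        calls.append("disassociate_member")
    macie.delete_member(id=account_id)
    calls.append("delete_member")
    return calls


def naive_delete(macie: Any, account_id: str) -> str:
    """The ordering that fails in the issue: delete without disassociating."""
    try:
        macie.delete_member(id=account_id)
        return "deleted"
    except macie.exceptions.ValidationException as exc:
        return f"rejected: {exc}"


class FakeMacieClient:
    """Constructed stand-in for boto3's macie2 client, for offline use only.

    It reproduces the behaviour reported in the issue: delete_member raises a
    ValidationException while the member is still associated.
    """

    class ValidationException(Exception):
        pass

    def __init__(self, members: Dict[str, str]) -> None:
        # account_id -> relationshipStatus (constructed sample data)
        self.members = dict(members)
        # boto3 exposes modelled errors under client.exceptions
        self.exceptions = types.SimpleNamespace(
            ValidationException=self.ValidationException
        )

    def get_member(self, id: str) -> Dict[str, Any]:
        return {"accountId": id, "relationshipStatus": self.members[id]}

    def disassociate_member(self, id: str) -> Dict[str, Any]:
        self.members[id] = "Removed"
        return {}

    def delete_member(self, id: str) -> Dict[str, Any]:
        if self.members[id] != "Removed":
            raise self.ValidationException(
                "The request is rejected because the current account cannot "
                "delete the given member account ID since it is still "
                "associated to it."
            )
        del self.members[id]
        return {}


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 2:
        import boto3  # only needed when run against a real admin account

        print(delete_member_safely(boto3.client("macie2"), sys.argv[1]))
    else:
        fake = FakeMacieClient({"111122223333": "Enabled"})
        print(naive_delete(fake, "111122223333"))
        print(delete_member_safely(fake, "111122223333"))
```

Run with no arguments to see the rejected delete followed by the working disassociate-then-delete sequence against the fake client; pass a member account ID to run the same sequence against a real delegated-administrator account using the default boto3 credentials.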