No way to import an alternate contact detail of a member account

[gtmtech]

Provider version 3.70.0
Terraform version any (tested on 0.13.7)

I manage an organisation with hundreds of member accounts, and I wish to make use of the new alternate contacts API . Before the API existed I managed all contact details using the root account so they are already set (so I dont have the problem in #22186). I obviously want to import them and start using the new resource.

The resource allows you tp specify an account_id optional parameter to support setting contacts on member accounts, however according to the docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact it is only possible to import the current account contact details, not a target account_id contact details.

This makes it totally unsuitable for trying to import all the existing contact details.

I suggest that instead of passing OPERATIONS or BILLING, you should be able to pass 123456789012:OPERATIONS as using a colon to separate multiple parameters required in the import has precedent with a lot of other importable resources.

[gtmtech]

To be a bit clearer, this should not happen:

With resource:

resource "aws_account_alternate_contact" "billing" {
  account_id             = aws_organizations_account.this.id
  alternate_contact_type = "BILLING"
  name                   = var.contacts_billing_name
  title                  = var.contacts_billing_title
  email_address          = var.contacts_billing_email
  phone_number           = var.contacts_billing_phone
}

importing:

terraform-0.13.7 import 'module.aws_account["foo"].aws_account_alternate_contact.security' SECURITY

module.aws_account["foo"].aws_account_alternate_contact.security: Importing from ID "SECURITY"...
module.aws_account["foo"].aws_account_alternate_contact.security: Import prepared!
  Prepared aws_account_alternate_contact for import
module.aws_account["foo"].aws_account_alternate_contact.security: Refreshing state... [id=SECURITY]

Import successful!

But now planning immediately wants to destroy it, because the account_id is not set, and all the details are wrong as they are not read from the account_id specified in the resource, but from the org master account (or delegated iam account if you're delegating the accounts api to another account).

terraform-0.13.7 plan

module.aws_account["foo"].aws_account_alternate_contact.security must be replaced
-/+ resource "aws_account_alternate_contact" "security" {
      + account_id             = "xxxxxxxxxxxx" # forces replacement
        alternate_contact_type = "SECURITY"
      ~ email_address          = "me@me.com" -> "me2@me.com"
      ~ id                     = "SECURITY" -> (known after apply)
      ~ name                   = "Cloud Security" -> "Cloud Security2"
        phone_number           = "+xxxxxxxxxxx"
      ~ title                  = "Cloud Security" -> "Cloud Security2"
    }

So the import is not capable of importing a member account, doesn't set the account_id attribute anyway, and further terraforms will want to destructively remove the contact details you do have set up in the org master account or the delegated account, so its even worse than just not being able to do it- its actually destructve, and should not be used at all for member accounts in its current implementation.

[ewbankkit]

@gtmtech Thanks for raising this issue.

#21888, released in v3.68.0 of the Terraform AWS Provider, added the ability to import a member account's details using the syntax:

terraform import aws_account_alternate_contact.example <AccountID>/<ContactType>

The resource's documentation needs updating.

[github-actions]

This functionality has been released in v3.72.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.