I'm trying to make a lambda that upon the input of account details, creates an account within an AWS Organisation. What I want to do is create the account, then move it to a specific OU. The account is created fine, but I can't move it to the OU as I'm not getting the AccountId returned in the response.
import json
import boto3
import string
import random


def get_random_string(length):
    # Helper not shown in the original post; minimal stand-in assumed here.
    return ''.join(random.choice(string.ascii_lowercase) for _ in range(length))


def lambda_handler(event, context):
    client = boto3.client('organizations')
    root_ou_id = "..."
    quarantine_ou_id = "..."
    random_string = get_random_string(5)
    user_name = random_string
    user_email = random_string + "@nctest.com"
    print("user_name: " + user_name)
    print("user_email: " + user_email)
    response = client.create_account(
        Email=user_email,
        AccountName=user_name,
        Tags=[
            {
                'Key': 'account',
                'Value': user_name
            },
            {
                'Key': 'email',
                'Value': user_email
            },
            {
                'Key': 'sandbox',
                'Value': ''
            },
            {
                'Key': 'created_by',
                'Value': 'lambda'
            }
        ])
    # default=str is needed because RequestedTimestamp is a datetime
    print("RESPONSE RECEIVED: " + json.dumps(response, indent=4, sort_keys=True, default=str))
    if 'FailureReason' in response['CreateAccountStatus']:
        return {
            'statusCode': 500,
            'body': json.dumps(response, default=str)
        }
    else:
        # create_account is asynchronous: while State is IN_PROGRESS the
        # status carries the request Id ("car-...") but no AccountId yet,
        # so this lookup raises the KeyError shown below.
        account_id = response['CreateAccountStatus']['AccountId']
        print(account_id)
        # Returns nothing at this time. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations/client/move_account.html
        client.move_account(
            AccountId=account_id,
            SourceParentId=root_ou_id,
            DestinationParentId=quarantine_ou_id
        )
        return {
            'statusCode': 200,
            'body': {
                'id': account_id,
                'account_name': user_name,
                'account_email': user_email,
                'status': "Account Created"
            }
        }
The function fails as the AccountId key isn't present:
[ERROR] KeyError: 'AccountId'
The response I get is this:
{
"CreateAccountStatus":{
"AccountName":"dnpms",
"Id":"car-xxxx",
"RequestedTimestamp":"2023-06-30 09:58:24.686000+00:00",
"State":"IN_PROGRESS"
},
"ResponseMetadata":{
"HTTPHeaders":{
"content-length":"151",
"content-type":"application/x-amz-json-1.1",
"date":"Fri, 30 Jun 2023 09:58:23 GMT",
"x-amzn-requestid":"xxxx"
},
"HTTPStatusCode":200,
"RequestId":"xxxx",
"RetryAttempts":0
}
}
Boto3 docs for create accounts say this should be returned. I need this for the move account call.
Any ideas?
Reading the boto3 docs, it says it only provides the account ID if the account has been created successfully. Making an account request, you get an ID of the request. This ID can be used for the describe_create_account_status API call, and as soon as the account is created successfully this will return the account ID.
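As an added example (not code from the question or the answer above), the polling flow the answer describes: keep the request Id from create_account, call describe_create_account_status until State leaves IN_PROGRESS, then look up the account's current parent with list_parents and move it. The FakeOrganizationsClient, the account and OU ids and the email addresses are constructed stand-ins for boto3.client('organizations') so the example runs offline; the functions take the client as a parameter, so a real client drops in unchanged.

```python
import time


class AccountCreationFailed(Exception):
    """Raised when CreateAccountStatus reaches State == FAILED."""


def wait_for_account(client, request_id, interval=5.0, max_wait=600.0, sleep=time.sleep):
    """Poll describe_create_account_status until the request finishes.

    Returns the AccountId on SUCCEEDED. Raises AccountCreationFailed on FAILED,
    carrying the FailureReason (for example EMAIL_ALREADY_EXISTS), and
    TimeoutError if the request is still IN_PROGRESS after max_wait seconds.
    `sleep` is injectable so the wait can be stubbed out in tests.
    """
    waited = 0.0
    while True:
        status = client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]  # only present once State is SUCCEEDED
        if state == "FAILED":
            reason = status.get("FailureReason", "unknown reason")
            raise AccountCreationFailed(f"{request_id} failed: {reason}")
        if waited >= max_wait:
            raise TimeoutError(f"{request_id} still {state} after {max_wait}s")
        sleep(interval)
        waited += interval


def move_to_ou(client, account_id, destination_ou_id):
    """Move the account from its current parent (a new account lands in the
    root) to destination_ou_id. list_parents avoids hard-coding the root id.
    Returns the parent id the account was moved from."""
    source_id = client.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if source_id != destination_ou_id:
        client.move_account(AccountId=account_id, SourceParentId=source_id,
                            DestinationParentId=destination_ou_id)
    return source_id


def create_and_quarantine(client, email, name, destination_ou_id, sleep=time.sleep):
    """create_account, wait for the request to finish, then move the new account."""
    response = client.create_account(Email=email, AccountName=name)
    request_id = response["CreateAccountStatus"]["Id"]  # "car-..." request id
    account_id = wait_for_account(client, request_id, sleep=sleep)
    moved_from = move_to_ou(client, account_id, destination_ou_id)
    return {"id": account_id, "request_id": request_id, "moved_from": moved_from}


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client('organizations'). Reports
    IN_PROGRESS for the first `pending_polls` status calls, then the
    configured terminal state, and records every move_account call."""

    def __init__(self, pending_polls=2, final_state="SUCCEEDED",
                 failure_reason=None, account_id="111122223333", root_id="r-exmp"):
        self.pending_polls, self.final_state = pending_polls, final_state
        self.failure_reason, self.account_id, self.root_id = failure_reason, account_id, root_id
        self.polls, self.moves = 0, []

    def create_account(self, **kwargs):
        return {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS",
                                        "AccountName": kwargs["AccountName"]}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        status = {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}
        if self.polls > self.pending_polls:
            status["State"] = self.final_state
            if self.final_state == "SUCCEEDED":
                status["AccountId"] = self.account_id
            else:
                status["FailureReason"] = self.failure_reason
        return {"CreateAccountStatus": status}

    def list_parents(self, ChildId):
        return {"Parents": [{"Id": self.root_id, "Type": "ROOT"}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.moves.append((AccountId, SourceParentId, DestinationParentId))
        return {}


if __name__ == "__main__":
    fake = FakeOrganizationsClient()
    print(create_and_quarantine(fake, "sandbox-a@example.com", "sandbox-a",
                                "ou-exmp-quarantine", sleep=lambda _: None))
```

Two operational caveats for running this inside the Lambda: account creation can take several minutes, so polling in the same invocation can run into the function timeout, and create_account takes no idempotency token, so a blind retry after a timeout creates a second account. Persist the car- request id (or hand it to a Step Functions wait loop) and resume from describe_create_account_status rather than calling create_account again.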