Community Note

• Please vote on this issue by adding a 👍reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Need a mechanism to enable Service control policies on the root. It looks like this needs to be done manually before you can successfully apply policies with Organizations (Organizations, Organize accounts, click the Root on the left pane, click Enable under ENABLE/DISABLE POLICY TYPES, Service control policies.

Attempting to add policies without toggling this setting results in this:

aws_organizations_policy_attachment.root_FullAccess: Creating...  policy_id: "" => "p-FullAWSAccess"  target_id: "" => "r-SECRET"Releasing state lock. This may take a few moments...Error: Error applying plan:1 error(s) occurred:* aws_organizations_policy_attachment.root_FullAccess: 1 error(s) occurred:* aws_organizations_policy_attachment.root_FullAccess: error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.        status code: 400, request id: 50573131-5866-11e8-a4c8-2f34931e1acc

References

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root