We want to provision AWS accounts programmatically with Terraform.
The documentation of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account clearly states that
"Account management must be done from the organization's root account."
However, we want to limit the permissions of the account used by Terraform to a particular organizational unit.
For example, let's say there is the following organizational unit (OU) hierarchy:
root
├── services          <- Terraform must not change this
│   └── fixed-account
└── customers         <- Terraform can manage accounts in the 'customers' OU and nowhere else
    ├── account-1
    └── account-2
Is it possible to limit the permissions of the account used by Terraform to a particular organizational unit (OU)? Or maybe there is some trick that allows using a different, non-root account?
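For reference, the OU layout described in the question expressed as a Terraform configuration with the hashicorp/aws provider. This is an added illustration, not code from the question or from the provider documentation, and it does not answer the permission question: it only places the managed accounts under the 'customers' OU via `parent_id` and leaves 'services' untouched. The region, the role ARN, the account ID and the e-mail addresses are placeholders, and running Terraform by assuming a role in the management account is an assumption about the deployment.

```hcl
# Added illustration of the OU hierarchy from the question in Terraform.
# It does not restrict what the Terraform principal is allowed to do.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder

  # Assumption: Terraform runs outside the management account and assumes
  # a role there. The account ID and role name are placeholders.
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformOrgRole"
  }
}

# Look up the organization to obtain the root ID; nothing is created here.
data "aws_organizations_organization" "org" {}

# The 'services' OU and its 'fixed-account' are deliberately NOT declared:
# this configuration never creates, moves or deletes anything under them.

resource "aws_organizations_organizational_unit" "customers" {
  name      = "customers"
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

# Both customer accounts are created directly inside the 'customers' OU.
resource "aws_organizations_account" "customer" {
  for_each = {
    "account-1" = "account-1@example.com" # placeholder e-mail addresses
    "account-2" = "account-2@example.com"
  }

  name      = each.key
  email     = each.value
  parent_id = aws_organizations_organizational_unit.customers.id

  # Role that Organizations preconfigures in each new member account.
  role_name = "OrganizationAccountAccessRole"
}
```

Note that `parent_id` determines where the account ends up, but it is the IAM policy attached to the role Terraform assumes, not this configuration, that decides which OUs Terraform can touch at all.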