Adding accounts to an enterprise

You can build out your enterprise by adding more IBM Cloud® accounts to it. To add accounts, you can import existing accounts that aren't in another enterprise, or you can create new accounts within your enterprise.

After your enterprise has multiple accounts, you can organize related accounts by using account groups. For more information, see in Organizing accounts in an enterprise.

You can have up to 1000 accounts in an enterprise. For more information, see Enterprise limits.

Importing existing accounts

You can import existing accounts into an enterprise. After you import an account, it can't be removed, and each account can be a part of only one enterprise. If you import a Lite or trial account, it's automatically upgraded to a Pay-As-You-Go account.

Importing an account to the enterprise has the following impacts:

Billing for the account transitions to being managed by the enterprise. After the transition, users in the account can't access billing and payment information, such as invoices, payments, or subscriptions, for future billing periods. To view or manage billing, users need to be invited to the enterprise account and be given access to the Billing service in that account. See Centrally manage billing and usage with enterprises for more information.
Users and access permissions within the account are not changed. Access within the account is separate from the enterprise, and users don't automatically get access within the enterprise when the account is imported.
Resources within the account are not changed. Users with the correct access permissions can continue to view usage information for resources in the account.

To import existing accounts into an enterprise, the following access is required:

Within the account to be imported, you must be the account owner or have the Administrator role on the Billing service within the account.
Within the enterprise account, you need the Editor or Administrator role on the Enterprise service and the Administrator role on the Billing service.

Importing an account in the console

To import an existing account, complete the following steps:

Log in to your enterprise account, and go to Manage > Enterprise in the IBM Cloud console.
Click Accounts to view the accounts and account groups in the enterprise. In the Accounts section, select Add > Import account.
Select the account that you want to import.

If no accounts are displayed, you likely don't have the correct access in any existing accounts.
If you want to add the account to an account group, select the account group to be its parent. The parent that you select determines where in the enterprise hierarchy the account exists.
Review the information about impacts to your account, and select I understand the impact to my account. Then, click Import.

After the account is imported to the enterprise, it can't be removed. Be sure you want to permanently move the account to the enterprise.

Importing accounts by using the CLI

Find the ID of the account that you want to import to the enterprise.
```
ibmcloud account list
```
If you want to add the account to an account group, find the names and IDs of existing account groups in the enterprise.
```
ibmcloud enterprise account-groups --recursive
```
Import the account into the enterprise, specifying the account ID for the --account ID parameter. If you don't specify a parent account group, the account is added directly under the enterprise.
```
ibmcloud enterprise account-import --account-id ID
[--parent-account-group ACCOUNT_GROUP_NAME | --parent-account-group-id ACCOUNT_GROUP_ID]
```

Importing accounts by using the API

To import an existing account to the enterprise, call the Enterprise Management API as shown in the following sample request. Replace the IBM Cloud Identity and Access Management (IAM) token and ID variables with the values from your enterprise.

curl -X PUT "https://enterprise.cloud.ibm.com/v1/enterprises/$ENTERPRISE_ID/import/accounts/$ACCOUNT_ID" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json' -d '{
   "parent": "crn:v1:bluemix:public:enterprise::a/$ENTERPRISE_ACCOUNT_ID::enterprise:$ENTERPRISE_ID",
   "billing_unit_id": "$BILLING_UNIT_ID"
}'

ImportAccountToEnterpriseOptions importAccountToEnterpriseOptions = new ImportAccountToEnterpriseOptions.Builder()
    .enterpriseId(enterpriseId)
    .accountId(importAccountId)
    .build();

Response<Void> response = service.importAccountToEnterprise(importAccountToEnterpriseOptions).execute();

const params = {
   enterpriseId: enterpriseId,
   accountId: importAccountId,
};

enterpriseManagementService.importAccountToEnterprise(params)
   .then(res => {
    done();
   })
   .catch(err => {
    console.warn(err)
   });

response = enterprise_management_service.import_account_to_enterprise(
   enterprise_id=enterprise_id,
   account_id=import_account_id,
)

print(json.dumps(response, indent=2))

importAccountToEnterpriseOptions := enterpriseManagementService.NewImportAccountToEnterpriseOptions(
   enterpriseID,
   importAccountID,
)

response, err := enterpriseManagementService.ImportAccountToEnterprise(importAccountToEnterpriseOptions)
if err != nil {
   panic(err)
}

Before you begin

Before you can add accounts to an enterprise by using Terraform, make sure that you have completed the following:

Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Importing accounts by using Terraform

Use the following steps to import an existing account in an enterprise resource by using Terraform.

Create an argument in your main.tf file. The following example imports an account by using the ibm_enterprise_account resource, where enterprise_id is where the account is imported. You must have an existing IAM ID of an enterprise primary contact in order to complete the task.
```
resource "ibm_enterprise_account" "enterprise_import_account"{
 parent = "parent"
 enterprise_id = "enterprise_id"
 account_id = "account_id"
 }
```
You can specify the ID of an account that needs to be imported on the account_id option. For more information, see the argument reference details on the Terraform Enterprise Management page.
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
```
terraform init
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

Creating new accounts

You can create new accounts within your enterprise. The accounts are created as Pay-As-You-Go accounts, and usage is billed to the enterprise. To create an account, you need an access policy with the Editor or Administrator role on the Enterprise service.

Creating accounts in the console

From the Enterprise dashboard, click Accounts to view accounts and account groups in the enterprise.
In the Accounts section, select Add > Create account.
Enter a name for the account that's unique within the enterprise. Because it's one of many accounts, a unique, descriptive name helps you understand the purpose of the account at a glance.
If you want to assign a different user as the account owner, enter their IBMid in the Owner field. The account owner has full access to manage the account.
If you want to add the account to an account group, select the account group to be its parent. The parent that you choose determines where in the enterprise hierarchy the account exists.
Turn on Enterprise-managed IAM to centrally manage access and security settings in the new account. For more information, see Opting in to enterprise-managed IAM.
Click Create.

After you create the account, the account owner can log in to the account to invite other users and manage their access.

Creating accounts by using the CLI

If you want to add the account to an account group, find the names and IDs of existing account groups.
```
ibmcloud enterprise account-groups --recursive
```
Create the account by running the following command. If you don't specify a parent account group, the account is added directly under the enterprise. To make a different user the account owner, specify their IBMid on the --owner option.
```
ibmcloud enterprise account-create NAME
[--parent-account-group ACCOUNT_GROUP_NAME] [--owner USER_ID]
```

Creating accounts by using the API

To create a new account in the enterprise, call the Enterprise Management API as shown in the following sample request, replacing the IAM token and ID variables with the values from your enterprise. For detailed information about the API, see Enterprise Management API.

curl -X POST "https://enterprise.cloud.ibm.com/v1/accounts
-H "Authorization: Bearer <IAM_Token>"
-H 'Content-Type: application/json'
-d '{
  "parent":
  "crn:v1:bluemix:public:enterprise::a/$ENTERPRISE_ACCOUNT_ID::account-group:$ACCOUNT_GROUP_ID",
  "name": "Example Account",
  "owner_iam_id": "$OWNER_IAM_ID"
  "traits": { "enterprise_iam_managed": true }
}'

CreateAccountOptions createAccountOptions = new CreateAccountOptions.Builder()
    .parent(parentCRN)
    .name("Example Account")
    .ownerIamId(enterpriseAccountIamId)
    .build();

Response<CreateAccountResponse> response = service.createAccount(createAccountOptions).execute();
CreateAccountResponse createAccountResponse = response.getResult();

System.out.println(createAccountResponse);();

const params = {
  parent: parentCrn,
  name: 'Example Account',
  ownerIamId: enterpriseAccountIamId,
};

enterpriseManagementService.createAccount(params)
  .then(res => {
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

create_account_response = enterprise_management_service.create_account(
  parent=parent_crn,
  name='Example Account',
  owner_iam_id=enterprise_account_iam_id,
).get_result()

print(json.dumps(create_account_response, indent=2))

createAccountOptions := enterpriseManagementService.NewCreateAccountOptions(
  parentCRN,
  "Example Account",
  enterpriseAccountIamID,
)

createAccountResponse, response, err := enterpriseManagementService.CreateAccount(createAccountOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(createAccountResponse, "", "  ")
fmt.Println(string(b))

For more information about the enterprise_iam_managed trait, see Opting in to enterprise-managed IAM.

Creating accounts by using Terraform

Use the following steps to create accounts by using Terraform:

Create an argument in your main.tf file. The following example creates an account by using the ibm_enterprise_account resource, where name is a unique name to identify the enterprise. You must have an existing IAM ID of an enterprise primary contact in order to complete the task.
```
resource "ibm_enterprise_account" "enterprise_account" {
 parent = "parent"
 name = "name"
 owner_iam_id = "owner_iam_id"
 traits {
     mfa = "NONE"
     enterprise_iam_managed = true
   }
 }
```
You can specify the ID of an account owner on the owner_iam_id option. You can also specify the multifactor authentication setting and turn on enterprise-managed IAM to centrally administer access in the account. For more information, see Opting in to enterprise-managed IAM and the argument reference details on the Terraform Enterprise Management page.
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
```
terraform init
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```