This is the Terraform I use to configure my main AWS account.
Some parts of the process are still manual, unfortunately:
My Account -> IAM User and Role Access to Billing Information -> enable (must be done via the root account)
IAM -> Account Settings -> "Security Token Service Regions" -> Disable all regions except us-east-1