We can enable/disable regions at the account level by logging in as the AWS account administrator and going to My Account -> AWS Regions. Only "opt-in" regions can be enabled or disabled e.g."Asia Pacific (Hong Kong)". All other regions are "Enabled by default" on an AWS account and cannot be disabled. Challenge is, that this operation doesn't have API to manage this setting therefore no terraform either. We have written script (uses selenium), but it has to be executed manually by operator from Win and authenticate using ADFS.

We are looking to automate entire account provisioning workflow, but missing on #2 -

1. Using AWS Organizations create new child account (done - API available)
2. Enable e.g. Hong Kong region programmatically (from linux cmd / lambda) - Missing https://docs.aws.amazon.com/general/latest/gr/rande-manage.html
3. Enable Global STS (done - API available) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

thanks, D

Now it is possible to programmatically enable a non default region, e.g. Zurich (eu-central-2). See the Manage account regions documentation.

Via boto3 it is possible as well with the enable_region method. Keep in mind that it might take several hours until it's usable.
To check if the enabling succeeded use the get_region_opt_status method

This is not publicly available within the API as of the time of this answer.

From the AWS documentation it states the below

If a Region is disabled by default, you can use the AWS Management Console to enable and disable it.

There are actually permissions for enabling and disabling, but currently the verbs are not exposed programmatically.

As the AWS console is API driven this will be privately accessible, hopefully in the future it will be allowed in the public.