Closed briankfitzwater closed 6 years ago
The "pool" idea is also discussed in #3.
When the service is deleted, return the account to the available pool.
We would need to assume that tenants changed settings and left resources in there, so there would be some non-trivial cleanup involved.
For that exact reason, I suspect there could be some security/SSP objections to that.
And you can't change the Account name, so if we implement a naming scheme, we wouldn't be able to apply it to re-used accounts. BTW, the Account Broker currently names the account with the GUID passed by the broker manager as the InstanceID...ab5b3936-0fcf-4e12-a3b3-acff95724e6f probably isn't an ideal account name.
Or we could indicate the account request is "unassigned" and once we have a method to ensure the account is available for re-use, change it to "available" (assuming we don't need to assign a name to the account).
you can't change the Account name
Really? You can change the alias, through the UI at least...
You can change the alias, but the alias and the name aren't the same thing. The name is set when you create the account, and I don't see any methods to modify the account name from the UI or CLI. The alias is set after the account has been created, but you have to be logged into the sub-account or switch to a delegated role in the sub-account with IAM.create-account-alias permissions to set and modify the alias. It can't be done from the master account directly.
After further discussion with @aidanfeldman we've decided not to do this. I'm cancelling the pull request. I'm keeping the branch because I need part of this functionality in order to demo/test the broker. Without the ability to delete services, I can't remove the service broker when I'm done testing.
Add the ability to track available AWS accounts. When an aws-account is requested, check the available pool first instead of creating a new account. When the service is deleted, return the account to the available pool.
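The pool-tracking behaviour proposed here, together with the "unassigned" versus "available" distinction raised in the discussion (an account handed back by a tenant is not reusable until cleanup has verified it is empty), as an added example that is not the broker's own code. The `AccountPool` class, the state names, and the account and instance IDs are all constructed for illustration; the creation path fabricates a placeholder ID where a real broker would call AWS Organizations.

```python
"""Illustrative account pool for an AWS account service broker.

Added example, not the broker's own code. Account IDs and service
instance IDs used here are constructed placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    AVAILABLE = "available"    # verified clean, can be handed out
    ASSIGNED = "assigned"      # bound to a live service instance
    UNASSIGNED = "unassigned"  # returned by a tenant, not yet verified clean


@dataclass
class Account:
    account_id: str
    state: State = State.AVAILABLE
    instance_id: Optional[str] = None


@dataclass
class AccountPool:
    accounts: Dict[str, Account] = field(default_factory=dict)
    created: int = 0  # count of brand-new accounts we had to create

    def add(self, account_id: str) -> None:
        """Register an existing, known-clean account as available."""
        self.accounts[account_id] = Account(account_id)

    def provision(self, instance_id: str) -> Account:
        """Check the available pool first; create a new account only if it is empty."""
        for acct in self.accounts.values():
            if acct.state is State.AVAILABLE:
                acct.state = State.ASSIGNED
                acct.instance_id = instance_id
                return acct
        # Hypothetical creation path: a real broker would call
        # Organizations CreateAccount here; we fabricate a placeholder ID.
        self.created += 1
        acct = Account(f"new-{self.created:012d}", State.ASSIGNED, instance_id)
        self.accounts[acct.account_id] = acct
        return acct

    def deprovision(self, instance_id: str) -> Account:
        """Return the account to the pool as 'unassigned', never directly 'available'."""
        for acct in self.accounts.values():
            if acct.instance_id == instance_id and acct.state is State.ASSIGNED:
                acct.state = State.UNASSIGNED
                acct.instance_id = None
                return acct
        raise KeyError(f"no assigned account for instance {instance_id}")

    def mark_clean(self, account_id: str) -> Account:
        """Only after cleanup has verified the tenant left nothing behind is the account reusable."""
        acct = self.accounts[account_id]
        if acct.state is not State.UNASSIGNED:
            raise ValueError(f"{account_id} is {acct.state.value}, not unassigned")
        acct.state = State.AVAILABLE
        return acct


if __name__ == "__main__":
    pool = AccountPool()
    pool.add("111111111111")                     # constructed account ID
    first = pool.provision("instance-1")         # reuses the pooled account
    second = pool.provision("instance-2")        # pool empty, creates a new one
    pool.deprovision("instance-1")               # goes to 'unassigned'
    third = pool.provision("instance-3")         # still creates: unassigned is not available
    pool.mark_clean("111111111111")
    fourth = pool.provision("instance-4")        # now the cleaned account is reused
    print(first.account_id, second.account_id, third.account_id, fourth.account_id)
```

The key design point is that `deprovision` never hands an account straight back to the available set; it parks it as unassigned until a separate cleanup step confirms no tenant settings or resources were left behind, which addresses the objection raised in the thread.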