The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
In manifest_parser.py, the get_final_account_list() method has a logic error. The statement below is checking for name.lower() in the string key.lower(). The problem arises when you have an account name that is a subset of another account name. I have one account named "aws-ct" and one account named "aws-ct-master". When I specify "aws-ct" as a deploy_to_account, the logic in the statement below matches both "aws-ct" and "aws-ct-master", which is deploying the resource to both accounts, even though only the "aws-ct" account is listed in manifest.yaml. See the snippet below from my CloudTrail logs that shows the name_to_account_map object.
```python
if name_list:
    # convert OU Name to OU IDs
    for name in name_list:
        name_account = [value for key, value in
                        name_to_account_map.items()
                        if name.lower() in key.lower()]
        self.logger.info("%%%%%%% Name {} - Account {}"
                         .format(name, name_account))
        new_account_list.extend(name_account)
```
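The following is an added example, not code from the Customizations for AWS Control Tower project, that reproduces the substring match described above on a constructed name_to_account_map and places it beside an exact-match version. The account IDs and the third account name are made up for the demonstration, and the `missing` list returned by the fixed version (so that a name with no matching account is reported instead of silently dropped) is an addition beyond what the issue asks for:

```python
# Added example (not CfCT's own code): substring match vs. exact match when
# resolving account names from manifest.yaml to account IDs.

# Constructed sample map in the shape of name_to_account_map: account name -> account ID.
# The IDs below are placeholders, not real AWS account IDs.
SAMPLE_NAME_TO_ACCOUNT_MAP = {
    "aws-ct": "111111111111",
    "aws-ct-master": "222222222222",
    "security": "333333333333",
}


def resolve_accounts_substring(name_list, name_to_account_map):
    """Behaviour as reported: `name.lower() in key.lower()` is a substring test,
    so "aws-ct" also matches "aws-ct-master"."""
    new_account_list = []
    for name in name_list:
        name_account = [value for key, value in name_to_account_map.items()
                        if name.lower() in key.lower()]
        new_account_list.extend(name_account)
    return new_account_list


def resolve_accounts_exact(name_list, name_to_account_map):
    """Fix: compare lowercased names for equality (case-insensitive, but whole-name).

    Returns (account_ids, missing_names). A name that matches no account is
    reported rather than silently producing zero deployments.
    """
    lowered = {key.lower(): value for key, value in name_to_account_map.items()}
    new_account_list = []
    missing = []
    for name in name_list:
        account_id = lowered.get(name.lower())
        if account_id is None:
            missing.append(name)
        else:
            new_account_list.append(account_id)
    return new_account_list, missing


if __name__ == "__main__":
    deploy_to = ["aws-ct"]
    print("substring match:", resolve_accounts_substring(deploy_to, SAMPLE_NAME_TO_ACCOUNT_MAP))
    print("exact match:    ", resolve_accounts_exact(deploy_to, SAMPLE_NAME_TO_ACCOUNT_MAP))
```

With `deploy_to_account: ["aws-ct"]`, the substring version returns both account IDs, which is exactly the double deployment described in the report; the exact version returns only the "aws-ct" ID. Because a wrong match here deploys resources into an account the manifest never named, an exact comparison is the safer default, and surfacing unmatched names makes a typo in manifest.yaml visible instead of silent.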