benkehoe / aws-sso-util

Smooth out the rough edges of AWS SSO (temporarily, until AWS makes it better).
Apache License 2.0

Exclude inactive accounts in lookup cache #114

Open iainelder opened 8 months ago

iainelder commented 8 months ago

The lookup_accounts_for_ou function yields accounts in two branches. Branch 1 handles uncached accounts and branch 2 handles cached accounts.

PR #81 added a check to exclude inactive accounts in branch 1 without adding the same check to branch 2.

In that way it solved #80 but only when the OU containing a suspended account doesn't repeat.

This PR copies the check from branch 1 to branch 2 for consistent behavior in a template with many assignment groups to the same target OU.

The second assignment group no longer generates an assignment for a suspended account, which causes CloudFormation to fail with an error like this:

Resource handler returned message: "Error occurred during operation 'Request REDACTED failed due to:
AWS SSO is unable to complete your request at this time.
Obtaining permissions to manage your AWS account 'REDACTED' is taking longer than usual.

Test the deployed macro with a template like this:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS-SSO-Util-2020-11-08
Resources:
  Test:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: MacroTest
      Principal:
        - Type: GROUP
          Id:
            - 11111111-1111-1111-1111-111111111111
      PermissionSet:
        - arn:aws:sso:::permissionSet/ssoins-2222222222222222/ps-3333333333333333
      Target:
        - { Type: AWS_OU, Id: r-4444 }
  Test2:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: MacroTest2
      Principal:
        - Type: GROUP
          Id:
            - 55555555-5555-5555-5555-555555555555
      PermissionSet:
        - arn:aws:sso:::permissionSet/ssoins-2222222222222222/ps-3333333333333333
      Target:
        - { Type: AWS_OU, Id: r-4444 }

Consider an organization with active member accounts 111111111111 and 222222222222 and suspended member account 333333333333.

Before this change, the CloudWatch logs group shows the following message for the first assignment group. It lists just active accounts as targets.

[DEBUG] 2023-10-17T13:13:49.592Z    eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee    Got targets:
[ACCOUNT:111111111111[r-4444], ACCOUNT:222222222222[r-4444]

The group shows the following message for the second assignment group. It lists the active and suspended accounts as targets. This is incorrect behavior and later causes the CloudFormation error.

[DEBUG] 2023-10-17T13:13:49.593Z    eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee    Got targets:
[ACCOUNT:111111111111[r-4444], ACCOUNT:222222222222[r-4444], ACCOUNT:333333333333[r-4444]]

After this change, each assignment group logs just the active accounts as targets.
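A constructed model of the two-branch lookup described above, added here as an illustration and not code from aws-sso-lib or this PR. The function and helper names, the in-memory `ORG_ACCOUNTS` data and the `list_accounts_for_parent` stand-in are assumptions; the account ids and statuses mirror the organization in the description.

```python
"""Toy model of an OU -> accounts lookup with a per-OU cache (constructed example)."""
from typing import Callable, Dict, Iterator, List

# Constructed organization: OU id -> Organizations-style account records.
ORG_ACCOUNTS: Dict[str, List[dict]] = {
    "r-4444": [
        {"Id": "111111111111", "Status": "ACTIVE"},
        {"Id": "222222222222", "Status": "ACTIVE"},
        {"Id": "333333333333", "Status": "SUSPENDED"},
    ],
}

def list_accounts_for_parent(ou_id: str) -> List[dict]:
    """Hypothetical stand-in for the Organizations API call."""
    return list(ORG_ACCOUNTS.get(ou_id, []))

def lookup_accounts_for_ou_buggy(ou_id: str, cache: Dict[str, List[dict]]) -> Iterator[str]:
    """Branch 1 (uncached) filters on Status; branch 2 (cached) forgets to."""
    if ou_id not in cache:
        accounts = list_accounts_for_parent(ou_id)
        cache[ou_id] = accounts
        for account in accounts:
            if account["Status"] != "ACTIVE":
                continue
            yield account["Id"]
    else:
        for account in cache[ou_id]:  # no Status check: suspended ids leak through
            yield account["Id"]

def lookup_accounts_for_ou_fixed(ou_id: str, cache: Dict[str, List[dict]]) -> Iterator[str]:
    """Same structure, with the Status check copied into the cached branch."""
    if ou_id not in cache:
        accounts = list_accounts_for_parent(ou_id)
        cache[ou_id] = accounts
        for account in accounts:
            if account["Status"] != "ACTIVE":
                continue
            yield account["Id"]
    else:
        for account in cache[ou_id]:
            if account["Status"] != "ACTIVE":
                continue
            yield account["Id"]

def targets_for_groups(lookup: Callable, ou_ids: List[str]) -> List[List[str]]:
    """Resolve targets for several assignment groups that share one cache."""
    cache: Dict[str, List[dict]] = {}
    return [sorted(lookup(ou_id, cache)) for ou_id in ou_ids]
```

With two groups targeting `r-4444`, the buggy lookup yields the suspended account only for the second group, which is the inconsistency the log excerpts show.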

iainelder commented 8 months ago

My skip-suspended branch includes extra changes that allow me to use this change before PyPI hosts a new version of the aws-sso-lib module.