The lookup_accounts_for_ou function yields accounts in two branches. Branch 1
handles uncached accounts and branch 2 handles cached accounts.
PR #81 added a check to exclude inactive accounts in branch 1 without adding
the same check to branch 2.
In that way it solved #80 but only when the OU containing a suspended account
doesn't repeat.
This PR copies the check from branch 1 to branch 2 for consistent behavior in a
template with many assignment groups to the same target OU.
The second assignment group no longer generates an assignment for a suspended
account; such an assignment causes CloudFormation to fail with an error like this:
Resource handler returned message: "Error occurred during operation 'Request REDACTED failed due to:
AWS SSO is unable to complete your request at this time.
Obtaining permissions to manage your AWS account 'REDACTED' is taking longer than usual.
Test the deployed macro with a template like this:
Consider an organization with active member accounts 111111111111 and 222222222222 and suspended member account 333333333333.
Before this change, the CloudWatch log group shows the following message for the first assignment group. It lists just the active accounts as targets.
The log group shows the following message for the second assignment group. It lists the active and suspended accounts as targets. This is incorrect behavior and later causes the CloudFormation error.
After this change, each assignment group logs just the active accounts as targets.
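To make the branch asymmetry concrete, here is an added Python sketch (not the project's code): a hypothetical two-branch lookup_accounts_for_ou in a pre-fix and a post-fix variant, run over a constructed in-memory OU listing that stands in for the AWS Organizations API, with the same shared cache reused across assignment groups.

```python
# Added illustration, not the macro's real code. OU_ACCOUNTS is a constructed
# stand-in for the AWS Organizations listing; the cache is a plain dict.
OU_ACCOUNTS = {
    "ou-example": [
        {"Id": "111111111111", "Status": "ACTIVE"},
        {"Id": "222222222222", "Status": "ACTIVE"},
        {"Id": "333333333333", "Status": "SUSPENDED"},
    ]
}


def lookup_accounts_for_ou_buggy(ou_id, cache):
    """Pre-fix: only branch 1 (uncached) filters on account status."""
    if ou_id in cache:
        # Branch 2 (cached): yields every cached account, suspended ones included.
        for account in cache[ou_id]:
            yield account["Id"]
        return
    # Branch 1 (uncached): fetch, cache, and keep only ACTIVE accounts.
    accounts = OU_ACCOUNTS.get(ou_id, [])
    cache[ou_id] = accounts
    for account in accounts:
        if account["Status"] == "ACTIVE":
            yield account["Id"]


def lookup_accounts_for_ou_fixed(ou_id, cache):
    """Post-fix: the status check from branch 1 is copied into branch 2."""
    if ou_id in cache:
        # Branch 2 (cached): now applies the same ACTIVE check as branch 1.
        for account in cache[ou_id]:
            if account["Status"] == "ACTIVE":
                yield account["Id"]
        return
    accounts = OU_ACCOUNTS.get(ou_id, [])
    cache[ou_id] = accounts
    for account in accounts:
        if account["Status"] == "ACTIVE":
            yield account["Id"]


def targets_per_group(lookup, ou_id, groups):
    """Resolve the same OU once per assignment group, sharing one cache.

    Returns one target list per group, so a second group hitting the cached
    branch shows whether the suspended account leaks into its targets.
    """
    cache = {}
    return [list(lookup(ou_id, cache)) for _ in range(groups)]
```

With two assignment groups on the same OU, the buggy variant lists 333333333333 for the second group only, which is exactly the asymmetry the first CloudWatch messages above show; the fixed variant lists the two active accounts for both.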