Closed dylanratcliffe closed 1 month ago
I've done some research on this and there is an Organizations API that would allow us to discover the accounts underneath a given parent account. The problem with this, though, is that each of these child accounts needs to define its own IAM role that we can assume. This would mean that the user would still need to create something in CloudFormation and apply that CloudFormation thing to all of their child accounts. I think that probably the best way to deal with this is to try it ourselves, document how to do it, and then see if anyone wants to use it.
It would be possible to do a more involved integration where we may just get access to the parent account, then use that access to determine what the child accounts are, then tell the user what they need to do to get access to those child accounts, and also show them which ones we do and don't have access to. That would be quite helpful, but the onus is still very much on the user to do the work. So in the beginning, I think just making it support assuming a role twice would be the most logical place to start, as in: assume a role into the parent account and then assume another role into the child account. From there we would consider improving the UI.
In theory it should be possible to either integrate higher up in the hierarchy, and therefore integrate with a single account but then cascade down, or potentially have Control Tower create the integrations for us. Not sure which is possible.
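The two-hop flow discussed in the comment above (assume a role into the parent account, list the organisation's accounts from there, then assume a second role into each child and report which children do and don't let us in), written out as an added example. This is my code, not code from the issue or from the project it belongs to. Everything named here is an assumption: the roles `ParentRole` and `ChildRole`, the account ids, the session name, and `FakeBackend`, which is a constructed offline stand-in for STS and Organizations so the logic can run without AWS. `Boto3Backend` makes the real `sts:AssumeRole` and `organizations:ListAccounts` calls and is only reached when boto3, credentials and a region are configured.

```python
"""Two-hop role chaining into every member account of an AWS organisation.

Added example; not code from the issue or its project. Assumptions (all
hypothetical): the management ("parent") account has a role ParentRole that
our integration identity may assume and that may call
organizations:ListAccounts; each child account is expected to have a
ChildRole whose trust policy names ParentRole. Account ids are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Credentials:
    """Temporary STS credentials for one role session."""
    access_key: str
    secret_key: str
    session_token: str


def role_arn(account_id: str, role_name: str) -> str:
    """IAM role ARN; IAM is global, so the region field stays empty."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def discover_access(backend, parent_account: str, parent_role: str,
                    child_role: str, session_name: str
                    ) -> Tuple[Dict[str, Credentials], List[str]]:
    """Hop into the parent, enumerate the org, then chain into each child.

    Returns the child sessions obtained plus the account ids where the second
    hop was denied (no ChildRole, or a trust policy that does not name us),
    so the caller can tell the user exactly which accounts still need setup.
    """
    # Hop 1: integration identity -> parent account.
    parent = backend.assume_role(None, role_arn(parent_account, parent_role),
                                 session_name)
    sessions: Dict[str, Credentials] = {}
    denied: List[str] = []
    for account in backend.list_accounts(parent):
        # Hop 2: parent session -> child. This is role chaining, so AWS caps
        # the child session at one hour whatever the role's max duration is.
        try:
            sessions[account] = backend.assume_role(
                parent, role_arn(account, child_role), session_name)
        except PermissionError:
            denied.append(account)
    return sessions, denied


class Boto3Backend:
    """Real STS/Organizations calls; needs boto3, credentials and a region."""

    @staticmethod
    def _client(service: str, creds: Optional[Credentials]):
        import boto3  # lazy import: the offline demo below does not need it
        if creds is None:
            return boto3.client(service)  # default credential chain
        return boto3.client(service,
                            aws_access_key_id=creds.access_key,
                            aws_secret_access_key=creds.secret_key,
                            aws_session_token=creds.session_token)

    def assume_role(self, creds, arn: str, session_name: str) -> Credentials:
        from botocore.exceptions import ClientError
        try:
            c = self._client("sts", creds).assume_role(
                RoleArn=arn, RoleSessionName=session_name,
                DurationSeconds=3600)["Credentials"]
        except ClientError as exc:
            if exc.response["Error"]["Code"] == "AccessDenied":
                raise PermissionError(arn) from exc
            raise
        return Credentials(c["AccessKeyId"], c["SecretAccessKey"],
                           c["SessionToken"])

    def list_accounts(self, creds: Credentials) -> List[str]:
        pages = self._client("organizations", creds).get_paginator(
            "list_accounts").paginate()
        return [a["Id"] for page in pages for a in page["Accounts"]
                if a["Status"] == "ACTIVE"]


class FakeBackend:
    """Constructed offline stand-in: a child not listed in ``trusting`` has
    no usable ChildRole and rejects the second hop with AccessDenied."""

    def __init__(self, accounts: List[str], trusting: Set[str]):
        self.accounts = accounts
        self.trusting = trusting

    def assume_role(self, creds, arn: str, session_name: str) -> Credentials:
        account = arn.split(":")[4]
        if creds is not None and account not in self.trusting:
            raise PermissionError(f"AccessDenied: {arn}")
        return Credentials("AKIA" + account[-4:], "secret", f"token-{account}")

    def list_accounts(self, creds: Credentials) -> List[str]:
        return list(self.accounts)


if __name__ == "__main__":
    fake = FakeBackend(["111111111111", "222222222222", "333333333333"],
                       {"111111111111", "333333333333"})
    got, missing = discover_access(fake, "999999999999", "ParentRole",
                                   "ChildRole", "org-discovery")
    print("reachable:", sorted(got), "need setup:", missing)
```

Two practical caveats when this runs for real: `organizations:ListAccounts` only works from the management account or a delegated administrator, so `ParentRole` has to live in one of those; and because the child session comes from role chaining, it expires after at most one hour and has to be re-chained rather than refreshed. Rolling `ChildRole` out to every member account is what the CloudFormation step in the comment amounts to; a CloudFormation StackSet targeting the organisation is the usual way to do that in one go.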