
bug(CT Security OU ): modify exclusion logic for CT Security OU #1008

@ahammoud-murex

Describe the bug

LZA currently excludes the CT Security OU from registration by looking up the OU of the Log Archive account.
This causes an issue if the Log Archive account has been moved to a different OU - CT v4.0 no longer requires the Log Archive account to be in the Security OU.
If the Log Archive account has been moved to a different OU, LZA now thinks this new OU is the Security OU and tries to register the actual Security OU, which causes the error:

| error | toolkit | The ‘AWSControlTowerBaseline’ cannot be enabled on the Security OU.
/codebuild/output/src81/src/s3/00/source/packages/@aws-lza/executors/accelerator-control-tower.ts:40
throw err;
^

Error: Runtime Error
at process. (/codebuild/output/src81/src/s3/00/source/packages/@aws-accelerator/accelerator/dist/packages/@aws-accelerator/accelerator/lib/toolkit.js:51:9)
at process.emit (node:events:536:35)
at process.emit (node:domain:489:12)
at process.emit.sharedData.processEmitHook.installedValue [as emit] (/codebuild/output/src81/src/s3/00/source/node_modules/@cspotcode/source-map-support/source-map-support.js:745:40)
at emitUnhandledRejection (node:internal/process/promises:250:13)
at throwUnhandledRejectionsMode (node:internal/process/promises:385:19)
at processPromiseRejections (node:internal/process/promises:470:17)
at processTicksAndRejections (node:internal/process/task_queues:96:32)

Node.js v20.19.5
error Command failed with exit code 7

To Reproduce
Manage CT v4.0 via LZA; do not enable service integration for CloudTrail and move the Log Archive account to a different OU.

Expected behavior
The Prepare stage should succeed even with the Log Archive account in a different OU.

  • Version: [e.g. v1.14.2]
  • Region: [e.g. eu-west-1]
  • Was the solution modified from the version published on this repository? No
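As an added illustration (example code, not LZA's own implementation or any code from this repository), the snippet below contrasts the exclusion logic described in the issue, which infers the Security OU from wherever the Log Archive account currently sits, with resolving the Security OU from the landing zone's own declared setting, which does not change when an account is moved. The organization snapshot, OU names and IDs are constructed; the `LANDING_ZONE_SECURITY_OU` constant stands in for the Security OU name a landing zone declares at setup (assumed here to be available from the landing zone configuration rather than derived from account placement). A small preflight check shows how a pipeline could fail early, before the Prepare stage, when the computed exclusion would still leave the real Security OU in the registration list.

```typescript
// Added example, not LZA code: two ways of deciding which OU to exclude
// from AWSControlTowerBaseline registration, and a preflight check.

// Constructed organization snapshot after the Log Archive account has been
// moved out of the Security OU (hypothetical names and IDs).
interface OrgUnit {
  id: string;
  name: string;
  accounts: string[];
}

const ORG_AFTER_MOVE: OrgUnit[] = [
  { id: "ou-root-security", name: "Security", accounts: ["Audit"] },
  { id: "ou-root-infra", name: "Infrastructure", accounts: ["LogArchive"] },
  { id: "ou-root-workloads", name: "Workloads", accounts: ["Dev", "Prod"] },
];

// Assumption: the Security OU name as declared by the landing zone at
// setup time (constructed value; independent of where accounts live).
const LANDING_ZONE_SECURITY_OU = "Security";

// Logic as described in the issue: treat the OU containing the Log Archive
// account as the Security OU. Returns the wrong OU once the account moves.
function securityOuFromLogArchive(ous: OrgUnit[]): string | undefined {
  return ous.find((ou) => ou.accounts.includes("LogArchive"))?.name;
}

// Alternative: resolve the Security OU from the landing zone's declared
// name, so account placement has no influence on the exclusion.
function securityOuFromLandingZone(
  ous: OrgUnit[],
  declared: string,
): string | undefined {
  return ous.find((ou) => ou.name === declared)?.name;
}

// OUs that would be handed to baseline registration after excluding the
// OU believed to be the Security OU.
function ousToRegister(ous: OrgUnit[], securityOu: string | undefined): string[] {
  return ous.filter((ou) => ou.name !== securityOu).map((ou) => ou.name);
}

// Preflight check: true when the registration list still contains the real
// Security OU, i.e. the run would hit the error quoted in the issue.
function wouldRegisterSecurityOu(toRegister: string[], declared: string): boolean {
  return toRegister.includes(declared);
}

// Stand-alone run: show both outcomes side by side.
function report(): string {
  const inferred = securityOuFromLogArchive(ORG_AFTER_MOVE);
  const inferredList = ousToRegister(ORG_AFTER_MOVE, inferred);
  const declared = securityOuFromLandingZone(ORG_AFTER_MOVE, LANDING_ZONE_SECURITY_OU);
  const declaredList = ousToRegister(ORG_AFTER_MOVE, declared);
  return [
    `Log Archive lookup -> excludes "${inferred}", registers [${inferredList.join(", ")}],` +
      ` unsafe=${wouldRegisterSecurityOu(inferredList, LANDING_ZONE_SECURITY_OU)}`,
    `Landing zone setting -> excludes "${declared}", registers [${declaredList.join(", ")}],` +
      ` unsafe=${wouldRegisterSecurityOu(declaredList, LANDING_ZONE_SECURITY_OU)}`,
  ].join("\n");
}

console.log(report());
```

Running the block prints one line per approach: the Log Archive lookup excludes "Infrastructure" and leaves "Security" in the registration list (the preflight flags it as unsafe), while the declared-name lookup excludes "Security" and registers only the remaining OUs.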
