fix: #242 ensuring alias is set or raise error. (#465)

* fix: #242 ensuring alias is set or raise error. * Ensuring the readme.md file clearly states that a non-unique alias will raise an error * Adding final new line to satisfy pylint * Adding changing to multiline string to satisfy pylint * Adding tests for account_alias * fix: removing hard-coded account alias in error message and updating test Authored-by: Javy de Koning <[email protected]>
awslabs · Aug 12, 2022 · 063bd19 · 063bd19
1 parent 0f97138
commit 063bd19
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 15 deletions.
diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py
@@ -22,8 +22,13 @@ def create_account_alias(account, iam_client):
     )
     try:
         iam_client.create_account_alias(AccountAlias=account.get("alias"))
-    except iam_client.exceptions.EntityAlreadyExistsException:
-        pass
+    except iam_client.exceptions.EntityAlreadyExistsException as error:
+        LOGGER.error(
+            f"The account alias {account.get('alias')} already exists."
+            "The account alias must be unique across all Amazon Web Services products."
+            "Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias"
+        )
+        raise error
     return account
 
 

diff --git a/src/lambda_codebase/account_processing/tests/test_account_alias.py b/src/lambda_codebase/account_processing/tests/test_account_alias.py
@@ -2,24 +2,47 @@
 Tests the account alias configuration lambda
 """
 
+import unittest
 import boto3
 from botocore.stub import Stubber
+from botocore.exceptions import ClientError
 from aws_xray_sdk import global_sdk_config
 from ..configure_account_alias import create_account_alias
 
 global_sdk_config.set_sdk_enabled(False)
 
-# pylint: disable=W0106
-def test_account_alias():
-    test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"}
-    iam_client = boto3.client("iam")
-    stubber = Stubber(iam_client)
-    create_alias_response = {}
-    stubber.add_response(
-        "create_account_alias", create_alias_response, {"AccountAlias": "MyCoolAlias"}
-    ),
-    stubber.activate()
+class SuccessTestCase(unittest.TestCase):
+    # pylint: disable=W0106
+    def test_account_alias(self):
+        test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"}
+        iam_client = boto3.client("iam")
+        stubber = Stubber(iam_client)
+        create_alias_response = {}
+        stubber.add_response(
+            "create_account_alias", create_alias_response, {"AccountAlias": "MyCoolAlias"}
+        ),
+        stubber.activate()
 
-    response = create_account_alias(test_account, iam_client)
+        response = create_account_alias(test_account, iam_client)
 
-    assert response == test_account
+        self.assertEqual(response, test_account)
+
+class FailureTestCase(unittest.TestCase):
+    # pylint: disable=W0106
+    def test_account_alias_when_nonunique(self):
+        test_account = {"account_id": 123456789012, "alias": "nonunique"}
+        iam_client = boto3.client("iam")
+        stubber = Stubber(iam_client)
+        stubber.add_client_error(
+            'create_account_alias',
+            'EntityAlreadyExistsException',
+            f"An error occurred (EntityAlreadyExists) when calling the CreateAccountAlias operation: The account alias {test_account.get('alias')} already exists."
+        )
+        stubber.activate()
+
+        with self.assertRaises(ClientError) as _error:
+            create_account_alias(test_account, iam_client)
+        self.assertRegex(
+            str(_error.exception),
+            r'.*The account alias nonunique already exists.*'
+        )
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md
@@ -38,7 +38,7 @@ The OU name is the name of the direct parent of the account. If you want to move
 - `support_level`: `basic|enterprise` ADF will raise a ticket to add the account to an existing AWS support subscription when an account is created. Currently only supports basic or enterprise.
  **NB: This is for activating enterprise support on account creation only. As a prerequisite your organization master account must already have enterprise support activated**
 
-- `alias`: AWS account alias. Must be unique globally otherwise cannot be created. Check [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) for further details. If the account alias is not created or already exists, in the Federation login page, no alias will be presented
+- `alias`: AWS account alias. Must be unique globally otherwise cannot be created. Check [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) for further details. If the account alias is not created or already exists, in the Federation login page, no alias will be presented. This needs to be unique across all customers, if the alias is already taken the AccountManagementStateMachine will stop and raise an error.
 - `tags`: list of tags associate to the account.
 
 ### Examples