feat(accounts): wire AWS Organizations discovery endpoint to existing DiscoverOrgAccounts #208

@cristim

Description

Gap

The AWS Organizations discovery endpoint (POST /api/accounts/discover-org) has the discovery logic implemented at internal/accounts/org_discovery.go:26-62 but the HTTP handler (internal/api/handler_accounts.go:1077-1084) returns a stub "org discovery not yet implemented" instead of calling the discovery function and persisting results.

When triggered by an admin user on an aws_is_org_root=true account with valid credentials, the endpoint must:

  1. Resolve the management account's credentials via the resolver
  2. Call DiscoverOrgAccounts(ctx, cfg) to list all member accounts from the Organizations API
  3. Deduplicate by (provider, external_id) — skip member accounts that already exist in cloud_accounts
  4. Create new rows in cloud_accounts for each new member, with enabled=false and aws_auth_mode=bastion (defaulting to bastion-chain from org root)
  5. Return a summary response: { "discovered": count, "created": count, "skipped": count }

Spec sections: specs/multi-account-execution/acceptance.md F-1, F-2, F-3; specs/multi-account-execution/api.md "POST /api/accounts/discover-org".

Acceptance criteria

  • Admin-only: returns 403 if user lacks admin role (already validated by requirePermission)
  • Org-root validation: returns 400 if aws_is_org_root=false
  • Successful discovery: returns 200 with discovered/created/skipped counts; new member accounts appear in GET /api/accounts with enabled=false
  • Credential resolution: uses the org-root account's stored credentials; returns 400 if credentials missing or invalid
  • Deduplication: member accounts that already exist by (provider, external_id) are skipped and counted separately
  • Error resilience: transient Organizations API failures return 5xx with retry-friendly message; invalid management account returns clear error
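As an added illustration that is not code from the project or from @cristim, here is a Go sketch of the handler logic laid out in the five numbered steps and the acceptance criteria above. Everything in it is assumed: the cloud_accounts row shape, an in-memory slice standing in for the table, a DiscoverFunc closure in place of DiscoverOrgAccounts(ctx, cfg) (whose real cfg type the issue does not show), and the 5xx code chosen for transient failures. The 403 check is left to requirePermission, as the criteria state.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// MemberAccount is one account as returned by the discovery call (assumed shape).
type MemberAccount struct {
	ID   string // 12-digit AWS account ID; stored as external_id
	Name string
}

// CloudAccount mirrors the cloud_accounts columns named in the issue (other columns omitted).
type CloudAccount struct {
	Provider       string
	ExternalID     string
	Name           string
	Enabled        bool
	AWSAuthMode    string
	AWSIsOrgRoot   bool
	HasCredentials bool // stands in for "the resolver returned valid credentials"
}

// DiscoverySummary is the response body { "discovered", "created", "skipped" }.
type DiscoverySummary struct {
	Discovered int `json:"discovered"`
	Created    int `json:"created"`
	Skipped    int `json:"skipped"`
}

// DiscoverFunc stands in for DiscoverOrgAccounts(ctx, cfg); the resolved credentials
// are assumed to be captured by the closure, since the real cfg type is not shown here.
type DiscoverFunc func(ctx context.Context) ([]MemberAccount, error)

var (
	ErrNotOrgRoot         = errors.New("account is not an organization root (aws_is_org_root=false)")
	ErrMissingCredentials = errors.New("org-root account has no valid stored credentials")
)

// accountKey is the (provider, external_id) deduplication key.
type accountKey struct{ provider, externalID string }

// DiscoverAndPersist performs steps 1-5 against an in-memory slice standing in
// for the cloud_accounts table. It returns the updated store, the summary, and
// an error that StatusFor maps to an HTTP status.
func DiscoverAndPersist(ctx context.Context, root CloudAccount, store []CloudAccount, discover DiscoverFunc) ([]CloudAccount, DiscoverySummary, error) {
	var sum DiscoverySummary
	if !root.AWSIsOrgRoot {
		return store, sum, ErrNotOrgRoot
	}
	if !root.HasCredentials {
		return store, sum, ErrMissingCredentials
	}
	members, err := discover(ctx)
	if err != nil {
		return store, sum, fmt.Errorf("organizations discovery failed, retry later: %w", err)
	}
	// Build the dedup set from what is already persisted. Organizations ListAccounts
	// also returns the management account itself, so the root's own row is skipped here.
	seen := make(map[accountKey]struct{}, len(store))
	for _, a := range store {
		seen[accountKey{a.Provider, a.ExternalID}] = struct{}{}
	}
	sum.Discovered = len(members)
	for _, m := range members {
		k := accountKey{"aws", m.ID}
		if _, dup := seen[k]; dup {
			sum.Skipped++
			continue
		}
		seen[k] = struct{}{} // also guards against repeats within one discovery result
		store = append(store, CloudAccount{
			Provider:    "aws",
			ExternalID:  m.ID,
			Name:        m.Name,
			Enabled:     false,     // operator reviews and enables manually
			AWSAuthMode: "bastion", // default: bastion-chain from the org root
		})
		sum.Created++
	}
	return store, sum, nil
}

// StatusFor maps the errors above to the HTTP codes in the acceptance criteria
// (403 is handled earlier by requirePermission, so it does not appear here).
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrNotOrgRoot), errors.Is(err, ErrMissingCredentials):
		return http.StatusBadRequest
	default:
		return http.StatusServiceUnavailable // 5xx; the client may retry
	}
}

func main() {
	// Constructed sample: the store holds the root and one known member; discovery
	// returns the root, the known member and one new account.
	root := CloudAccount{Provider: "aws", ExternalID: "111111111111", AWSIsOrgRoot: true, HasCredentials: true}
	store := []CloudAccount{root, {Provider: "aws", ExternalID: "222222222222"}}
	discover := func(ctx context.Context) ([]MemberAccount, error) {
		return []MemberAccount{{ID: "111111111111", Name: "mgmt"}, {ID: "222222222222", Name: "prod"}, {ID: "333333333333", Name: "dev"}}, nil
	}
	store, sum, err := DiscoverAndPersist(context.Background(), root, store, discover)
	fmt.Printf("status=%d summary=%+v rows=%d err=%v\n", StatusFor(err), sum, len(store), err)
}
```

The dedup set is seeded from the persisted rows before the loop, which is what makes the management account's own entry in the ListAccounts result count as skipped rather than created, and adding each new key to the set as it is inserted keeps a duplicated entry in a single discovery result from producing two rows.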

Out of scope

  • Azure / GCP tenant/project enumeration (AWS Organizations only for MVP)
  • Auto-enabling discovered accounts (operator must review and enable manually)
  • Bulk credential assignment to discovered accounts

References

  • Spec: specs/multi-account-execution/acceptance.md scenarios F-1 → F-3
  • Discovery code (already implemented + tested): internal/accounts/org_discovery.go:26-62 + internal/accounts/org_discovery_test.go
  • Stub handler: internal/api/handler_accounts.go:1077-1084
  • Surfaced via the gap analysis on PR #89 (docs(specs): multi-account execution draft spec).
