Enumerate all local CUR buckets in the auto-generated payer policy

[silvexis]

Summary

• Discovery Lambda now emits MasterPayerBillingBucketArns — a comma-separated ARN list (both bucket and bucket/* forms) covering every locally-owned CUR bucket it found, not just the one chosen as primary.
• master_payer.yaml uses Fn::Split on that string directly as the CZTier0BillingBucket20260420 Resource: list, so a payer account with multiple CURs gets every CUR bucket granted to the CloudZero role.
• The create-new-CUR path is unchanged in shape (discovery is empty there by construction). MasterPayerBillingBucketName / Path keep their primary-bucket semantics for the notification flow.

Files touched

• services/discovery/src/app.py — new get_all_local_cur_bucket_names + format_bucket_arns; new output key in DEFAULT_OUTPUT and OUTPUT_SCHEMA.
• services/discovery/template.yaml — new output MasterPayerBillingBucketArns.
• services/connected_account.yaml, services/connected_account_dev.yaml — pass the new output as a parameter to the master-payer nested stack.
• services/account_type/master_payer.yaml — new MasterPayerBillingBucketArns parameter; CZTier0BillingBucket20260420 Resource: becomes !Split over the ARN list (or the single new-bucket pair when creating a CUR).
• services/discovery/tests/unit/test_app.py — updated full-output assertions + new multi-CUR enumeration test.

Test plan

• python -m pytest services/discovery/tests/unit/test_app.py — 13 passed (12 existing + 1 new).
• cfn-lint on all four touched templates — only the pre-existing IsOrganizationMasterAccount not used warning.
• Stack deploy in a payer account with one CUR — policy rendering identical to today.
• Stack deploy in a payer account with two CURs — policy includes both bucket-pair ARNs.
• Stack deploy in a payer account with no existing CUR — policy contains only the freshly created cz-cur-hourly-csv-${StackId} bucket pair.

https://claude.ai/code/session_01KRtx6n6mePz1Bi5N8Me1FM

---

Generated by Claude Code

[khill2018]

@greptile

[qiuz-cz]

LGTM

[khill2018]

@greptile

[greptile-apps]

Greptile Summary

This PR extends the Discovery Lambda to enumerate all locally-owned CUR buckets (not just the schema-valid primary) and threads that comma-separated ARN list through to the master-payer IAM policy, so a payer account with multiple CUR reports gets s3:Get*/s3:List* on every CUR bucket without a stack redeployment when the primary CUR changes.

• get_all_local_cur_bucket_names + format_bucket_arns — schema-agnostic enumeration in app.py produces a comma-joined ARN pair list (bucket and bucket/*) for every locally-owned CUR bucket; the choice to skip keep_valid filtering is explicitly documented and deliberate.
• HasMasterPayerBillingBucketArns guard in master_payer.yaml — the !Split over the ARN list is protected by a condition that falls back to the single-bucket !Sub pair when the parameter is empty, preventing the [""] invalid-IAM-resource failure that was flagged in the prior review round.
• Test coverage — two new integration-style unit tests cover the multi-CUR enumeration path and the remote-bucket exclusion path; all existing assertions were updated with the new output key.

Confidence Score: 5/5

The change is safe to merge — all three issues raised in the previous review round have been addressed, and the new code paths are covered by targeted unit tests.

The HasMasterPayerBillingBucketArns guard correctly prevents !Split from receiving an empty string. coeffects_buckets is a pure dict read, so calling it in both get_cur_bucket_if_local and get_all_local_cur_bucket_names adds no extra API calls. Bucket names cannot contain commas, making the comma-delimited ARN format safe. The schema-agnostic enumeration intent is clearly documented. No new defects found.

No files require special attention.

Important Files Changed

Filename	Overview
services/discovery/src/app.py	Adds get_all_local_cur_bucket_names (schema-agnostic bucket enumeration) and format_bucket_arns; emits MasterPayerBillingBucketArns from discover_master_payer_account. Logic is correct; coeffects_buckets is a pure dict read so the apparent double-call with get_cur_bucket_if_local incurs no extra API round-trips.
services/account_type/master_payer.yaml	Adds MasterPayerBillingBucketArns parameter and HasMasterPayerBillingBucketArns condition; rewrites CZTier0BillingBucket20260420 Resource: to use !Split over the ARN list with a safe fallback when the parameter is empty, addressing the empty-string !Split concern from the prior review.
services/discovery/tests/unit/test_app.py	Updates all full-output assertions to include MasterPayerBillingBucketArns; adds two new tests covering multi-CUR enumeration and remote-bucket exclusion. Coverage looks complete for the new code paths.
services/connected_account.yaml	Passes the new MasterPayerBillingBucketArns output from the Discovery stack into the master-payer nested stack; one-line wiring change, correct.
services/connected_account_dev.yaml	Same one-line wiring change as connected_account.yaml for the dev variant; correct and consistent.
services/discovery/template.yaml	Exposes the new MasterPayerBillingBucketArns output from the Lambda custom resource; straightforward addition.
docs/releases/1.0.95.md	New release notes accurately documenting multi-CUR enumeration, the HasMasterPayerBillingBucketArns guard, and AWS CUR-per-account limits.
README.md	Adds a brief note explaining multi-CUR bucket policy behaviour to the payer account section.
policies/README.md	Documents the runtime expansion of CZTier0BillingBucket20260420 Resource list at deploy time.

_{Reviews (3): Last reviewed commit: "codeql not working, github outage need t..." | Re-trigger Greptile}