CP-42815 Revert CP-42080: remove ConnectorsAccountId / connectors_account_id second trust principal

[qiuz-cz]

Description of the change

Reverts #107 (commit 3b8b70e, CP-42080), which added a second CloudZero AWS account (931830253929 prod / 618300337335 dev) as a trust principal on every CloudZero-provisioned IAM role and the CloudTrail-owner SQS queue policy.

This restores the single reactor principal across all four CloudFormation account-type templates, both parent templates, and all three Terraform modules. The ConnectorsAccountId parameters, connectors_account_id variable/locals, and CallbackConfiguration mapping entries are removed; each Principal.AWS collapses back to a scalar. The docs/releases/1.0.98.md release note describing the reverted feature is also removed.

The existing reactor principal (061190967865 prod / 998146006915 dev) is untouched.

Clean, single-feature revert: 11 files changed, 9 insertions / 87 deletions. No version bump or unrelated files involved.

Operational note

This reverts the code only. Already-deployed customer stacks retain the second trust principal until they re-deploy (CloudFormation stack update) or re-apply Terraform against a newly published template version. Please confirm nothing in the connectors service currently depends on 931830253929 being able to assume these roles before merging.

Type of change

• Bug fix
• New feature

PR Generated with AI

Co-Authored-By: AI

[greptile-apps]

Greptile Summary

This PR reverts CP-42080 (#107), which had added a second CloudZero AWS account (931830253929 prod / 618300337335 dev) as a trust principal on every customer-provisioned IAM role and the CloudTrail SQS queue policy. The revert is consistent and complete across all affected surfaces.

• CloudFormation: ConnectorsAccountId parameter removed from all four account-type templates and from both parent templates' CallbackConfiguration mappings; each Principal.AWS collapses from a two-element list back to the single reactor ARN.
• Terraform: connectors_account_id variable/local removed from all three modules (cloudzero-aws, cloudzero-payer, cloudzero-resource); identifiers/"AWS" values collapse to the single reactor ARN.
• Docs: 1.0.98.md deleted; 1.0.99.md added with accurate file list and a deployment note about already-deployed stacks retaining the second principal until they re-apply.

Confidence Score: 5/5

The code changes are a clean, symmetric revert with no missed references or residual call-sites; the only risk is operational (already-deployed stacks), which is documented in the release notes and PR description.

Every location that referenced ConnectorsAccountId / connectors_account_id in both CloudFormation and Terraform is removed consistently. The reactor principal is untouched throughout. No new logic is introduced — this is a pure deletion revert. The release note accurately reflects what changed and explicitly calls out the partial-rollout deployment caveat for existing stacks.

No files require special attention — all changes are symmetric across the four account-type templates, two parent templates, and three Terraform modules.

Important Files Changed

Filename	Overview
services/account_type/audit.yaml	Removes ConnectorsAccountId parameter and collapses Principal.AWS from a two-element list back to a scalar; clean revert of 1.0.98
services/account_type/cloudtrail_owner.yaml	Removes ConnectorsAccountId parameter and collapses SQS queue policy Principal.AWS back to a scalar; mirrors audit.yaml change
services/account_type/master_payer.yaml	Removes ConnectorsAccountId parameter and collapses Principal.AWS to a scalar; clean revert
services/account_type/resource_owner.yaml	Removes ConnectorsAccountId parameter and collapses Principal.AWS to a scalar; clean revert
services/connected_account.yaml	Removes ConnectorsAccountId from the prod CallbackConfiguration mapping and stops forwarding it to all four nested account-type stacks
services/connected_account_dev.yaml	Same as connected_account.yaml but for the dev mapping (ConnectorsAccountId 618300337335 removed) and all four nested stack pass-throughs
terraform/cloudzero-aws/main.tf	Collapses the identifiers list from two ARNs to the single reactor ARN; consistent with variable removal in variables.tf
terraform/cloudzero-aws/variables.tf	Removes the connectors_account_id variable; no remaining references in the module
terraform/cloudzero-payer/main.tf	Removes connectors_account_id local and collapses Principal.AWS to the single cz_account_id ARN
terraform/cloudzero-resource/main.tf	Same pattern as cloudzero-payer: removes connectors_account_id local and collapses Principal.AWS
docs/releases/1.0.99.md	New release note documenting the revert; accurately names all modified files and includes a deployment caveat about already-deployed stacks
docs/releases/1.0.98.md	Deleted — removes the release note that described the reverted 1.0.98 feature

_{Reviews (2): Last reviewed commit: "Add 1.0.99 release notes for the CP-4208..." | Re-trigger Greptile}

[greptile-apps]

Confirm connectors-service dependency before merging

The PR removes 931830253929 as a trust principal from every IAM role and the CloudTrail SQS queue across both prod and dev templates. If any workload running under that account currently calls sts:AssumeRole against a customer-provisioned role (e.g. the connectors service fetching CUR or CloudTrail data), those calls will start failing for customers who redeploy after this merges. The PR description explicitly asks for this confirmation but does not show it was obtained. Please post a clear sign-off (e.g. from the connectors-service owner) that account 931830253929 is not currently assuming any of these roles before this PR is merged to develop.