
CP-42872: trust the dedicated CloudZero connections account on provisioned roles#109

Merged
khill2018 merged 4 commits into develop from CP-42872-connectors-account-id on Jun 10, 2026

Conversation

@khill2018 khill2018 commented Jun 9, 2026

Contributor

What

Adds the ConnectorsAccountId / connectors_account_id trust principal (the dedicated CloudZero connections account) as a second principal — alongside the existing reactor principal — on the cross-account roles created by the account-onboarding templates. Mirrors the existing reactor principal one-for-one across CloudFormation and Terraform.

Prod uses 559846027439; the dev parent template (connected_account_dev.yaml) uses the dev connections account (483772923246).

Why

The dedicated connections account (where the AWS connector runs) needs to assume the customer cross-account role to read billing/CUR data. This wires that trust into the onboarding templates so new customer onboards pick it up automatically.

Scope / files

  • CloudFormation account-type templates: master_payer.yaml, resource_owner.yaml
  • CloudFormation parent templates: connected_account.yaml, connected_account_dev.yaml
  • Terraform: cloudzero-aws (variable + role policy), cloudzero-payer, cloudzero-resource
  • Release note: docs/releases/1.0.100.md

The deprecated audit.yaml and cloudtrail_owner.yaml account-type templates are intentionally left unchanged.

Notes

  • Backward compatible: re-deploying with no parameter changes picks up the default automatically.
  • Lineage: the second trust principal was added in 1.0.98 (CP-42080) and reverted in 1.0.99 (CP-42815); this re-introduces it pointing at the dedicated connections account.
  • Existing customers trust only the reactor principal until their connected-account stacks are updated to the new ConnectorsAccountId — that StackSet rollout (and the latest/Discovery-Lambda refresh + BillingReportFormat consideration from CP-42796) is a separate effort, not this PR.

🤖 Generated with Claude Code

…d roles

Add the ConnectorsAccountId / connectors_account_id trust principal
(483772923246) to the account-onboarding CloudFormation templates and the
Terraform modules, matching the existing reactor principal one-for-one, so the
dedicated CloudZero connections account can assume the cross-account role. The
dev parent template uses the dev connections account (618300337335).

CP-42872

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@khill2018 khill2018 requested a review from a team as a code owner June 9, 2026 16:20
Comment thread terraform/cloudzero-payer/main.tf

@silvexis silvexis left a comment

Member


Audit and CloudTrail policies are deprecated and not used; no changes should be made to these policies.

@khill2018 khill2018 requested a review from silvexis June 10, 2026 02:17
@Cloudzero Cloudzero deleted a comment from greptile-apps Bot Jun 10, 2026
…ted stacks, align release notes

- Remove ConnectorsAccountId param pass to the deprecated cloudtrail_owner
  and audit nested stacks in connected_account.yaml / connected_account_dev.yaml
  (those templates were reverted and don't declare the param, which would
  break every CloudFormation deploy)
- Align release notes account IDs with the code (prod 559846027439, dev
  483772923246) and drop audit.yaml / cloudtrail_owner.yaml from the
  modified-files list

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Cloudzero Cloudzero deleted a comment from greptile-apps Bot Jun 10, 2026
@khill2018

Contributor Author

@greptile

@greptile-apps

greptile-apps Bot commented Jun 10, 2026


Greptile Summary

This PR re-introduces the dedicated CloudZero connections account (559846027439) as a second trust principal on every cross-account IAM role created by the account-onboarding templates, mirroring the reactor principal one-for-one across all active CloudFormation and Terraform modules. All changes are backward compatible via defaults, and the sts:ExternalId condition is correctly preserved for both principals in every template.

  • CloudFormation: ConnectorsAccountId added as a parameter (with default) in master_payer.yaml and resource_owner.yaml, mapped in both parent templates and passed through to the nested stacks; the dev parent uses the dev connections account (483772923246).
  • Terraform: connectors_account_id added as a variable with default in cloudzero-aws, and as a local in cloudzero-payer / cloudzero-resource, inserted as a second principal in each module's trust policy.
  • Deprecated audit.yaml and cloudtrail_owner.yaml templates are intentionally excluded from this change.

Confidence Score: 5/5

Safe to merge — the change is a narrow, well-scoped trust-principal addition that is backward compatible and does not alter any permission boundaries.

The new principal is added inside the existing trust-policy statement, so the sts:ExternalId condition guards it exactly as it guards the reactor principal. Defaults are set everywhere so re-deploying with no parameter changes produces no user-facing impact. The dev template correctly uses the dev connections account ID, the deprecated templates are explicitly left alone, and the Terraform and CloudFormation changes are consistent with each other. No logic paths were modified — only the list of trusted principals was extended.

No files require special attention.

Important Files Changed

Filename Overview
services/account_type/master_payer.yaml Adds ConnectorsAccountId parameter (default 559846027439) and includes it as a second trust principal alongside ReactorAccountId, with sts:ExternalId condition preserved for both.
services/account_type/resource_owner.yaml Mirrors master_payer.yaml — adds ConnectorsAccountId parameter with default and wires it as a second trust principal; sts:ExternalId condition is correctly inherited by both principals.
services/connected_account.yaml Adds ConnectorsAccountId: '559846027439' to the CallbackConfiguration.prod mapping and passes it to ResourceOwnerAccount and MasterPayerAccount nested stacks; deprecated stacks intentionally unchanged.
services/connected_account_dev.yaml Same pattern as connected_account.yaml but uses the dev connections account ID (483772923246) in the CallbackConfiguration.dev mapping.
terraform/cloudzero-aws/main.tf Adds connectors_account_id as a second principal in the aws_iam_policy_document.assume_role data source; uses the proper HCL data-source approach and preserves the sts:ExternalId condition.
terraform/cloudzero-aws/variables.tf Declares connectors_account_id variable with type string, default 559846027439, and a clear description; consistent with the existing cloudzero_account_id variable style.
terraform/cloudzero-payer/main.tf Adds connectors_account_id local (following the existing cz_account_id pattern) and inserts it as a second principal in the inline jsonencode trust policy; sts:ExternalId condition unchanged.
terraform/cloudzero-resource/main.tf Identical change to cloudzero-payer/main.tf — adds connectors_account_id local and second principal; fully consistent with payer module.
docs/releases/1.0.100.md New release note accurately describes the change, lists all modified files, and notes the intentional exclusion of deprecated templates.

Reviews (6): Last reviewed commit: "docs: drop "override only if directed" g..."
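The security-relevant property the PR description and the Greptile summary both rely on is the shape of the trust policy: the connections account is appended to the principal list of the existing Allow statement, so the one sts:ExternalId StringEquals condition guards it exactly as it guards the reactor principal. The following is an added example, not code from the PR or from the CloudZero templates, that builds that single-statement shape and checks a policy document for any sts:AssumeRole principal that escaped the condition. The two connections account IDs are the ones quoted in the PR; the reactor account ID, the external ID and the deliberately risky second shape are constructed placeholders.

```python
"""Trust-policy shape check for a two-principal cross-account role.

Added example; not code from the CloudZero templates or this PR. The two connections
account IDs are the ones quoted in the PR. The reactor account ID and the external ID
are constructed placeholders.
"""
import json

REACTOR_ACCOUNT_ID = "111111111111"          # placeholder: the page does not give the reactor ID
CONNECTORS_ACCOUNT_ID_PROD = "559846027439"  # prod connections account (PR description)
CONNECTORS_ACCOUNT_ID_DEV = "483772923246"   # dev connections account (PR description)
EXTERNAL_ID = "example-external-id"          # placeholder; the real value is per customer


def build_trust_policy(account_ids, external_id):
    """One Allow statement that lists every trusted account and is guarded by
    sts:ExternalId. This is the shape the PR uses: the new principal is appended
    to the existing statement, so it inherits the condition automatically."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a scalar wherever a list is permitted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_external_id_condition(statement):
    """True when the statement pins sts:ExternalId with StringEquals.
    Operator and key names are matched case-insensitively, as IAM does."""
    condition = statement.get("Condition") or {}
    for operator, keys in condition.items():
        if operator.lower() == "stringequals" and any(
            key.lower() == "sts:externalid" for key in keys
        ):
            return True
    return False


def unguarded_assume_role_principals(policy):
    """Return the principals that may call sts:AssumeRole without an
    sts:ExternalId condition. Any hit is a confused-deputy exposure: a third
    party who knows the role ARN could ask that account to assume it without
    presenting the shared secret."""
    hits = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if _has_external_id_condition(statement):
            continue
        principal = statement.get("Principal")
        if principal == "*":
            hits.append("*")
        else:
            hits.extend(_as_list((principal or {}).get("AWS")))
    return hits


def compare_shapes(stage="prod"):
    """Build the PR's single-statement policy for a stage, plus a constructed
    risky variant in which the connections account was added as a separate
    statement and the condition was forgotten. Returns both sets of findings."""
    connectors = CONNECTORS_ACCOUNT_ID_PROD if stage == "prod" else CONNECTORS_ACCOUNT_ID_DEV
    safe = build_trust_policy([REACTOR_ACCOUNT_ID, connectors], EXTERNAL_ID)

    risky = json.loads(json.dumps(safe))  # deep copy
    risky["Statement"][0]["Principal"]["AWS"] = [f"arn:aws:iam::{REACTOR_ACCOUNT_ID}:root"]
    risky["Statement"].append(
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{connectors}:root"},
            "Action": "sts:AssumeRole",
        }
    )
    return unguarded_assume_role_principals(safe), unguarded_assume_role_principals(risky)


if __name__ == "__main__":
    safe_findings, risky_findings = compare_shapes("prod")
    print("single-statement shape, unguarded principals:", safe_findings)
    print("separate-statement shape, unguarded principals:", risky_findings)
```

Running the check against the single-statement shape reports nothing; against the separate-statement shape it names the connections account ARN, which is the case a reviewer would want to catch before a StackSet rollout puts the role in front of real billing data.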

Comment thread terraform/cloudzero-aws/variables.tf Outdated
variable "connectors_account_id" {
  type        = string
  default     = "483772923246"
  description = "Additional CloudZero AWS account ID that will assume the cross-account role. Override only if directed by CloudZero support."
}
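Review bot: the default "483772923246" on this variable is the ID the PR description calls the dev connections account, while the description says prod uses 559846027439 and the Greptile overview of the final terraform/cloudzero-aws/variables.tf reports that prod value as the default; since this thread is marked Outdated, confirm the merged commit carries the prod default here and that it agrees with the ConnectorsAccountId defaults in master_payer.yaml and resource_owner.yaml, so a customer applying the Terraform module does not trust the dev account.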

Member


Can we just remove this detail? We would never ask a customer to override this and the other new account.

Contributor Author


Should I remove this for all, btw? Happy to do it! But want to be consistent!

…ields

We would never direct a customer to override the dedicated connections
account, so remove that sentence from the ConnectorsAccountId /
connectors_account_id descriptions. The existing cloudzero_account_id
variable is left unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@khill2018 khill2018 merged commit 92bcd6a into develop Jun 10, 2026
5 checks passed
@khill2018 khill2018 deleted the CP-42872-connectors-account-id branch June 10, 2026 16:44
