[Bug]: adf-account-management fails with AccessDeniedException on account:ListRegions action #764
Open
Labels
bug
Is there an existing issue for this?
Describe the bug
Starting from version 4.0.0, the "adf-account-management" State Machine has a new node called "ConfigureAccountRegions" that enables opt-in regions. The node calls the account:ListRegions action, which requires that support for AWS Account Management be enabled in AWS Organizations services.
Expected Behavior
The "adf-account-management" state machine runs correctly
Current Behavior
If the trusted access to "AWS Account Management" service isn't enabled, the state machine fails like this:
AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListRegions operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/serverlessrepo-aws-deplo-AccountRegionConfigFunctio-KUolRd9e1eAc/adf-account-management-config-region is not authorized to perform: account:ListRegions (Your organization must first enable trusted access with AWS Account Management.)
Steps To Reproduce
Possible Solution
This requirement should at least be specified in the installation document; even better, it should be enabled during the bootstrap pipeline, as happens for other Organization features.
Additional Information/Context
No response
ADF Version
4.0.0
Contributing a fix?
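A preflight check for the condition reported above, as an added example (not code from the issue or from ADF): it lists the organization's trusted-access service principals and looks for AWS Account Management, whose service principal `account.amazonaws.com` is not quoted in the issue. The function names and the `FakeOrganizations` stub are hypothetical; against a real organization, pass `boto3.client("organizations")` created with management-account credentials.

```python
ACCOUNT_MGMT_PRINCIPAL = "account.amazonaws.com"  # AWS Account Management


def enabled_service_principals(org_client):
    """Return every service principal with trusted access, following NextToken."""
    principals, kwargs = set(), {}
    while True:
        page = org_client.list_aws_service_access_for_organization(**kwargs)
        for entry in page.get("EnabledServicePrincipals", []):
            principals.add(entry["ServicePrincipal"])
        token = page.get("NextToken")
        if not token:
            return principals
        kwargs = {"NextToken": token}


def ensure_account_management_access(org_client, enable=False):
    """Return 'enabled', 'missing' or 'enabled-now' for account.amazonaws.com."""
    if ACCOUNT_MGMT_PRINCIPAL in enabled_service_principals(org_client):
        return "enabled"
    if not enable:
        return "missing"  # report only; leave the organization unchanged
    org_client.enable_aws_service_access(ServicePrincipal=ACCOUNT_MGMT_PRINCIPAL)
    return "enabled-now"


class FakeOrganizations:
    """Constructed stand-in for the Organizations client; one entry per page."""

    def __init__(self, principals):
        self.principals = list(principals)

    def list_aws_service_access_for_organization(self, NextToken=None):
        start = int(NextToken or 0)
        chunk = self.principals[start:start + 1]
        page = {"EnabledServicePrincipals": [{"ServicePrincipal": p} for p in chunk]}
        if start + 1 < len(self.principals):
            page["NextToken"] = str(start + 1)
        return page

    def enable_aws_service_access(self, ServicePrincipal):
        self.principals.append(ServicePrincipal)


if __name__ == "__main__":
    # Constructed sample: an organization without Account Management trusted access.
    fake = FakeOrganizations(["sso.amazonaws.com", "cloudtrail.amazonaws.com"])
    print(ensure_account_management_access(fake))
    print(ensure_account_management_access(fake, enable=True))
```

Running the check with `enable=False` before deploying 4.0.0 reports the missing prerequisite without changing the organization.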