Description
Bug reports which fail to provide the required information will be closed without action.
Required Basic Info
- Accelerator Version: (eg. v1.1.6) v1.5.0 (standard, not CT)
- Install Type: (Clean or Upgrade) Upgrade
- Upgrade from version: (N/A or v1.x.y) 1.2.x -> 1.3.x -> 1.5.0
- Which State did the Main State Machine Fail in: Deploy Phase 1
Describe the bug
We are trying to create an IAM User in a sub-account using the config.json file.
We specified the new IAM User to be created in account: MyDev3FromTf-B9E593.
We can see the secret for that new IAM User and account in the main account secret manager, but the SM also tries to fetch the secret for other accounts (for which we did NOT ask to create the user) and fails because no resource-based policy allows the secretsmanager:GetSecretValue action, which is normal. For example, it tries to retrieve PBMMAccel/mydevacct1/user/password/gitLabUser and fails because no resource-based policy allows the secretsmanager:GetSecretValue action; this is for account mydevacct1, for which NO secret was created and NO user creation was requested.
Failure Info
- What error messages have you identified, if any: PBMMAccel/mydevacct1/user/password/gitLabUser because no resource-based policy allows the secretsmanager:GetSecretValue action
- What symptoms have you identified, if any:
Required files
- Please provide a copy of your config.json file (sanitize if required)
- If a CodeBuild step failed - please provide the full CodeBuild Log
- If a Lambda step failed - please provide the full Lambda CloudWatch Log
- In many cases it would be helpful if you went into the failed sub-account and region, CloudFormation, and provided a screenshot of the Events section of the failed, deleted, or rolled back stack including the last successful item, including the first couple of error messages (bottom up)
Steps To Reproduce
- Go to '...'
- Click on '....'
- See error
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
config-adding-gitlab-use-sani.zip