org-formation-cli
Error with single value in organization binding
Whenever you try to use Fn::EnumTargetAccounts with a single account in the binding, it translates into a string. For example:
tasks.yml

```yaml
SsoReadonly:
  Type: update-stacks
  Template: ./sso.yml
  StackName: 'aws-sso-readonly'
  TerminationProtection: false
  DefaultOrganizationBindingRegion: us-east-1
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: !Ref OrgBuildAccount
  Parameters:
    permissionName: 'ReadOnlyAccess'
    instaceArn: !Ref instaceArn
    principalId: !Ref adminGroup
    managedPolicies: [ 'arn:aws:iam::aws:policy/ReadOnlyAccess' ]
    sessionDuration: 'PT12H'
```
sso.yml

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Parameters:
  instaceArn:
    Type: String
  principalId:
    Type: String
  permissionName:
    Type: String
    Default: AdministratorAccess
  managedPolicies:
    Type: CommaDelimitedList
    Default: arn:aws:iam::aws:policy/AdministratorAccess
  sessionDuration:
    Type: String
    Default: PT1H
Resources:
  PermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: !Ref permissionName
      InstanceArn: !Ref instaceArn
      ManagedPolicies: !Ref managedPolicies
      SessionDuration: !Ref sessionDuration
  AssignmentGroup:
    Type: Community::SSO::AssignmentGroup
    Properties:
      InstanceArn: !Ref instaceArn
      PermissionSets:
        - !Ref PermissionSet
      PrincipalId: !Ref principalId
      PrincipalType: GROUP
      Targets:
        - TargetType: AWS_ACCOUNT
          TargetIds: Fn::EnumTargetAccounts TargetBinding ${account}
```
Transpiled CloudFormation template

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "instaceArn": {
      "Type": "String"
    },
    "principalId": {
      "Type": "String"
    },
    "permissionName": {
      "Type": "String",
      "Default": "AdministratorAccess"
    },
    "managedPolicies": {
      "Type": "CommaDelimitedList",
      "Default": "arn:aws:iam::aws:policy/AdministratorAccess"
    },
    "sessionDuration": {
      "Type": "String",
      "Default": "PT1H"
    }
  },
  "Resources": {
    "PermissionSet": {
      "Type": "AWS::SSO::PermissionSet",
      "Properties": {
        "Name": {
          "Ref": "permissionName"
        },
        "InstanceArn": {
          "Ref": "instaceArn"
        },
        "ManagedPolicies": {
          "Ref": "managedPolicies"
        },
        "SessionDuration": {
          "Ref": "sessionDuration"
        }
      }
    },
    "AssignmentGroup": {
      "Type": "Community::SSO::AssignmentGroup",
      "Properties": {
        "InstanceArn": {
          "Ref": "instaceArn"
        },
        "PermissionSets": [
          {
            "Ref": "PermissionSet"
          }
        ],
        "PrincipalId": {
          "Ref": "principalId"
        },
        "PrincipalType": "GROUP",
        "Targets": [
          {
            "TargetType": "AWS_ACCOUNT",
            "TargetIds": "123456789012"
          }
        ]
      }
    }
  },
  "Outputs": {}
}
```
I would have expected the TargetIds value to be `[ "123456789012" ]` instead of a string.

Here is the error I get while deploying:

```
Properties validation failed for resource AssignmentGroup with message: #/Targets/0/TargetIds: expected type: JSONArray, found: String
```
I know this sounds a bit nonsensical, but if you change that to:

```yaml
Targets:
  - TargetType: AWS_ACCOUNT
    TargetIds:
      - Fn::EnumTargetAccounts TargetBinding ${account}
```

This will add the single value to the array; if the result is an array it will 'spread' it into the parent array. The behavior is here partly because of backwards compat (I believe there was another reason too 🤔)... might indeed change this to always return an array at some point.
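The string-versus-array behaviour from the report and the list-wrapping workaround from the reply, modelled together as an added Python example (this is not org-formation-cli's own code and does not call its API). It assumes a constructed binding table with placeholder account ids and the `Community::SSO::AssignmentGroup` shape from the transpiled template above, and it runs the same type check that CloudFormation's schema validation applied, so a template can be linted before an `update-stacks` task is deployed:

```python
"""Model of the Fn::EnumTargetAccounts string-vs-array issue and a pre-deploy lint.

Hypothetical helper code, not org-formation-cli's implementation. It mirrors the
behaviour described in the issue: a one-account binding yields a plain string,
several accounts yield a list, and wrapping the function in a YAML list
'spreads' a list result into the parent list while appending a scalar.
"""
from typing import Any, Dict, List, Union

# Constructed sample binding table (placeholder account ids, not real accounts).
BINDINGS: Dict[str, List[str]] = {
    "TargetBinding": ["123456789012"],
    "MultiBinding": ["123456789012", "210987654321"],
}


def enum_target_accounts(binding: str, pattern: str = "${account}") -> Union[str, List[str]]:
    """Model of Fn::EnumTargetAccounts as reported: substitute ${account} for every
    account in the binding; a single match collapses to a string, more give a list."""
    values = [pattern.replace("${account}", acct) for acct in BINDINGS[binding]]
    return values[0] if len(values) == 1 else values


def spread_into_list(items: List[Any]) -> List[Any]:
    """Model of the maintainer's workaround: when the enumeration result is an item
    of a YAML list, a list result is spread into the parent and a scalar is appended."""
    out: List[Any] = []
    for item in items:
        if isinstance(item, list):
            out.extend(item)
        else:
            out.append(item)
    return out


def build_assignment_group(target_ids: Any) -> Dict[str, Any]:
    """Minimal transpiled-template shape from the issue with a given TargetIds value."""
    return {
        "Resources": {
            "AssignmentGroup": {
                "Type": "Community::SSO::AssignmentGroup",
                "Properties": {
                    "Targets": [{"TargetType": "AWS_ACCOUNT", "TargetIds": target_ids}]
                },
            }
        }
    }


def lint_target_ids(template: Dict[str, Any]) -> List[str]:
    """Replicate the schema check that rejected the deployment: every
    Targets[n].TargetIds of an AssignmentGroup must be a JSON array of strings.
    Returns one message per problem; an empty list means the template passes."""
    problems: List[str] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "Community::SSO::AssignmentGroup":
            continue
        targets = res.get("Properties", {}).get("Targets", [])
        for i, target in enumerate(targets):
            ids = target.get("TargetIds")
            if not isinstance(ids, list):
                problems.append(
                    f"{name}: #/Targets/{i}/TargetIds: expected type: JSONArray, "
                    f"found: {type(ids).__name__}"
                )
            elif not all(isinstance(x, str) for x in ids):
                problems.append(f"{name}: #/Targets/{i}/TargetIds: non-string element")
    return problems


if __name__ == "__main__":
    # As written in the report: the single-account result is a bare string.
    broken = build_assignment_group(enum_target_accounts("TargetBinding"))
    # As suggested in the reply: wrap the function in a list, which spreads.
    fixed = build_assignment_group(spread_into_list([enum_target_accounts("TargetBinding")]))
    multi = build_assignment_group(spread_into_list([enum_target_accounts("MultiBinding")]))
    for label, tpl in (("broken", broken), ("fixed", fixed), ("multi", multi)):
        print(label, lint_target_ids(tpl) or "ok")
```

Running `lint_target_ids` over the transpiled JSON before deployment surfaces the type mismatch locally instead of as a failed stack update, and the `multi` case shows why the list wrapping is safe for bindings with more than one account: the spread keeps `TargetIds` a flat array of ids rather than a nested list.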