This fixes nested OU bug

- Fixes #24
- Corrects an issue with nested OU names not being resolved
- Updated docs to reflect

Author: Mike Grima

deploy/starfleet-execution-role-org-management.yml

@@ -124,24 +124,14 @@ Resources:
                 aws:PrincipalOrgId:
                   - !Ref OrganizationId
       Policies:
-        - PolicyName: AuthorizeOrganizationsList
+        - PolicyName: OrganizationsReadOnly
           PolicyDocument:
             Version: '2012-10-17'
             Statement:
-              - Sid: AuthorizeOrgListRestricted
-                Effect: Allow
+              - Effect: Allow
                 Action:
-                  - organizations:ListOrganizationalUnitsForParent
-                  - organizations:ListParents
-                  - organizations:ListTagsForResource
-                Resource:
-                  - !Sub 'arn:${Partition}:organizations::${AWS::AccountId}:account/${OrganizationId}/*'
-                  - !Sub 'arn:${Partition}:organizations::${AWS::AccountId}:ou/${OrganizationId}/ou-*'
-                  - !Sub 'arn:${Partition}:organizations::${AWS::AccountId}:root/${OrganizationId}/r-*'
-              - Sid: AuthorizeOrgListAccounts
-                Effect: Allow
-                Action:
-                  - organizations:ListAccounts
+                  - organizations:Describe*
+                  - organizations:List*
                 Resource:
                   - '*'
 
@@ -212,7 +202,7 @@ Outputs:
     Description: The 12-digit AWS account ID of the Starfleet management account.
     Value: !Ref StarfleetAccountId
   StarfleetAccountIndexRoleArn:
-    Description: >- 
+    Description: >-
       The Amazon Resource Name (ARN) of the Starfleet Account Index Generator
       execution role.
     Value: !GetAtt AccountIndexExecutionRole.Arn

mkdocs/images/StarfleetArchitecture.svg

@@ -108,15 +108,20 @@ Resources:
     If you do decide to go with the CloudFormation StackSets route, you need to keep in mind that StackSets will _NOT_ deploy to the Organization Root account. If you do choose to use StackSets, you will need to _manually_ create an IAM role in the organization root account that has the exact same permissions as what is documented in the StackSet YAML above.
 
 !!! Note
-    If you leverage the `AccountIndexGeneratorShip` worker ship for your AWS account inventory (recommended), you will need to make sure that the Starfleet IAM roles in the Organization Root has the following permissions:
+    If you leverage the `AccountIndexGeneratorShip` worker ship for your AWS account inventory (recommended), you will need to make sure that the Starfleet IAM roles in the Organization Root account has the following permissions (in addition to the permissions you grant to the other worker roles):
 
     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
-                "Action": "organizations:List*",
+                "Action": [
+                    [
+                      "organizations:Describe*",
+                      "organizations:List*"
+                    ]
+                ]
                 "Resource": "*"
             }
         ]

mkdocs/installation/IAM.md

@@ -8,7 +8,7 @@ authors = [
     {name = "Gemini", email = "careers@gemini.com"},
     {name = "Mike Grima", email = "michael.grima@gemini.com"},
 ]
-version = "0.0.1"
+version = "1.0.0"
 dynamic = ["dependencies"]
 
 [tool.setuptools]

pyproject.toml

@@ -60,24 +60,28 @@ def execute(self, commit: bool = False) -> None:
         config = STARFLEET_CONFIGURATION.config[self.worker_ship_name]
         LOGGER.info(f"[📡] Reaching out to the Orgs API to get the list of AWS accounts in account: {config['OrgAccountId']}...")
         all_accounts = list_accounts(  # pylint: disable=no-value-for-parameter
-            account_number=config["OrgAccountId"], assume_role=config["OrgAccountAssumeRole"]
+            account_number=config["OrgAccountId"], assume_role=config["OrgAccountAssumeRole"], region="us-east-1"
         )
         account_map = get_account_map(all_accounts)  # Reformat the data
 
-        # Fetch the list of org OUs:
-        LOGGER.info("[📡] Reaching out to the Orgs API to get the list of all OUs in the org...")
+        # Fetch the list of org OUs for root:
+        LOGGER.info("[📡] Reaching out to the Orgs API to get the list of all OUs under the ROOT OU...")
         all_ous = list_organizational_units_for_parent(  # pylint: disable=no-value-for-parameter
-            ParentId=config["OrgRootId"], account_number=config["OrgAccountId"], assume_role=config["OrgAccountAssumeRole"]
+            ParentId=config["OrgRootId"], account_number=config["OrgAccountId"], assume_role=config["OrgAccountAssumeRole"], region="us-east-1"
         )
-        ou_map = {ou["Id"]: ou["Name"] for ou in all_ous}  # noqa  # Reformat the data into a nice map
-        ou_map[config["OrgRootId"]] = "ROOT"  # Add the root in
+
+        # The resolved parents map: This is used to provide us with the parents for each account eventually pointing to ROOT.
+        # At this point, we know that the top level OUs map to root, so we build that mapping list now so we don't have to resolve this later with lots of
+        # unnecessary recursive API calls:
+        root = {"Id": config["OrgRootId"], "Name": "ROOT", "Type": "ROOT"}
+        resolved_parent_map = {ou["Id"]: [{"Id": ou["Id"], "Name": ou["Name"], "Type": "ORGANIZATIONAL_UNIT"}, root] for ou in all_ous}
+        resolved_parent_map[config["OrgRootId"]] = [root]  # Any account that has a parent of ROOT will just have ROOT as the parent.
 
         # Fetch the tags and enabled regions:
         LOGGER.info("[🚚] Fetching tags and enabled regions for each account...")
         fetch_additional_details(
             account_map,
-            ou_map,
-            config["OrgRootId"],
+            resolved_parent_map,
             config["OrgAccountId"],
             config["OrgAccountAssumeRole"],
             config["DescribeRegionsAssumeRole"],
@@ -93,13 +97,18 @@ def execute(self, commit: bool = False) -> None:
                 Bucket=self.payload["account_inventory_bucket"],
                 Key=self.payload["inventory_object_prefix"],
                 ACL="bucket-owner-full-control",
-                Body=json.dumps(dump_accounts, indent=4),
+                Body=json.dumps(dump_accounts, indent=4, sort_keys=True),
                 ContentType="application/json",
             )
 
         # If we are not committing, then just output the raw data out:
         else:
-            LOGGER.info(f"[🍣] Raw Inventory:\n{json.dumps(account_map, indent=4)}")
+            LOGGER.info(f"[🍣] Raw Inventory:\n{json.dumps(account_map, sort_keys=True, indent=4)}")
+
+        # If you need to update the index JSON for unit tests, then run the tests and uncomment the code below. That will generate a new index JSON.
+        # Simply copy and paste this `generatedIndex.json` file to `tests/starfleet_included_plugins/account_index_generator/generatedIndex.json`:
+        # with open("generatedIndex.json", "w") as file:
+        #     file.write(json.dumps({"accounts": account_map, "generated": datetime.utcnow().replace(tzinfo=None, microsecond=0).isoformat() + "Z"}, indent=4, sort_keys=True))
 
 
 @click.group()

src/starfleet/worker_ships/plugins/account_index_generator/ship.py

@@ -36,7 +36,13 @@ def list_accounts(client: BaseClient, **kwargs) -> Dict[str, Any]:
 @paginated("OrganizationalUnits", request_pagination_marker="NextToken", response_pagination_marker="NextToken")
 def list_organizational_units_for_parent(client: BaseClient, **kwargs) -> Dict[str, Any]:
     """This will list all the OUs for the given parent -- calls are wrapped by CloudAux"""
-    return client.list_organizational_units_for_parent(**kwargs)  # pragma: no cover
+    return client.list_organizational_units_for_parent(**kwargs)
+
+
+@sts_conn("organizations")
+def describe_organizational_unit(client: BaseClient, **kwargs) -> Dict[str, Any]:
+    """This will describe the OU given the OU ID. This is used to extract the name of the OU -- calls are wrapped by CloudAux"""
+    return client.describe_organizational_unit(**kwargs)
 
 
 @paginated("Tags", request_pagination_marker="NextToken", response_pagination_marker="NextToken")
@@ -45,9 +51,10 @@ def list_tags_for_resource(client: BaseClient, **kwargs) -> Dict[str, Any]:
     return client.list_tags_for_resource(**kwargs)
 
 
+@sts_conn("organizations")
 @paginated("Parents", request_pagination_marker="NextToken", response_pagination_marker="NextToken")
 def list_parents(client: BaseClient, **kwargs) -> Dict[str, Any]:
-    """This will query organizations to list all the parent OUs and Root for a given account -- calls are wrapped by CloudAux"""
+    """This will query organizations to list the immediate parent a given account or OU -- calls are wrapped by CloudAux"""
     return client.list_parents(**kwargs)
 
 
@@ -65,8 +72,8 @@ def get_account_map(account_list: List[Dict[str, Any]]) -> Dict[str, Dict[str, A
 
 
 @retry(tries=3, jitter=(0, 3), delay=1, backoff=2, max_delay=3, logger=LOGGER)
-def fetch_tags_and_parents(account_id: str, creds: Dict[str, str], deployment_region: str) -> Tuple[str, Dict[str, str], List[Dict[str, str]]]:
-    """Fetch the tags and parent OUs for each individual account"""
+def fetch_tags_and_parent(account_id: str, creds: Dict[str, str], deployment_region: str) -> Tuple[str, Dict[str, str], List[Dict[str, str]]]:
+    """Fetch the tags and the immediate parent OU for each individual account"""
     LOGGER.debug(f"[🏷️] Fetching tags for account id: {account_id}...")
     client = boto3.client(
         "organizations",
@@ -79,9 +86,9 @@ def fetch_tags_and_parents(account_id: str, creds: Dict[str, str], deployment_re
     extracted_tags = {tag["Key"]: tag["Value"] for tag in returned_tags}
 
     LOGGER.debug(f"[👪] Fetching parents for account id: {account_id}...")
-    returned_parents = list_parents(client, ChildId=account_id)
+    returned_parent = list_parents(force_client=client, ChildId=account_id)  # pylint: disable=no-value-for-parameter
 
-    return account_id, extracted_tags, returned_parents
+    return account_id, extracted_tags, returned_parent
 
 
 @retry(tries=3, jitter=(0, 3), delay=1, backoff=2, max_delay=3, logger=LOGGER)
@@ -107,6 +114,54 @@ def fetch_regions(account_id: str, assume_role: str, deployment_region: str) ->
     return account_id, enabled_regions
 
 
+@retry(tries=3, jitter=(0, 3), delay=1, backoff=2, max_delay=3, logger=LOGGER)
+def resolve_parents(ou_dict: Dict[str, Any], resolved_parents: Dict[str, List[Dict[str, str]]], org_account_id: str, assume_role: str) -> List[Dict[str, Any]]:
+    """
+    This will resolve the parents for a given account's parent OU. the `resolved_parents` map is a dictionary that contains a list of the parents for the given OU ID passed in.
+    If we have an OU ID that is not resolved, then we need to build the parent tree for it. This involves recursively calling the list_parents call so that we can
+    resolve all parents up to one that we have already resolved parents for.
+
+    Before this function runs, the `resolved_parents` parameter should at a minimum have the ROOT resolved. It should also have all the ROOT's immediate children OUs resolved
+    as well.
+
+    This function is required to address issue #24. Orgs does not provide an API to just get the Org OU tree. When this worker ship first runs, we list the OUs that are under
+    the ROOT, but that doesn't list all the nested OUs. This addresses that by fetching and updating the map as missing OUs are encountered. Very annoying but is required. :/
+    """
+    ou_id = ou_dict["Id"]
+    if parents := resolved_parents.get(ou_id):
+        return parents
+
+    # We have not yet resolved the parent OUs and we need to resolve it:
+    LOGGER.debug(f"[🌲] Need to query the Orgs API to fetch the parents for OU ID: {ou_dict['Id']}...")
+
+    # We also need to get the name of this OU because we haven't seen it yet:
+    ou_response = describe_organizational_unit(  # pylint: disable=no-value-for-parameter
+        OrganizationalUnitId=ou_dict["Id"], account_number=org_account_id, assume_role=assume_role, region="us-east-1"
+    )["OrganizationalUnit"]
+    resolved_ou = {"Name": ou_response["Name"], "Id": ou_id, "Type": "ORGANIZATIONAL_UNIT"}
+    LOGGER.debug(f"[🆔] OU ID: {ou_id} has name: {ou_response['Name']}.")
+
+    # Append this OU as the first parent in the list:
+    resolved_parents[ou_id] = [resolved_ou]
+
+    # Unfortunately, when we list_parents, we only get back the immediate parent. This sucks. So we need to have the following logic:
+    # 1. Get the immediate parent that is returned (it should only be 1) -- but it's a list that's returned.
+    # 2. Call this function again (recurse) with the parent provided. Keep going until we find a parent we know about (we should always map to ROOT at a minimum).
+    # 3. As we continue, we are traversing the Org tree. As we go along we continue to update the parents and grandparents parents
+    # 4. After the tree traversal is completed, we update the current OU list with the list of resolved parents.
+    # 5. We now have the full parents list for an Account with the passed in OU ID. In future calls regarding this OU ID, it will reside in the resolved_parents map
+    #    and will simply be returned without additional API calls necessary!
+    LOGGER.debug(f"[👪] Fetching parents for OU ID: {ou_id}/{resolved_ou['Name']}...")
+    returned_parents = list_parents(  # pylint: disable=no-value-for-parameter
+        ChildId=ou_id, account_number=org_account_id, assume_role=assume_role, region="us-east-1"
+    )
+    # It only returns exactly 1 parent back out. Now, resolve the parent's parents...
+    if returned_parents:
+        resolved_parents[ou_id] += resolve_parents(returned_parents[0], resolved_parents, org_account_id, assume_role)
+
+    return resolved_parents[ou_id]
+
+
 TagAndParentResults = List[Tuple[str, Dict[str, str], List[Dict[str, str]]]]
 RegionsResults = List[Tuple[str, List[str]]]
 
@@ -128,7 +183,7 @@ async def fetch_additional_async(
         regions_tasks = []
 
         for account_id in all_accounts.keys():
-            tag_and_parent_tasks.append(loop.run_in_executor(executor, fetch_tags_and_parents, account_id, creds, deployment_region))
+            tag_and_parent_tasks.append(loop.run_in_executor(executor, fetch_tags_and_parent, account_id, creds, deployment_region))
             regions_tasks.append(loop.run_in_executor(executor, fetch_regions, account_id, region_role, deployment_region))
 
         try:
@@ -143,14 +198,21 @@ async def fetch_additional_async(
 
 
 def fetch_additional_details(
-    all_accounts: Dict[str, Any], all_ous: Dict[str, str], root_id: str, org_id: str, org_role: str, region_role: str, deployment_region: str
+    all_accounts: Dict[str, Any],
+    resolved_parent_map: Dict[str, List[Dict[str, str]]],
+    org_account_id: str,
+    org_role: str,
+    region_role: str,
+    deployment_region: str,
 ) -> None:
-    """This is the function that will go out and fetch all the additional details asynchronously with multiple spun processes. This wraps everything
-    in the event loop."""
+    """
+    This is the function that will go out and fetch all the additional details asynchronously with multiple spun processes. This wraps everything
+    in the event loop.
+    """
     loop = asyncio.new_event_loop()
     try:
         tag_and_parent_results, region_results = loop.run_until_complete(
-            fetch_additional_async(loop, all_accounts, org_id, org_role, region_role, deployment_region)
+            fetch_additional_async(loop, all_accounts, org_account_id, org_role, region_role, deployment_region)
         )
     finally:
         loop.close()
@@ -159,20 +221,11 @@ def fetch_additional_details(
     for result in tag_and_parent_results:
         all_accounts[result[0]]["Tags"] = result[1]
 
-        parent_ous = []
-        has_root = False  # If the Root wasn't added in, then we will append it so that there is a full chain up to the Root.
-        for parent in result[2]:
-            if parent["Type"] == "ROOT":
-                has_root = True
-
-            parent_ous.append({"Id": parent["Id"], "Type": parent["Type"], "Name": all_ous[parent["Id"]]})
-
-        # If Root wasn't there, then append it:
-        if not has_root:
-            parent_ous.append({"Id": root_id, "Type": "ROOT", "Name": "ROOT"})
-
+        # Resolve all the parents:
+        parent_ous = resolve_parents(result[2][0], resolved_parent_map, org_account_id, org_role)
         all_accounts[result[0]]["Parents"] = parent_ous
 
+    # Merge in the regions:
     for result in region_results:
         all_accounts[result[0]]["Regions"] = result[1]
 

src/starfleet/worker_ships/plugins/account_index_generator/utils.py

@@ -10,7 +10,7 @@
 # pylint: disable=redefined-outer-name,unused-argument,duplicate-code
 import json
 from datetime import datetime
-from typing import Any, Dict, Generator, List, Optional
+from typing import Any, Dict, Generator, Optional
 from unittest import mock
 from unittest.mock import MagicMock
 
@@ -103,35 +103,69 @@ def account_generator(paginator: Optional[str] = None) -> Dict[str, Any]:
 
 
 @pytest.fixture
-def mock_list_account() -> MagicMock:
-    """This will mock out the Organizations list_account call so that it will return the generated account list."""
+def mock_boto3_sts_orgs_calls() -> Generator[MagicMock, None, None]:
+    """This will mock out the Organizations STS related calls so that it will return the proper responses back out"""
 
     def list_accounts(**kwargs) -> Dict[str, Any]:
         """This is the mocked out list_accounts call."""
         return account_generator(paginator=kwargs.pop("NextToken", None))
 
+    unit_map = {
+        "ou-1234-5678910": "SomeOU",
+        "ou-1234-5678911": "SomeNestedOU",
+        "ou-1234-5678912": "SomeNestedNestedOU",
+    }
+
+    def list_organizational_units_for_parent(*args, **kwargs) -> Dict[str, Any]:  # noqa
+        """This is the mocked out function that will just list all the OUs that are not Root back out."""
+        return {
+            "OrganizationalUnits": [{"Id": "ou-1234-5678910", "Arn": "arn:aws:organizations::000000000020:ou/o-000000000020/ou-1234-5678910", "Name": "SomeOU"}]
+        }
+
+    def fetch_parent_ous_in_resolve(*args, **kwargs) -> Dict[str, Any]:  # noqa
+        """This is the mocked out function that will return the parent OUs in the resolve function. This is only ever called"""
+        if kwargs["ChildId"] == "ou-1234-5678912":
+            return {"Parents": [{"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT"}]}
+
+        return {"Parents": [{"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"}]}
+
+    def describe_organizational_unit(*args, **kwargs) -> Dict[str, Any]:  # noqa
+        """The mocked out call to describing organizational units"""
+        return {
+            "OrganizationalUnit": {
+                "Id": kwargs["OrganizationalUnitId"],
+                "Arn": f"arn:aws:organizations::000000000020:ou/o-000000000020/{kwargs['OrganizationalUnitId']}",
+                "Name": unit_map[kwargs["OrganizationalUnitId"]],
+            }
+        }
+
     # Make the "returned" magic mock. This is the mocked out boto3 client, which is returned when the boto3_cached_conn function is instantiated
     mocked_boto_client = MagicMock()
     mocked_boto_client.list_accounts = MagicMock(side_effect=list_accounts)
+    mocked_boto_client.list_organizational_units_for_parent = MagicMock(side_effect=list_organizational_units_for_parent)
+    mocked_boto_client.list_parents = MagicMock(side_effect=fetch_parent_ous_in_resolve)
+    mocked_boto_client.describe_organizational_unit = MagicMock(side_effect=describe_organizational_unit)
 
     # This is the mocked boto3_cached_conn function itself. It needs to have a return_value to the mocked out client above:
     with mock.patch("cloudaux.aws.sts.boto3_cached_conn", return_value=mocked_boto_client) as mocked_cache_conn:
         yield mocked_cache_conn
 
 
 @pytest.fixture
-def account_map(mock_list_account: MagicMock) -> Dict[str, Any]:
+def account_map(mock_boto3_sts_orgs_calls: MagicMock) -> Dict[str, Any]:
     """The account list from the mocked call."""
     from starfleet.worker_ships.plugins.account_index_generator.utils import list_accounts, get_account_map
 
     return get_account_map(list_accounts(account_number="000000000020", assume_role="testing"))  # pylint: disable=no-value-for-parameter
 
 
 @pytest.fixture
-def mock_direct_boto_clients() -> MagicMock:
+def mock_direct_boto_clients() -> Generator[MagicMock, None, None]:
     """
     Mocks out the direct boto3 client creator. The mocked boto3 object has a new client() function that will return the normal boto3 client (gets mocked with moto)
-    for all services *except* organizations. For organizations, we're making a MagicMock that mocks out the `list_tags_for_resource` call.
+    for all services *except* organizations. For organizations, we're making a MagicMock that mocks out the `list_tags_for_resource` and `list_parents` call.
+
+    Accounts 10 and 11 have nested OU residency.
     """
     old_client = boto3.client
 
@@ -145,6 +179,16 @@ def fetch_parent_ous(*args, **kwargs) -> Dict[str, Any]:  # noqa
         if kwargs["ChildId"] == "000000000020":
             return {"Parents": [{"Id": "r-123456", "Type": "ROOT"}]}
 
+        # If account 10 is passed in (000000000010), then return the parent OU (ou-1234-5678912) - Account 10 will live in a nested OU of a nested OU
+        # (SomeOU --> SomeNestedOU --> SomeNestedNestedOU --> Account10)
+        if kwargs["ChildId"] == "000000000010":
+            return {"Parents": [{"Id": "ou-1234-5678912", "Type": "ORGANIZATIONAL_UNIT"}]}
+
+        # If account 11 is passed in (000000000011), then return the parent OU (ou-1234-5678911) - Account 11 will live in a nested OU of a nested OU
+        # (SomeOU --> SomeNestedOU --> Account11)
+        if kwargs["ChildId"] == "000000000011":
+            return {"Parents": [{"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT"}]}
+
         return {"Parents": [{"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"}]}
 
     class MockedBoto3:
@@ -169,21 +213,6 @@ def client(self, service, **kwargs):
             yield mocked_boto
 
 
-@pytest.fixture
-def mock_list_parent_ous() -> Generator[None, None, None]:
-    """
-    This very specifically mocks out the boto3 call for listing the parent OUs. Not using Moto for this. The original function is wrapped by CloudAux's STS wrapper,
-    and it's easier to just mock out what we need vs. test the boto3 stuff itself.
-    """
-
-    def mocked_func(*args, **kwargs) -> List[Dict[str, Any]]:  # noqa
-        """This is the mocked out function that will just list all the OUs that are not Root back out."""
-        return [{"Id": "ou-1234-5678910", "Arn": "arn:aws:organizations::000000000020:ou/o-000000000020/ou-1234-5678910", "Name": "SomeOU"}]
-
-    with mock.patch("starfleet.worker_ships.plugins.account_index_generator.ship.list_organizational_units_for_parent", mocked_func):
-        yield
-
-
 @pytest.fixture
 def lambda_payload(good_payload: Dict[str, Any]) -> Dict[str, Any]:
     """This is the payload from SQS encoded in the Body of the dictionary. Not including the rest of the SQS details."""

tests/starfleet_included_plugins/account_index_generator/conftest.py

@@ -55,7 +55,7 @@ def test_payload_schema(good_payload: Dict[str, Any]) -> None:
         AccountIndexGeneratorShipPayloadTemplate().load(good_payload)
 
 
-def test_list_org_accounts(mock_list_account: MagicMock) -> None:
+def test_list_org_accounts(mock_boto3_sts_orgs_calls: MagicMock) -> None:
     """This mostly tests that our code will pull out the proper (mocked) results from the AWS API. This also ensures that our fixture is working properly."""
     from starfleet.worker_ships.plugins.account_index_generator.utils import list_accounts
 
@@ -92,9 +92,12 @@ def test_fetch_additional_details(
     """This is a test to ensure that we can fetch all the additional details about"""
     from starfleet.worker_ships.plugins.account_index_generator.utils import fetch_additional_details
 
-    ous = {"ou-1234-5678910": "SomeOU", "r-123456": "ROOT"}
+    resolved_parent_map = {
+        "ou-1234-5678910": [{"Name": "SomeOU", "Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"}, {"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"}],
+        "r-123456": [{"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"}],
+    }
 
-    fetch_additional_details(account_map, ous, "r-123456", "000000000020", "testing", "testing", "us-east-2")
+    fetch_additional_details(account_map, resolved_parent_map, "000000000020", "testing", "testing", "us-east-2")
 
     # Verify that everything is there:
     tag_value = {f"Key{x}": f"Value{x}" for x in range(1, 4)}
@@ -106,13 +109,50 @@ def test_fetch_additional_details(
         assert account["Regions"] == regions
 
         # And the parent OUs:
-        if account["Id"] != "000000000020":
+        if account["Id"] not in {"000000000020", "000000000010", "000000000011"}:
             assert account["Parents"] == [
                 {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
                 {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
             ]
-        else:
+        elif account["Id"] == "000000000020":
+            assert account["Parents"] == [{"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"}]
+        elif account["Id"] == "000000000010":  # Account 10
+            assert account["Parents"] == [
+                {"Id": "ou-1234-5678912", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedNestedOU"},
+                {"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedOU"},
+                {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
+                {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
+            ]
+        elif account["Id"] == "000000000011":  # Account 11
+            assert account["Parents"] == [
+                {"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedOU"},
+                {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
+                {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
+            ]
+
+    # Let's try this again with the resolved parent map having been fully resolved. We should get the proper parent OUs back out:
+    fetch_additional_details(account_map, resolved_parent_map, "000000000020", "testing", "testing", "us-east-2")
+    for account in account_map.values():
+        if account["Id"] not in {"000000000020", "000000000010", "000000000011"}:
+            assert account["Parents"] == [
+                {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
+                {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
+            ]
+        elif account["Id"] == "000000000020":
             assert account["Parents"] == [{"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"}]
+        elif account["Id"] == "000000000010":  # Account 10
+            assert account["Parents"] == [
+                {"Id": "ou-1234-5678912", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedNestedOU"},
+                {"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedOU"},
+                {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
+                {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
+            ]
+        elif account["Id"] == "000000000011":  # Account 11
+            assert account["Parents"] == [
+                {"Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeNestedOU"},
+                {"Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT", "Name": "SomeOU"},
+                {"Id": "r-123456", "Type": "ROOT", "Name": "ROOT"},
+            ]
 
 
 def test_async_exceptions(aws_sts: BaseClient) -> None:
@@ -125,9 +165,16 @@ def raise_exception(*args, **kwargs) -> None:  # noqa
 
     # Just mock with lambda functions. These can't be pickled and cause an exception.
     with pytest.raises(AccountIndexerProcessError) as exc:
-        with mock.patch("starfleet.worker_ships.plugins.account_index_generator.utils.fetch_tags_and_parents", raise_exception):
+        with mock.patch("starfleet.worker_ships.plugins.account_index_generator.utils.fetch_tags_and_parent", raise_exception):
             with mock.patch("starfleet.worker_ships.plugins.account_index_generator.utils.fetch_regions", raise_exception):
-                fetch_additional_details({"000000000000": {}}, {"r-123456": "ROOT"}, "r-123456", "000000000020", "testing", "testing", "us-east-2")
+                fetch_additional_details(
+                    {"000000000000": {}},
+                    {"r-123456": [{"Type": "ROOT", "Name": "ROOT", "Id": "r-123456"}]},
+                    "000000000020",
+                    "testing",
+                    "testing",
+                    "us-east-2",
+                )
 
     assert "Fetching tags and regions" in str(exc.value)
 
@@ -141,7 +188,6 @@ def test_full_run(
     aws_s3: BaseClient,
     aws_sts: BaseClient,
     inventory_bucket: str,
-    mock_list_parent_ous: None,
     account_map: Dict[str, Any],
     mock_direct_boto_clients: MagicMock,
     lambda_payload: Dict[str, Any],
@@ -152,8 +198,22 @@ def test_full_run(
     from starfleet.worker_ships.plugins.account_index_generator.utils import fetch_additional_details
 
     # We need to get the proper account map so we can verify that we generated the proper thing:
-    ou_map = {"ou-1234-5678910": "SomeOU", "r-123456": "ROOT"}
-    fetch_additional_details(account_map, ou_map, "r-123456", "000000000020", "testing", "testing", "us-east-2")
+    resolved_parent_map = {
+        "ou-1234-5678910": [{"Name": "SomeOU", "Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"}, {"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"}],
+        "ou-1234-5678911": [
+            {"Name": "SomeNestedOU", "Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT"},
+            {"Name": "SomeOU", "Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"},
+            {"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"},
+        ],
+        "ou-1234-5678912": [
+            {"Name": "SomeNestedNestedOU", "Id": "ou-1234-5678912", "Type": "ORGANIZATIONAL_UNIT"},
+            {"Name": "SomeNestedOU", "Id": "ou-1234-5678911", "Type": "ORGANIZATIONAL_UNIT"},
+            {"Name": "SomeOU", "Id": "ou-1234-5678910", "Type": "ORGANIZATIONAL_UNIT"},
+            {"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"},
+        ],
+        "r-123456": [{"Name": "ROOT", "Id": "r-123456", "Type": "ROOT"}],
+    }
+    fetch_additional_details(account_map, resolved_parent_map, "000000000020", "testing", "testing", "us-east-2")
 
     with mock.patch("starfleet.worker_ships.plugins.account_index_generator.ship.LOGGER") as mocked_logger:
         if cli: