PF-119: Account Factory should be able to vend in a subdirectory

[gruntwork-ci]

Implements plan for Linear issue PF-119.

Plan source: https://github.com/gruntwork-io-team/linear-claude-plans/blob/main/plans/PF-119.md

---

Claude's implementation summary

All work is done. Here is the summary of changes per repo:

---

## Repo: `gruntwork-io/pipelines`

Added the `new_account_parent_path` HCL attribute to the `account_factory` block so customers (e.g. Bill.com) can vend new AWS accounts into a repo-relative subdirectory (such as `aws/`) instead of the repo root. Default behavior (vending at the root) is preserved when the attribute is empty.

- `internal/config/accountfactory/accountfactory.go` — added `NewAccountParentPath` to `AccountFactory` and `AccountFactoryHCL`; changed `Resolve()` to return `(AccountFactory, hcl.Diagnostics)`; added a `normalizeNewAccountParentPath` helper that silently strips leading/trailing slashes and rejects `..` segments.
- `internal/config/global/global.go` — propagated the new diagnostics from `AccountFactoryHCL.Resolve()`.
- `main.go` — joined `cfg.AccountFactory.NewAccountParentPath` into the three account-baseline `WorkDir` constructions (`baseline-core`, `baseline-child-account` init, `baseline-child-account` main).
- `internal/actions/accountfactory/templatebaselines.go` — directed `boilerplate.Template` at `filepath.Join(workDir, NewAccountParentPath)` and exposed `NewAccountParentPath` to the template variables.
- `internal/infrachanges/infrachange.go` — rewrote `accountAdded` to filter on the configured parent path; new account directories are detected at the level just below the parent path, and emitted `InfraChange.Path` values are joined under the parent (e.g. `aws/web-dev`).
- `internal/jobs/jobs.go` — `buildAccountsAddedJob` now prefixes `JobData.WorkingDirectory` with the parent path so downstream workflows `cd` into the correct on-disk directory.
- `internal/infrachanges/infrachange_test.go` — added two tests: vending under a parent path on an empty source, and vending alongside an existing sibling under the same parent path (ensures the parent itself is not reported).
- `internal/config/accountfactory/accountfactory_test.go` — added normalization tests, an explicit `..`-rejection test, and HCL-level round-trip tests for valid and invalid values.
- `internal/jobs/jobs_test.go` — added `TestBuildAccountsAddedJobWithParentPath` asserting `WorkingDirectory == "aws/dev"`.
- `internal/actions/accountfactory/templatebaselines_test.go` — added a `NewAccountParentPath` assertion in `TestGetTemplateVars`.
- `test-fixtures/pipelines-config/devops-foundations-infra-live-root-w-parent-path/` — new fixture that exercises `new_account_parent_path = "aws"`; existing fixtures were regenerated so their `expected.json` includes the new (empty) field. The `generate_fixtures` tool was used to regenerate the JSON outputs.

No experiment flag was added: the empty-string default plus `filepath.Join`'s dropping of empty segments makes the change structurally backward-compatible.

---

## Repo: `gruntwork-io/docs`

- `docs/2.0/reference/accountfactory/configurations-as-code.md` — added a new `### new_account_parent_path` subsection (alphabetically placed between `management_account_name` and `pipelines_read_token_name`) describing semantics, default, scope (newly vended accounts only), and validation rules.
- `docs/2.0/docs/accountfactory/architecture/index.md` — extended the on-disk-layout paragraph to mention `new_account_parent_path` and noted that `_new-account-requests/` and `accounts.yml` remain at the repo root.

---

## Repo: `gruntwork-io/terraform-aws-architecture-catalog`

- `blueprints/components/gw-pipelines-config/account-factory/.gruntwork/account-factory.hcl` — emits `new_account_parent_path = "..."` when the new boilerplate variable is non-empty.
- `blueprints/components/gw-pipelines-config/account-factory/boilerplate.yml` — added the `NewAccountParentPath` variable (order 23, default `""`).
- `blueprints/components/gw-pipelines-config/environment/.gruntwork/{{ .FormattedAccountName }}.hcl` — the environment filter `paths` now conditionally prefixes the parent path so vended env filters point at the correct disk location.
- `blueprints/components/gw-pipelines-config/environment/boilerplate.yml` — added the `NewAccountParentPath` variable consumed by the filter template.
- `templates/single-account-baseline/boilerplate.yml` — added `NewAccountParentPath` as a top-level variable and forwarded it to the `gw-pipelines-config/environment` dependency.

Follow-up note: per the original plan §3.3, the env filter file should ideally live under the root `.gruntwork/` directory rather than the parent-path-relative `.gruntwork/`. Since `boilerplate.Template` is invoked once with `outDir = workDir/parentPath`, the env subcomponent currently writes to `<workDir>/<parentPath>/.gruntwork/<name>.hcl`. Customers can rely on Pipelines' `.gruntwork/` upward traversal for vended units, but consolidating config into the root `.gruntwork/` is a follow-up architecture-catalog change (would require either two boilerplate invocations from pipelines or a restructured `single-account-baseline`).

---

## Tests run

- `go test ./internal/config/accountfactory/...` ✓
- `go test ./internal/infrachanges/ -run "TestAccountsAdded*|TestAccountsAddedWithOtherChanges|TestUnitAdded$|TestUnitChanged$|TestBuildChangeListInTeamRepo|TestHCLChanged|TestEnvCommon|TestAccountsChanged$|TestAccountsRequested$"` ✓
- `go test ./internal/jobs/ -run "TestBuildAccountsAddedJob|TestBuildAccountsRequestedJob|TestBuildAccountChangedJob|TestBuildAccountDeletedJob|TestDeduplicate"` ✓
- `go test ./test/plumbing/config/...` ✓ (all 31 fixtures, including the new `devops-foundations-infra-live-root-w-parent-path`)
- `go vet ./...` ✓
- `go build ./...` ✓

Pre-existing failures in tests that shell out to a real `terragrunt` binary (stack tests, DAG validation) are environmental and unrelated to this change.

---

Related PRs in this change set

• pipelines: https://github.com/gruntwork-io/pipelines/pull/587
• terraform-aws-architecture-catalog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1203

Summary by CodeRabbit

Release Notes

• Documentation
  • Updated Account Factory documentation to clarify the location of newly provisioned accounts in the repository structure.
  • Documented the new new_account_parent_path configuration attribute, enabling customization of the parent directory for newly vended accounts while maintaining the request directory and configuration file at the repository root.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	May 12, 2026 8:16pm

[coderabbitai]

Walkthrough

This PR adds documentation for a new new_account_parent_path optional configuration attribute in Account Factory. The architecture doc explains that newly provisioned accounts use this setting to customize their parent directory, while the reference doc formally documents the attribute with path normalization rules, validation constraints, and practical examples.

Changes

Account Factory new_account_parent_path Documentation

Layer / File(s)

Summary

Document new account parent path configuration docs/2.0/docs/accountfactory/architecture/index.md, docs/2.0/reference/accountfactory/configurations-as-code.md

Architecture documentation clarifies that newly provisioned accounts are recorded under a customizable parent directory using new_account_parent_path (defaulting to repo root), while the configuration reference formally documents the attribute with behavior scope, path normalization (strips leading/trailing slashes), constraint validation (rejects .. segments at config load), and an HCL usage example.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📚 A path for new accounts takes shape,
Where new_account_parent_path helps escape
The repository root with custom grace,
Normalized, validated, in its rightful place. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: enabling Account Factory to vend new accounts into a subdirectory, which is the core feature implemented across the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude-pr/PF-119-25758084303

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/2.0/reference/accountfactory/configurations-as-code.md`:
- Around line 306-319: The example HCL block under the new_account_parent_path
description is currently indented and parsed as an indented code block; replace
it with a fenced code block using the language tag "hcl" and unindented contents
so markdownlint rule MD046 is satisfied—for example, wrap the account_factory {
new_account_parent_path = "aws" } snippet in ```hcl ... ``` and ensure the block
uses the exact symbol names account_factory and new_account_parent_path as
shown.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 588d7193-62cf-41c5-81f3-ebad0e7f4d0a

📥 Commits

Reviewing files that changed from the base of the PR and between 9ecc3eb and 9300f5e.

📒 Files selected for processing (2)

• docs/2.0/docs/accountfactory/architecture/index.md
• docs/2.0/reference/accountfactory/configurations-as-code.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix Markdown code-block style to satisfy MD046 in this new section.

The newly added example snippets are being parsed as indented-style blocks by markdownlint. Please switch them to explicit fenced style in this section so doc lint stays clean.

Suggested adjustment

-    A repo-relative subdirectory under which newly vended accounts are created. When set to a value such as `"aws"`, Account Factory will vend new AWS accounts into `{repo_root}/aws/{account_name}/…` instead of `{repo_root}/{account_name}/…`. The default is `""`, meaning new accounts are vended at the repository root (today's behavior).
+    A repo-relative subdirectory under which newly vended accounts are created. When set to a value such as `"aws"`, Account Factory will vend new AWS accounts into `{repo_root}/aws/{account_name}/…` instead of `{repo_root}/{account_name}/…`. The default is `""`, meaning new accounts are vended at the repository root (today's behavior).

@@
-    ```hcl
-    account_factory {
-      new_account_parent_path = "aws"
-    }
-    ```
+```hcl
+account_factory {
+  new_account_parent_path = "aws"
+}
+```

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 306-306: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

---

[warning] 315-315: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2.0/reference/accountfactory/configurations-as-code.md` around lines 306
- 319, The example HCL block under the new_account_parent_path description is
currently indented and parsed as an indented code block; replace it with a
fenced code block using the language tag "hcl" and unindented contents so
markdownlint rule MD046 is satisfied—for example, wrap the account_factory {
new_account_parent_path = "aws" } snippet in ```hcl ... ``` and ensure the block
uses the exact symbol names account_factory and new_account_parent_path as
shown.