Account Name and Account Alias in AWS are not the same thing!

Jan Tymiński

Did you know that?

I was surprised when I found out…

I was about to implement an Organization-wide solution with AWS Control Tower Account Factory for Terraform (AFT) that, in my case, uses the Account Name to create further resources.
As I don't often read Account Aliases with Terraform, I googled it, and the first result I got was this article from StackOverflow.
I became a bit worried about how it could affect my solution, but I decided to proceed.
And - unfortunately - I confirmed this is true.

Account Name vs. Account Alias

I want to briefly describe how Account Name and Account Alias differ from each other.

As they are different things, they don’t have to be equal and it may require proper handling depending on the situation.

Account Name

The Account Name in AWS is the name used by AWS Organizations, and it exists and is managed within the scope of an AWS Organization.

The details of an AWS Organization are available only to the Root Account of the AWS Organization, so reading the name with the aws_organizations_account data source requires first configuring Terraform to access that account.
This is not straightforward, as it means reading from two accounts at once. It is technically possible with separate AWS providers connected to different accounts, but this is not necessarily an optimal approach and may not be possible in some organizations due to additional constraints.
It is also possible to work around this by storing the Account Name in AWS SSM Parameter Store for each account in the Organization, but then we would already be building a solution that requires maintenance, so it may not be a suitable option.

Because the Account Name exists only in terms of an AWS Organization, it doesn't have to be unique across all of AWS; it only needs to be unique within your Organization.

Unlike the Account Alias, the Account Name is required: it always has to be set.

You can read more about accounts in AWS Organizations under Managing member accounts in the AWS Organizations User Guide.

Account Alias

The Account Alias is a different thing.

An AWS Account doesn't have to be part of an AWS Organization, so the Account Name for such an account may not exist.
Yet every AWS Account can have an Account Alias.

The Account Alias identifies a particular AWS Account.
It is optional, so it doesn't have to be set for an account, but if it is set, it has to be unique across all of AWS.
Because it uniquely identifies the account, the Account Alias may be used instead of the Account ID to log in to the AWS Console.
An Account Alias is easy to remember, and many organizations and individuals use aliases for that simplification.

The Account Alias can also be deleted.
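To make the difference between the two identifiers visible, the following Terraform configuration reads both for the account being configured and raises a check warning when they drift apart. It is an added example, not code from the original post. Assumptions: the default provider carries the member account's credentials; a second provider, aliased `management`, assumes a placeholder role (`arn:aws:iam::111111111111:role/OrgReadOnly`, to be replaced) in the Organization's root account; and, instead of a per-account lookup, the Account Name is taken from the `accounts` list of the aws_organizations_organization data source, which is only populated when queried from the management account. The `check` block needs Terraform 1.5 or newer.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Default provider: credentials of the member account being configured.
provider "aws" {
  region = "eu-central-1"
}

# Second provider: assumes a read-only role in the Organization's root (management) account.
# The role ARN below is a placeholder (assumption); the role needs organizations:DescribeOrganization
# and organizations:ListAccounts.
provider "aws" {
  alias  = "management"
  region = "eu-central-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/OrgReadOnly" # placeholder
  }
}

# Account ID of the member account (always available, no Organization access needed).
data "aws_caller_identity" "current" {}

# IAM Account Alias of the member account. The data source errors when no alias exists,
# so a deleted or never-set alias fails the plan instead of yielding an empty string.
data "aws_iam_account_alias" "current" {}

# Organization details, including the list of member accounts with their names.
# Read through the management-account provider because only that account can list them.
data "aws_organizations_organization" "org" {
  provider = aws.management
}

locals {
  # Pick the entry whose ID matches the account we are running in.
  this_account = one([
    for a in data.aws_organizations_organization.org.accounts : a
    if a.id == data.aws_caller_identity.current.account_id
  ])
  account_name  = local.this_account.name
  account_alias = data.aws_iam_account_alias.current.account_alias
}

output "account_name" {
  value = local.account_name
}

output "account_alias" {
  value = local.account_alias
}

# Surface the mismatch during plan/apply rather than discovering it later
# in resources that were named after the wrong identifier.
check "name_matches_alias" {
  assert {
    condition     = local.account_name == local.account_alias
    error_message = "Account Name '${local.account_name}' differs from Account Alias '${local.account_alias}' for account ${data.aws_caller_identity.current.account_id}."
  }
}
```

Running `terraform plan` in an account where the two differ prints both outputs and the check warning; if the pipeline must not proceed in that case, the same condition can be moved into a `precondition` on the resource that consumes the name, which turns the warning into an error.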

My scenario

In my scenario, the Account Name differs from the Account Alias for at least a subset of accounts.
Therefore I could not rely on the data source below without additional modifications:

data "aws_iam_account_alias" "current" {}

Luckily I could resolve this, as in my case there is a pattern, so I could manipulate the data.aws_iam_account_alias.current.account_alias value at a later step to achieve my goal.

In my scenario this meant creating buckets for the logs of one of the landing zone components, following a certain naming pattern, and I needed that pattern to be uniform across the whole Organization.
The optimal solution would be to use the aws_s3_bucket data source to read the bucket from each account when configuring the logs that should point there, but the aws_s3_bucket data source doesn't support wildcards at the moment; the full bucket name is required, so this is not a solution for me, as it doesn't simplify anything.

There is an open issue for the aws_s3_bucket data source to enable retrieving a list of buckets matching a particular filter, which would work really well in my scenario, but the issue has been open since October 2020 and doesn't seem to be prioritized.
This is especially frustrating because a PR with this feature was already submitted!

Luckily, an S3 bucket ARN doesn't contain any unique IDs; it has the form arn:aws:s3:::${BUCKET_NAME}, and my buckets didn't require any random ID to be unique, so it was easy to just manipulate the Account Alias accordingly to achieve the final goal.
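The manipulation described above, as an added example rather than the author's own configuration: the bucket name is derived from the Account Alias with Terraform's `regex()` function, the resulting name is validated against the S3 naming rules before the bucket is created, and the ARN is built from the name alone. The alias pattern `<org>-<environment>-<workload>` and the component name `vpc-flow` are assumptions made for this example; the author's actual pattern is not given in the post.

```hcl
# Account Alias of the account being configured. The data source errors when the
# account has no alias, so an optional or deleted alias cannot silently produce
# an empty bucket name.
data "aws_iam_account_alias" "current" {}

variable "component" {
  description = "Landing zone component whose logs the bucket will hold (hypothetical default)."
  type        = string
  default     = "vpc-flow"
}

locals {
  # Hypothetical alias pattern: "<org>-<environment>-<workload>" (assumption for this example).
  # regex() returns the capture groups as a list and fails the plan if the alias
  # does not match, which is the desired behaviour for an account that breaks the pattern.
  alias_parts = regex(
    "^([a-z0-9]+)-([a-z0-9]+)-([a-z0-9-]+)$",
    data.aws_iam_account_alias.current.account_alias,
  )

  # Bucket name that is uniform across the Organization: "<org>-<env>-<workload>-<component>-logs".
  bucket_name = join("-", concat(local.alias_parts, [var.component, "logs"]))

  # S3 bucket ARNs carry no account ID or region, so the ARN is fully determined by the name.
  bucket_arn = "arn:aws:s3:::${local.bucket_name}"

  # S3 naming rules that matter here: 3-63 characters, lowercase letters, digits,
  # dots and hyphens, starting and ending with a letter or digit, no "..",
  # and not formatted like an IP address.
  bucket_name_valid = (
    can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", local.bucket_name))
    && !can(regex("\\.\\.", local.bucket_name))
    && !can(regex("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$", local.bucket_name))
  )
}

resource "aws_s3_bucket" "component_logs" {
  bucket = local.bucket_name

  lifecycle {
    # Stop before calling the API with a name S3 would reject or that could
    # collide with an unintended bucket.
    precondition {
      condition     = local.bucket_name_valid
      error_message = "Derived bucket name '${local.bucket_name}' violates S3 bucket naming rules."
    }
  }
}

output "component_log_bucket_arn" {
  # e.g. arn:aws:s3:::acme-prod-payments-vpc-flow-logs for alias "acme-prod-payments"
  value = local.bucket_arn
}
```

Because the ARN contains nothing but the bucket name, other accounts that need to write logs into this bucket can compute the same `local.bucket_arn` from the target account's alias without reading anything from that account, which is exactly why the alias pattern, not the Account Name, has to be the stable input here.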

I am writing all this because, as it was the case for me, it may well be the case for you!
I have worked in IT long enough to see that people follow similar patterns even though they have never met each other; some details may differ, but the same patterns recur, and with these patterns you might run into this issue at some point, just as I did.


Written by Jan Tymiński

I started my professional career in 2012 as a Systems Administrator and continued it until 2018, when I became a DevOps Engineer. I have worked with AWS since 2016 and I am a 5 times certified AWS Specialist.