From 27b120b67b89e0c5ae7a78b50c4d728480070d69 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko <ieviero@amazon.com>
Date: Thu, 12 Sep 2024 16:31:00 -0400
Subject: [PATCH] allow empty id

---
 .../templates/sra-security-lake-org-main-ssm.yaml          | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml
index f2eacbc0..11d581d3 100644
--- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml
+++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml
@@ -453,9 +453,10 @@ Rules:
       - Assert: !Not [!Equals [!Ref pEnabledRegions, '']]
         AssertDescription: Please provide Enabled Regions
   ProvideUniqueExternalIds:
-    RuleCondition: !Equals
-      - !Ref pAuditAccountDataSubscriberExternalId
-      - !Ref pAuditAccountQuerySubscriberExternalId
+    RuleCondition: !And
+      - !Not [!Equals [!Ref pAuditAccountDataSubscriberExternalId, '']]
+      - !Not [!Equals [!Ref pAuditAccountQuerySubscriberExternalId, '']]
+      - !Equals [!Ref pAuditAccountDataSubscriberExternalId, !Ref pAuditAccountQuerySubscriberExternalId]
     Assertions:
       - Assert: !Not [!Equals [!Ref pAuditAccountDataSubscriberExternalId, !Ref pAuditAccountQuerySubscriberExternalId]]
         AssertDescription: The external ID for Security Lake Audit (Security Tooling) data access and query access subscribers must be different from one another.