resource account: allow setting NoStackInheritance

You can now set NoStackInheritance: true for an account. This will make
it so that a stack doesn't inherit from the current OU or parent OUs.

The most useful case for this is when you have the management account at
the top level and want to declare top level stacks as well to target all
sub accounts except the management account.

resource/account.go

@@ -19,6 +19,7 @@ type Account struct {
 	Tags                   []string `yaml:"Tags,omitempty"`
 	AWSTags                []string `yaml:"-"`
 	BaselineStacks         []Stack  `yaml:"Stacks,omitempty"`
+	NoStackInheritance     bool     `yaml:"NoStackInheritance,omitempty"`
 	ServiceControlPolicies []Stack  `yaml:"ServiceControlPolicies,omitempty"`
 	ManagementAccount      bool     `yaml:"-"`
 
@@ -109,7 +110,7 @@ func (a Account) CurrentTags() []string {
 
 func (a Account) AllBaselineStacks() ([]Stack, error) {
 	var stacks []Stack
-	if a.Parent != nil {
+	if a.Parent != nil && !a.NoStackInheritance {
 		stacks = append(stacks, a.Parent.AllBaselineStacks()...)
 	}
 

resource/account_test.go

@@ -40,6 +40,19 @@ var (
 				AccountName: "Example2",
 				AccountID:   "2",
 			},
+			{
+				Email:              "[email protected]",
+				AccountName:        "mgmt-account",
+				AccountID:          "3",
+				NoStackInheritance: true,
+				BaselineStacks: []resource.Stack{
+					{
+						Name: "mgmt-stack",
+						Type: "Terraform",
+						Path: "tf/mgmt",
+					},
+				},
+			},
 		},
 		ChildOUs: []*resource.OrganizationUnit{
 			{
@@ -163,6 +176,17 @@ func TestAllBaselineStacks(t *testing.T) {
 				},
 			},
 		},
+		{
+			rootOU:             rootOU,
+			targetAccountEmail: "[email protected]",
+			wantStacks: []resource.Stack{
+				{
+					Name: "mgmt-stack",
+					Type: "Terraform",
+					Path: "tf/mgmt",
+				},
+			},
+		},
 	}
 
 	for _, tc := range tests {