can_close_accounts_in_resource_org_paths only works with root #22

@malhussan

Description

Problem

Currently, the replicator's ability to close AWS accounts is controlled using the following configuration:

can_close_accounts_in_resource_org_paths = ["<org-id>/<root-OU-id>/*"]

This works when granting access at the organization root level. However, attempts to narrow access down to specific Organizational Units (OUs), such as:

can_close_accounts_in_resource_org_paths = ["<org-id>/<root-OU-id>/<child-OU>/*"]

do not work as expected.

Suggestion

To improve flexibility and security, we propose two enhancements:

  1. Allow organization-wide access
    Provide an option for module consumers to disable aws:ResourceOrgPath conditions entirely, allowing full org-wide permissions to close accounts when needed.

  2. Support tag-based access control
    Introduce support for using aws:ResourceTag/<tag-key> in IAM conditions. This would allow fine-grained control by restricting account closure actions to accounts tagged with specific key-value pairs. We can identify meshStack managed AWS accounts by the presence of these tags.
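The three scoping options discussed above (an org-path condition, no org-path condition at all, and a tag-based condition) can be sanity-checked offline before a policy is rendered. The following is an added example and not part of this issue or the replicator module: it builds the Condition block of an `organizations:CloseAccount` statement and simulates which accounts it would cover, using the key name AWS documents for the path condition, `aws:ResourceOrgPaths`, which is multivalued and therefore needs the `ForAnyValue:StringLike` set operator. All org, OU and account ids, tag names and the `meshstack-managed` tag are constructed for the example; the simulation models the documented semantics of the two operators, not the module's observed behaviour, and assumes `organizations:CloseAccount` honours `aws:ResourceTag/<key>`.

```python
"""Added example (not the replicator module's code): model the access-scoping options
for organizations:CloseAccount as IAM condition blocks and evaluate them against a set
of constructed sample accounts. All ids and tags below are made up."""
from fnmatch import fnmatchcase

# Constructed identifiers (hypothetical, not from any real organization).
ORG_ID = "o-example11111"
ROOT_ID = "r-exmp"
SANDBOX_OU = "ou-exmp-sandbox1"
PROD_OU = "ou-exmp-prod0001"

# Constructed accounts. The path mirrors the shape AWS reports in the multivalued
# aws:ResourceOrgPaths key: "<org-id>/<root-id>/<ou-id>/.../" with a trailing slash.
ACCOUNTS = {
    "111111111111": {"path": f"{ORG_ID}/{ROOT_ID}/", "tags": {}},
    "222222222222": {"path": f"{ORG_ID}/{ROOT_ID}/{SANDBOX_OU}/",
                     "tags": {"meshstack-managed": "true"}},
    "333333333333": {"path": f"{ORG_ID}/{ROOT_ID}/{PROD_OU}/",
                     "tags": {"meshstack-managed": "true"}},
    "444444444444": {"path": f"{ORG_ID}/{ROOT_ID}/{PROD_OU}/", "tags": {}},
}


def close_account_condition(org_paths=None, required_tags=None):
    """Build the Condition block for a CloseAccount statement.

    org_paths=None and required_tags=None  -> no condition (org-wide access)
    org_paths=[...]                         -> aws:ResourceOrgPaths restriction
    required_tags={key: value}              -> aws:ResourceTag/<key> restriction
    """
    condition = {}
    if org_paths:
        # aws:ResourceOrgPaths is multivalued, so a set operator is required;
        # a plain StringLike on it does not evaluate the way a single-valued key would.
        condition["ForAnyValue:StringLike"] = {"aws:ResourceOrgPaths": list(org_paths)}
    if required_tags:
        condition["StringEquals"] = {
            f"aws:ResourceTag/{key}": value for key, value in required_tags.items()
        }
    return condition


def close_account_statement(org_paths=None, required_tags=None):
    """Full Allow statement; the Condition key is omitted when nothing restricts it."""
    stmt = {"Effect": "Allow", "Action": "organizations:CloseAccount", "Resource": "*"}
    condition = close_account_condition(org_paths, required_tags)
    if condition:
        stmt["Condition"] = condition
    return stmt


def _path_matches(path, patterns):
    # IAM StringLike: '*' matches any run of characters, including '/'.
    return any(fnmatchcase(path, pattern) for pattern in patterns)


def allowed_accounts(stmt, accounts=ACCOUNTS):
    """Simulate which of the sample accounts the statement lets a principal close.
    Only the two operators emitted above are modelled."""
    condition = stmt.get("Condition", {})
    path_patterns = condition.get("ForAnyValue:StringLike", {}).get("aws:ResourceOrgPaths", [])
    tag_checks = condition.get("StringEquals", {})
    allowed = []
    for account_id, account in accounts.items():
        if path_patterns and not _path_matches(account["path"], path_patterns):
            continue
        if any(account["tags"].get(key.split("/", 1)[1]) != value
               for key, value in tag_checks.items()):
            continue
        allowed.append(account_id)
    return allowed


if __name__ == "__main__":
    cases = {
        "root path":        close_account_statement([f"{ORG_ID}/{ROOT_ID}/*"]),
        "sandbox OU path":  close_account_statement([f"{ORG_ID}/{ROOT_ID}/{SANDBOX_OU}/*"]),
        "tag only":         close_account_statement(required_tags={"meshstack-managed": "true"}),
        "prod OU + tag":    close_account_statement([f"{ORG_ID}/{ROOT_ID}/{PROD_OU}/*"],
                                                    {"meshstack-managed": "true"}),
        "no condition":     close_account_statement(),
    }
    for name, stmt in cases.items():
        print(f"{name:16s} -> {allowed_accounts(stmt)}")
```

Running the block prints the account set each variant covers: the root path pattern and the unconditional statement cover every account, a child-OU pattern covers only that subtree, and the tag condition narrows either variant to tagged accounts only. The last case is the least-privilege shape worth aiming for: an OU path and a management tag combined, so a tag added by mistake outside the intended OU, or an untagged account inside it, is still not closable.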
