Open
Labels
bug: Something isn't working
Description
Describe the bug
The existing condition to handle a StackInstanceAccountList which is not None does not take into account that the list might be empty.
To Reproduce
- Deploy the CfCT stack in a new organization with Control Tower set up, with GitHub as the source
- Follow https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/easy_setup#customizations-for-control-tower-implementation-instructions to deploy the sra_easy_setup
- Watch the state machine fail in `list_stack_instances` because `StackInstanceAccountList` is defined, but empty
Expected behavior
Expecting the state machine to continue
Please complete the following information about the solution:
- Version: v2.8.3
- Region: eu-west-1
- Was the solution modified from the version published on this repository? No
- If the answer to the previous question was yes, are the changes available on GitHub?
- Have you checked your service quotas for the services this solution uses? I think this step is fairly basic and not covered by quotas
- Were there any errors in the CloudWatch Logs? Yes
Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).
Additional context
Logs:
{
"executionArn": "arn:aws:states:eu-west-1:account:execution:CustomControlTowerStackSetStateMachine:Create-CustomControlTower-sra-easy-setup-2025-10-29T16-45-11",
"stateMachineArn": "arn:aws:states:eu-west-1:account:stateMachine:CustomControlTowerStackSetStateMachine",
"name": "Create-CustomControlTower-sra-easy-setup-2025-10-29T16-45-11",
"status": "FAILED",
"startDate": "2025-10-29T17:45:11.509000+01:00",
"stopDate": "2025-10-29T17:45:26.841000+01:00",
"input": "{\"RequestType\": \"Create\", \"ResourceProperties\": {\"StackSetName\": \"CustomControlTower-sra-easy-setup\", \"TemplateURL\": \"https://custom-control-tower-init-customcontroltowerpipeli-xxxfycxmuxyb.s3.eu-west-1.amazonaws.com/_custom_ct_templates_staging/templates/sra-easy-setup.yaml\", \"Capabilities\": \"[\\\"CAPABILITY_NAMED_IAM\\\",\\\"CAPABILITY_AUTO_EXPAND\\\"]\", \"Parameters\": {\"pDeployAccountAlternateContactsSolution\": \"No\", \"pDeployCloudTrailSolution\": \"No\", \"pDeployConfigManagementSolution\": \"No\", \"pDeployConfigConformancePackSolution\": \"No\", \"pDeployDetectiveSolution\": \"No\", \"pDeployEC2DefaultEBSEncryptionSolution\": \"No\", \"pDeployFirewallManagerSolution\": \"No\", \"pDeployGuardDutySolution\": \"No\", \"pDeployIAMAccessAnalyzerSolution\": \"No\", \"pDeployIAMPasswordPolicySolution\": \"No\", \"pDeployInspectorSolution\": \"No\", \"pDeployMacieSolution\": \"No\", \"pDeployS3BlockAccountPublicAccessSolution\": \"No\", \"pDeploySecurityHubSolution\": \"No\", \"pDeployPatchMgrSolution\": \"No\", \"pExcludeAlternateContactAccountTags\": \"\", \"pBillingContactAction\": \"add\", \"pBillingEmail\": \"\", \"pBillingName\": \"\", \"pBillingPhone\": \"\", \"pBillingTitle\": \"\", \"pOperationsContactAction\": \"add\", \"pOperationsEmail\": \"\", \"pOperationsName\": \"\", \"pOperationsPhone\": \"\", \"pOperationsTitle\": \"\", \"pSecurityContactAction\": \"add\", \"pSecurityEmail\": \"\", \"pSecurityName\": \"\", \"pSecurityPhone\": \"\", \"pSecurityTitle\": \"\", \"pCloudTrailName\": \"sra-org-data-trail\", \"pEnableDataEventsOnly\": \"true\", \"pEnableLambdaDataEvents\": \"true\", \"pEnableS3DataEvents\": \"true\", \"pBucketNamePrefix\": \"sra-org-data-trail-logs\", \"pCloudTrailLogGroupKmsKey\": \"\", \"pCloudTrailLogGroupRetention\": \"400\", \"pCreateCloudTrailLogGroup\": \"true\", \"pOrganizationCloudTrailKeyAlias\": \"sra-cloudtrail-org-key\", \"pAllSupported\": \"true\", \"pFrequency\": \"1hour\", 
\"pIncludeGlobalResourceTypes\": \"true\", \"pKmsKeyArn\": \"\", \"pResourceTypes\": \"\", \"pConformancePackName\": \"sra-operational-best-practices-for-encryption-and-keys\", \"pConformancePackTemplateName\": \"Operational-Best-Practices-for-Encryption-and-Keys.yaml\", \"pDeliveryS3KeyPrefix\": \"\", \"pConformancePackExcludedAccounts\": \"\", \"pDatasourcePackages\": [\"ASFF_SECURITYHUB_FINDING\", \"EKS_AUDIT\"], \"pGuarddutyEnabledForMoreThan48Hours\": \"false\", \"pExcludeEC2DefaultEBSEncryptionTags\": \"\", \"pEnableRemediation\": \"false\", \"pInternalNetCIDR\": \"192.168.1.0/24\", \"pCreateVpcForSG\": \"true\", \"pVPCCidrBlock\": \"10.0.0.0/28\", \"pVpcId\": \"\", \"pDisableGuardDuty\": \"No\", \"pGuardDutyCustomerGovernedRegionsOnly\": \"true\", \"pGuardDutyEnabledRegions\": \"\", \"pAutoEnableS3Logs\": \"true\", \"pAutoEnableKubernetesAuditLogs\": \"true\", \"pAutoEnableMalwareProtection\": \"true\", \"pEnableRdsLoginEvents\": \"true\", \"pEnableRuntimeMonitoring\": \"true\", \"pEnableEksAddonManagement\": \"true\", \"pEnableEcsFargateAgentManagement\": \"true\", \"pEnableEc2AgentManagement\": \"true\", \"pEnableLambdaNetworkLogs\": \"true\", \"pGuardDutyFindingPublishingFrequency\": \"FIFTEEN_MINUTES\", \"pGuardDutyOrgDeliveryBucketPrefix\": \"sra-guardduty-org-delivery\", \"pGuardDutyOrgDeliveryKeyAlias\": \"sra-guardduty-org-delivery-key\", \"pAccessAnalyzerNamePrefix\": \"sra-account-access-analyzer\", \"pOrganizationAccessAnalyzerName\": \"sra-organization-access-analyzer\", \"pAccessAnalyzerRegisterDelegatedAdminAccount\": \"Yes\", \"pAllowUsersToChangePassword\": \"true\", \"pHardExpiry\": \"false\", \"pMaxPasswordAge\": \"90\", \"pMinimumPasswordLength\": \"14\", \"pPasswordReusePrevention\": \"24\", \"pRequireLowercaseCharacters\": \"true\", \"pRequireNumbers\": \"true\", \"pRequireSymbols\": \"true\", \"pRequireUppercaseCharacters\": \"true\", \"pScanComponents\": [\"EC2\", \"ECR\", \"LAMBDA\", \"LAMBDA_CODE\"], \"pEcrRescanDuration\": 
\"LIFETIME\", \"pDisableMacie\": \"No\", \"pMacieFindingPublishingFrequency\": \"FIFTEEN_MINUTES\", \"pMacieOrgDeliveryBucketPrefix\": \"sra-macie-org-delivery\", \"pMacieOrgDeliveryKeyAlias\": \"sra-macie-org-delivery-key\", \"pExcludeS3BlockAccountPublicAccessTags\": \"\", \"pEnableBlockPublicAcls\": \"true\", \"pEnableBlockPublicPolicy\": \"true\", \"pEnableIgnorePublicAcls\": \"true\", \"pEnableRestrictPublicBuckets\": \"true\", \"pDisableSecurityHub\": \"No\", \"pEnableCISStandard\": \"false\", \"pEnablePCIStandard\": \"false\", \"pEnableSecurityBestPracticesStandard\": \"true\", \"pEnableNISTStandard\": \"false\", \"pNISTStandardVersion\": \"5.0.0\", \"pRegionLinkingMode\": \"SPECIFIED_REGIONS\", \"pDisablePatchMgmt\": \"false\", \"pPatchMgmtMaintWindow1Schedule\": \"cron(0 0 1 ? * THU *)\", \"pPatchMgmtMaintWindow1Duration\": \"6\", \"pPatchMgmtMaintWindow1Cutoff\": \"1\", \"pPatchMgmtTask1RunCmd\": \"AWS-UpdateSSMAgent\", \"pPatchMgmtTarget1Value1\": \"Linux\", \"pPatchMgmtTarget1Value2\": \"Windows\", \"pPatchMgmtMaintWindow2Schedule\": \"cron(0 0 1 ? * WED *)\", \"pPatchMgmtMaintWindow2Duration\": \"6\", \"pPatchMgmtMaintWindow2Cutoff\": \"1\", \"pPatchMgmtMaintWindowTZ\": \"America/New_York\", \"pPatchMgmtTaskRebootOption\": \"RebootIfNeeded\", \"pPatchMgmtTask2RunCmd\": \"AWS-RunPatchBaseline\", \"pPatchMgmtTarget2Value1\": \"Windows\", \"pPatchMgmtTaskOperation\": \"Scan\", \"pPatchMgmtMaintWindow3Schedule\": \"cron(0 0 1 ? 
* FRI *)\", \"pPatchMgmtMaintWindow3Duration\": \"6\", \"pPatchMgmtMaintWindow3Cutoff\": \"1\", \"pPatchMgmtTask3RunCmd\": \"AWS-RunPatchBaseline\", \"pPatchMgmtTarget3Value1\": \"Linux\", \"pSRAAlarmEmail\": \"\", \"pCreateAWSControlTowerExecutionRole\": \"false\", \"pComplianceFrequency\": \"7\", \"pCreateLambdaLogGroup\": \"No\", \"pLambdaLogGroupKmsKey\": \"\", \"pLambdaLogGroupRetention\": \"14\", \"pLambdaLogLevel\": \"INFO\"}, \"AccountList\": [\"385845594036\", \"004596743272\"], \"RegionList\": [\"eu-west-1\"], \"SSMParameters\": {}}, \"SkipUpdateStackSet\": \"no\"}",
"inputDetails": {
"included": true
},
"error": "IndexError",
"cause": "{\"errorMessage\": \"list index out of range\", \"errorType\": \"IndexError\", \"requestId\": \"6631b845-c1bd-481d-881a-f3efb5a18ce2\", \"stackTrace\": [\" File \\\"/var/task/state_machine_router.py\\\", line 307, in lambda_handler\\n return cloudformation(event, function_name)\\n\", \" File \\\"/var/task/state_machine_router.py\\\", line 42, in cloudformation\\n response = stack_set.list_stack_instances()\\n\", \" File \\\"/var/task/cfct/state_machine_handler.py\\\", line 261, in list_stack_instances\\n account_id = self.event.get(\\\"StackInstanceAccountList\\\")[0]\\n\"]}",
"redriveCount": 0,
"redriveStatus": "REDRIVABLE"
}

Suggested solution: andersem#1
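The failure mode reported above, as an added example that is not part of the original issue and is not CfCT code: a `None`-only check followed by `[0]` raises `IndexError` on a defined-but-empty list, while a truthiness check treats missing, `None` and empty alike. The function names and sample events are hypothetical; only the key `StackInstanceAccountList` and the `[0]` access come from the stack trace.

```python
from typing import Any, Callable, Dict, Optional

# Constructed sample events (not taken from the issue's logs).
BASE = {"ResourceProperties": {"StackSetName": "example-stackset"}}
EVENTS: Dict[str, Dict[str, Any]] = {
    "missing": dict(BASE),
    "none": {**BASE, "StackInstanceAccountList": None},
    "empty": {**BASE, "StackInstanceAccountList": []},
    "filled": {**BASE, "StackInstanceAccountList": ["111111111111"]},
}


def first_account_none_check(event: Dict[str, Any]) -> Optional[str]:
    """Pattern described in the issue: guard against None only, then index."""
    accounts = event.get("StackInstanceAccountList")
    if accounts is not None:
        return accounts[0]  # raises IndexError when the list is []
    return None


def first_account_guarded(event: Dict[str, Any]) -> Optional[str]:
    """Hypothetical guard: missing key, None and [] all mean 'no account'."""
    accounts = event.get("StackInstanceAccountList")
    if not accounts:
        return None
    return accounts[0]


def outcomes(selector: Callable[[Dict[str, Any]], Optional[str]]) -> Dict[str, Any]:
    """Run a selector over every sample event and record result or error."""
    results: Dict[str, Any] = {}
    for name, event in EVENTS.items():
        try:
            results[name] = selector(event)
        except IndexError as exc:
            results[name] = f"IndexError: {exc}"
    return results


if __name__ == "__main__":
    print("none-only check:", outcomes(first_account_none_check))
    print("guarded:        ", outcomes(first_account_guarded))
```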