Feat/policy refactor #551
Feat/policy refactor #551
Conversation
|
Still todo:
|
StewartW
force-pushed
the
feat/policy-refactor
branch
from
30c5c40 to
24c05e5
Compare
| Because of the difference in this approach to applying policies, it is not | ||
| currently the default method and will have to be enabled. In order to enable it, | ||
| you have to update your serverlessrepo stack in the organizational root account | ||
| and set the parameter `EnablePolicyV2' to "TRUE". Once the stack has redeployed, |
There was a problem hiding this comment.
Shall we move this to the extensions feature?
Or maybe even better, lets say we would merge this for the next v4.0.0 release, should we enable it without a property and explain the different approach in the changelog / steps to upgrade?
There was a problem hiding this comment.
Happy to postpone to V4.0.0.
There was a problem hiding this comment.
Happy to get your thoughts on this, because the new V2 approach is 100% backwards compatible with old definitions
src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/main.py
Outdated
Show resolved
Hide resolved
.../initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py
Outdated
Show resolved
Hide resolved
.../initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py
Outdated
Show resolved
Hide resolved
.../initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py
Outdated
Show resolved
Hide resolved
Co-authored-by: Simon Kok <[email protected]>
…ild/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <[email protected]>
…ild/main.py Co-authored-by: Simon Kok <[email protected]>
…ild/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <[email protected]>
| ou_id, | ||
| [], # Initial empty array to hold OU Path, | ||
| cache | ||
| ou_id, [], cache # Initial empty array to hold OU Path, |
There was a problem hiding this comment.
Can you revert this change, as the comment is linked to the empty list. Not the cache or all three arguments together?
src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/organization_policy_v2.py
Show resolved
Hide resolved
src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/organization_policy_v2.py
Show resolved
Hide resolved
| status = organizations.get_organization_info() | ||
| if status.get("feature_set") != "ALL": | ||
| LOGGER.info( | ||
| "All Features are currently NOT enabled for this Organization, " |
There was a problem hiding this comment.
If we are tasked to apply an SCP or Tagging Policy, maybe it would be better to raise this as a warning or even a fatal error. As it might go unnoticed otherwise. What do you think?
src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/organization_policy_v2.py
Outdated
Show resolved
Hide resolved
| stubber.assert_no_pending_responses() | ||
|
|
||
|
|
||
| class SadTestCases(unittest.TestCase): |
There was a problem hiding this comment.
Can you add a test case that will test that we throw an error when AWS Organizations is not configured with all features that we require for Tagging and Service Control Policies?
| exit 1 \ | ||
| ); \ | ||
| ) | ||
| # @( \ |
There was a problem hiding this comment.
This isn't reliable on mac. Is there a better way to do this @sbkok ?
|
Closing to favour the v4.0.0 compatible version |
Why?
A refactor of how policies (SCP/Tagging) are managed.
Provides backwards compatibility with the current process whilst enabling an additional folder "adf-policies" that allows for SCPs, Tagging policies (and potentially more) to be defined in a central location. Allowing for policies to be-used across multiple targets. (Currently supports OU-names, but also supports extension going forward)
Issue #, if available:
What?
Description of changes:
Creates a new concept called Policy Campaigns. Which is an object used to orchestrate the updating of policies and their targets.
Policy Campaigns have a list of Policies that require creating. (A policy is classed as requiring creation when a policy with the same name does not exist). Policies that require updating (A policy is classed as requiring updating when an existing policy has a different content) and policies that require deleting (Any policy that is ADF managed but does not receive an interaction throughout the campaign is considered for deletion)
Policies themselves do similar logic for targets, and depending on the adf config, a target will either have the default SCP maintained or removed.
The overall logic is the same for the legacy policy management, the primary difference is that adf-policies is now an optional source for policies.
By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.