Feat/policy refactor (#3)
* Starting refactor of policy application

* initial testing

* Unit tests for OrganisationPolicy class

* Linting

* wip

* Merging

* Down with English

* Resetting generate params

* Fixing spelling mistakes

* Updating documentation

* Apply suggestions from code review

Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>

* Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py

Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>

* Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/main.py

Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>

* Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py

Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>

* fixing tests

* fixing linting

* linting again

* temp remove assertion

* updating logging

* running black with ll 80

* linting

* Tox no longer complaining

---------

Co-authored-by: Simon Kok <mail@simonkok.com>
Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>
3 people authored and stewwall committed Jun 25, 2024
1 parent 51f6936 commit dfae985
Showing 15 changed files with 2,590 additions and 234 deletions.
61 changes: 61 additions & 0 deletions docs/admin-guide.md
@@ -876,6 +876,67 @@ Once you have enabled all features within your Organization, ADF can manage and
automate the application and updating process of the Tag Policies. For more
information, see [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html).

## Policies V2

### What is Policies V2

A new feature of ADF, that gives you the ability to define a policy in a
single location, and apply it to multiple targets.

### Enabling the new version

Because of the difference in this approach to applying policies, it is not
currently the default method and will have to be enabled. In order to enable it,
you have to update your serverlessrepo stack in the organizational root account
and set the parameter `EnablePolicyV2' to "TRUE". Once the stack has redeployed,
it will be enabled.

### Using the new version

Inside your adf-bootstrap folder, create a directory named `adf-policies`,
Inside the `adf-policies` directory you then create subdirectories per policy type.
Currently, only `scp` and `tagging-policy` are supported in the AWS partition.
Inside this directory you can create a JSON file that defines your policy.
So in the following example, if you wanted to create an scp policy it would be in
`adf-policies/scp/<your-file-name>.json`
Using the following Schema:

```json
{
"Targets": [
"YourOrg", "YourOtherOrg",
],
"Version": "2022-10-14",
"PolicyName": "Example",
"Policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "cloudtrail:Stop*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"config:DeleteConfigRule",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:Stop*"
],
"Resource": "*"
}
]
}
}
```

## Integrating Slack

### Integrating with Slack using Lambda
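Review bot: the sample schema in the "Using the new version" section is not valid JSON, so anyone copying it into `adf-policies/scp/<your-file-name>.json` will get a parse error before the policy is ever applied: the `"Targets"` array has a trailing comma after `"YourOtherOrg",`. Drop the comma. In the same section the parameter name in "set the parameter `EnablePolicyV2' to "TRUE"" opens with a backtick and closes with a single quote, which renders as literal text rather than code; it should be `EnablePolicyV2`. On the content itself, the hunk tells the reader to list entries under `"Targets"` but never says what a target is (an OU name, an OU path, an account ID), how a name that matches nothing is handled, or what happens to a previously deployed policy when its file is removed or its `"PolicyName"` changes; since these files drive SCPs at the organization root, the detach/delete behaviour is a security-relevant property and should be spelled out here. Minor wording: "create a directory named `adf-policies`, Inside" should be two sentences, and "an scp policy" reads better as "an SCP".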

0 comments on commit dfae985