Feat/policy refactor (#3)

* Starting refactor of policy application * initial testing * Unit tests for OrganisationPolicy class * Linting * wip * Merging * sìos leis a' Bheurla * Resetting generate params * Fixing spelling mistakes * Updating documentation * Apply suggestions from code review Co-authored-by: Simon Kok <sbkok@users.noreply.github.com> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <sbkok@users.noreply.github.com> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/main.py Co-authored-by: Simon Kok <sbkok@users.noreply.github.com> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <sbkok@users.noreply.github.com> * fixing tests * fixing linting * linting again * temp remove assertion * updating logging * running black with ll 80 * linting * Tox no longer complaining --------- Co-authored-by: Simon Kok <mail@simonkok.com> Co-authored-by: Simon Kok <sbkok@users.noreply.github.com>
StewartW · Jun 13, 2024 · 7680454 · 7680454
1 parent 51f6936
commit 7680454
Show file tree

Hide file tree

Showing 16 changed files with 2,583 additions and 240 deletions.
diff --git a/Makefile b/Makefile
@@ -154,7 +154,7 @@ tox: deps
 
 docker:
 	@echo "Prepare docker to support all architectures..."
-	docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+	docker run --rm --privileged --platform linux/amd64 multiarch/qemu-user-static --reset -p yes --verbose
 
 version_number: .venv
 	@echo "Generate a new version number..."
@@ -214,12 +214,12 @@ verify_tooling: .venv
 			exit 1 \
 		); \
 	)
-	@( \
-		sed --version &> /dev/null || ( \
-			echo '$(CLR_RED)Sed is not installed!$(CLR_END)' && \
-			exit 1 \
-		); \
-	)
+	# @( \
+	# 	sed --version &> /dev/null || ( \
+	# 		echo '$(CLR_RED)Sed is not installed!$(CLR_END)' && \
+	# 		exit 1 \
+	# 	); \
+	# )
 	@( \
 		jq --version &> /dev/null || ( \
 			echo '$(CLR_RED)Jq is not installed!$(CLR_END)' && \

diff --git a/docs/admin-guide.md b/docs/admin-guide.md
@@ -876,6 +876,67 @@ Once you have enabled all features within your Organization, ADF can manage and
 automate the application and updating process of the Tag Policies. For more
 information, see [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html).
 
+## Policies V2
+
+### What is Policies V2
+
+A new feature of ADF, that gives you the ability to define a policy in a
+single location, and apply it to multiple targets.
+
+### Enabling the new version
+
+Because of the difference in this approach to applying policies, it is not
+currently the default method and will have to be enabled. In order to enable it,
+you have to update your serverlessrepo stack in the organizational root account
+and set the parameter `EnablePolicyV2' to "TRUE". Once the stack has redeployed,
+it will be enabled.
+
+### Using the new version
+
+Inside your adf-bootstrap folder, create a directory named `adf-policies`,
+Inside the `adf-policies` directory you then create subdirectories per policy type.
+Currently, only `scp` and `tagging-policy` are supported in the AWS partition.
+Inside this directory you can create a JSON file that defines your policy.
+So in the following example, if you wanted to create an scp policy it would be in
+`adf-policies/scp/<your-file-name>.json`
+Using the following Schema:
+
+```json
+{
+    "Targets": [
+        "YourOrg", "YourOtherOrg",
+    ],
+    "Version": "2022-10-14", # Optional, Specifies the version of the API to use.
+    "PolicyName": "Example", # Name for the Policy
+    "Policy": { # The Policy, as per the AWS Documentation
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": "cloudtrail:Stop*",
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": "*",
+                "Resource": "*"
+            },
+            {
+                "Effect": "Deny",
+                "Action": [
+                    "config:DeleteConfigRule",
+                    "config:DeleteConfigurationRecorder",
+                    "config:DeleteDeliveryChannel",
+                    "config:Stop*"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+}
+
+```
+
 ## Integrating Slack
 
 ### Integrating with Slack using Lambda