awslabs / aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0

[Feat]: deploy multiple SCPs to a single OU or account #724

Open itsnotsagar opened 1 month ago

itsnotsagar commented 1 month ago

Describe the feature

Hi Team,

Is it possible to deploy multiple SCPs to an OU or account via ADF? I think at the moment we can only deploy 1 SCP per OU, which also has a maximum possible file size of ~5KB. Is there any ETA when such a feature will be added to the upcoming ADF versions?

This is our OU structure (example) - /adf-bootstrap

Can we have something like this - /adf-bootstrap

Use Case

This will allow the user to deploy multiple SCPs per OU/account, as at the moment only one SCP is allowed, which has an upper limit on the file size of ~5KB.

Proposed Solution

No response

Acknowledgements
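As an added illustration of the constraint described above (one SCP document per OU, capped at roughly 5KB), and not code from ADF or from the issue author: the script below merges several SCP fragment files into the single document an OU can currently hold and checks the compact JSON form against the 5,120-byte SCP limit. The fragment contents are constructed samples.

```python
import json

# AWS caps an SCP document at 5,120 bytes (the "~5KB" limit the issue mentions);
# every character, whitespace included, counts toward it.
SCP_MAX_BYTES = 5120

# Constructed sample fragments. Today each would need its own OU, because ADF
# attaches only one policy document per OU.
SCP_FRAGMENTS = {
    "deny-root-user.json": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
    "restrict-regions.json": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}}]},
}


def merge_scps(fragments):
    """Concatenate the statements of several SCP documents into one.

    Duplicate Sids are rejected so one fragment cannot silently shadow another.
    A fragment whose Statement is a single object (valid IAM JSON) is accepted.
    """
    statements, seen = [], set()
    for name, doc in fragments.items():
        stmts = doc["Statement"]
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            sid = stmt.get("Sid")
            if sid in seen:
                raise ValueError(f"duplicate Sid {sid!r} in {name}")
            if sid:
                seen.add(sid)
            statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def minified_size(doc):
    """Byte length of the compact JSON form, which is the form worth uploading."""
    return len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def check_scp_size(doc, limit=SCP_MAX_BYTES):
    """Return (size, fits) so a pipeline can fail before touching Organizations."""
    size = minified_size(doc)
    return size, size <= limit
```

Running `check_scp_size(merge_scps(SCP_FRAGMENTS))` in a pipeline step before the Organizations call turns the size limit into an early, explicit failure instead of a rejected API request.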

sbkok commented 1 month ago

@StewartW submitted a pull request (PR) #551 that aimed to refactor the AWS Service Control Policy (SCP) logic in the ADF. I believe this PR intended to introduce support for managing multiple SCPs per AWS account through Policy Campaigns.

While this PR initially showed promise, it lost momentum over time due to lack of active development. To incorporate the changes, the PR would need to be rebased and updated to align with the latest codebase. Unfortunately, this effort did not meet the cut-off deadline for the v4.0 release.

However, the ADF team recognizes the importance of this feature, and plans to revisit it in a future minor release. Supporting multiple SCPs per account remains a valuable enhancement for improving account management and security controls within the ADF ecosystem.

itsnotsagar commented 1 month ago

Thanks for the update @sbkok. I am working on adding this feature for my own use case; I can create a PR once I am done. If possible, can you include it in the next major release?

StewartW commented 1 month ago

@sbkok @itsnotsagar I was going to rebase after V4 was released (same with the event bus feature), but if @itsnotsagar can contribute, I'm happy to write off this work.

sbkok commented 1 month ago

I appreciate the prior work done by @StewartW on the PR #551 to support multiple SCPs per account through Policy Campaigns. This seems like a promising approach to address the requested feature and overcome the current limitations.

@itsnotsagar, I would encourage you to review the implementation details and the proposed Policy Campaigns concept in that PR. If you believe it could solve your use case for managing multiple SCPs within an OU or account, please share your thoughts and any additional requirements you may have.

It's essential to ensure that the proposed solution fully meets the needs of the community. I'm open to further discussion and refinements to the approach if needed.

itsnotsagar commented 1 month ago

@sbkok I had a look at #551. This process to support multiple SCPs seems a little confusing and unnecessary; it can be done in a simpler manner. I have already implemented this feature and have begun testing it. I will update you guys once I am done.

itsnotsagar commented 1 month ago

@sbkok can you review this PR https://github.com/awslabs/aws-deployment-framework/pull/735