Open mbarneyjr opened 3 years ago
Hmm, I'm wondering if you can do the conversion with the `!JsonString` function?
Examples:

```yaml
Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString
        Version: '2012-10-17'
        Statement:
          - NotAction:
              - kms:*
            Resource: "*"
            Effect: Deny
            Condition:
              StringNotEquals:
                aws:RequestedRegion:
                  - us-east-1
```
or put the yaml in a test.yaml file and use `!ReadFile`

```yaml
...
Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString [ !ReadFile ./test.yaml ]
```
The `!JsonString` function is specific to OrgFormation-annotated templates, and is not a natively supported CloudFormation intrinsic function. It would be nice to be able to define your Organization Policies with YAML in purely CloudFormation-defined templates, so you can use this resource provider if you're in a scenario where you aren't managing your organization with OrgFormation.
@mbarneyjr contents of pr #83 got published as s3://community-resource-provider-catalog/community-organizations-policy-0.2.0.zip
this should allow you to use the type as follows:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example template for a global AI opt-out organizations management policy
Resources:
  OrganizationPolicy:
    Type: Community::Organizations::Policy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyLargerThan4XLarge
            Effect: Deny
            Action:
              - "ec2:RunInstances"
              - "ec2:ModifyInstanceAttribute"
            Resource: "arn:aws:ec2:*:*:instance/*"
            Condition:
              ForAnyValue:StringNotLike:
                "ec2:InstanceType":
                  - "*.nano"
                  - "*.small"
                  - "*.micro"
                  - "*.medium"
                  - "*.large"
                  - "*.xlarge"
                  - "*.2xlarge"
                  - "*.4xlarge"
      Description: Deny running EC2 instances larger than 4xlarge
      Name: DenyLargeEC2Instances
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref AWS::AccountId
```
I finally got around to testing this and it works like a charm! It seems both `Content` and `PolicyDocument` are supported properties on this resource now? `PolicyDocument` being the one that supports yaml, but when I look at the schema it doesn't contain `PolicyDocument`. Just want to confirm I understand how this should be used, thanks for the feature!
Yes, both are supported (more precise would be: either).
It would be nice to be able to define an organization policy's content as YAML (similar to how you can define IAM policies in YAML), and have the resource provider itself do the conversion to json before calling the `organizations:CreatePolicy` API.
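To make the YAML-to-JSON step concrete, here is an added Python example that is not part of this thread, of OrgFormation, or of the community-organizations-policy provider. It parses the YAML subset used by the templates in this thread (block mappings, block sequences, quoted and plain scalars, keys containing `:`, and CloudFormation tags such as `!Ref`, which it keeps in their JSON form `{"Ref": ...}`), then emits the compact JSON string that would be passed as `Content` to `organizations:CreatePolicy`. It uses only the standard library, so there is no YAML dependency to install; `SAMPLE_YAML`, `load_policy` and `policy_to_json` are names chosen here and are not provider APIs, and the sample input is constructed from the `PolicyDocument` shown earlier in the thread.

```python
import json
import re

# Constructed sample: the PolicyDocument from the thread, as YAML a CloudFormation author would write.
SAMPLE_YAML = """\
Version: "2012-10-17"
Statement:
  - Sid: DenyLargerThan4XLarge
    Effect: Deny
    Action:
      - "ec2:RunInstances"
      - "ec2:ModifyInstanceAttribute"
    Resource: "arn:aws:ec2:*:*:instance/*"
    Condition:
      ForAnyValue:StringNotLike:
        "ec2:InstanceType":
          - "*.nano"
"""

def _split_key(line):
    # 'key: value' or 'key:'; keys may be quoted or contain ':' (e.g. ForAnyValue:StringNotLike)
    if line[0] in "\"'":
        end = line.index(line[0], 1)
        key, rest = line[1:end], line[end + 1:]
    else:
        idx = line.find(": ")
        if idx == -1 and line.endswith(":"):
            idx = len(line) - 1
        key, rest = line[:idx], line[idx:]
    if not rest.startswith(":"):
        raise ValueError(f"not a mapping entry: {line!r}")
    return key, rest[1:].strip()

def _is_map_entry(text):
    try:
        return bool(text) and _split_key(text) is not None
    except ValueError:
        return False

def _is_seq_item(text):
    return text == "-" or text.startswith("- ")

def _lines(text):
    # (indent, body) pairs; '- key: v' becomes a bare '-' marker plus the entry two columns in
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, body = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while body.startswith("- ") and _is_map_entry(body[2:].strip()):
            out.append((indent, "-"))
            indent, body = indent + 2, body[2:].strip()
        out.append((indent, body))
    return out

def _scalar(text):
    # quoted/plain strings plus CloudFormation tags: !Ref X -> {"Ref": X}, !Fn X -> {"Fn::Fn": X}
    tag = re.match(r"^!(\w+)\s+(.*)$", text)
    if tag:
        name = "Ref" if tag.group(1) == "Ref" else "Fn::" + tag.group(1)
        return {name: _scalar(tag.group(2).strip())}
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return text

def _parse_block(lines, i, indent):
    return (_parse_seq if _is_seq_item(lines[i][1]) else _parse_map)(lines, i, indent)

def _parse_map(lines, i, indent):
    result = {}
    while i < len(lines) and lines[i][0] == indent and not _is_seq_item(lines[i][1]):
        key, rest = _split_key(lines[i][1])
        i += 1
        if rest:
            result[key] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            result[key], i = _parse_block(lines, i, lines[i][0])
        elif i < len(lines) and lines[i][0] == indent and _is_seq_item(lines[i][1]):
            result[key], i = _parse_seq(lines, i, indent)  # "key:\n- item" style, as in the first comment
        else:
            result[key] = None
    return result, i

def _parse_seq(lines, i, indent):
    result = []
    while i < len(lines) and lines[i][0] == indent and _is_seq_item(lines[i][1]):
        body = lines[i][1][1:].strip()
        i += 1
        if body:
            result.append(_scalar(body))
        elif i < len(lines) and lines[i][0] > indent:
            value, i = _parse_block(lines, i, lines[i][0])
            result.append(value)
        else:
            result.append(None)
    return result, i

def load_policy(yaml_text):
    lines = _lines(yaml_text)
    return _parse_block(lines, 0, lines[0][0])[0] if lines else {}

def policy_to_json(yaml_text):
    # compact JSON, the form a provider would hand to organizations:CreatePolicy as Content
    return json.dumps(load_policy(yaml_text), separators=(",", ":"))
```

Running `policy_to_json(SAMPLE_YAML)` yields the single-line JSON policy. Compact separators matter because Organizations enforces a size quota on SCP documents. Note that when `PolicyDocument` is declared directly in a CloudFormation template, CloudFormation parses the template itself and the resource provider receives the property as an already-structured object, so the provider only needs the serialization step; the parser here is what a template-side tool (the `!JsonString` / `!ReadFile` route) has to do before the template reaches CloudFormation.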