org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Community::Organizations::Policy.Content - YAML support #78

Open mbarneyjr opened 3 years ago

mbarneyjr commented 3 years ago

It would be nice to be able to define an organization policy's content as YAML (similar to how you can define IAM policies in YAML), and have the resource provider itself do the conversion to JSON before calling the organizations:CreatePolicy API.

zaro0508 commented 3 years ago

Hmm, I'm wondering if you can do the conversion with the !JsonString function?

Examples:

```yaml
Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString
        Version: '2012-10-17'
        Statement:
          - NotAction:
            - kms:*
            Resource: "*"
            Effect: Deny
            Condition:
              StringNotEquals:
                aws:RequestedRegion:
                - us-east-1
```

Or put the YAML in a test.yaml file and use !ReadFile...

```yaml
Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString [ !ReadFile ./test.yaml]
```

mbarneyjr commented 3 years ago

The !JsonString function is specific to OrgFormation-annotated templates and is not a natively supported CloudFormation intrinsic function. It would be nice to be able to define your Organization Policies with YAML in purely CloudFormation-defined templates, so you can use this resource provider if you're in a scenario where you aren't managing your organization with OrgFormation.

OlafConijn commented 3 years ago

@mbarneyjr the contents of PR #83 got published as s3://community-resource-provider-catalog/community-organizations-policy-0.2.0.zip

This should allow you to use the type as follows:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example template for a global AI opt-out organizations management policy

Resources:
  OrganizationPolicy:
    Type: Community::Organizations::Policy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyLargerThan4XLarge
            Effect: Deny
            Action:
              - "ec2:RunInstances"
              - "ec2:ModifyInstanceAttribute"
            Resource: "arn:aws:ec2:*:*:instance/*"
            Condition:
              ForAnyValue:StringNotLike:
                "ec2:InstanceType":
                  - "*.nano"
                  - "*.small"
                  - "*.micro"
                  - "*.medium"
                  - "*.large"
                  - "*.xlarge"
                  - "*.2xlarge"
                  - "*.4xlarge"
      Description: Deny running EC2 instances larger than 4xlarge
      Name: DenyLargeEC2Instances
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref AWS::AccountId
```

mbarneyjr commented 3 years ago

I finally got around to testing this and it works like a charm! It seems both Content and PolicyDocument are supported properties on this resource now? PolicyDocument being the one that supports YAML, but when I look at the schema it doesn't contain PolicyDocument.

Just want to confirm I understand how this should be used, thanks for the feature!

OlafConijn commented 3 years ago

Yes. Both are supported (more precisely: either).
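The handler-side logic this thread describes (accept either Content as a JSON string or PolicyDocument as an object, convert to the JSON string that organizations:CreatePolicy expects, and refuse documents the API would reject before making any call), as an added Python example that is not the provider's own code. It assumes the handler receives properties already parsed by CloudFormation (the YAML and !Ref are resolved before the handler runs), and applies the documented 5,120-byte Organizations limit on an SCP document; the sample input is constructed from the template above.

```python
import json

# Documented AWS Organizations limit on an SCP document (5,120 bytes).
SCP_MAX_BYTES = 5120

# Constructed sample: the PolicyDocument as CloudFormation hands it to the
# handler after parsing the template above (YAML already turned into an object).
SAMPLE_PROPERTIES = {"PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLargerThan4XLarge",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"ForAnyValue:StringNotLike": {"ec2:InstanceType": [
            "*.nano", "*.small", "*.micro", "*.medium",
            "*.large", "*.xlarge", "*.2xlarge", "*.4xlarge"]}},
    }],
}}


def validate_policy(doc):
    """Reject documents Organizations would refuse, before any API call is made."""
    if doc.get("Version") != "2012-10-17":
        raise ValueError("Version must be '2012-10-17'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    for stmt in statements:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if ("Action" in stmt) == ("NotAction" in stmt):
            raise ValueError("exactly one of Action or NotAction is required")
        if "Resource" not in stmt:
            raise ValueError("Resource is required")


def resolve_content(properties):
    """JSON string for CreatePolicy Content, from exactly one of Content / PolicyDocument."""
    has_content, has_doc = "Content" in properties, "PolicyDocument" in properties
    if has_content == has_doc:
        raise ValueError("specify exactly one of Content or PolicyDocument")
    doc = json.loads(properties["Content"]) if has_content else properties["PolicyDocument"]
    validate_policy(doc)
    # Compact separators: every whitespace character counts toward the SCP size limit.
    content = json.dumps(doc, separators=(",", ":"))
    if len(content.encode("utf-8")) > SCP_MAX_BYTES:
        raise ValueError(f"policy is {len(content.encode('utf-8'))} bytes, limit is {SCP_MAX_BYTES}")
    return content
```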