Feat/policy refactor (#3)

* Starting refactor of policy application * initial testing * Unit tests for OrganisationPolicy class * Linting * wip * Merging * sìos leis a' Bheurla * Resetting generate params * Fixing spelling mistakes * Updating documentation * Apply suggestions from code review Co-authored-by: Simon Kok <[email protected]> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <[email protected]> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/main.py Co-authored-by: Simon Kok <[email protected]> * Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/organization_policy_campaign.py Co-authored-by: Simon Kok <[email protected]> * fixing tests * fixing linting * linting again * temp remove assertion * updating logging * running black with ll 80 * linting * Tox no longer complaining --------- Co-authored-by: Simon Kok <[email protected]> Co-authored-by: Simon Kok <[email protected]>
awslabs · Jun 25, 2024 · dfae985 · dfae985
1 parent 51f6936
commit dfae985
Show file tree

Hide file tree

Showing 15 changed files with 2,590 additions and 234 deletions.
diff --git a/docs/admin-guide.md b/docs/admin-guide.md
@@ -876,6 +876,67 @@ Once you have enabled all features within your Organization, ADF can manage and
 automate the application and updating process of the Tag Policies. For more
 information, see [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html).
 
+## Policies V2
+
+### What is Policies V2
+
+A new feature of ADF, that gives you the ability to define a policy in a
+single location, and apply it to multiple targets.
+
+### Enabling the new version
+
+Because of the difference in this approach to applying policies, it is not
+currently the default method and will have to be enabled. In order to enable it,
+you have to update your serverlessrepo stack in the organizational root account
+and set the parameter `EnablePolicyV2' to "TRUE". Once the stack has redeployed,
+it will be enabled.
+
+### Using the new version
+
+Inside your adf-bootstrap folder, create a directory named `adf-policies`,
+Inside the `adf-policies` directory you then create subdirectories per policy type.
+Currently, only `scp` and `tagging-policy` are supported in the AWS partition.
+Inside this directory you can create a JSON file that defines your policy.
+So in the following example, if you wanted to create an scp policy it would be in
+`adf-policies/scp/<your-file-name>.json`
+Using the following Schema:
+
+```json
+{
+    "Targets": [
+        "YourOrg", "YourOtherOrg",
+    ],
+    "Version": "2022-10-14",
+    "PolicyName": "Example",
+    "Policy": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": "cloudtrail:Stop*",
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": "*",
+                "Resource": "*"
+            },
+            {
+                "Effect": "Deny",
+                "Action": [
+                    "config:DeleteConfigRule",
+                    "config:DeleteConfigurationRecorder",
+                    "config:DeleteDeliveryChannel",
+                    "config:Stop*"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+}
+
+```
+
 ## Integrating Slack
 
 ### Integrating with Slack using Lambda