feat(modules): Support for include/exclude parameters

Change summary:
----------------
Adding new CFT template parameters to support include/exclude
OUs and accounts.

Author: ravinadhruve10

modules/Makefile

@@ -50,7 +50,12 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.events.cft.yaml \
@@ -63,7 +68,12 @@ deploy:
 			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.s3.cft.yaml \
@@ -74,7 +84,12 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"BucketARN=$(PARAM_BUCKET_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
 		--template-file volume_access.cft.yaml \
@@ -85,7 +100,12 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"Regions=$(PARAM_REGIONS)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \
@@ -97,7 +117,12 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 
 clean:
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)

modules/foundational.cft.yaml

@@ -12,6 +12,11 @@ Metadata:
       - IsOrganizational
       - OrganizationalUnitIDs
       - Partition
+      - RootOUID
+      - IncludeOUIDs
+      - ExcludeOUIDs
+      - IncludeAccounts
+      - ExcludeAccounts
     ParameterLabels:
       NameSuffix:
         default: Name Suffix
@@ -22,9 +27,19 @@ Metadata:
       IsOrganizational:
         default: Is Organizational
       OrganizationalUnitIDs:
-        default: Organizational Unit IDs
+        default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
       Partition:
         default: AWS Partition
+      RootOUID:
+        default: Root Organization Unit ID
+      IncludeOUIDs:
+        default: Include Organizational Unit IDs
+      ExcludeOUIDs:
+        default: Exclude Organizational Unit IDs
+      IncludeAccounts:
+        default: Include AWS accounts
+      ExcludeAccounts:
+        default: Exclude AWS accounts
 Parameters:
   NameSuffix:
     Type: String
@@ -47,11 +62,26 @@ Parameters:
     - 'false'
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
-    Description: Comma separated list of organizational unit IDs to deploy
+    Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   Partition:
     Type: String
     Description: AWS Partition of your account or organization to create resources in
     Default: 'aws'
+  RootOUID:
+    Type: String
+    Description: Root Organizational Unit ID of your AWS organization
+  IncludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be included for deployment
+  ExcludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be excluded for deployment
+  IncludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be included for deployment
+  ExcludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
   IsOrganizational:
     Fn::Equals:

modules/log_ingestion.events.cft.yaml

@@ -19,6 +19,11 @@ Metadata:
       - IsOrganizational
       - OrganizationalUnitIDs
       - Partition
+      - RootOUID
+      - IncludeOUIDs
+      - ExcludeOUIDs
+      - IncludeAccounts
+      - ExcludeAccounts
     ParameterLabels:  
       NameSuffix:
         default: Name Suffix
@@ -37,9 +42,19 @@ Metadata:
       IsOrganizational:
         default: Is Organizational
       OrganizationalUnitIDs:
-        default: Organizational Unit IDs
+        default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
       Partition:
         default: AWS Partition
+      RootOUID:
+        default: Root Organization Unit ID
+      IncludeOUIDs:
+        default: Include Organizational Unit IDs
+      ExcludeOUIDs:
+        default: Exclude Organizational Unit IDs
+      IncludeAccounts:
+        default: Include AWS accounts
+      ExcludeAccounts:
+        default: Exclude AWS accounts
 Parameters:
   NameSuffix:
     Type: String
@@ -61,7 +76,7 @@ Parameters:
     Description: Comma separated list of regions to monitor with EventBridge
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
-    Description: Comma separated list of organizational unit IDs to deploy
+    Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   RuleState:
     Type: String
     Description: The state of the EventBridge Rule
@@ -103,6 +118,21 @@ Parameters:
     Type: String
     Description: AWS Partition of your account or organization to create resources in
     Default: 'aws'
+  RootOUID:
+    Type: String
+    Description: Root Organizational Unit ID of your AWS organization
+  IncludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be included for deployment
+  ExcludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be excluded for deployment
+  IncludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be included for deployment
+  ExcludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
   IsOrganizational:
     Fn::Equals:

modules/vm_workload_scanning.cft.yaml

@@ -12,6 +12,11 @@ Metadata:
           - LambdaScanningEnabled
           - IsOrganizational
           - OrganizationalUnitIDs
+          - RootOUID
+          - IncludeOUIDs
+          - ExcludeOUIDs
+          - IncludeAccounts
+          - ExcludeAccounts
     ParameterLabels:
       NameSuffix:
         default: Name Suffix
@@ -24,7 +29,17 @@ Metadata:
       IsOrganizational:
         default: Is Organizational Deployment?
       OrganizationalUnitIDs:
-        default: Organizational Unit IDs
+        default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
+      RootOUID:
+        default: Root Organization Unit ID
+      IncludeOUIDs:
+        default: Include Organizational Unit IDs
+      ExcludeOUIDs:
+        default: Exclude Organizational Unit IDs
+      IncludeAccounts:
+        default: Include AWS accounts
+      ExcludeAccounts:
+        default: Exclude AWS accounts
 Parameters:
   NameSuffix:
     Type: String
@@ -54,7 +69,22 @@ Parameters:
       - 'false'
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
-    Description: Comma-separated list of organizational unit IDs to deploy (required for organizational deployments)
+    Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma-separated list of organizational unit IDs to deploy (required for organizational deployments)
+  RootOUID:
+    Type: String
+    Description: Root Organizational Unit ID of your AWS organization
+  IncludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be included for deployment
+  ExcludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be excluded for deployment
+  IncludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be included for deployment
+  ExcludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 
 Conditions:
   IsOrganizational:

modules/volume_access.cft.yaml

@@ -13,6 +13,11 @@ Metadata:
       - Regions
       - IsOrganizational
       - OrganizationalUnitIDs
+      - RootOUID
+      - IncludeOUIDs
+      - ExcludeOUIDs
+      - IncludeAccounts
+      - ExcludeAccounts
     ParameterLabels:  
       NameSuffix:
         default: Name Suffix
@@ -27,7 +32,17 @@ Metadata:
       IsOrganizational:
         default: Is Organizational
       OrganizationalUnitIDs:
-        default: "Organizational Unit IDs"
+        default: "(Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs"
+      RootOUID:
+        default: Root Organization Unit ID
+      IncludeOUIDs:
+        default: Include Organizational Unit IDs
+      ExcludeOUIDs:
+        default: Exclude Organizational Unit IDs
+      IncludeAccounts:
+        default: Include AWS accounts
+      ExcludeAccounts:
+        default: Exclude AWS accounts
 
 Parameters:
   NameSuffix:
@@ -58,7 +73,22 @@ Parameters:
     - 'false'
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
-    Description: Comma separated list of organizational unit IDs to deploy
+    Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
+  RootOUID:
+    Type: String
+    Description: Root Organizational Unit ID of your AWS organization
+  IncludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be included for deployment
+  ExcludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be excluded for deployment
+  IncludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be included for deployment
+  ExcludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 
 Conditions:
   IsOrganizational: