feat(modules): Support for include/exclude parameters (#145)

* feat(modules): Support for include/exclude parameters

Change summary:
----------------
Adding new CFT template parameters to support include/exclude
OUs and accounts.

* Honor include/exclude params in deployment targets

* Update cfn-lint version

* Test without cfn-lint version

* Temp remove to avoid lint checks

* Add back the commented lines

* Fix version command for GHA

* Fix length function

* Get rid of extensions

* Lint fixes

* Update all templates

* Remove PARAM_EXCLUDE_OU_IDS since its a NOOP

* Support migration by always checking OrganizationalUnitIDs first

* Update modules README

* Fix typo

Author: ravinadhruve10

.github/workflows/ci-modules.yaml

@@ -26,7 +26,7 @@ jobs:
     - name: cfn-lint
       uses: scottbrenner/cfn-lint-action@v2
       with:
-        version: 1.18.3
+        version: "==1.18.3"
 
     - name: Lint
       working-directory: modules

modules/Makefile

@@ -50,7 +50,11 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.events.cft.yaml \
@@ -63,7 +67,11 @@ deploy:
 			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.s3.cft.yaml \
@@ -74,7 +82,11 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"BucketARN=$(PARAM_BUCKET_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
 		--template-file volume_access.cft.yaml \
@@ -85,7 +97,11 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"Regions=$(PARAM_REGIONS)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \
@@ -97,7 +113,11 @@ deploy:
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 
 clean:
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)

modules/README.md

@@ -12,4 +12,14 @@ Modular templates support cross sections of Sysdig Secure feature sets. Each tem
 
 Organizations are supported by setting the following template parameters
 * `IsOrganizational=true`
-* `OrganizationalUnitIDs=ou-...`
+* `OrganizationalUnitIDs=ou-...` (to be deprecated soon, please read below)
+
+### Organizational Install Configurations
+
+Following are the new parameters to configure organizational deployments on the cloud for Sysdig Secure for Cloud :-
+1. `RootOUID` - Root Organization Unit ID
+2. `IncludeOUIDs` - List of AWS Organizational Unit IDs to deploy the Sysdig Secure for Cloud resources in.
+3. `IncludeAccounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in.
+4. `ExcludeAccounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in.
+
+**WARNING**: module template parameter `OrganizationalUnitIDs` will be DEPRECATED soon going forward. Please work with Sysdig to migrate your CFT based installs to use `IncludeOUIDs` instead to achieve the same deployment outcome.

modules/foundational.cft.yaml

@@ -12,6 +12,10 @@ Metadata:
       - IsOrganizational
       - OrganizationalUnitIDs
       - Partition
+      - RootOUID
+      - IncludeOUIDs
+      - IncludeAccounts
+      - ExcludeAccounts
     ParameterLabels:
       NameSuffix:
         default: Name Suffix
@@ -22,9 +26,17 @@ Metadata:
       IsOrganizational:
         default: Is Organizational
       OrganizationalUnitIDs:
-        default: Organizational Unit IDs
+        default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs
       Partition:
         default: AWS Partition
+      RootOUID:
+        default: Root Organization Unit ID
+      IncludeOUIDs:
+        default: Include Organizational Unit IDs
+      IncludeAccounts:
+        default: Include AWS accounts
+      ExcludeAccounts:
+        default: Exclude AWS accounts
 Parameters:
   NameSuffix:
     Type: String
@@ -47,16 +59,78 @@ Parameters:
     - 'false'
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
-    Description: Comma separated list of organizational unit IDs to deploy
+    Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
   Partition:
     Type: String
     Description: AWS Partition of your account or organization to create resources in
     Default: 'aws'
+  RootOUID:
+    Type: CommaDelimitedList
+    Description: Root Organizational Unit ID of your AWS organization
+  IncludeOUIDs:
+    Type: CommaDelimitedList
+    Description: Comma separated list of organizational unit IDs to be included for deployment
+  IncludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be included for deployment
+  ExcludeAccounts:
+    Type: CommaDelimitedList
+    Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
   IsOrganizational:
     Fn::Equals:
     - Ref: IsOrganizational
     - 'true'
+  # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it
+  IsOldOuidConfigured:
+    !And
+    - !Condition IsOrganizational
+    - !Not
+      - !Equals
+        - !Join ["", !Ref OrganizationalUnitIDs]
+        - ''
+
+  # Else, check for new Inclusion and Exclusion params
+  # INCLUSIONS
+  OUInclusionsConfigured:
+    !And
+    - !Condition IsOrganizational
+    - !Not
+      - !Equals
+        - !Join ["", !Ref IncludeOUIDs]
+        - ''
+  AccountInclusionsConfigured:
+    !And
+    - !Condition IsOrganizational
+    - !Not
+      - !Equals
+        - !Join ["", !Ref IncludeAccounts]
+        - ''
+  # -----------------------------------------------------------------------------------------------------
+  # Remove below condition once AWS issue is fixed and replace with using UNION filter -
+  # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100
+  # -----------------------------------------------------------------------------------------------------
+  # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested.
+  # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter.
+  # i.e till we can't deploy UNION, we deploy it all
+  AllowedInclusions:
+    !And
+    - !Condition OUInclusionsConfigured
+    - !Not
+      - !Condition AccountInclusionsConfigured
+
+  # EXCLUSIONS
+  # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS
+  AccountExclusionsConfigured:
+    !And
+    - !Condition IsOrganizational
+    - !Equals
+      - !Join ["", !Ref IncludeAccounts]
+      - ''
+    - !Not
+      - !Equals
+        - !Join ["", !Ref ExcludeAccounts]
+        - ''
 Resources:
   ConfigPostureRole:
     Type: AWS::IAM::Role
@@ -166,7 +240,30 @@ Resources:
           Ref: Partition
       StackInstancesGroup:
       - DeploymentTargets:
-          OrganizationalUnitIds: !Ref OrganizationalUnitIDs
+          OrganizationalUnitIds:
+            Fn::If:
+            - IsOldOuidConfigured
+            - !Ref OrganizationalUnitIDs
+            - Fn::If:
+              - AllowedInclusions
+              - !Ref IncludeOUIDs
+              - !Ref RootOUID
+          AccountFilterType:
+            Fn::If:
+            - IsOldOuidConfigured
+            - !Ref 'AWS::NoValue'
+            - Fn::If:
+              - AccountExclusionsConfigured
+              - "DIFFERENCE"
+              - "NONE"
+          Accounts:
+            Fn::If:
+            - IsOldOuidConfigured
+            - !Ref 'AWS::NoValue'
+            - Fn::If:
+              - AccountExclusionsConfigured
+              - !Ref ExcludeAccounts
+              - !Ref 'AWS::NoValue'
         Regions:
         - Ref: AWS::Region
       TemplateBody: |