diff --git a/.github/workflows/ci-modules.yaml b/.github/workflows/ci-modules.yaml index 8529252..59f76a7 100644 --- a/.github/workflows/ci-modules.yaml +++ b/.github/workflows/ci-modules.yaml @@ -26,7 +26,7 @@ jobs: - name: cfn-lint uses: scottbrenner/cfn-lint-action@v2 with: - version: 1.18.3 + version: "==1.18.3" - name: Lint working-directory: modules diff --git a/modules/Makefile b/modules/Makefile index a29ed19..a00b2c2 100644 --- a/modules/Makefile +++ b/modules/Makefile @@ -50,7 +50,11 @@ deploy: "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \ - "Partition=${PARAM_PARTITION}" + "Partition=${PARAM_PARTITION}" \ + "RootOUID=$(PARAM_ROOT_OU_ID)" \ + "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \ + "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \ + "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)" aws cloudformation deploy \ --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \ --template-file log_ingestion.events.cft.yaml \ @@ -63,7 +67,11 @@ deploy: "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \ - "Partition=${PARAM_PARTITION}" + "Partition=${PARAM_PARTITION}" \ + "RootOUID=$(PARAM_ROOT_OU_ID)" \ + "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \ + "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \ + "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)" aws cloudformation deploy \ --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \ --template-file log_ingestion.s3.cft.yaml \ 
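Review bot: The new `RootOUID=$(PARAM_ROOT_OU_ID)` override is passed unconditionally in this hunk and in the other four Makefile hunks of this change, and the templates in the same change fall back to that value as the stack set target whenever `PARAM_IS_ORGANIZATIONAL` is `true` and neither the deprecated `PARAM_ORGANIZATIONAL_UNIT_IDS` nor `PARAM_INCLUDE_OU_IDS` is usable; an empty `PARAM_ROOT_OU_ID` then presumably surfaces only as a CloudFormation error part-way through the sequence, after the earlier stacks have already been deployed. A fail-fast check at the top of the recipe avoids that half-applied state, e.g. `@[ "$(PARAM_IS_ORGANIZATIONAL)" != "true" ] || [ -n "$(PARAM_ORGANIZATIONAL_UNIT_IDS)$(PARAM_INCLUDE_OU_IDS)$(PARAM_ROOT_OU_ID)" ] || { echo "organizational deploy needs PARAM_ROOT_OU_ID or PARAM_INCLUDE_OU_IDS" >&2; exit 1; }`. The definitions of the four new `PARAM_*` variables and the start of the `deploy` target are outside the hunk.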
@@ -74,7 +82,11 @@ deploy: "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \ "BucketARN=$(PARAM_BUCKET_ARN)" \ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \ - "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" + "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \ + "RootOUID=$(PARAM_ROOT_OU_ID)" \ + "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \ + "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \ + "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)" aws cloudformation deploy \ --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \ --template-file volume_access.cft.yaml \ @@ -85,7 +97,11 @@ deploy: "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \ "Regions=$(PARAM_REGIONS)" \ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \ - "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" + "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \ + "RootOUID=$(PARAM_ROOT_OU_ID)" \ + "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \ + "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \ + "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)" aws cloudformation deploy \ --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \ @@ -97,7 +113,11 @@ deploy: "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \ "LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \ - "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" + "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \ + "RootOUID=$(PARAM_ROOT_OU_ID)" \ + "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \ + "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \ + "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)" clean: aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX) diff --git a/modules/README.md b/modules/README.md index 4764462..75701b0 100644 --- a/modules/README.md +++ b/modules/README.md 
@@ -12,4 +12,14 @@ Modular templates support cross sections of Sysdig Secure feature sets. Each tem Organizations are supported by setting the following template parameters * `IsOrganizational=true` -* `OrganizationalUnitIDs=ou-...` +* `OrganizationalUnitIDs=ou-...` (to be deprecated soon, please read below) + +### Organizational Install Configurations + +Following are the new parameters to configure organizational deployments on the cloud for Sysdig Secure for Cloud :- +1. `RootOUID` - Root Organization Unit ID +2. `IncludeOUIDs` - List of AWS Organizational Unit IDs to deploy the Sysdig Secure for Cloud resources in. +3. `IncludeAccounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in. +4. `ExcludeAccounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in. + +**WARNING**: module template parameter `OrganizationalUnitIDs` will be DEPRECATED soon going forward. Please work with Sysdig to migrate your CFT based installs to use `IncludeOUIDs` instead to achieve the same deployment outcome. diff --git a/modules/foundational.cft.yaml b/modules/foundational.cft.yaml index 1f21d4c..4035dee 100644 --- a/modules/foundational.cft.yaml +++ b/modules/foundational.cft.yaml @@ -12,6 +12,10 @@ Metadata: - IsOrganizational - OrganizationalUnitIDs - Partition + - RootOUID + - IncludeOUIDs + - IncludeAccounts + - ExcludeAccounts ParameterLabels: NameSuffix: default: Name Suffix @@ -22,9 +26,17 @@ Metadata: IsOrganizational: default: Is Organizational OrganizationalUnitIDs: - default: Organizational Unit IDs + default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs Partition: default: AWS Partition + RootOUID: + default: Root Organization Unit ID + IncludeOUIDs: + default: Include Organizational Unit IDs + IncludeAccounts: + default: Include AWS accounts + ExcludeAccounts: + default: Exclude AWS accounts Parameters: NameSuffix: Type: String 
@@ -47,16 +59,78 @@ Parameters: - 'false' OrganizationalUnitIDs: Type: CommaDelimitedList - Description: Comma separated list of organizational unit IDs to deploy + Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy Partition: Type: String Description: AWS Partition of your account or organization to create resources in Default: 'aws' + RootOUID: + Type: CommaDelimitedList + Description: Root Organizational Unit ID of your AWS organization + IncludeOUIDs: + Type: CommaDelimitedList + Description: Comma separated list of organizational unit IDs to be included for deployment + IncludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be included for deployment + ExcludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be excluded for deployment Conditions: IsOrganizational: Fn::Equals: - Ref: IsOrganizational - 'true' + # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it + IsOldOuidConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref OrganizationalUnitIDs] + - '' + + # Else, check for new Inclusion and Exclusion params + # INCLUSIONS + OUInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeOUIDs] + - '' + AccountInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + # ----------------------------------------------------------------------------------------------------- + # Remove below condition once AWS issue is fixed and replace with using UNION filter - + # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100 + # 
----------------------------------------------------------------------------------------------------- + # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. + # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. + # i.e till we can't deploy UNION, we deploy it all + AllowedInclusions: + !And + - !Condition OUInclusionsConfigured + - !Not + - !Condition AccountInclusionsConfigured + + # EXCLUSIONS + # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS + AccountExclusionsConfigured: + !And + - !Condition IsOrganizational + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + - !Not + - !Equals + - !Join ["", !Ref ExcludeAccounts] + - '' Resources: ConfigPostureRole: Type: AWS::IAM::Role @@ -166,7 +240,30 @@ Resources: Ref: Partition StackInstancesGroup: - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' Regions: - Ref: AWS::Region TemplateBody: | diff --git a/modules/log_ingestion.events.cft.yaml b/modules/log_ingestion.events.cft.yaml index 3a57795..b5a5e73 100644 --- a/modules/log_ingestion.events.cft.yaml +++ b/modules/log_ingestion.events.cft.yaml @@ -19,6 +19,10 @@ Metadata: - IsOrganizational - OrganizationalUnitIDs - Partition + - RootOUID + - IncludeOUIDs + - IncludeAccounts + - ExcludeAccounts ParameterLabels: NameSuffix: default: Name Suffix 
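Review bot: `AccountExclusionsConfigured` is false whenever `IncludeAccounts` is non-empty, and `AllowedInclusions` is false in that case too, so an operator who supplies both `IncludeAccounts` and `ExcludeAccounts` ends up on the `!Ref RootOUID` fallback with `AccountFilterType` `NONE`: the roles are created in every account of the organization, including the ones explicitly listed for exclusion. The XXX comment explains why inclusions are widened to the root until the UNION filter works, but it says nothing about exclusions being dropped, and neither parameter description does either. Removing the `IncludeAccounts` test from `AccountExclusionsConfigured` — `!And [!Condition IsOrganizational, !Not [!Equals [!Join ["", !Ref ExcludeAccounts], '']]]` — keeps the `DIFFERENCE` filter active on the whole-org fallback as well; failing that, the `ExcludeAccounts` description should state that it is ignored while `IncludeAccounts` is set, and the `IncludeAccounts` description that it currently only widens the target to `RootOUID`. The same condition block is repeated in log_ingestion.events.cft.yaml, vm_workload_scanning.cft.yaml and volume_access.cft.yaml.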
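Review bot: The innermost `!Ref RootOUID` fallback in `OrganizationalUnitIds` is reached by any organizational install that sets neither `OrganizationalUnitIDs` nor a usable `IncludeOUIDs`, yet `RootOUID` has no `Default` and no `AllowedPattern`, so an omitted or mistyped value is handed to the stack set as is and presumably only fails at stack set creation with no mention of the parameter. The other three new `CommaDelimitedList` parameters have the same gap: without `Default: ''` a stack update from the console has to fill them in by hand, even though every condition already treats the empty string as "not configured". Add `Default: ''` to `RootOUID`, `IncludeOUIDs`, `IncludeAccounts` and `ExcludeAccounts`, and give `RootOUID` `AllowedPattern: '^(|r-[0-9a-z]{4,32})$'` so only an empty value or a root ID is accepted. The Parameters block this applies to is in the earlier hunk of this file, and the stack set resource enclosing this `DeploymentTargets` starts outside the hunk.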
@@ -37,9 +41,17 @@ Metadata: IsOrganizational: default: Is Organizational OrganizationalUnitIDs: - default: Organizational Unit IDs + default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs Partition: default: AWS Partition + RootOUID: + default: Root Organization Unit ID + IncludeOUIDs: + default: Include Organizational Unit IDs + IncludeAccounts: + default: Include AWS accounts + ExcludeAccounts: + default: Exclude AWS accounts Parameters: NameSuffix: Type: String @@ -61,7 +73,7 @@ Parameters: Description: Comma separated list of regions to monitor with EventBridge OrganizationalUnitIDs: Type: CommaDelimitedList - Description: Comma separated list of organizational unit IDs to deploy + Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy RuleState: Type: String Description: The state of the EventBridge Rule 
@@ -103,11 +115,73 @@ Parameters: Type: String Description: AWS Partition of your account or organization to create resources in Default: 'aws' + RootOUID: + Type: CommaDelimitedList + Description: Root Organizational Unit ID of your AWS organization + IncludeOUIDs: + Type: CommaDelimitedList + Description: Comma separated list of organizational unit IDs to be included for deployment + IncludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be included for deployment + ExcludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be excluded for deployment Conditions: IsOrganizational: Fn::Equals: - Ref: IsOrganizational - 'true' + # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it + IsOldOuidConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref OrganizationalUnitIDs] + - '' + + # Else, check for new Inclusion and Exclusion params + # INCLUSIONS + OUInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeOUIDs] + - '' + AccountInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + # ----------------------------------------------------------------------------------------------------- + # Remove below condition once AWS issue is fixed and replace with using UNION filter - + # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100 + # ----------------------------------------------------------------------------------------------------- + # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. + # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. 
+ # i.e till we can't deploy UNION, we deploy it all + AllowedInclusions: + !And + - !Condition OUInclusionsConfigured + - !Not + - !Condition AccountInclusionsConfigured + + # EXCLUSIONS + # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS + AccountExclusionsConfigured: + !And + - !Condition IsOrganizational + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + - !Not + - !Equals + - !Join ["", !Ref ExcludeAccounts] + - '' Resources: AdministrationRole: Type: AWS::IAM::Role @@ -288,7 +362,30 @@ Resources: ParameterValue: !Ref Partition StackInstancesGroup: - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' Regions: [!Ref "AWS::Region"] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" @@ -376,7 +473,30 @@ Resources: ParameterValue: !Ref Partition StackInstancesGroup: - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' Regions: !Ref Regions TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" 
diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index 53e57e2..fd685a7 100644 --- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml @@ -12,6 +12,10 @@ Metadata: - LambdaScanningEnabled - IsOrganizational - OrganizationalUnitIDs + - RootOUID + - IncludeOUIDs + - IncludeAccounts + - ExcludeAccounts ParameterLabels: NameSuffix: default: Name Suffix @@ -24,7 +28,15 @@ Metadata: IsOrganizational: default: Is Organizational Deployment? OrganizationalUnitIDs: - default: Organizational Unit IDs + default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs + RootOUID: + default: Root Organization Unit ID + IncludeOUIDs: + default: Include Organizational Unit IDs + IncludeAccounts: + default: Include AWS accounts + ExcludeAccounts: + default: Exclude AWS accounts Parameters: NameSuffix: Type: String @@ -54,7 +66,19 @@ Parameters: - 'false' OrganizationalUnitIDs: Type: CommaDelimitedList - Description: Comma-separated list of organizational unit IDs to deploy (required for organizational deployments) + Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma-separated list of organizational unit IDs to deploy (required for organizational deployments) + RootOUID: + Type: CommaDelimitedList + Description: Root Organizational Unit ID of your AWS organization + IncludeOUIDs: + Type: CommaDelimitedList + Description: Comma separated list of organizational unit IDs to be included for deployment + IncludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be included for deployment + ExcludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be excluded for deployment Conditions: IsOrganizational: 
@@ -65,6 +89,56 @@ Conditions: Fn::Equals: - Ref: LambdaScanningEnabled - 'true' + # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it + IsOldOuidConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref OrganizationalUnitIDs] + - '' + + # Else, check for new Inclusion and Exclusion params + # INCLUSIONS + OUInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeOUIDs] + - '' + AccountInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + # ----------------------------------------------------------------------------------------------------- + # Remove below condition once AWS issue is fixed and replace with using UNION filter - + # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100 + # ----------------------------------------------------------------------------------------------------- + # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. + # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. + # i.e till we can't deploy UNION, we deploy it all + AllowedInclusions: + !And + - !Condition OUInclusionsConfigured + - !Not + - !Condition AccountInclusionsConfigured + + # EXCLUSIONS + # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS + AccountExclusionsConfigured: + !And + - !Condition IsOrganizational + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + - !Not + - !Equals + - !Join ["", !Ref ExcludeAccounts] + - '' Resources: ScanningRole: 
@@ -157,7 +231,30 @@ Resources: Ref: LambdaScanningEnabled StackInstancesGroup: - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' Regions: - Ref: AWS::Region TemplateBody: | diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml index c5e1438..6ca56da 100644 --- a/modules/volume_access.cft.yaml +++ b/modules/volume_access.cft.yaml @@ -13,6 +13,10 @@ Metadata: - Regions - IsOrganizational - OrganizationalUnitIDs + - RootOUID + - IncludeOUIDs + - IncludeAccounts + - ExcludeAccounts ParameterLabels: NameSuffix: default: Name Suffix @@ -27,7 +31,15 @@ Metadata: IsOrganizational: default: Is Organizational OrganizationalUnitIDs: - default: "Organizational Unit IDs" + default: "(TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs" + RootOUID: + default: Root Organization Unit ID + IncludeOUIDs: + default: Include Organizational Unit IDs + IncludeAccounts: + default: Include AWS accounts + ExcludeAccounts: + default: Exclude AWS accounts Parameters: NameSuffix: 
@@ -58,13 +70,75 @@ Parameters: - 'false' OrganizationalUnitIDs: Type: CommaDelimitedList - Description: Comma separated list of organizational unit IDs to deploy + Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy + RootOUID: + Type: CommaDelimitedList + Description: Root Organizational Unit ID of your AWS organization + IncludeOUIDs: + Type: CommaDelimitedList + Description: Comma separated list of organizational unit IDs to be included for deployment + IncludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be included for deployment + ExcludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be excluded for deployment Conditions: IsOrganizational: Fn::Equals: - Ref: IsOrganizational - 'true' + # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it + IsOldOuidConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref OrganizationalUnitIDs] + - '' + + # Else, check for new Inclusion and Exclusion params + # INCLUSIONS + OUInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeOUIDs] + - '' + AccountInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + # ----------------------------------------------------------------------------------------------------- + # Remove below condition once AWS issue is fixed and replace with using UNION filter - + # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100 + # ----------------------------------------------------------------------------------------------------- + # XXX: due to AWS bug of not having UNION filter fully working, there is 
no way to add those extra accounts requested. + # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. + # i.e till we can't deploy UNION, we deploy it all + AllowedInclusions: + !And + - !Condition OUInclusionsConfigured + - !Not + - !Condition AccountInclusionsConfigured + + # EXCLUSIONS + # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS + AccountExclusionsConfigured: + !And + - !Condition IsOrganizational + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + - !Not + - !Equals + - !Join ["", !Ref ExcludeAccounts] + - '' Resources: AdministrationRole: @@ -324,7 +398,30 @@ Resources: ParameterValue: !Ref ExternalID StackInstancesGroup: - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' Regions: !Ref Regions TemplateBody: | AWSTemplateFormatVersion: "2010-09-09"