From 1634d1ef7018346348efb9ecfe78b2063495a5eb Mon Sep 17 00:00:00 2001
From: Ravina Dhruve
Date: Sun, 23 Feb 2025 20:11:21 -0800
Subject: [PATCH] feat(modules): Support for include/exclude parameters
Change summary:
----------------
Adding new CFT template parameters to support include/exclude OUs and accounts.
---
 modules/Makefile | 35 +++++++++++++++++++++++----
 modules/foundational.cft.yaml | 34 ++++++++++++++++++++++++++--
 modules/log_ingestion.events.cft.yaml | 34 ++++++++++++++++++++++++++--
 modules/vm_workload_scanning.cft.yaml | 34 ++++++++++++++++++++++++++--
 modules/volume_access.cft.yaml | 34 ++++++++++++++++++++++++++--
 5 files changed, 158 insertions(+), 13 deletions(-)
diff --git a/modules/Makefile b/modules/Makefile
index a29ed19..a818ca2 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -50,7 +50,12 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "Partition=${PARAM_PARTITION}"
+ "Partition=${PARAM_PARTITION}" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.events.cft.yaml \
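Review bot: The five new overrides are appended unconditionally, so a deploy that leaves `PARAM_ROOT_OU_ID` or any of the list variables unset now sends `RootOUID=`, `IncludeOUIDs=` and friends as empty values to every stack; whether CloudFormation accepts an empty value for a `CommaDelimitedList` parameter that has no `Default` is worth confirming against the templates before this lands. The same six-line block is also pasted into each `aws cloudformation deploy` call in this target, which is how the per-stack parameter sets drift apart over time. Define it once as a Make variable and reference it from each call; the `deploy` target starts before this hunk and continues after it.
```makefile
ORG_SCOPE_PARAMS = \
	"RootOUID=$(PARAM_ROOT_OU_ID)" \
	"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
	"ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
	"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
	"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"

# … unchanged: deploy recipe up to the Foundational parameter overrides …
		"Partition=${PARAM_PARTITION}" \
		$(ORG_SCOPE_PARAMS)
```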
@@ -63,7 +68,12 @@ deploy:
 "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "Partition=${PARAM_PARTITION}"
+ "Partition=${PARAM_PARTITION}" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.s3.cft.yaml \
@@ -74,7 +84,12 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "BucketARN=$(PARAM_BUCKET_ARN)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
- "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
 --template-file volume_access.cft.yaml \
@@ -85,7 +100,12 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "Regions=$(PARAM_REGIONS)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
- "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \
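Review bot: The `@@ -74,7 +84,12 @@` hunk passes the five new overrides to the `log_ingestion.s3.cft.yaml` deploy, but that template is not in this patch's diffstat, which lists only the Makefile, foundational, log_ingestion.events, vm_workload_scanning and volume_access. Unless the S3 template already declares `RootOUID`, `IncludeOUIDs`, `ExcludeOUIDs`, `IncludeAccounts` and `ExcludeAccounts` from an earlier change, `aws cloudformation deploy` rejects overrides for parameters that do not exist in the template and the whole `deploy` target stops at that stack, leaving the VolumeAccess and VMWorkloadScanning stacks undeployed. Either add the same parameter declarations to `log_ingestion.s3.cft.yaml` in this change, or leave those five lines out of that call until the template has them. The `deploy` target starts before and ends after these hunks.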
@@ -97,7 +117,12 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
- "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "ExcludeOUIDs=$(PARAM_EXCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
 clean:
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)
diff --git a/modules/foundational.cft.yaml b/modules/foundational.cft.yaml
index 1f21d4c..5cd40e4 100644
--- a/modules/foundational.cft.yaml
+++ b/modules/foundational.cft.yaml
@@ -12,6 +12,11 @@ Metadata:
 - IsOrganizational
 - OrganizationalUnitIDs
 - Partition
+ - RootOUID
+ - IncludeOUIDs
+ - ExcludeOUIDs
+ - IncludeAccounts
+ - ExcludeAccounts
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -22,9 +27,19 @@ Metadata:
 IsOrganizational:
 default: Is Organizational
 OrganizationalUnitIDs:
- default: Organizational Unit IDs
+ default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
 Partition:
 default: AWS Partition
+ RootOUID:
+ default: Root Organization Unit ID
+ IncludeOUIDs:
+ default: Include Organizational Unit IDs
+ ExcludeOUIDs:
+ default: Exclude Organizational Unit IDs
+ IncludeAccounts:
+ default: Include AWS accounts
+ ExcludeAccounts:
+ default: Exclude AWS accounts
 Parameters:
 NameSuffix:
 Type: String
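Review bot: The new label `Root Organization Unit ID` for `RootOUID` in the `@@ -22,9 +27,19 @@` hunk disagrees with the parameter's own description elsewhere in this patch (`Root Organizational Unit ID of your AWS organization`) and with AWS terminology, where the organization root (`r-xxxx`) is not an organizational unit; a console user hunting for an `ou-` ID will pick the wrong identifier and the organizational deployment will target nothing. Suggest `default: Organization Root ID` here and the same wording in the `Description`. The deprecation text on `OrganizationalUnitIDs` names the replacements but not what happens when both the old and the new parameters are filled in; once the template's precedence is settled (it is not visible in this patch), a label such as `(Deprecated, ignored when RootOUID or IncludeOUIDs is set) Organizational Unit IDs` tells the operator which value wins.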
@@ -47,11 +62,26 @@ Parameters:
 - 'false'
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
- Description: Comma separated list of organizational unit IDs to deploy
+ Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
 Partition:
 Type: String
 Description: AWS Partition of your account or organization to create resources in
 Default: 'aws'
+ RootOUID:
+ Type: String
+ Description: Root Organizational Unit ID of your AWS organization
+ IncludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be included for deployment
+ ExcludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be excluded for deployment
+ IncludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be included for deployment
+ ExcludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
 IsOrganizational:
 Fn::Equals:
diff --git a/modules/log_ingestion.events.cft.yaml b/modules/log_ingestion.events.cft.yaml
index 3a57795..2cafef8 100644
--- a/modules/log_ingestion.events.cft.yaml
+++ b/modules/log_ingestion.events.cft.yaml
@@ -19,6 +19,11 @@ Metadata:
 - IsOrganizational
 - OrganizationalUnitIDs
 - Partition
+ - RootOUID
+ - IncludeOUIDs
+ - ExcludeOUIDs
+ - IncludeAccounts
+ - ExcludeAccounts
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
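Review bot: The five parameters added in the `@@ -47,11 +62,26 @@` hunk carry no `Default` and no `AllowedPattern`, and — going by the diffstat, where this file's 34 changed lines are fully accounted for by the declarations in its three hunks — nothing else in the template changes to consume them. If that reading is right, an operator who fills in `ExcludeAccounts` or `ExcludeOUIDs` gets no exclusion in this version: the foundational role still lands wherever the existing `OrganizationalUnitIDs` targeting puts it, while the parameter form suggests those accounts were scoped out, which is the kind of silent over-provisioning of cross-account trust that is hard to notice later. Until the targeting logic is wired up, the descriptions should say the parameters are not yet honoured, or the commit should include that wiring. Independently, make them optional and validate the identifier formats so a typo fails at deploy time instead of targeting nothing; the `Parameters:` mapping starts above this hunk.
```yaml
  RootOUID:
    Type: String
    Description: Organization root ID (r-xxxx) of your AWS organization; leave empty when not deploying organization-wide
    Default: ''
    AllowedPattern: '^(r-[0-9a-z]{4,32})?$'
  IncludeOUIDs:
    Type: CommaDelimitedList
    Description: Comma separated list of organizational unit IDs (ou-xxxx-xxxxxxxx) to be included for deployment
    Default: ''
  # … unchanged: ExcludeOUIDs, declared the same way with Default: '' …
  IncludeAccounts:
    Type: CommaDelimitedList
    Description: Comma separated list of 12-digit AWS account IDs in your organization to be included for deployment
    Default: ''
  # … unchanged: ExcludeAccounts, declared the same way with Default: '' …
```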
@@ -37,9 +42,19 @@ Metadata:
 IsOrganizational:
 default: Is Organizational
 OrganizationalUnitIDs:
- default: Organizational Unit IDs
+ default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
 Partition:
 default: AWS Partition
+ RootOUID:
+ default: Root Organization Unit ID
+ IncludeOUIDs:
+ default: Include Organizational Unit IDs
+ ExcludeOUIDs:
+ default: Exclude Organizational Unit IDs
+ IncludeAccounts:
+ default: Include AWS accounts
+ ExcludeAccounts:
+ default: Exclude AWS accounts
 Parameters:
 NameSuffix:
 Type: String
@@ -61,7 +76,7 @@ Parameters:
 Description: Comma separated list of regions to monitor with EventBridge
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
- Description: Comma separated list of organizational unit IDs to deploy
+ Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
 RuleState:
 Type: String
 Description: The state of the EventBridge Rule
@@ -103,6 +118,21 @@ Parameters:
 Type: String
 Description: AWS Partition of your account or organization to create resources in
 Default: 'aws'
+ RootOUID:
+ Type: String
+ Description: Root Organizational Unit ID of your AWS organization
+ IncludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be included for deployment
+ ExcludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be excluded for deployment
+ IncludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be included for deployment
+ ExcludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
 IsOrganizational:
 Fn::Equals:
diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml
index 53e57e2..6cb5af9 100644
--- a/modules/vm_workload_scanning.cft.yaml
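Review bot: The descriptions added in the `@@ -103,6 +118,21 @@` hunk do not say how the four lists combine, and for parameters that decide in which accounts an IAM role and EventBridge rule get created that is the one thing an operator must know before filling them in: whether an account listed in `IncludeAccounts` that sits under an OU in `ExcludeOUIDs` is deployed to or skipped, whether `IncludeOUIDs` narrows `RootOUID` or replaces it, and whether an OU exclusion covers the OU's whole subtree or only its direct member accounts. State the rule in each description once it is decided, for example `Accounts under these OUs (including nested OUs) are skipped even when listed in IncludeAccounts` on `ExcludeOUIDs`, and repeat it in the module README. If these templates target accounts through StackSet `DeploymentTargets`, as the existing `OrganizationalUnitIDs` parameter suggests, note that StackSets only express exclusions as an account-level `AccountFilterType: DIFFERENCE`, so an OU-level exclude list has to be resolved to account IDs somewhere — worth documenting where that happens. The `Parameters:` mapping starts above this hunk and the `Conditions:` block continues below it.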
+++ b/modules/vm_workload_scanning.cft.yaml
@@ -12,6 +12,11 @@ Metadata:
 - LambdaScanningEnabled
 - IsOrganizational
 - OrganizationalUnitIDs
+ - RootOUID
+ - IncludeOUIDs
+ - ExcludeOUIDs
+ - IncludeAccounts
+ - ExcludeAccounts
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -24,7 +29,17 @@ Metadata:
 IsOrganizational:
 default: Is Organizational Deployment?
 OrganizationalUnitIDs:
- default: Organizational Unit IDs
+ default: (Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs
+ RootOUID:
+ default: Root Organization Unit ID
+ IncludeOUIDs:
+ default: Include Organizational Unit IDs
+ ExcludeOUIDs:
+ default: Exclude Organizational Unit IDs
+ IncludeAccounts:
+ default: Include AWS accounts
+ ExcludeAccounts:
+ default: Exclude AWS accounts
 Parameters:
 NameSuffix:
 Type: String
@@ -54,7 +69,22 @@ Parameters:
 - 'false'
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
- Description: Comma-separated list of organizational unit IDs to deploy (required for organizational deployments)
+ Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma-separated list of organizational unit IDs to deploy (required for organizational deployments)
+ RootOUID:
+ Type: String
+ Description: Root Organizational Unit ID of your AWS organization
+ IncludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be included for deployment
+ ExcludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be excluded for deployment
+ IncludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be included for deployment
+ ExcludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
 IsOrganizational:
diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
index c5e1438..aafa604 100644
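Review bot: The rewritten `OrganizationalUnitIDs` description in the `@@ -54,7 +69,22 @@` hunk now says both `(Deprecated, use RootOUID or IncludeOUIDs instead)` and `(required for organizational deployments)`, which is contradictory for someone filling in the form: they cannot tell whether an organizational deployment of the scanning role still fails without the deprecated value. Move the requirement to whichever parameter actually carries it now, e.g. `Description: Organization root ID (r-xxxx); required for organizational deployments when IncludeOUIDs is empty` on `RootOUID`, and drop the `required` clause from the deprecated description — assuming the template's organizational path is changed to read the new parameters, which this hunk does not show. The `Parameters:` mapping starts above this hunk and the `Conditions:` block continues below it.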
--- a/modules/volume_access.cft.yaml
+++ b/modules/volume_access.cft.yaml
@@ -13,6 +13,11 @@ Metadata:
 - Regions
 - IsOrganizational
 - OrganizationalUnitIDs
+ - RootOUID
+ - IncludeOUIDs
+ - ExcludeOUIDs
+ - IncludeAccounts
+ - ExcludeAccounts
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -27,7 +32,17 @@ Metadata:
 IsOrganizational:
 default: Is Organizational
 OrganizationalUnitIDs:
- default: "Organizational Unit IDs"
+ default: "(Deprecated, use RootOUID or IncludeOUIDs instead) Organizational Unit IDs"
+ RootOUID:
+ default: Root Organization Unit ID
+ IncludeOUIDs:
+ default: Include Organizational Unit IDs
+ ExcludeOUIDs:
+ default: Exclude Organizational Unit IDs
+ IncludeAccounts:
+ default: Include AWS accounts
+ ExcludeAccounts:
+ default: Exclude AWS accounts
 Parameters:
 NameSuffix:
@@ -58,7 +73,22 @@ Parameters:
 - 'false'
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
- Description: Comma separated list of organizational unit IDs to deploy
+ Description: (Deprecated, use RootOUID or IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy
+ RootOUID:
+ Type: String
+ Description: Root Organizational Unit ID of your AWS organization
+ IncludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be included for deployment
+ ExcludeOUIDs:
+ Type: CommaDelimitedList
+ Description: Comma separated list of organizational unit IDs to be excluded for deployment
+ IncludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be included for deployment
+ ExcludeAccounts:
+ Type: CommaDelimitedList
+ Description: Comma separated list of AWS accounts in your organization to be excluded for deployment
 Conditions:
 IsOrganizational:
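Review bot: The five parameters added in the `@@ -58,7 +73,22 @@` hunk have no `Default`, which makes them mandatory inputs: an existing VolumeAccess stack created from the previous template cannot be updated to this one without supplying values for `RootOUID`, `IncludeOUIDs`, `ExcludeOUIDs`, `IncludeAccounts` and `ExcludeAccounts` (the console's "use previous value" is not available for parameters that did not exist before), and a single-account deploy with `IsOrganizational` set to `'false'` is forced to fill in organization-scoped fields that mean nothing to it. Add `Default: ''` to each of the five so they stay optional, and mark them as organization-only in their labels or a dedicated parameter group so the non-organizational path is not cluttered with them. The Makefile in this patch hides the problem by always passing the variables, possibly empty, but anyone deploying the template directly or through StackSets hits the requirement. The `Parameters:` mapping starts above this hunk and the `Conditions:` block continues below it.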