
Support Include/Exclude of OUs instead of "protected"

Open benbridts opened this issue 6 years ago • 3 comments

When deploying the ADF into an existing organization, it might be nice to have more control over which OUs should be bootstrapped, as another process (e.g. Landing Zone / Control Tower) might be responsible for creating accounts, creating OUs and moving accounts to them. It should be possible to configure ADF to only bootstrap inside an explicit allow list of OUs.

Going even further, it would be nice to support OU paths, OU ids and account ids. Using the allow list first and the blacklist to filter out after that is probably the most logical.

Examples:

deploy everywhere

config:
  [...]

deploy everywhere, except in ou-123 and below and account 123456789012:

config:
  exclude:
    - ou-123
    - '123456789012'

deploy in the deployment ou (and below) and in the applications ou (and below), but skip everything in applications/sandbox and below

config:
  include:
    - deployment
    - applications
  exclude:
    - applications/sandbox

The only downside is that this configuration won't be possible (as applications/sandbox/exception would stay excluded if include is always evaluated first).

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - applications/sandbox

benbridts, Aug 06 '19 13:08

Thanks for the suggestion, I think it is a great idea to extend/rework the functionality of the protected concept to be more robust. Will add this into a milestone just after 1.3.0

bundyfx, Aug 07 '19 15:08

This is a good idea. I would like to see this kind of control in deployment maps. Also adding some inheritance from the parent OU there (https://github.com/awslabs/aws-deployment-framework/issues/20).

hynynen, Sep 29 '20 10:09

I thought about this a bit more, and it would be possible to have the example below work if, instead of using an "include then exclude" logic, it would always use the most specific target.

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - applications/sandbox

It might make sense to support an explicit / to indicate the whole org in that case, so you could make the exclude/include order explicit:

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - /
    - applications/sandbox

benbridts, Sep 29 '20 11:09
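The two evaluation rules discussed in this thread side by side, as an added example that is not ADF code and not posted by any of the participants: the "include first, then exclude" rule from the issue description and the "most specific matching target wins" rule from the follow-up comment. The sample organization, the OU ids, the account ids, the specificity ranking (account id above OU id above deeper OU path above "/") and the tie-breaking choices (exclude wins a tie; an account matched by nothing is bootstrapped only when no include list was given) are assumptions made for this example; the issue itself only asks for "most specific".

```python
"""Added example (not aws-deployment-framework code): two ways to evaluate
an include/exclude target list that mixes OU paths, OU ids and account ids.
All ids and the organization layout below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    ou_id: str      # id of the OU that directly contains the account
    ou_path: str    # OU path from the org root, e.g. "applications/sandbox"


def matches(target: str, account: Account) -> bool:
    """True if one include/exclude entry covers the account. An OU path
    covers that OU and everything below it; "/" covers the whole org."""
    if target == "/":
        return True
    if target in (account.account_id, account.ou_id):
        return True
    path = target.strip("/")
    return account.ou_path == path or account.ou_path.startswith(path + "/")


def specificity(target: str, account: Account) -> int:
    """Rank a matching entry (assumed ordering for this example):
    account id > OU id > deeper OU path > shallower OU path > "/"."""
    if target == account.account_id:
        return 10_000
    if target == account.ou_id:
        return 1_000
    if target == "/":
        return 0
    return 1 + target.strip("/").count("/")   # depth of the OU path


def include_then_exclude(config: dict, account: Account) -> bool:
    """Rule from the issue description: an absent include list means the
    whole org; anything matched by exclude is then removed."""
    include = config.get("include") or ["/"]
    exclude = config.get("exclude") or []
    if not any(matches(t, account) for t in include):
        return False
    return not any(matches(t, account) for t in exclude)


def most_specific(config: dict, account: Account) -> bool:
    """Rule from the follow-up comment: the most specific matching entry
    decides, whichever list it is in. Ties go to exclude (exclude is scanned
    first and include must strictly beat it); an account matched by nothing
    is bootstrapped only when no include list was given."""
    include = config.get("include") or []
    exclude = config.get("exclude") or []
    best_rank, decision = -1, not include
    for target in exclude:
        if matches(target, account):
            rank = specificity(target, account)
            if rank > best_rank:
                best_rank, decision = rank, False
    for target in include:
        if matches(target, account):
            rank = specificity(target, account)
            if rank > best_rank:
                best_rank, decision = rank, True
    return decision


# Constructed sample organization; ids are placeholders, not real AWS ids.
ORG = [
    Account("111111111111", "ou-depl-aaaa", "deployment"),
    Account("222222222222", "ou-apps-bbbb", "applications"),
    Account("333333333333", "ou-sbox-cccc", "applications/sandbox"),
    Account("444444444444", "ou-exc-dddd", "applications/sandbox/exception"),
    Account("555555555555", "ou-shrd-eeee", "shared"),
]

# The configuration the issue says cannot work with include-then-exclude.
CONFIG = {
    "include": ["deployment", "applications", "applications/sandbox/exception"],
    "exclude": ["applications/sandbox"],
}


def bootstrapped(config: dict, rule) -> list[str]:
    """Account ids that the given rule would bootstrap."""
    return [a.account_id for a in ORG if rule(config, a)]


if __name__ == "__main__":
    print("include-then-exclude:", bootstrapped(CONFIG, include_then_exclude))
    print("most-specific:       ", bootstrapped(CONFIG, most_specific))
```

Under include-then-exclude the exception account stays out, which is the downside the issue describes; under most-specific the deeper include path outranks the sandbox exclude and the exception account is bootstrapped again. Adding "/" to the exclude list, as suggested in the last comment, changes nothing for accounts that already match an entry and only makes the default for unmatched accounts explicit.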