fix(core): IAM Policy creation based on Org config (#610)

naveenkoppula · web-flow · commit 7505aa134789 · 2021-02-15T15:34:36.000-05:00
* Reading Organizational-Units config for policy definitions

* Adding WorkLoad Accounts

* Creating IAM Assets from workload configuration
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
@@ -71,8 +71,10 @@ export interface IamPolicyArtifactsOutput {
 export async function deploy({ acceleratorConfig, accountStacks, accounts, context, limiter, outputs }: PhaseInput) {
   const mandatoryAccountConfig = acceleratorConfig.getMandatoryAccountConfigs();
   const orgUnits = acceleratorConfig.getOrganizationalUnits();
+  const workLoadAccountConfig = acceleratorConfig.getWorkloadAccountConfigs();
   const masterAccountKey = acceleratorConfig.getMandatoryAccountKey('master');
   const logAccountKey = acceleratorConfig.getMandatoryAccountKey('central-log');
+  const iamConfigs = acceleratorConfig.getIamConfigs();
   const masterAccountId = getAccountId(accounts, masterAccountKey);
   if (!masterAccountId) {
     throw new Error(`Cannot find mandatory primary account ${masterAccountKey}`);
@@ -317,8 +319,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     const iamPoliciesBucketName = iamPolicyArtifactOutput[0].bucketName;
     const iamPoliciesBucketPrefix = iamPolicyArtifactOutput[0].keyPrefix + '/';
 
-    for (const [accountKey, accountConfig] of mandatoryAccountConfig) {
-      const iamConfig = accountConfig.iam;
+    for (const { iam: iamConfig } of iamConfigs) {
       if (IamConfigType.is(iamConfig)) {
         const iamPolicies = iamConfig?.policies;
         for (const iamPolicy of iamPolicies || []) {
@@ -367,7 +368,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     }
 
     if (iamPoliciesDefinition) {
-      const iamAssets = new IamAssets(accountStack, `IAM Assets-${pascalCase(accountKey)}`, {
+      new IamAssets(accountStack, `IAM Assets-${pascalCase(accountKey)}`, {
         accountKey,
         iamConfig,
         iamPoliciesDefinition,
@@ -378,31 +379,36 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     }
   };
 
-  const getNonMandatoryAccountsPerOu = (ouName: string, mandatoryAccKeys: string[]): Account[] => {
-    const accountsPerOu: Account[] = [];
-    for (const account of accounts) {
-      if (account.ou === ouName && !mandatoryAccKeys.includes(account.key)) {
-        accountsPerOu.push(account);
+  const accountIamConfigs: { [accountKey: string]: IamConfig } = {};
+  for (const { accountKey, iam: iamConfig } of iamConfigs) {
+    if (accountIamConfigs[accountKey]) {
+      if (accountIamConfigs[accountKey].policies) {
+        accountIamConfigs[accountKey].policies?.push(...(iamConfig.policies || []));
+      } else {
+        accountIamConfigs[accountKey].policies = iamConfig.policies;
       }
-    }
-    return accountsPerOu;
-  };
 
-  const mandatoryAccountKeys: string[] = [];
-  // creating assets for default account settings
-  for (const [accountKey, accountConfig] of mandatoryAccountConfig) {
-    mandatoryAccountKeys.push(accountKey);
-    await createIamAssets(accountKey, accountConfig.iam);
-  }
+      if (accountIamConfigs[accountKey].roles) {
+        accountIamConfigs[accountKey].roles?.push(...(iamConfig.roles || []));
+      } else {
+        accountIamConfigs[accountKey].roles = iamConfig.roles;
+      }
 
-  // creating assets for org unit accounts
-  for (const [orgName, orgConfig] of orgUnits) {
-    const orgAccounts = getNonMandatoryAccountsPerOu(orgName, mandatoryAccountKeys);
-    for (const orgAccount of orgAccounts) {
-      await createIamAssets(orgAccount.key, orgConfig.iam);
+      if (accountIamConfigs[accountKey].users) {
+        accountIamConfigs[accountKey].users?.push(...(iamConfig.users || []));
+      } else {
+        accountIamConfigs[accountKey].users = iamConfig.users;
+      }
+    } else {
+      accountIamConfigs[accountKey] = iamConfig;
     }
   }
 
+  // creating assets for default account settings
+  for (const [accountKey, iamConfig] of Object.entries(accountIamConfigs)) {
+    await createIamAssets(accountKey, iamConfig);
+  }
+
   // Budget creation step 2
   await budget.step2({
     accountStacks,
diff --git a/src/deployments/cdk/src/common/iam-assets.ts b/src/deployments/cdk/src/common/iam-assets.ts
@@ -29,6 +29,7 @@ export class IamAssets extends cdk.Construct {
     const customerManagedPolicies: { [policyName: string]: iam.ManagedPolicy } = {};
     // method to create IAM Policy
     const createIamPolicy = (policyName: string, policy: string): void => {
+      console.log(`Creating Policy "${policyName}" in account "${accountKey}"`);
       const iamPolicyDef = iamPoliciesDefinition[policyName];
       const iamPolicyJson = JSON.parse(iamPolicyDef);
       const statementArray = iamPolicyJson.Statement;
