feat(core)Enable account level SCP mgmt (#708)

charliejllewellyn · Charlie Llewellyn · web-flow · commit da88c5cb74d3 · 2021-04-23T08:11:49.000-04:00
* Added scps on account type
* inital commit for account SCPs
* added example account scp configuration
* made mandatory
* correct formatting
* added code to restore policy if policy is edited by non accelerator role
* removed code attempting to implement duplicate functionality

Co-authored-by: Charlie Llewellyn &lt;cjl@amazon.co.uk&gt;
diff --git a/reference-artifacts/SAMPLE_CONFIGS/sample_snippets.md b/reference-artifacts/SAMPLE_CONFIGS/sample_snippets.md
@@ -705,6 +705,17 @@
 
 ---
 
+- Add SCP on a per account basis - add this to either workload or mandatory accounts sections
+
+```
+      "scps": [
+        "SCP 1",
+        "SCP 2"
+      ]
+```
+
+---
+
 - Future description
 
 ```
diff --git a/src/core/runtime/src/add-scp-step.ts b/src/core/runtime/src/add-scp-step.ts
@@ -103,6 +103,13 @@ export const handler = async (input: AddScpInput) => {
     acceleratorPrefix,
   });
 
+  await scps.attachOrDetachPoliciesToAccounts({
+    existingPolicies,
+    configurationAccounts: accounts,
+    accountConfigs: config.getAccountConfigs(),
+    acceleratorPrefix,
+  });
+
   return {
     status: 'SUCCESS',
   };
diff --git a/src/lib/common-config/src/index.ts b/src/lib/common-config/src/index.ts
@@ -592,6 +592,7 @@ export const MandatoryAccountConfigType = t.interface({
   'populate-all-elbs-in-param-store': fromNullable(t.boolean, false),
   'ssm-automation': fromNullable(t.array(SsmShareAutomation), []),
   'aws-config': fromNullable(t.array(AwsConfigAccountConfig), []),
+  scps: optional(t.array(t.string)),
 });
 
 export type MandatoryAccountConfig = t.TypeOf<typeof MandatoryAccountConfigType>;
diff --git a/src/lib/common/src/scp/index.ts b/src/lib/common/src/scp/index.ts
@@ -5,6 +5,8 @@ import { stringType } from 'aws-sdk/clients/iam';
 import { PolicySummary } from 'aws-sdk/clients/organizations';
 import { OrganizationalUnit } from '@aws-accelerator/common-outputs/src/organizations';
 import { additionalReplacements, replaceDefaults } from './../util/common';
+import { AccountConfig } from '@aws-accelerator/common-config/src';
+import { Account } from '@aws-accelerator/common-outputs/src/accounts';
 
 export const FULL_AWS_ACCESS_POLICY_NAME = 'FullAWSAccess';
 
@@ -266,6 +268,76 @@ export class ServiceControlPolicy {
     }
   }
 
+  /**
+   * Attach new or detach removed policies based on the account configuration.
+   */
+  async attachOrDetachPoliciesToAccounts(props: {
+    existingPolicies: PolicySummary[];
+    configurationAccounts: Account[];
+    accountConfigs: [string, AccountConfig][];
+    acceleratorPrefix: string;
+  }) {
+    const { existingPolicies, configurationAccounts, accountConfigs, acceleratorPrefix } = props;
+
+    for (const [accountKey, accountConfig] of accountConfigs) {
+      const Account = configurationAccounts.find(Account => Account.key === accountKey);
+      /**
+       * Check if scps key is set on account. If not, ignore as SCPs are being managed in the outside the installer.
+       */
+      if (accountConfig.scps == null) {
+        continue;
+      }
+
+      // Attach Accelerator SCPs to Accounts
+      if (!Account) {
+        console.warn(`Cannot find Account configuration with key "${accountKey}"`);
+        continue;
+      }
+
+      const accountPolicyNames = accountConfig.scps.map(policyName =>
+        ServiceControlPolicy.policyNameToAcceleratorPolicyName({ acceleratorPrefix, policyName }),
+      );
+
+      if (accountPolicyNames.length > 4) {
+        console.warn(`Maximum allowed SCP per Account is 5. Limit exceeded for Account ${accountKey}`);
+        continue;
+      }
+
+      // Find targets for this policy
+      const policyTargets = await this.org.listPoliciesForTarget({
+        Filter: 'SERVICE_CONTROL_POLICY',
+        TargetId: Account.id,
+      });
+
+      // Detach removed policies
+      for (const policyTarget of policyTargets) {
+        const policyTargetName = policyTarget.Name!;
+        if (!accountPolicyNames.includes(policyTargetName) && policyTargetName !== FULL_AWS_ACCESS_POLICY_NAME) {
+          console.log(`Detaching ${policyTargetName} from Account ${accountKey}`);
+          await this.org.detachPolicy(policyTarget.Id!, Account.id);
+        }
+      }
+
+      // Attach new policies
+      for (const accountPolicyName of accountPolicyNames) {
+        const policy = existingPolicies.find(p => p.Name === accountPolicyName);
+        if (!policy) {
+          console.warn(`Cannot find policy with name "${accountPolicyName}"`);
+          continue;
+        }
+
+        const policyTarget = policyTargets.find(x => x.Name === accountPolicyName);
+        if (policyTarget) {
+          console.log(`Skipping attachment of ${accountPolicyName} to already attached Account ${accountKey}`);
+          continue;
+        }
+
+        console.log(`Attaching ${accountPolicyName} to Account ${accountKey}`);
+        await this.org.attachPolicy(policy.Id!, Account.id);
+      }
+    }
+  }
+
   static createQuarantineScpContent(props: { acceleratorPrefix: string; organizationAdminRole: string }) {
     return JSON.stringify({
       Version: '2012-10-17',
