fix(core): PolicyChanges by adding ignoredOu validation (#595)

naveenkoppula · web-flow · commit e6dd868b24ff · 2021-02-04T07:38:46.000-05:00
* Fixing PolicyChanges by adding ignoredOu validation
* minor spelling tweaks
diff --git a/src/deployments/runtime/src/ou-validation-events/policy-changes.ts b/src/deployments/runtime/src/ou-validation-events/policy-changes.ts
@@ -59,6 +59,7 @@ export const handler = async (input: PolicyChangeEvent) => {
 
   const organizationAdminRole = config['global-options']['organization-admin-role']!;
   const configScps = config['global-options'].scps;
+  const ignoredOus: string[] = config['global-options']['ignored-ous'] || [];
   const scpNames = configScps.map(scp =>
     ServiceControlPolicy.policyNameToAcceleratorPolicyName({
       acceleratorPrefix,
@@ -71,24 +72,40 @@ export const handler = async (input: PolicyChangeEvent) => {
     console.warn(`Missing policyId, Ignoring`);
     return 'INVALID_REQUEST';
   }
-  if (!(await isAcceleratorScp(policyId, scpNames))) {
+  const eventName = requestDetail.eventName;
+  if (eventName !== 'DeletePolicy' && !(await isAcceleratorScp(policyId, scpNames))) {
     console.log(`SCP ${policyId} is not managed by Accelerator`);
     return 'SUCCESS';
   }
-  const eventName = requestDetail.eventName;
+  const scps = new ServiceControlPolicy(acceleratorPrefix, organizationAdminRole, organizations);
+  const { organizationalUnits, accounts } = await loadAccountsAndOrganizationsFromConfig(config);
   if (eventName === 'DetachPolicy') {
     const { targetId } = requestDetail.requestParameters;
     if (!targetId) {
       console.warn(`Missing required parameters, Ignoring`);
       return 'INVALID_REQUEST';
     }
+    if (ignoredOus.length > 0) {
+      if (targetId.startsWith('ou-')) {
+        const destinationOrg = await organizations.getOrganizationalUnitWithPath(targetId);
+        const destinationRootOrg = destinationOrg.Name!;
+        if (ignoredOus.includes(destinationRootOrg)) {
+          console.log(`DetachPolicy is on ignored-ou from ROOT, no need to reattach`);
+          return 'IGNORE';
+        }
+      } else {
+        const accountObject = accounts.find(acc => acc.accountId === targetId);
+        if (ignoredOus.includes(accountObject?.organizationalUnit!)) {
+          console.log(`DetachPolicy is on account in ignored-ous from ROOT, no need to reattach`);
+          return 'IGNORE';
+        }
+      }
+    }
     // ReAttach target to policy
-    console.log(`ReAttaching target "${targetId}" to policy "${policyId}"`);
+    console.log(`Reattaching target "${targetId}" to policy "${policyId}"`);
     await organizations.attachPolicy(policyId, targetId);
   } else if (eventName === 'UpdatePolicy' || eventName === 'DeletePolicy') {
-    console.log(`${eventName}, Changing back to original config from config`);
-    const scps = new ServiceControlPolicy(acceleratorPrefix, organizationAdminRole, organizations);
-    const { organizationalUnits, accounts } = await loadAccountsAndOrganizationsFromConfig(config);
+    console.log(`${eventName}, changing back to original config from config`);
 
     // Find policy config
     const globalOptionsConfig = config['global-options'];
