-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EN-1912: add service control policy support #384
Conversation
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #384 +/- ##
==========================================
- Coverage 85.20% 75.54% -9.66%
==========================================
Files 98 102 +4
Lines 10731 11372 +641
==========================================
- Hits 9143 8591 -552
- Misses 1588 2781 +1193
Flags with carried forward coverage won't be shown. Click here to find out more.
☔ View full report in Codecov by Sentry. |
b01ba37
to
093b13e
Compare
81917c6
to
c29e9c4
Compare
c29e9c4
to
938cb18
Compare
938cb18
to
fc14167
Compare
129b099
to
5e17ea5
Compare
9dd43cc
to
74553dd
Compare
organization_account: bool = Field( | ||
False, description="if this is an organization account" | ||
) | ||
organization: Optional[AWSOrganization] = Field( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not a blocker but at some point it may be worth circling back and removing organization
and aws_config
to prevent accidental circular refs.
We could do something like adding the additional required org attributes to the AWSAccount object and have some type of org directory on the org AWSAccount. We're currently doing something similar with CloudUMI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed the problem is you are not able to know if your account should be used to execute
any operation over aws-organizations. You need the config to parse the account names to id's.
iambic/plugins/v0_1_0/aws/organizations/scp/template_generation.py
Outdated
Show resolved
Hide resolved
@@ -1875,7 +1876,9 @@ def configuration_wizard_change_detection_setup(self, aws_org: AWSOrganization): | |||
|
|||
role_name = IAMBIC_SPOKE_ROLE_NAME | |||
hub_account_id = self.hub_account_id | |||
sqs_arn = f"arn:aws:sqs:{self.aws_default_region}:{hub_account_id}:IAMbicChangeDetectionQueue{IAMBIC_CHANGE_DETECTION_SUFFIX}" | |||
# cloudtrail is not cross-region, so we need to use us-east-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll need to check if SSO messages are duplicated or if we're going to need a dedicated queue for SSO.
It may just require a ticket and not need to worry about fixing in this PR.
It'd also be worth adding some functional tests to this PR to check the typical CRUD scenarios with multiple SCPs on the org. |
4516516
to
3edc841
Compare
84f8439
to
cb1ac53
Compare
cb1ac53
to
f7a4d78
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some notes but nothing huge. Nice stuff!
return self.statement.sid | ||
|
||
@staticmethod | ||
def parse_raw_policy(resource_raw) -> "PolicyDocument": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a big deal but classmethod is a better fit here
] | ||
|
||
|
||
@retry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a big deal but legacy_paginated_search, paginated_search, and boto_crud_call already have a retry with backoff on recoverable errors. It's really just throttling limit right now but if you're hitting an exception in these functions that aren't SCP specific the handling should really go there.
|
||
await asyncio.gather(*targets_tasks) | ||
|
||
log.info(f"Deleting policy {policyId}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be worth changing a lot of these logging messages to debug to reduce the noise a user will see when they're running it locally. I've def be guilty of using info instead of debug in here but I've been trying to go back and adjust.
return tasks, response | ||
|
||
|
||
@retry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this function will encounter a recoverable exception
return response | ||
|
||
|
||
@retry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this function will encounter a recoverable exception
return tasks, response | ||
|
||
|
||
@retry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this function will encounter a recoverable exception
return tasks, response | ||
|
||
|
||
@retry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this function will encounter a recoverable exception
@Will-NOQ - Unfortunately all of these need retry operators because AWS Orgs has ridiculously low rate limits (I saw TooManyRequestsException too easily, it was super brittle), A lot of ConcurrentModificationException errors (even though our modifications often are not being performed in parallel), and some other issues. Some discussions around this in Slack: https://noqglobal.slack.com/archives/C02HF22G4MU/p1685029944899119 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
What changed?
How was it tested?
If it was manually verified, list the instructions for your reviewers to follow.
if actor != identity_arn:
)