
EN-1912: add service control policy support #384

Merged: 2 commits merged into main from task/ner-1912 on May 26, 2023

Conversation

@JonathanLoscalzo (Contributor) commented May 4, 2023

What changed?

  • apply: support service control policies files, tags and targets
  • import: import service control policies with tags and targets
  • detect: CloudFormation file changes:
    • force event bus, rules and SQS to be in the us-east-1 region (CloudTrail is not cross-regional)

How was it tested?

If it was manually verified, list the instructions for your reviewers to follow.

  • Unit Tests
  • Functional Tests
  • Manually Verified
    • Tag
    • Untag
    • Create Policy
    • Delete Policy (and its variations)
    • Update Policy (expire statements, update statements, modify name or description)
    • Attach Target
    • Detach Target
    • Detect Before changes (take care with the actor at if actor != identity_arn:)

codecov bot commented May 4, 2023

Codecov Report

Patch coverage: 76.89% and project coverage change: -9.66 ⚠️

Comparison is base (b9d1aa9) 85.20% compared to head (5432eaf) 75.54%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #384      +/-   ##
==========================================
- Coverage   85.20%   75.54%   -9.66%     
==========================================
  Files          98      102       +4     
  Lines       10731    11372     +641     
==========================================
- Hits         9143     8591     -552     
- Misses       1588     2781    +1193     
Flag                               Coverage Δ
functional_tests                   ?
functional_tests_config_discovery  ?
unit_tests                         75.54% <76.89%> (+0.25%) ⬆️

Flags with carried forward coverage won't be shown.

Impacted Files                                           Coverage Δ
iambic/core/template_generation.py                       84.67% <ø> (-3.35%) ⬇️
iambic/main.py                                           50.49% <0.00%> (ø)
iambic/plugins/v0_1_0/aws/handlers.py                    30.05% <42.55%> (-25.81%) ⬇️
iambic/plugins/v0_1_0/aws/models.py                      59.79% <43.47%> (-26.65%) ⬇️
...bic/plugins/v0_1_0/aws/organizations/scp/models.py    62.30% <62.30%> (ø)
iambic/plugins/v0_1_0/aws/iambic_plugin.py               75.71% <75.00%> (-5.77%) ⬇️
...0_1_0/aws/organizations/scp/template_generation.py    95.23% <95.23%> (ø)
...mbic/plugins/v0_1_0/aws/organizations/scp/utils.py    96.39% <96.39%> (ø)
iambic/core/models.py                                    82.32% <100.00%> (-7.89%) ⬇️
iambic/core/utils.py                                     82.51% <100.00%> (-4.82%) ⬇️
... and 3 more

... and 39 files with indirect coverage changes


@JonathanLoscalzo JonathanLoscalzo force-pushed the task/ner-1912 branch 9 times, most recently from b01ba37 to 093b13e May 17, 2023 13:32
@JonathanLoscalzo JonathanLoscalzo force-pushed the task/ner-1912 branch 6 times, most recently from 81917c6 to c29e9c4 May 19, 2023 21:25
@JonathanLoscalzo JonathanLoscalzo changed the title EN-1912: adding SCP WIP EN-1912: add service control policy support May 19, 2023
@JonathanLoscalzo JonathanLoscalzo self-assigned this May 19, 2023
@JonathanLoscalzo JonathanLoscalzo marked this pull request as ready for review May 19, 2023 21:34
Review threads (outdated, resolved) on: iambic/config/wizard.py, iambic/plugins/v0_1_0/aws/models.py, iambic/plugins/v0_1_0/aws/handlers.py
organization_account: bool = Field(
False, description="if this is an organization account"
)
organization: Optional[AWSOrganization] = Field(
Collaborator:

It's not a blocker but at some point it may be worth circling back and removing organization and aws_config to prevent accidental circular refs.

We could do something like adding the additional required org attributes to the AWSAccount object and have some type of org directory on the org AWSAccount. We're currently doing something similar with CloudUMI.

Contributor (author):

Indeed, the problem is that you are not able to know whether your account should be used to execute any operation over aws-organizations. You need the config to parse the account names to ids.

@@ -1875,7 +1876,9 @@ def configuration_wizard_change_detection_setup(self, aws_org: AWSOrganization):

role_name = IAMBIC_SPOKE_ROLE_NAME
hub_account_id = self.hub_account_id
sqs_arn = f"arn:aws:sqs:{self.aws_default_region}:{hub_account_id}:IAMbicChangeDetectionQueue{IAMBIC_CHANGE_DETECTION_SUFFIX}"
# cloudtrail is not cross-region, so we need to use us-east-1
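Review bot: the sqs_arn f-string still interpolates `self.aws_default_region`, while the comment directly below it states that CloudTrail is not cross-region and us-east-1 must be used, and the PR description says the SQS queue is forced into us-east-1. For any hub account whose default region is not us-east-1, that ARN will point at a queue that was never created in that region. Build the ARN from a fixed region (a named constant would be clearer than a literal) so it always matches where the queue actually lives.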
Collaborator:

We'll need to check if SSO messages are duplicated or if we're going to need a dedicated queue for SSO.

It may just require a ticket and not need to worry about fixing in this PR.

@Will-NOQ (Collaborator):

It'd also be worth adding some functional tests to this PR to check the typical CRUD scenarios with multiple SCPs on the org.

@Will-NOQ (Collaborator) left a review comment:

Left some notes but nothing huge. Nice stuff!

return self.statement.sid

@staticmethod
def parse_raw_policy(resource_raw) -> "PolicyDocument":
Collaborator:

Not a big deal, but classmethod is a better fit here.

]


@retry(
Collaborator:

Not a big deal, but legacy_paginated_search, paginated_search, and boto_crud_call already have a retry with backoff on recoverable errors. It's really just the throttling limit right now, but if you're hitting an exception in these functions that isn't SCP specific, the handling should really go there.


await asyncio.gather(*targets_tasks)

log.info(f"Deleting policy {policyId}")
Collaborator:

It may be worth changing a lot of these logging messages to debug to reduce the noise a user will see when they're running it locally. I've definitely been guilty of using info instead of debug in here, but I've been trying to go back and adjust.

return tasks, response


@retry(
Collaborator:

I don't think this function will encounter a recoverable exception

return response


@retry(
Collaborator:

I don't think this function will encounter a recoverable exception

return tasks, response


@retry(
Collaborator:

I don't think this function will encounter a recoverable exception

return tasks, response


@retry(
Collaborator:

I don't think this function will encounter a recoverable exception

@castrapel (Contributor) commented May 26, 2023

@Will-NOQ - Unfortunately, all of these need retry operators because AWS Orgs has ridiculously low rate limits (I saw TooManyRequestsException too easily; it was super brittle), a lot of ConcurrentModificationException errors (even though our modifications often are not being performed in parallel), and some other issues. Some discussions around this in Slack:

https://noqglobal.slack.com/archives/C02HF22G4MU/p1685030515330609?thread_ts=1685029944.899119&cid=C02HF22G4MU

https://noqglobal.slack.com/archives/C02HF22G4MU/p1685029944899119
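An added example, not iambic's own code, of the retry-only-on-recoverable-errors pattern the thread above is debating: a backoff wrapper that retries solely on the two Organizations error codes named in the discussion and re-raises everything else immediately, exercised against a constructed fake client (the function names, the error-code set and the fake client are assumptions of this example).

```python
import asyncio
import random

try:  # botocore is the real dependency; the stand-in keeps this runnable offline
    from botocore.exceptions import ClientError
except ImportError:
    class ClientError(Exception):  # mirrors botocore's (error_response, operation_name) shape
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response

# Organizations error codes the PR discussion identifies as transient (assumed set; extend as needed)
RECOVERABLE_ERROR_CODES = frozenset({"TooManyRequestsException", "ConcurrentModificationException"})

def is_recoverable(exc: BaseException) -> bool:
    """Only a ClientError whose Error.Code is in the recoverable set should be retried."""
    return isinstance(exc, ClientError) and exc.response.get("Error", {}).get("Code") in RECOVERABLE_ERROR_CODES

async def call_with_backoff(fn, *args, max_attempts=5, base_delay=0.01, max_delay=1.0, **kwargs):
    """Call a boto3-style method with exponential backoff plus full jitter on recoverable errors.
    Anything else (AccessDenied, MalformedPolicyDocument, ...) is re-raised at once so a bad
    policy or a missing permission is never hidden behind retries."""
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(*args, **kwargs)
        except ClientError as exc:
            if not is_recoverable(exc) or attempt == max_attempts:
                raise
            await asyncio.sleep(random.uniform(0, min(max_delay, base_delay * 2 ** (attempt - 1))))

class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client: fails the first fail_times calls."""
    def __init__(self, fail_times, code):
        self.fail_times, self.code, self.calls = fail_times, code, 0

    def attach_policy(self, PolicyId, TargetId):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise ClientError({"Error": {"Code": self.code, "Message": "slow down"}}, "AttachPolicy")
        return {"PolicyId": PolicyId, "TargetId": TargetId}

def run_attach(fail_times=2, code="TooManyRequestsException", max_attempts=5):
    """Drive the fake client through call_with_backoff; returns (outcome, attempts made)."""
    client = FakeOrganizationsClient(fail_times, code)
    try:
        asyncio.run(call_with_backoff(client.attach_policy, max_attempts=max_attempts,
                                      PolicyId="p-example", TargetId="ou-example"))
        return "attached", client.calls
    except ClientError as exc:
        return exc.response["Error"]["Code"], client.calls
```

The point of the split is visible in run_attach: throttling is absorbed for a bounded number of attempts, while an access-denied or malformed-policy error surfaces on the first call instead of being retried into a long, misleading delay.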

@castrapel (Contributor) left a review comment:

LGTM!

@castrapel castrapel merged commit e055c6a into main May 26, 2023
4 checks passed
@castrapel castrapel deleted the task/ner-1912 branch May 26, 2023 20:37