Merge pull request #510 from dgraeber/feature/force-policy-deploy

adding force update logic of project policies
awslabs · Feb 26, 2024 · c275168 · c275168
2 parents 5a16893 + 5770680
commit c275168
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch
 - added `--update-seedkit` support to `apply` 
   - SeedFarmer will no longer try to update the seedkit on every request
   - Users can override this with the `--update-seedkit` flag in case AWS CodeSeeder has updated the SeedKit
+- added `--update-project_policy` support to `apply` 
+  - SeedFarmer will apply a changeset to the project policy when this flag is set
 
 ### Fixes
 - adding in workaround for manifests whose char length is greater than SSM limit of 8192 k

diff --git a/seedfarmer/__main__.py b/seedfarmer/__main__.py
@@ -112,6 +112,13 @@ def version() -> None:
     show_default=True,
     type=bool,
 )
+@click.option(
+    "--update-project-policy/--no-update-project-policy",
+    default=False,
+    help="Force SeedFarmer to update the deployed Project Policy",
+    show_default=True,
+    type=bool,
+)
 def apply(
     spec: str,
     profile: Optional[str],
@@ -124,6 +131,7 @@ def apply(
     enable_session_timeout: bool,
     session_timeout_interval: int,
     update_seedkit: bool,
+    update_project_policy: bool,
 ) -> None:
     """Apply manifests to a SeedFarmer managed deployment"""
     if debug:
@@ -146,6 +154,7 @@ def apply(
         enable_session_timeout=enable_session_timeout,
         session_timeout_interval=session_timeout_interval,
         update_seedkit=update_seedkit,
+        update_project_policy=update_project_policy,
     )
 
 

diff --git a/seedfarmer/commands/_deployment_commands.py b/seedfarmer/commands/_deployment_commands.py
@@ -372,7 +372,9 @@ def _render_permissions_boundary_arn(
     du.write_deployed_deployment_manifest(deployment_manifest=deployment_manifest)
 
 
-def prime_target_accounts(deployment_manifest: DeploymentManifest, update_seedkit: bool = False) -> None:
+def prime_target_accounts(
+    deployment_manifest: DeploymentManifest, update_seedkit: bool = False, update_project_policy: bool = False
+) -> None:
     _logger.info("Priming Accounts")
     with concurrent.futures.ThreadPoolExecutor(max_workers=len(deployment_manifest.target_accounts_regions)) as workers:
 
@@ -388,6 +390,7 @@ def _prime_accounts(args: Dict[str, Any]) -> List[Any]:
                 "account_id": target_account_region["account_id"],
                 "region": target_account_region["region"],
                 "update_seedkit": update_seedkit,
+                "update_project_policy": update_project_policy,
             }
             if target_account_region["network"] is not None:
                 network = commands.load_network_values(
@@ -474,6 +477,7 @@ def destroy_deployment(
                     def _exec_destroy(args: Dict[str, Any]) -> Optional[ModuleDeploymentResponse]:
                         return _execute_destroy(**args)
 
+                    params = []
                     for _module in _group.modules:
                         _process_module_path(module=_module) if _module.path.startswith("git::") else None
 
@@ -665,6 +669,7 @@ def apply(
     enable_session_timeout: bool = False,
     session_timeout_interval: int = 900,
     update_seedkit: bool = False,
+    update_project_policy: bool = False,
 ) -> None:
     """
     apply
@@ -698,6 +703,10 @@ def apply(
         If enabled, boto3 Sessions will be reset on the timeout interval
     session_timeout_interval: int
         The interval, in seconds, to reset boto3 Sessions
+    update_seedkit: bool
+        Force update run of seedkit, defaults to False
+    update_project_policy: bool
+        Force update run of managed project policy, defaults to False
 
     Raises
     ------
@@ -755,7 +764,11 @@ def apply(
                 raise seedfarmer.errors.InvalidPathError("Cannot parse manifest file path")
     deployment_manifest.validate_and_set_module_defaults()
 
-    prime_target_accounts(deployment_manifest=deployment_manifest, update_seedkit=update_seedkit)
+    prime_target_accounts(
+        deployment_manifest=deployment_manifest,
+        update_seedkit=update_seedkit,
+        update_project_policy=update_project_policy,
+    )
 
     module_info_index = du.populate_module_info_index(deployment_manifest=deployment_manifest)
     destroy_manifest = du.filter_deploy_destroy(deployment_manifest, module_info_index)

diff --git a/seedfarmer/commands/_stack_commands.py b/seedfarmer/commands/_stack_commands.py
@@ -78,7 +78,11 @@ def _check_stack_status() -> Tuple[bool, Dict[str, str]]:
 
 
 def deploy_managed_policy_stack(
-    deployment_manifest: DeploymentManifest, account_id: str, region: str, **kwargs: Any
+    deployment_manifest: DeploymentManifest,
+    account_id: str,
+    region: str,
+    update_project_policy: Optional[bool] = False,
+    **kwargs: Any,
 ) -> None:
     """
     deploy_managed_policy_stack
@@ -98,7 +102,7 @@ def deploy_managed_policy_stack(
     project_managed_policy_stack_exists, _ = services.cfn.does_stack_exist(
         stack_name=info.PROJECT_MANAGED_POLICY_CFN_NAME, session=session
     )
-    if not project_managed_policy_stack_exists:
+    if not project_managed_policy_stack_exists or update_project_policy:
         project_managed_policy_template = config.PROJECT_POLICY_PATH
         _logger.info("Resolved the ProjectPolicyPath %s", project_managed_policy_template)
         if not os.path.exists(project_managed_policy_template):
@@ -436,6 +440,7 @@ def deploy_seedkit(
     private_subnet_ids: Optional[List[str]] = None,
     security_group_ids: Optional[List[str]] = None,
     update_seedkit: Optional[bool] = False,
+    **kwargs: Any,
 ) -> Dict[str, Any]:
     """
     deploy_seedkit