more account exclusion options

depaolism · Aug 9, 2023 · 5332752 · 5332752
1 parent e96e792
commit 5332752
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -7,7 +7,7 @@
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 [tool.poetry]
 name = "rdk"
-version = "0.16.0"
+version = "0.17.0"
 description = "Rule Development Kit CLI for AWS Config"
 authors = [
     "AWS RDK Maintainers <[email protected]>",

diff --git a/rdk/__init__.py b/rdk/__init__.py
@@ -6,4 +6,4 @@
 #
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 
-MY_VERSION = "0.16.0"
+MY_VERSION = "0.17.0"
diff --git a/rdk/rdk.py b/rdk/rdk.py
@@ -17,6 +17,7 @@
 import fnmatch
 import json
 import os
+import re
 import shutil
 import subprocess
 import sys
@@ -389,6 +390,11 @@ def get_rule_parser(is_required, command):
         action="store_true",
         help="[optional] Skip the check for whether the resource type is supported or not.",
     )
+    parser.add_argument(
+        "--excluded-accounts",
+        required=False,
+        help="[optional] Comma-separated list of AWS accounts to exclude from the rule. Will only be used for organizational rules.",
+    )
 
     return parser
 
@@ -604,6 +610,11 @@ def get_deployment_organization_parser(ForceArgument=False, Command="deploy-orga
         default="rdklib-layer",
         help='[optional] To use with --generated-lambda-layer, forces the flag to look for a specific lambda-layer name. If omitted, "rdklib-layer" will be used',
     )
+    parser.add_argument(
+        "--excluded-accounts",
+        required=False,
+        help="[optional] Comma-separated list of account IDs to exclude from the organization rule deployment.",
+    )
 
     if ForceArgument:
         parser.add_argument(
@@ -2216,6 +2227,9 @@ def deploy_organization(self):
                     del optional_parameters_json[key]
                 combined_input_parameters.update(optional_parameters_json)
 
+            if self.args.excluded_accounts or "ExcludedAccounts" in rule_params:
+                combined_excluded_accounts = set(rule_params.get("ExcludedAccounts", []), self.args.excluded_accounts)
+
             if "SourceIdentifier" in rule_params:
                 print("Found Managed Rule.")
                 # create CFN Parameters for Managed Rules
@@ -2249,6 +2263,10 @@ def deploy_organization(self):
                         "ParameterKey": "SourceIdentifier",
                         "ParameterValue": rule_params["SourceIdentifier"],
                     },
+                    {
+                        "ParameterKey": "ExcludedAccounts",
+                        "ParameterValue": combined_excluded_accounts,
+                    },
                 ]
                 my_cfn = my_session.client("cloudformation")
 
@@ -2391,6 +2409,10 @@ def deploy_organization(self):
                     "ParameterKey": "Timeout",
                     "ParameterValue": str(self.args.lambda_timeout),
                 },
+                {
+                    "ParameterKey": "ExcludedAccounts",
+                    "ParameterValue": combined_excluded_accounts,
+                },
             ]
             layers = self.__get_lambda_layers(my_session, self.args, rule_params)
 
@@ -3411,6 +3433,10 @@ def __parse_rule_args(self, is_required):
             print(f"Number of specified resource types exceeds Config service maximum of {max_resource_types}.")
             sys.exit(1)
 
+        if self.args.excluded_accounts and not re.match(r"^(\d{12})(,\d{12})*$", self.args.excluded_accounts):
+            print("Invalid Excluded Accounts. Must be 12-digit account numbers, separated by commas and no spaces.")
+            sys.exit(1)
+
         if self.args.rulename:
             if len(self.args.rulename) > 128:
                 print("Rule names must be 128 characters or fewer.")
@@ -3559,6 +3585,12 @@ def __parse_deploy_organization_args(self, ForceArgument=False):
         if self.args.rulesets:
             self.args.rulesets = self.args.rulesets.split(",")
 
+        if self.args.excluded_accounts:
+            if not re.match(r"^(\d{12})(,\d{12})*$", self.args.excluded_accounts):
+                print("Invalid excluded accounts.  Must be a comma-separated list of 12-digit account numbers.")
+                sys.exit(1)
+            self.args.excluded_accounts = self.args.excluded_accounts.split(",")
+
     def __parse_export_args(self, ForceArgument=False):
         self.args = get_export_parser(ForceArgument).parse_args(self.args.command_args, self.args)
 
@@ -3720,6 +3752,9 @@ def __populate_params(self):
             parameters["CodeKey"] = None
             parameters["SourceRuntime"] = None
 
+        if self.args.excluded_accounts:
+            parameters["ExcludedAccounts"] = self.args.excluded_accounts
+
         if my_remediation:
             parameters["Remediation"] = my_remediation