Community::Organizations::Policy.Content - YAML support #78

Open
mbarneyjr opened this issue Mar 11, 2021 · 5 comments

Comments

@mbarneyjr
Contributor

It would be nice to be able to define an organization policy's content as YAML (similar to how you can define IAM policies in YAML), and have the resource provider itself do the conversion to JSON before calling the organizations:CreatePolicy API.

@zaro0508
Contributor

Hmm, I'm wondering if you can do the conversion with the !JsonString function?

Examples:

Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString
        Version: '2012-10-17'
        Statement:
          - NotAction:
            - kms:*
            Resource: "*"
            Effect: Deny
            Condition:
              StringNotEquals:
                aws:RequestedRegion:
                - us-east-1

Or put the YAML in a test.yaml file and use !ReadFile...

Resources:
  Scp:
    Type: Community::Organizations::Policy
    Properties:
      Description: Test SCP
      Name: TestScp
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds: !Ref targetIds
      Content: !JsonString [ !ReadFile ./test.yaml]

@mbarneyjr
Contributor Author

The !JsonString function is specific to OrgFormation-annotated templates and is not a natively supported CloudFormation intrinsic function. It would be nice to be able to define your organization policies with YAML in purely CloudFormation-defined templates, so you can use this resource provider in a scenario where you aren't managing your organization with OrgFormation.

@OlafConijn
Member

@mbarneyjr the contents of PR #83 got published as s3://community-resource-provider-catalog/community-organizations-policy-0.2.0.zip

This should allow you to use the type as follows:

AWSTemplateFormatVersion: '2010-09-09'
Description: Example template for a global AI opt-out organizations management policy

Resources:
  OrganizationPolicy:
    Type: Community::Organizations::Policy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyLargerThan4XLarge
            Effect: Deny
            Action:
              - "ec2:RunInstances"
              - "ec2:ModifyInstanceAttribute"
            Resource: "arn:aws:ec2:*:*:instance/*"
            Condition:
              ForAnyValue:StringNotLike:
                "ec2:InstanceType":
                  - "*.nano"
                  - "*.small"
                  - "*.micro"
                  - "*.medium"
                  - "*.large"
                  - "*.xlarge"
                  - "*.2xlarge"
                  - "*.4xlarge"
      Description: Deny running EC2 instances larger than 4xlarge
      Name: DenyLargeEC2Instances
      PolicyType: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref AWS::AccountId

@mbarneyjr
Contributor Author

I finally got around to testing this and it works like a charm! It seems both Content and PolicyDocument are supported properties on this resource now? PolicyDocument is the one that supports YAML, but when I look at the schema it doesn't contain PolicyDocument.

Just want to confirm I understand how this should be used. Thanks for the feature!

@OlafConijn
Member

Yes, both are supported (more precisely: either).
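As an added illustration of the either-or behaviour confirmed above, here is a hypothetical normalization step that a resource provider handler could run before calling organizations:CreatePolicy. It is not the provider's own code; the function name, the property checks and the size check are assumptions, and the sample policy is constructed from the DenyLargeEC2Instances example in this thread.

```python
import json
from typing import Any, Dict

# Documented Organizations quota for a service control policy, in characters.
SCP_MAX_CHARS = 5120


def resolve_policy_content(props: Dict[str, Any]) -> str:
    """Return the JSON string to send as the Content of organizations:CreatePolicy.

    Hypothetical handler step: accepts either the original 'Content' property
    (a JSON string) or the YAML-friendly 'PolicyDocument' property (an already
    parsed mapping), but never both and never neither.
    """
    has_content = props.get("Content") is not None
    has_document = props.get("PolicyDocument") is not None
    if has_content == has_document:
        raise ValueError("exactly one of Content or PolicyDocument must be set")

    if has_document:
        document = props["PolicyDocument"]
        if not isinstance(document, dict):
            raise TypeError("PolicyDocument must be a mapping")
    else:
        # Content arrives as a string; parse it so malformed JSON fails in the
        # handler instead of as an opaque error from the Organizations API.
        document = json.loads(props["Content"])
        if not isinstance(document, dict):
            raise TypeError("Content must encode a JSON object")

    if "Statement" not in document:
        raise ValueError("policy document has no Statement")

    # Compact separators keep the serialized policy well inside the SCP quota.
    content = json.dumps(document, separators=(",", ":"))
    if len(content) > SCP_MAX_CHARS:
        raise ValueError(f"policy is {len(content)} chars, limit is {SCP_MAX_CHARS}")
    return content


# Constructed sample: the deny-large-instances SCP from the thread, as the
# mapping CloudFormation would hand the handler for the PolicyDocument property.
DENY_LARGE_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLargerThan4XLarge",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"ForAnyValue:StringNotLike": {"ec2:InstanceType": ["*.nano", "*.4xlarge"]}},
    }],
}

if __name__ == "__main__":
    print(resolve_policy_content({"PolicyDocument": DENY_LARGE_EC2}))
```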
