feat: adding thee ability to define the organizational units (#33)

Author: gambol99

.commitlintrc.yaml

@@ -0,0 +1,19 @@
+---
+rules:
+  body-leading-blank: [1, always]
+  body-max-line-length: [2, always, 100]
+  footer-leading-blank: [1, always]
+  footer-max-line-length: [2, always, 100]
+  header-max-length: [2, always, 100]
+  subject-case:
+    - 2
+    - never
+    - [sentence-case, start-case, pascal-case, upper-case]
+  subject-empty: [2, never]
+  subject-full-stop: [2, never, "."]
+  type-case: [2, always, lower-case]
+  type-empty: [2, never]
+  type-enum:
+    - 2
+    - always
+    - [build, chore, ci, docs, feat, fix, perf, refactor, revert, style, test]

.terraform-docs.yaml

@@ -1,5 +1,4 @@
 formatter: markdown
-#header-from: .header.md
 settings:
   anchor: true
   color: true

.tflint.hcl

@@ -1,12 +1,12 @@
 plugin "aws" {
   enabled = true
-  version = "0.32.0"
+  version = "0.33.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 
 plugin "terraform" {
   enabled = true
-  version = "0.7.0"
+  version = "0.9.1"
   source  = "github.com/terraform-linters/tflint-ruleset-terraform"
 }
 

Makefile

@@ -1,6 +1,4 @@
 #
-# Copyright (C) 2024  Appvia Ltd <[email protected]>
-#  
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
@@ -14,9 +12,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-AUTHOR_EMAIL[email protected]
 
-.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init
+.PHONY: all security lint format documentation validate init commitlint
 
 default: all
 
@@ -31,65 +28,38 @@ all:
 documentation: 
 	@echo "--> Generating documentation"
 	@terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
-	$(MAKE) documentation-examples
-
-documentation-examples:
-	@echo "--> Generating documentation examples"
-	@find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \;
 
 init: 
 	@echo "--> Running terraform init"
 	@terraform init -backend=false
 
 security: 
 	@echo "--> Running Security checks"
-	@trivy config .
-	$(MAKE) security-examples
-
-security-examples:
-	@echo "--> Running Security checks on examples"
-	@find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-		echo "--> Validating $$dir"; \
-		trivy config $$dir; \
-	done
-
-validate-all:
-	@echo "--> Running all validation checks"
-	$(MAKE) validate
-	$(MAKE) validate-examples
-
-validate:
-	@echo "--> Running terraform validate"
-	@terraform init -backend=false
-	@terraform validate
-	$(MAKE) validate-examples
+	trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH --ignorefile .trivyignore .
 
-validate-examples:
-	@echo "--> Running terraform validate on examples"
-	@find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-		echo "--> Validating $$dir"; \
-		terraform -chdir=$$dir init; \
-		terraform -chdir=$$dir validate; \
-	done
+commitlint:
+	@echo "--> Running commitlint against the main branch"
+	@command -v commitlint >/dev/null 2>&1 || { echo "commitlint is not installed. Please install it by running 'npm install -g commitlint'"; exit 1; }
+	@git log --pretty=format:"%s" origin/main..HEAD | commitlint --from=origin/main
 
 lint:
 	@echo "--> Running tflint"
 	@tflint --init 
 	@tflint -f compact
-	$(MAKE) lint-examples
-
-lint-examples:
-	@echo "--> Running tflint on examples"
-	@find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-		echo "--> Linting $$dir"; \
-		tflint --chdir=$$dir --init; \
-		tflint --chdir=$$dir -f compact; \
-	done
 
 format: 
 	@echo "--> Running terraform fmt"
 	@terraform fmt -recursive -write=true
 
+validate:
+	@echo "--> Running terraform validate"
+	@terraform init -backend=false
+	@terraform validate
+	$(MAKE) lint 
+	$(MAKE) commitlint
+	$(MAKE) format
+	$(MAKE) security
+
 clean:
 	@echo "--> Cleaning up"
 	@find . -type d -name ".terraform" | while read -r dir; do \

README.md

@@ -82,6 +82,7 @@ No modules.
 | <a name="input_capabilities"></a> [capabilities](#input\_capabilities) | The capabilities required to deploy the cloudformation template | `list(string)` | <pre>[<br/>  "CAPABILITY_NAMED_IAM",<br/>  "CAPABILITY_AUTO_EXPAND",<br/>  "CAPABILITY_IAM"<br/>]</pre> | no |
 | <a name="input_enable_management_account"></a> [enable\_management\_account](#input\_enable\_management\_account) | Enable the deployment to the management account | `bool` | `false` | no |
 | <a name="input_max_concurrent_count"></a> [max\_concurrent\_count](#input\_max\_concurrent\_count) | The maximum number of concurrent deployments | `number` | `10` | no |
+| <a name="input_organization_units"></a> [organization\_units](#input\_organization\_units) | A list of organization units to deploy the boundary (defaults to all organization units) | `list(string)` | `[]` | no |
 | <a name="input_parameters"></a> [parameters](#input\_parameters) | The parameters to pass to the cloudformation template | `map(string)` | `{}` | no |
 
 ## Outputs

examples/basic/main.tf

@@ -7,11 +7,41 @@
 module "boundary" {
   source = "../.."
 
-  description               = "Used to deploy the default permissions boundary for the pipelines."
+  ## The description of the cloudformation stack 
+  description = "Used to deploy the default permissions boundary for the pipelines."
+  ## Enable the deployment to the management account as well
   enable_management_account = true
-  name                      = "LZA-IAM-DefaultBoundary"
-  region                    = "us-west-2"
-  tags                      = {}
-  template                  = file("assets/default-boundary.yml")
-  parameters                = {}
+  ## The name of the cloudformation stack 
+  name = "LZA-IAM-DefaultBoundary-Sandbox"
+  ## The region to deploy the cloudformation template
+  region = "us-west-2"
+  ## The tags to apply to the cloudformation stack 
+  tags = {}
+  ## The cloudformation template to deploy 
+  template = file("assets/default-boundary.yml")
+  ## Parameters passed to the cloudformation template
+  parameters = {}
+  ## Optional list of organization units to deploy the boundary, else defaults to all organization units
+}
+
+## Deploy the boundary to a specific organization unit 
+module "boundary_by_organization" {
+  source = "../.."
+
+  ## The description of the cloudformation stack 
+  description = "Used to deploy the default permissions boundary for the pipelines."
+  ## Enable the deployment to the management account as well
+  enable_management_account = true
+  ## The name of the cloudformation stack 
+  name = "LZA-IAM-DefaultBoundary-Sandbox"
+  ## The region to deploy the cloudformation template
+  region = "us-west-2"
+  ## The tags to apply to the cloudformation stack 
+  tags = {}
+  ## The cloudformation template to deploy 
+  template = file("assets/default-boundary.yml")
+  ## Parameters passed to the cloudformation template
+  parameters = {}
+  ## Optional list of organization units to deploy the boundary, else defaults to all organization units
+  organization_units = ["ou-1234567890"]
 }

locals.tf

@@ -0,0 +1,9 @@
+
+locals {
+  ## The root organization unit 
+  root_organization_unit = data.aws_organizations_organization.current.roots[0].id
+
+  ## The organization units to deploy the boundary - defaults to all organization units if the 
+  ## organization_units variable is not set
+  organizational_units = length(var.organization_units) > 0 ? var.organization_units : [local.root_organization_unit]
+}

main.tf

@@ -32,7 +32,7 @@ resource "aws_cloudformation_stack_set" "boundary" {
 ## Deploy the permissive boundary to the organizational root 
 resource "aws_cloudformation_stack_set_instance" "root" {
   deployment_targets {
-    organizational_unit_ids = [data.aws_organizations_organization.current.roots[0].id]
+    organizational_unit_ids = local.organizational_units
   }
   region         = var.region
   stack_set_name = aws_cloudformation_stack_set.boundary.name

variables.tf

@@ -15,6 +15,12 @@ variable "enable_management_account" {
   default     = false
 }
 
+variable "organization_units" {
+  description = "A list of organization units to deploy the boundary (defaults to all organization units)"
+  type        = list(string)
+  default     = []
+}
+
 variable "max_concurrent_count" {
   description = "The maximum number of concurrent deployments"
   type        = number