Support Include/Exclude of OUs instead of "protected" #123

Open
benbridts opened this issue Aug 6, 2019 · 3 comments

@benbridts
Contributor

When deploying the ADF into an existing organization, it might be nice to have more control over which OUs should be bootstrapped, as another process (e.g. Landing Zone / Control Tower) might be responsible for creating accounts, creating OUs and moving accounts to them.
It should be possible to configure ADF to only bootstrap inside an explicit allow list of OUs.

Going even further, it would be nice to support both OU-paths, OU-ids and Account-ids.
Using the allow list first and the blacklist to filter out after that is probably the most logical.

Examples:


deploy everywhere

config:
  [...]

deploy everywhere, except in ou-123 and below and account 123456789012:

config:
  exclude:
    - ou-123
    - '123456789012'

deploy in the deployment ou (and below) and in the applications ou (and below), but skip everything in applications/sandbox and below

config:
  include:
    - deployment
    - applications
  exclude:
    - applications/sandbox

The only downside is that this configuration won't be possible (as applications/sandbox/exception would stay excluded if include is always evaluated first)

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - applications/sandbox
@bundyfx bundyfx added the enhancement New feature or request label Aug 7, 2019
@bundyfx
Contributor

bundyfx commented Aug 7, 2019

Thanks for the suggestion, I think it is a great idea to extend/rework the functionality of the protected concept to be more robust. Will add this into a milestone just after 1.3.0

@hynynen

hynynen commented Sep 29, 2020

This is a good idea. I would like to see this kind of control in deployment maps. Also adding some inheritance from the parent OU there (#20)

@benbridts
Contributor Author

I thought about this a bit more, and it would be possible to have the example below work if, instead of using an "include then exclude" logic, it would always use the most specific target.

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - applications/sandbox

It might make sense to support an explicit / to indicate the whole org in that case, so you could make the exclude/include order explicit:

config:
  include:
    - deployment
    - applications
    - applications/sandbox/exception
  exclude:
    - /
    - applications/sandbox
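
The two evaluation orders discussed in this thread, side by side, as an added example that is not part of the issue or ADF's own code. The function names, the default for unmatched OUs and the exclude-wins tie-break are assumptions, and only OU paths are handled (not OU ids or account ids).

```python
"""Added example: 'include then exclude' versus 'most specific target wins'."""


def _segments(path):
    # "/" (the whole organization) becomes the empty tuple, which prefixes every path.
    return tuple(part for part in path.strip("/").split("/") if part)


def _matches(rule, target):
    # Compare whole path segments so "applications" never matches "applications-old".
    return target[:len(rule)] == rule


def include_then_exclude(ou_path, include=None, exclude=None):
    """First proposal: apply the allow list, then filter with the exclude list."""
    target = _segments(ou_path)
    # No include list means "deploy everywhere", as in the issue's first two examples.
    allowed = include is None or any(_matches(_segments(r), target) for r in include)
    denied = any(_matches(_segments(r), target) for r in exclude or [])
    return allowed and not denied


def most_specific(ou_path, include=None, exclude=None):
    """Follow-up proposal: the longest matching rule decides."""
    target = _segments(ou_path)
    # Assumption: with no include list the organization root is implicitly included.
    rules = [(_segments(r), True) for r in (["/"] if include is None else include)]
    rules += [(_segments(r), False) for r in exclude or []]
    matching = [(len(rule), allow) for rule, allow in rules if _matches(rule, target)]
    if not matching:
        return False  # Assumption: an OU that no rule covers is not bootstrapped.
    depth = max(length for length, _ in matching)
    # Assumption: if include and exclude name the same path, exclude wins (fail closed).
    return all(allow for length, allow in matching if length == depth)


# The configuration from the last comment, which "include then exclude" cannot express.
CONFIG = {
    "include": ["deployment", "applications", "applications/sandbox/exception"],
    "exclude": ["/", "applications/sandbox"],
}

if __name__ == "__main__":
    for ou in ("applications/web", "applications/sandbox/team-a",
               "applications/sandbox/exception", "security"):
        print(ou, include_then_exclude(ou, **CONFIG), most_specific(ou, **CONFIG))
```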
