Merge remote-tracking branch 'netflix/master'

README.md

@@ -63,7 +63,7 @@ or [**SAML**](https://hawkins.gitbook.io/consoleme/configuration/authentication-
 
 ## Companies that use ConsoleMe (alphabetically sorted)
 
-- [AB180](https://en.ab180.co/)
+- [AB180](https://www.ab180.co/en)
 - [Calm](https://www.calm.com/)
 - [FollowAnalytics](https://followanalytics.com/)
 - [myKaarma](https://mykaarma.com/)

helm/consoleme/templates/configmap-organization.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "consoleme.fullname" . }}-config-organization
+  labels:
+    {{- include "consoleme.labels" . | nindent 4 }}
+data:
+  config_organization.yaml: |
+    # ConsoleMe can cache account, org structure, and SCPs from AWS Organizations in one or more accounts
+    cache_accounts_from_aws_organizations:
+    #  # This is the account ID of your AWS organizations master
+      - organizations_master_account_id: "{{ .Values.cache_accounts_from_aws_organizations.organizations_master_account_id }}"
+    #    # This is the name of the role that consoleme will attempt to assume on your Organizations master account to retrieve
+    #    # account information. Ensure that ConsoleMe can assume this role, and that this role has the permissions:
+    #    # organizations:DescribeAccount
+    #    # organizations:DescribeOrganizationalUnit
+    #    # organizations:DescribePolicy
+    #    # organizations:ListAccounts
+    #    # organizations:ListChildren
+    #    # organizations:ListPolicies
+    #    # organizations:ListRoots
+    #    # organizations:ListTargetsForPolicy
+        organizations_master_role_to_assume: "{{ .Values.cache_accounts_from_aws_organizations.organizations_master_role_to_assume }}"
+    
+    cache_cloud_accounts:
+      from_aws_organizations: True
+{{- end }}

helm/consoleme/templates/configmap.yaml

@@ -11,6 +11,9 @@ data:
       - config_dynamo.yaml
       - config_redis.yaml
       - config_auth.yaml
+    {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+      - config_organization.yaml
+    {{- end }}
     {{- if .Values.awsSecretsManager.enabled }}
       - AWS_SECRETS_MANAGER:{{ .Values.awsSecretsManager.name }}
     {{- else }}

helm/consoleme/templates/deployment-celery-worker.yaml

@@ -69,6 +69,12 @@ spec:
               name: consoleme-config-auth
               readOnly: true
               subPath: config_auth.yaml
+            {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+            - mountPath: /etc/consoleme/config_organization.yaml
+              name: consoleme-config-organization
+              subPath: config_organization.yaml
+              readOnly: true
+            {{- end }}
             - mountPath: /etc/consoleme/config_redis.yaml
               name: consoleme-config-redis
               readOnly: true
@@ -90,6 +96,11 @@ spec:
         - name: consoleme-config-auth
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-auth
+        {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+        - name: consoleme-config-organization
+          configMap:
+            name: {{ include "consoleme.fullname" . }}-config-organization
+        {{- end }}
         - name: consoleme-config-redis
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-redis

helm/consoleme/templates/deployment-celery.yaml

@@ -69,6 +69,12 @@ spec:
               name: consoleme-config-auth
               readOnly: true
               subPath: config_auth.yaml
+            {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+            - mountPath: /etc/consoleme/config_organization.yaml
+              name: consoleme-config-organization
+              subPath: config_organization.yaml
+              readOnly: true
+            {{- end }}
             - mountPath: /etc/consoleme/config_redis.yaml
               name: consoleme-config-redis
               readOnly: true
@@ -90,6 +96,11 @@ spec:
         - name: consoleme-config-auth
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-auth
+        {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+        - name: consoleme-config-organization
+          configMap:
+            name: {{ include "consoleme.fullname" . }}-config-organization
+        {{- end }}
         - name: consoleme-config-redis
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-redis

helm/consoleme/templates/deployment-consoleme.yaml

@@ -89,6 +89,12 @@ spec:
               name: consoleme-config-auth
               readOnly: true
               subPath: config_auth.yaml
+            {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+            - mountPath: /etc/consoleme/config_organization.yaml
+              name: consoleme-config-organization
+              subPath: config_organization.yaml
+              readOnly: true
+            {{- end }}
             - mountPath: /etc/consoleme/config_redis.yaml
               name: consoleme-config-redis
               readOnly: true
@@ -120,6 +126,11 @@ spec:
         - name: consoleme-config-auth
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-auth
+        {{- if .Values.cache_accounts_from_aws_organizations.enabled }}
+        - name: consoleme-config-organization
+          configMap:
+            name: {{ include "consoleme.fullname" . }}-config-organization
+        {{- end }}
         - name: consoleme-config-redis
           configMap:
             name: {{ include "consoleme.fullname" . }}-config-redis

helm/consoleme/values.yaml

@@ -225,6 +225,11 @@ aws:
   account_number: "<Main AWS account number>"
   region: us-east-1
 
+cache_accounts_from_aws_organizations:
+  enabled: false
+  organizations_master_account_id: '<Organization AWS account number>'
+  organizations_master_role_to_assume: ConsoleMe
+
 cli_auth: {}
 #   certificate_header: certificate_header
 #   required_headers: