There are a growing number of option settings in Turbot Guardrails that utilize a list of values as the option setting. This is extraordinarily useful for options that blacklist or whitelist groups of resources, but as the number of AWS accounts grows it can get a bit tedious maintaining large lists of these types when there are many exceptions at the individual account level. We are happy to announce two new features to make maintaining lists significantly easier: Turbot::Inherit & Turbot::Include.
The Turbot::Inherit keyword can be added to a list option setting to automatically include the list of options from its parent's setting. This will allow you to pull in the list values from the same option setting at the parent level and then add exceptions at the current level: simplifying management of lists and mitigating the need to repeat changes for each and every option with an exception.
Here is an example of using inheritance to specify which accounts are trusted for cross-account IAM:
The Turbot::Include keyword works in much the same way, but instead of inheriting from a parent, you can use it to reference a list of values from a different setting at the same level of the hierarchy. This allows you to share common lists (e.g. Trusted Accounts) between option settings at the same level without having to maintain the list in multiple places.
In this example we show how an option can inherit from the cluster, create some exceptions and another option can then include both the inherited option list and the exceptions within the same account:
The new features are currently available in our latest release, please contact us to discuss how to enable this for your Turbot Guardrails cluster.