From 7b8be18a73813b59b324b490374f1c94a86429dc Mon Sep 17 00:00:00 2001 From: nachundu Date: Mon, 7 Sep 2020 14:40:19 +0530 Subject: [PATCH 1/5] added version to accelerator version ssm parameter --- src/installer/cdk/src/index.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/installer/cdk/src/index.ts b/src/installer/cdk/src/index.ts index 37eefaa96..7f343fe0f 100644 --- a/src/installer/cdk/src/index.ts +++ b/src/installer/cdk/src/index.ts @@ -14,6 +14,9 @@ process.on('unhandledRejection', (reason, _) => { }); async function main() { + const pkg = require('../package.json'); + const acceleratorVersion = pkg.version; + const app = new cdk.App(); const stack = new cdk.Stack(app, 'InstallerStack', { @@ -315,6 +318,7 @@ async function main() { repository: githubRepository, owner: githubOwner, branch: githubBranch, + acceleratorVersion, }, }), ], From fdb54e063f59c5ba94835d4831ec358e42a0c174 Mon Sep 17 00:00:00 2001 From: nachundu Date: Mon, 7 Sep 2020 20:41:18 +0530 Subject: [PATCH 2/5] added installer version environment variable --- src/core/cdk/src/initial-setup.ts | 3 +- ...enable-trusted-access-for-services-step.ts | 12 ++- src/deployments/cdk/package.json | 95 ++++++++++--------- src/deployments/cdk/src/apps/phase-1.ts | 1 + src/deployments/cdk/src/apps/phase-2.ts | 1 + src/deployments/cdk/src/apps/phase-3.ts | 1 + src/deployments/cdk/src/apps/phase-5.ts | 1 + .../cdk/src/common/ad-users-groups.ts | 3 + .../cdk/src/common/security-group.ts | 2 + src/deployments/cdk/src/common/vpc.ts | 5 + .../cdk/src/deployments/rsyslog/step-2.ts | 17 +++- src/deployments/cdk/src/utils/context.ts | 2 + src/lib/common/src/aws/ssm.ts | 13 +++ 13 files changed, 102 insertions(+), 54 deletions(-) diff --git a/src/core/cdk/src/initial-setup.ts b/src/core/cdk/src/initial-setup.ts index 42a8bf153..2b948fcb7 100644 --- a/src/core/cdk/src/initial-setup.ts +++ b/src/core/cdk/src/initial-setup.ts 
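Review bot: In the first hunk of `src/installer/cdk/src/index.ts`, `require('../package.json')` leaves `acceleratorVersion` typed as `any`, so a missing or non-string `version` field only surfaces at synth time, and it bypasses the ES-module imports the file otherwise appears to use (`cdk.App`, `cdk.Stack`). If the project's tsconfig enables `resolveJsonModule`, `import { version as acceleratorVersion } from '../package.json';` gives a typed `string`; otherwise at least annotate it, `const acceleratorVersion: string = pkg.version;`. Since the second hunk feeds this value into the object that, per the commit title, is written to the accelerator version SSM parameter, a one-line comment on the declaration saying so would help the next reader. `main`'s body continues outside both hunks.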
@@ -514,7 +514,7 @@ export namespace InitialSetup { 'configFilePath.$': '$.configFilePath', 'configCommitId.$': '$.configCommitId', }, - resultPath: 'DISCARD', + resultPath: '$.installerVersion', }); const codeBuildStateMachine = new sfn.StateMachine(this, `${props.acceleratorPrefix}CodeBuild_sm`, { @@ -534,6 +534,7 @@ export namespace InitialSetup { 'CONFIG_COMMIT_ID.$': '$.configCommitId', 'ACCELERATOR_BASELINE.$': '$.baseline', 'CONFIG_ROOT_FILE_PATH.$': '$.configRootFilePath', + 'INSTALLER_VERSION.$': '$.installerVersion', ACCELERATOR_PIPELINE_ROLE_NAME: pipelineRole.roleName, ACCELERATOR_STATE_MACHINE_NAME: props.stateMachineName, CONFIG_BRANCH_NAME: props.configBranchName, diff --git a/src/core/runtime/src/enable-trusted-access-for-services-step.ts b/src/core/runtime/src/enable-trusted-access-for-services-step.ts index e96cc5d99..b1bbc074c 100644 --- a/src/core/runtime/src/enable-trusted-access-for-services-step.ts +++ b/src/core/runtime/src/enable-trusted-access-for-services-step.ts @@ -5,6 +5,7 @@ import { IAM } from '@aws-accelerator/common/src/aws/iam'; import { Account } from '@aws-accelerator/common-outputs/src/accounts'; import { LoadConfigurationInput } from './load-configuration-step'; import { loadAcceleratorConfig } from '@aws-accelerator/common-config/src/load'; +import { SSM } from '@aws-accelerator/common/src/aws/ssm'; interface EnableTrustedAccessForServicesInput extends LoadConfigurationInput { accounts: Account[]; 
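Review bot: The `resultPath: '$.installerVersion'` change in the first hunk relies on the enable-trusted-access task now returning a bare string (a later hunk in this series rewrites that handler to do so), and nothing at this site records that contract. A comment on the line, `// task output is the first-installed accelerator version (plain string); consumed by CodeBuild as INSTALLER_VERSION`, would make the second hunk's `'INSTALLER_VERSION.$': '$.installerVersion'` traceable back to it. Both hunks sit inside a definition that starts and ends outside them.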
@@ -80,8 +81,11 @@ export const handler = async (input: EnableTrustedAccessForServicesInput) => { await org.registerDelegatedAdministrator(securityAccountId, 'guardduty.amazonaws.com'); console.log('Security account registered as delegated administrator for Guard Duty in the organization.'); - return { - status: 'SUCCESS', - statusReason: `Successfully enabled trusted access for AWS services within the organization.`, - }; + const ssm = new SSM(); + // Get all the parameter history versions from SSM parameter store + const parameterHistoryList = await ssm.getParameterHistory('/accelerator/version'); + // Finding the first entry of the parameter version + const installerVersion = parameterHistoryList.find(p => p.Version === 1); + const installerVersionValue = JSON.parse(installerVersion!.Value!); + return !installerVersionValue.AcceleratorVersion ? '<1.2.1' : installerVersionValue.AcceleratorVersion; }; diff --git a/src/deployments/cdk/package.json b/src/deployments/cdk/package.json index f851fef97..1953bd518 100644 --- a/src/deployments/cdk/package.json +++ b/src/deployments/cdk/package.json @@ -9,12 +9,12 @@ "synth": "pnpx cdk synth" }, "devDependencies": { + "@aws-accelerator/cdk-plugin-assume-role": "workspace:^0.0.1", + "@aws-accelerator/deployments-runtime": "workspace:^0.0.1", "@aws-cdk/assert": "1.46.0", "@aws-cdk/cfnspec": "1.46.0", "@aws-cdk/cloud-assembly-schema": "1.46.0", "@aws-cdk/cx-api": "1.46.0", - "@aws-accelerator/cdk-plugin-assume-role": "workspace:^0.0.1", - "@aws-accelerator/deployments-runtime": "workspace:^0.0.1", "@types/jest": "25.1.4", "@types/mri": "^1.1.0", "@types/node": "12.12.6", 
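Review bot: The new tail of `handler` dereferences `installerVersion!.Value!` without checking that `find(p => p.Version === 1)` returned anything; if version 1 of `/accelerator/version` is not in the history (the parameter was never created, or it has aged out, since SSM retains only a bounded number of history versions), the step dies with a bare TypeError and the state machine sees an opaque failure. `JSON.parse` is also consumed untyped, so a misspelt `AcceleratorVersion` would compile. Guard the lookup, give the parsed shape a type, and document that `'<1.2.1'` is a semver range rather than a version — the security-group description gate later in this series depends on exactly that distinction. The rest of `handler` is above the hunk.
```typescript
  // … unchanged: GuardDuty delegated-administrator registration …
  // Version 1 of the parameter is the version the accelerator was first installed with.
  const installerVersion = parameterHistoryList.find(p => p.Version === 1);
  if (!installerVersion?.Value) {
    throw new Error('Version 1 of /accelerator/version is missing from the parameter history');
  }
  const installerVersionValue: { AcceleratorVersion?: string } = JSON.parse(installerVersion.Value);
  // '<1.2.1' is a semver range, not a version: installs that predate the version field report it.
  return installerVersionValue.AcceleratorVersion || '<1.2.1';
};
```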
@@ -31,49 +31,18 @@ "typescript": "3.8.3" }, "dependencies": { - "@aws-cdk/aws-accessanalyzer": "1.46.0", - "@aws-cdk/aws-autoscaling": "1.46.0", - "@aws-cdk/aws-budgets": "1.46.0", - "@aws-cdk/aws-certificatemanager": "1.46.0", - "@aws-cdk/aws-cloudformation": "1.46.0", - "@aws-cdk/aws-config": "1.46.0", - "@aws-cdk/aws-directoryservice": "1.46.0", - "@aws-cdk/aws-ec2": "1.46.0", - "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0", - "@aws-cdk/aws-guardduty": "1.46.0", - "@aws-cdk/aws-iam": "1.46.0", - "@aws-cdk/aws-kinesis": "1.46.0", - "@aws-cdk/aws-kinesisfirehose": "1.46.0", - "@aws-cdk/aws-kms": "1.46.0", - "@aws-cdk/aws-lambda": "1.46.0", - "@aws-cdk/aws-logs": "1.46.0", - "@aws-cdk/aws-ram": "1.46.0", - "@aws-cdk/aws-route53": "1.46.0", - "@aws-cdk/aws-route53-targets": "1.46.0", - "@aws-cdk/aws-route53resolver": "1.46.0", - "@aws-cdk/aws-s3": "1.46.0", - "@aws-cdk/aws-s3-deployment": "1.46.0", - "@aws-cdk/aws-secretsmanager": "1.46.0", - "@aws-cdk/aws-securityhub": "1.46.0", - "@aws-cdk/aws-sns": "1.46.0", - "@aws-cdk/aws-ssm": "1.46.0", - "@aws-cdk/aws-cloudwatch": "1.46.0", - "@aws-cdk/core": "1.46.0", - "@aws-cdk/custom-resources": "1.46.0", - "@aws-cdk/aws-events": "1.46.0", - "@aws-cdk/aws-stepfunctions": "1.46.0", "@aws-accelerator/cdk-accelerator": "workspace:^0.0.1", + "@aws-accelerator/cdk-constructs": "workspace:^0.0.1", "@aws-accelerator/common": "workspace:^0.0.1", "@aws-accelerator/common-config": "workspace:^0.0.1", "@aws-accelerator/common-outputs": "workspace:^0.0.1", "@aws-accelerator/common-types": "workspace:^0.0.1", - "@aws-accelerator/cdk-constructs": "workspace:^0.0.1", "@aws-accelerator/custom-resource-accept-tgw-peering-attachment": "workspace:^0.0.1", "@aws-accelerator/custom-resource-acm-import-certificate": "workspace:^0.0.1", "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-cur-report-definition": "workspace:^0.0.1", "@aws-accelerator/custom-resource-cloud-trail": 
"workspace:^0.0.1", "@aws-accelerator/custom-resource-create-tgw-peering-attachment": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-cur-report-definition": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ds-log-subscription": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ec2-ebs-default-encryption": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ec2-image-finder": "workspace:^0.0.1", 
@@ -82,12 +51,23 @@ "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ec2-vpn-attachment": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-guardduty-admin-setup": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-guardduty-create-publish": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-guardduty-enable-admin": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-guardduty-get-detector": "workspace:^0.0.1", "@aws-accelerator/custom-resource-iam-create-role": "workspace:^0.0.1", "@aws-accelerator/custom-resource-iam-password-policy": "workspace:^0.0.1", "@aws-accelerator/custom-resource-kms-grant": "workspace:^0.0.1", "@aws-accelerator/custom-resource-logs-add-subscription-filter": "workspace:^0.0.1", "@aws-accelerator/custom-resource-logs-log-group": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-logs-metric-filter": "workspace:^0.0.1", "@aws-accelerator/custom-resource-logs-resource-policy": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-create-member": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-enable": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-enable-admin": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-export-config": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-update-config": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-macie-update-session": "workspace:^0.0.1", "@aws-accelerator/custom-resource-organization": "workspace:^0.0.1", "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:^0.0.1", "@aws-accelerator/custom-resource-s3-copy-files": "workspace:^0.0.1", 
@@ -97,19 +77,39 @@ "@aws-accelerator/custom-resource-security-hub-disable-controls": "workspace:^0.0.1", "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1", "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-enable-admin": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-create-member": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-enable": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-update-config": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-update-session": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-macie-export-config": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-guardduty-get-detector": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-guardduty-enable-admin": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-guardduty-create-publish": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-guardduty-admin-setup": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1", "@aws-accelerator/custom-resource-ssm-session-manager-document": "workspace:^0.0.1", - "@aws-accelerator/custom-resource-logs-metric-filter": "workspace:^0.0.1", + "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1", + "@aws-cdk/aws-accessanalyzer": "1.46.0", + "@aws-cdk/aws-autoscaling": "1.46.0", + "@aws-cdk/aws-budgets": "1.46.0", + "@aws-cdk/aws-certificatemanager": "1.46.0", + "@aws-cdk/aws-cloudformation": "1.46.0", + "@aws-cdk/aws-cloudwatch": "1.46.0", + "@aws-cdk/aws-config": "1.46.0", + "@aws-cdk/aws-directoryservice": "1.46.0", + "@aws-cdk/aws-ec2": "1.46.0", + "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0", + "@aws-cdk/aws-events": "1.46.0", + "@aws-cdk/aws-guardduty": "1.46.0", + "@aws-cdk/aws-iam": "1.46.0", + "@aws-cdk/aws-kinesis": "1.46.0", + "@aws-cdk/aws-kinesisfirehose": "1.46.0", + "@aws-cdk/aws-kms": 
"1.46.0", + "@aws-cdk/aws-lambda": "1.46.0", + "@aws-cdk/aws-logs": "1.46.0", + "@aws-cdk/aws-ram": "1.46.0", + "@aws-cdk/aws-route53": "1.46.0", + "@aws-cdk/aws-route53-targets": "1.46.0", + "@aws-cdk/aws-route53resolver": "1.46.0", + "@aws-cdk/aws-s3": "1.46.0", + "@aws-cdk/aws-s3-deployment": "1.46.0", + "@aws-cdk/aws-secretsmanager": "1.46.0", + "@aws-cdk/aws-securityhub": "1.46.0", + "@aws-cdk/aws-sns": "1.46.0", + "@aws-cdk/aws-ssm": "1.46.0", + "@aws-cdk/aws-stepfunctions": "1.46.0", + "@aws-cdk/core": "1.46.0", + "@aws-cdk/custom-resources": "1.46.0", "@types/cfn-response": "^1.0.3", "colors": "1.4.0", "constructs": "2.0.1", @@ -117,6 +117,7 @@ "io-ts": "2.1.2", "io-ts-types": "0.5.6", "pascal-case": "^3.1.1", + "semver": "^7.3.2", "tempy": "0.5.0" }, "jest": { diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts index 014e3e80b..89f4480ec 100644 --- a/src/deployments/cdk/src/apps/phase-1.ts +++ b/src/deployments/cdk/src/apps/phase-1.ts @@ -231,6 +231,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte vpcConfigs: acceleratorConfig.getVpcConfigs(), outputs, acceleratorName, + installerVersion: context.installerVersion, }); const pcxConfig = vpcConfig.pcx; diff --git a/src/deployments/cdk/src/apps/phase-2.ts b/src/deployments/cdk/src/apps/phase-2.ts index 7c1446b45..c2cccae04 100644 --- a/src/deployments/cdk/src/apps/phase-2.ts +++ b/src/deployments/cdk/src/apps/phase-2.ts @@ -167,6 +167,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte vpcId: vpcOutput.vpcId, accountKey, vpcConfigs, + installerVersion: context.installerVersion, }); const accountId = getAccountId(accounts, accountKey); diff --git a/src/deployments/cdk/src/apps/phase-3.ts b/src/deployments/cdk/src/apps/phase-3.ts index 096587826..dbce7f83b 100644 --- a/src/deployments/cdk/src/apps/phase-3.ts +++ b/src/deployments/cdk/src/apps/phase-3.ts 
@@ -80,6 +80,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte outputs, vpcs: allVpcs, centralBucket, + context, }); // Deploy Security Hub Step-2 diff --git a/src/deployments/cdk/src/apps/phase-5.ts b/src/deployments/cdk/src/apps/phase-5.ts index fae433e09..a365dada5 100644 --- a/src/deployments/cdk/src/apps/phase-5.ts +++ b/src/deployments/cdk/src/apps/phase-5.ts @@ -129,6 +129,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte userSecrets, accountKey, serviceLinkedRoleArn: madAutoScalingRoleOutput.roleArn, + installerVersion: context.installerVersion, }); adUsersAndGroups.node.addDependency(keyPair); } diff --git a/src/deployments/cdk/src/common/ad-users-groups.ts b/src/deployments/cdk/src/common/ad-users-groups.ts index ae95f5f96..7ab2fbb19 100644 --- a/src/deployments/cdk/src/common/ad-users-groups.ts +++ b/src/deployments/cdk/src/common/ad-users-groups.ts @@ -23,6 +23,7 @@ export interface ADUsersAndGroupsProps extends cdk.StackProps { userSecrets: UserSecret[]; accountKey: string; serviceLinkedRoleArn: string; + installerVersion: string; } export interface UserSecret { @@ -50,6 +51,7 @@ export class ADUsersAndGroups extends cdk.Construct { userSecrets, accountKey, serviceLinkedRoleArn, + installerVersion, } = props; // Creating AD Users command @@ -102,6 +104,7 @@ export class ADUsersAndGroups extends cdk.Construct { accountKey, vpcId, vpcName, + installerVersion, }); const stack = AcceleratorStack.of(this); diff --git a/src/deployments/cdk/src/common/security-group.ts b/src/deployments/cdk/src/common/security-group.ts index 5f1c01c85..fcc5d647d 100644 --- a/src/deployments/cdk/src/common/security-group.ts +++ b/src/deployments/cdk/src/common/security-group.ts @@ -49,6 +49,8 @@ export interface SecurityGroupProps { */ vpcName: string; + installerVersion: string; + vpcConfigs?: config.ResolvedVpcConfig[]; } 
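Review bot: `installerVersion: string` is added to `SecurityGroupProps` without a doc comment while the neighbouring members carry TSDoc (the `*/` closing `vpcName`'s block is in the hunk's context), and the same bare field is added to `ADUsersAndGroupsProps` in this file's earlier hunk and to `VpcCommonProps` in the next file. The name does not say which version this is — the history lookup in this series reads parameter version 1, i.e. apparently the version the environment was first installed with rather than the running one — so the comment should say that: `/** Accelerator version the environment was first installed with: a semver such as '1.2.1', or the range '<1.2.1' for older installs. */`. Stating that it is a semver string also records what `sv.clean`/`sv.gte` later in this series require of it.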
diff --git a/src/deployments/cdk/src/common/vpc.ts b/src/deployments/cdk/src/common/vpc.ts index 5b654e0bd..a45cfd986 100644 --- a/src/deployments/cdk/src/common/vpc.ts +++ b/src/deployments/cdk/src/common/vpc.ts @@ -47,6 +47,8 @@ export interface VpcCommonProps { * List of account stacks in the organization. */ accountStacks: AccountStacks; + + installerVersion: string; } export interface AzSubnet extends constructs.Subnet { @@ -146,6 +148,7 @@ export class Vpc extends cdk.Construct implements constructs.Vpc { vpcConfigs, accountStacks, acceleratorName, + installerVersion, } = props.vpcProps; const vpcName = props.vpcProps.vpcConfig.name; @@ -510,6 +513,7 @@ export class Vpc extends cdk.Construct implements constructs.Vpc { vpcId: this.vpcId, accountKey, vpcConfigs: vpcConfigs!, + installerVersion, }); } @@ -523,6 +527,7 @@ export class Vpc extends cdk.Construct implements constructs.Vpc { subnets: this.azSubnets, limiter, vpc: vpcObj, + installerVersion, }); const vpcSecurityGroup = new VpcDefaultSecurityGroup(this, 'VpcDefaultSecurityGroup', { diff --git a/src/deployments/cdk/src/deployments/rsyslog/step-2.ts b/src/deployments/cdk/src/deployments/rsyslog/step-2.ts index b06e712df..66957e6a4 100644 --- a/src/deployments/cdk/src/deployments/rsyslog/step-2.ts +++ b/src/deployments/cdk/src/deployments/rsyslog/step-2.ts @@ -15,6 +15,7 @@ import { checkAccountWarming } from '../account-warming/outputs'; import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output'; import { ImageIdOutputFinder } from '@aws-accelerator/common-outputs/src/ami-output'; import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role'; +import { Context } from '../../utils/context'; export interface RSysLogStep1Props { accountStacks: AccountStacks; 
@@ -22,10 +23,11 @@ export interface RSysLogStep1Props { outputs: StackOutput[]; vpcs: Vpc[]; centralBucket: s3.IBucket; + context: Context; } export async function step2(props: RSysLogStep1Props) { - const { accountStacks, config, outputs, vpcs, centralBucket } = props; + const { accountStacks, config, outputs, vpcs, centralBucket, context } = props; for (const [accountKey, accountConfig] of config.getMandatoryAccountConfigs()) { const rsyslogConfig = accountConfig.deployments?.rsyslog; @@ -52,7 +54,16 @@ export async function step2(props: RSysLogStep1Props) { const rsyslogTargetGroup = createTargetGroupForInstance(accountStack, 'RsyslogTG', vpc.id); createNlb(accountKey, rsyslogConfig, accountStack, vpc, rsyslogTargetGroup.ref); - createAsg(accountKey, rsyslogConfig, accountStack, outputs, vpc, rsyslogTargetGroup.ref, centralBucket.bucketName); + createAsg( + accountKey, + rsyslogConfig, + accountStack, + outputs, + vpc, + rsyslogTargetGroup.ref, + centralBucket.bucketName, + context.installerVersion, + ); } } @@ -107,6 +118,7 @@ export function createAsg( vpc: Vpc, targetGroupArn: string, centralBucketName: string, + installerVersion: string, ) { const instanceSubnetIds: string[] = []; for (const subnetConfig of rsyslogConfig['app-subnets']) { @@ -158,6 +170,7 @@ export function createAsg( accountKey, vpcId: vpc.id, vpcName: vpc.name, + installerVersion, }); const securityGroupId = securityGroup.securityGroups[0].id; diff --git a/src/deployments/cdk/src/utils/context.ts b/src/deployments/cdk/src/utils/context.ts index adea3fd77..b8be11b93 100644 --- a/src/deployments/cdk/src/utils/context.ts +++ b/src/deployments/cdk/src/utils/context.ts @@ -14,6 +14,7 @@ export interface Context { configBranch: string; acceleratorStateMachineName: string; configRootFilePath: string; + installerVersion: string; } export function loadContext(): Context { 
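Review bot: `createAsg` in the third hunk grows to nine positional parameters with the new `installerVersion: string`, and the call in the second hunk is now ten lines of positional arguments whose meaning is only recoverable from the declaration; an options object for the trailing parameters would read better and is the shape the other phases use (`installerVersion: context.installerVersion`). Relatedly, `RSysLogStep1Props` takes the whole `Context` although `step2` only reads `context.installerVersion`, whereas phase-1/2/5 pass the bare string; taking `installerVersion: string` here as well keeps the props consistent and avoids coupling the rsyslog step to the `Context` type. `createAsg`'s body runs past the third and fourth hunks.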
@@ -39,5 +40,6 @@ export function loadContext(): Context { configFilePath: process.env.CONFIG_FILE_PATH!, acceleratorStateMachineName: process.env.ACCELERATOR_STATE_MACHINE_NAME!, configRootFilePath: process.env.CONFIG_ROOT_FILE_PATH!, + installerVersion: process.env.INSTALLER_VERSION!, }; } diff --git a/src/lib/common/src/aws/ssm.ts b/src/lib/common/src/aws/ssm.ts index 68ead4340..5e8e955c5 100644 --- a/src/lib/common/src/aws/ssm.ts +++ b/src/lib/common/src/aws/ssm.ts @@ -21,4 +21,17 @@ export class SSM { .promise(), ); } + + async getParameterHistory(name: string): Promise { + const parameterVersions: sts.ParameterHistory[] = []; + let token: string | undefined; + do { + const response = await throttlingBackOff(() => + this.client.getParameterHistory({ Name: name, NextToken: token, MaxResults: 100 }).promise(), + ); + token = response.NextToken; + parameterVersions.push(...response.Parameters!); + } while (token); + return parameterVersions; + } } From 7116aeddd89d64cbd8e968b0c889f02dcef8a109 Mon Sep 17 00:00:00 2001 From: nachundu Date: Mon, 7 Sep 2020 21:29:04 +0530 Subject: [PATCH 3/5] changed max results value --- src/lib/common/src/aws/ssm.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/common/src/aws/ssm.ts b/src/lib/common/src/aws/ssm.ts index 5e8e955c5..50a97a4d0 100644 --- a/src/lib/common/src/aws/ssm.ts +++ b/src/lib/common/src/aws/ssm.ts @@ -27,7 +27,7 @@ export class SSM { let token: string | undefined; do { const response = await throttlingBackOff(() => - this.client.getParameterHistory({ Name: name, NextToken: token, MaxResults: 100 }).promise(), + this.client.getParameterHistory({ Name: name, NextToken: token, MaxResults: 50 }).promise(), ); token = response.NextToken; parameterVersions.push(...response.Parameters!); From 0c3d5619f2750591005d64737a4c4d3de4455a10 Mon Sep 17 00:00:00 2001 
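Review bot: `getParameterHistory` spreads `response.Parameters!` into the result; the SDK types that field as optional, so a page without it throws a TypeError mid-loop instead of simply ending, and `parameterVersions.push(...(response.Parameters ?? []));` handles it. The signature also reads `async getParameterHistory(name: string): Promise {` on this page with no type argument — if that is not an extraction artefact it should be `Promise<sts.ParameterHistory[]>`, matching the local's type. A TSDoc line saying the method walks every page of history so callers receive the complete list, oldest version included, would document why the caller can rely on finding `Version === 1`.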
From: nachundu Date: Tue, 8 Sep 2020 12:22:28 +0530 Subject: [PATCH 4/5] updated description based on installer version and fixed tests --- .../src/enable-trusted-access-for-services-step.ts | 2 +- src/deployments/cdk/package.json | 1 + src/deployments/cdk/src/apps/phase-1.ts | 4 ++-- src/deployments/cdk/src/apps/phase-2.ts | 1 + src/deployments/cdk/src/common/security-group.ts | 14 ++++++++++++-- src/deployments/cdk/src/common/vpc.ts | 4 +--- .../cdk/test/apps/unsupported-changes.mocks.ts | 1 + src/deployments/cdk/test/common/vpc.spec.ts | 6 ++++++ 8 files changed, 25 insertions(+), 8 deletions(-) diff --git a/src/core/runtime/src/enable-trusted-access-for-services-step.ts b/src/core/runtime/src/enable-trusted-access-for-services-step.ts index b1bbc074c..5430132fe 100644 --- a/src/core/runtime/src/enable-trusted-access-for-services-step.ts +++ b/src/core/runtime/src/enable-trusted-access-for-services-step.ts @@ -11,6 +11,7 @@ interface EnableTrustedAccessForServicesInput extends LoadConfigurationInput { accounts: Account[]; } +const ssm = new SSM(); export const handler = async (input: EnableTrustedAccessForServicesInput) => { console.log(`Enable Trusted Access for AWS services within the organization ...`); console.log(JSON.stringify(input, null, 2)); @@ -81,7 +82,6 @@ export const handler = async (input: EnableTrustedAccessForServicesInput) => { await org.registerDelegatedAdministrator(securityAccountId, 'guardduty.amazonaws.com'); console.log('Security account registered as delegated administrator for Guard Duty in the organization.'); - const ssm = new SSM(); // Get all the parameter history versions from SSM parameter store const parameterHistoryList = await ssm.getParameterHistory('/accelerator/version'); // Finding the first entry of the parameter version diff --git a/src/deployments/cdk/package.json b/src/deployments/cdk/package.json index 1953bd518..383b8e132 100644 --- a/src/deployments/cdk/package.json +++ b/src/deployments/cdk/package.json 
@@ -111,6 +111,7 @@ "@aws-cdk/core": "1.46.0", "@aws-cdk/custom-resources": "1.46.0", "@types/cfn-response": "^1.0.3", + "@types/semver": "^7.3.3", "colors": "1.4.0", "constructs": "2.0.1", "generate-password": "1.5.1", diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts index 89f4480ec..72e6b7184 100644 --- a/src/deployments/cdk/src/apps/phase-1.ts +++ b/src/deployments/cdk/src/apps/phase-1.ts @@ -71,7 +71,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte throw new Error(`Cannot find mandatory primary account ${masterAccountKey}`); } - const { acceleratorName } = context; + const { acceleratorName, installerVersion } = context; // Find the central bucket in the outputs const centralBucket = CentralBucketOutput.getBucket({ accountStacks, @@ -231,7 +231,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte vpcConfigs: acceleratorConfig.getVpcConfigs(), outputs, acceleratorName, - installerVersion: context.installerVersion, + installerVersion, }); const pcxConfig = vpcConfig.pcx; diff --git a/src/deployments/cdk/src/apps/phase-2.ts b/src/deployments/cdk/src/apps/phase-2.ts index c2cccae04..0e8b67f52 100644 --- a/src/deployments/cdk/src/apps/phase-2.ts +++ b/src/deployments/cdk/src/apps/phase-2.ts @@ -167,6 +167,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte vpcId: vpcOutput.vpcId, accountKey, vpcConfigs, + sharedAccountKey, installerVersion: context.installerVersion, }); diff --git a/src/deployments/cdk/src/common/security-group.ts b/src/deployments/cdk/src/common/security-group.ts index fcc5d647d..d7286ae5c 100644 --- a/src/deployments/cdk/src/common/security-group.ts +++ b/src/deployments/cdk/src/common/security-group.ts 
@@ -3,6 +3,7 @@ import * as ec2 from '@aws-cdk/aws-ec2'; import * as config from '@aws-accelerator/common-config/src'; import * as constructs from '@aws-accelerator/cdk-constructs/src/vpc'; import { NonEmptyString } from 'io-ts-types/lib/NonEmptyString'; +import * as sv from 'semver'; export interface NameToSecurityGroupMap { [key: string]: ec2.CfnSecurityGroup; @@ -52,6 +53,8 @@ export interface SecurityGroupProps { installerVersion: string; vpcConfigs?: config.ResolvedVpcConfig[]; + + sharedAccountKey?: string; } export class SecurityGroup extends cdk.Construct { @@ -60,12 +63,19 @@ export class SecurityGroup extends cdk.Construct { constructor(parent: cdk.Construct, name: string, props: SecurityGroupProps) { super(parent, name); - const { securityGroups, accountKey, vpcId, vpcConfigs, vpcName } = props; + const { securityGroups, accountKey, vpcId, vpcConfigs, vpcName, installerVersion, sharedAccountKey } = props; + + const isUpdateDescription = + sv.clean(installerVersion) === null ? sv.satisfies('1.2.1', installerVersion) : sv.gte(installerVersion, '1.2.1'); + const accountKeySgDescription = !sharedAccountKey ? accountKey : sharedAccountKey; + // const securityGroups = vpcConfig['security-groups']; // Create all security groups for (const securityGroup of securityGroups || []) { const groupName = `${securityGroup.name}_sg`; - const groupDescription = `${accountKey} ${vpcName} Mgmt Security Group`; + const groupDescription = isUpdateDescription + ? `${accountKeySgDescription} ${vpcName} Security Group` + : `${accountKey} ${vpcName} Mgmt Security Group`; const sg = new ec2.CfnSecurityGroup(this, securityGroup.name, { vpcId, groupDescription, diff --git a/src/deployments/cdk/src/common/vpc.ts b/src/deployments/cdk/src/common/vpc.ts index a45cfd986..c6943f171 100644 --- a/src/deployments/cdk/src/common/vpc.ts +++ b/src/deployments/cdk/src/common/vpc.ts 
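Review bot: The `isUpdateDescription` gate in the third hunk encodes a deployment constraint with no comment: it keeps the legacy `Mgmt Security Group` text for environments first installed before 1.2.1, presumably because changing `GroupDescription` on an `AWS::EC2::SecurityGroup` replaces the group, which would be disruptive on existing installs. The two branches also depend on the `'<1.2.1'` sentinel emitted by the runtime step earlier in this series (a range, hence the `sv.clean(...) === null` path), and any other unparsable value — including an unset `INSTALLER_VERSION`, since `sv.satisfies` returns `false` for an invalid range rather than throwing — silently selects the legacy format. I would spell that out above the expression, `// installerVersion is a semver ('1.2.1') or the '<1.2.1' range written for pre-version installs; a GroupDescription change replaces the security group, so only installs from 1.2.1 on get the new text`, and reject garbage explicitly: `if (sv.clean(installerVersion) === null && sv.validRange(installerVersion) === null) throw new Error('invalid installerVersion: ' + installerVersion);`. The constructor continues past the hunk.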
@@ -47,8 +47,6 @@ export interface VpcCommonProps { * List of account stacks in the organization. */ accountStacks: AccountStacks; - - installerVersion: string; } export interface AzSubnet extends constructs.Subnet { @@ -98,6 +96,7 @@ export class AzSubnets { export interface VpcProps extends VpcCommonProps { outputs: StackOutput[]; acceleratorName: string; + installerVersion: string; } export class VpcStack extends NestedStack { @@ -527,7 +526,6 @@ export class Vpc extends cdk.Construct implements constructs.Vpc { subnets: this.azSubnets, limiter, vpc: vpcObj, - installerVersion, }); const vpcSecurityGroup = new VpcDefaultSecurityGroup(this, 'VpcDefaultSecurityGroup', { diff --git a/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts b/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts index f0abf0eaf..d05aabc7e 100644 --- a/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts +++ b/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts @@ -138,6 +138,7 @@ export function createPhaseInput(): Omit { configRepositoryName: '', defaultRegion: 'ca-central-1', configRootFilePath: '', + installerVersion: '0.0.0', }; const limiter = new Limiter([]); diff --git a/src/deployments/cdk/test/common/vpc.spec.ts b/src/deployments/cdk/test/common/vpc.spec.ts index 66df14e45..170a9a3ef 100644 --- a/src/deployments/cdk/test/common/vpc.spec.ts +++ b/src/deployments/cdk/test/common/vpc.spec.ts @@ -24,6 +24,7 @@ const testStacks = new AccountStacks({ configRepositoryName: 'repo', defaultRegion: 'test', configRootFilePath: 'config.json', + installerVersion: '0.0.0', }, }); @@ -118,6 +119,7 @@ test('the VPC creation should create the correct amount of subnets', () => { accountStacks: testStacks, outputs: [], acceleratorName: 'test', + installerVersion: '0.0.0', }); // Convert the stack to a CloudFormation template 
@@ -238,6 +240,7 @@ test('the VPC creation should throw an error when a subnet uses a route table th accountStacks: testStacks, outputs: [], acceleratorName: 'test', + installerVersion: '0.0.0', }); }); }); @@ -265,6 +268,7 @@ test('the VPC creation should create the internet gateway', () => { accountStacks: testStacks, outputs: [], acceleratorName: 'test', + installerVersion: '0.0.0', }); // Convert the stack to a CloudFormation template @@ -300,6 +304,7 @@ test('the VPC creation should create the VPN gateway', () => { accountStacks: testStacks, outputs: [], acceleratorName: 'test', + installerVersion: '0.0.0', }); // Convert the stack to a CloudFormation template @@ -418,6 +423,7 @@ test('the VPC creation should create the NAT gateway', () => { accountStacks: testStacks, outputs: [], acceleratorName: 'test', + installerVersion: '0.0.0', }); // Convert the stack to a CloudFormation template From 52911168d85810e4972b85b82013dff4439a7262 Mon Sep 17 00:00:00 2001 From: nachundu Date: Tue, 8 Sep 2020 14:05:50 +0530 Subject: [PATCH 5/5] fixed code review comment --- src/deployments/cdk/src/common/security-group.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/deployments/cdk/src/common/security-group.ts b/src/deployments/cdk/src/common/security-group.ts index d7286ae5c..9636c59f3 100644 --- a/src/deployments/cdk/src/common/security-group.ts +++ b/src/deployments/cdk/src/common/security-group.ts 
@@ -67,14 +67,13 @@ export class SecurityGroup extends cdk.Construct { const isUpdateDescription = sv.clean(installerVersion) === null ? sv.satisfies('1.2.1', installerVersion) : sv.gte(installerVersion, '1.2.1'); - const accountKeySgDescription = !sharedAccountKey ? accountKey : sharedAccountKey; // const securityGroups = vpcConfig['security-groups']; // Create all security groups for (const securityGroup of securityGroups || []) { const groupName = `${securityGroup.name}_sg`; const groupDescription = isUpdateDescription - ? `${accountKeySgDescription} ${vpcName} Security Group` + ? `${sharedAccountKey || accountKey} ${vpcName} Security Group` : `${accountKey} ${vpcName} Mgmt Security Group`; const sg = new ec2.CfnSecurityGroup(this, securityGroup.name, { vpcId,