diff --git a/reference-artifacts/master-config-sample-snippets/sample_snippets.md b/reference-artifacts/master-config-sample-snippets/sample_snippets.md
index c5b526266..f5ef08d78 100644
--- a/reference-artifacts/master-config-sample-snippets/sample_snippets.md
+++ b/reference-artifacts/master-config-sample-snippets/sample_snippets.md
@@ -4,18 +4,6 @@
 ---
-- Added an option to exclude the alb deployment on a specific workload account
-
-```
- "workload-account-configs": {
- "fun-acct": {
- "exclude-ou-albs": true
- }
- }
-```
-
----
-
 - Update Central Logging Kinesis stream shard count as accounts are added
 ```
@@ -194,14 +182,16 @@
 "fun-acct": {
 "account-name": "TheFunAccount",
 "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
- "ou": "Sandbox"
+ "ou": "Sandbox",
+ "exclude-ou-albs": true
 },
 "mydevacct1": {
 "account-name": "MyDev1",
 "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
 "ou": "Dev",
 "share-mad-from": "operations",
- "enable-s3-public-access": true
+ "enable-s3-public-access": true,
+ "keep-default-vpc-regions": []
 }
 }
 ```
diff --git a/src/core/runtime/src/delete-default-vpc/delete.ts b/src/core/runtime/src/delete-default-vpc/delete.ts
index fc914076c..3d9873809 100644
--- a/src/core/runtime/src/delete-default-vpc/delete.ts
+++ b/src/core/runtime/src/delete-default-vpc/delete.ts
@@ -1,8 +1,9 @@
 import { EC2 } from '@aws-accelerator/common/src/aws/ec2';
 import { LoadConfigurationInput } from '../load-configuration-step';
-import { Account } from '@aws-accelerator/common-outputs/src/accounts';
 import { STS } from '@aws-accelerator/common/src/aws/sts';
 import { loadAcceleratorConfig } from '@aws-accelerator/common-config/src/load';
+import { Organizations } from '@aws-accelerator/common/src/aws/organizations';
+import { equalIgnoreCase } from '@aws-accelerator/common/src/util/common';
 interface DeleteVPCInput extends LoadConfigurationInput {
 accountId: string;
@@ -21,6 +22,7 @@ const CustomErrorMessage = [
 ];
 const sts = new STS();
+const organizations = new Organizations();
 export const handler = async (input: DeleteVPCInput): Promise => {
 console.log(`Deleting Default VPC in account ...`);
 console.log(JSON.stringify(input, null, 2));
@@ -32,11 +34,25 @@ export const handler = async (input: DeleteVPCInput): Promise => {
 filePath: configFilePath,
 commitId: configCommitId,
 });
+ const awsAccount = await organizations.getAccount(accountId);
+ if (!awsAccount) {
+ // This will never happen unless it is called explicitly with invalid AccountId
+ throw new Error(`Unable to retrieve account info from Organizations API for "${accountId}"`);
+ }
+ let excludeWorkloadRegions: string[] | undefined;
+ const accountConfig = acceleratorConfig
+ .getWorkloadAccountConfigs()
+ .find(([_, a]) => equalIgnoreCase(a.email, awsAccount.Email!));
+ if (accountConfig) {
+ excludeWorkloadRegions = accountConfig[1]['keep-default-vpc-regions'];
+ }
 const supportedRegions = acceleratorConfig['global-options']['supported-regions'];
 const excludeRegions = acceleratorConfig['global-options']['keep-default-vpc-regions'];
- const regions = supportedRegions.filter(r => !excludeRegions.includes(r));
+ const regions = supportedRegions
+ .filter(r => !excludeRegions.includes(r))
+ .filter(w => !`${excludeWorkloadRegions || []}`.includes(w));
 console.log(`${accountId}: Excluding Deletion of Default VPC for regions from account "${accountId}"...`);
- console.log(`${accountId}: ${JSON.stringify(excludeRegions, null, 2)}`);
+ console.log(`${accountId}: ${JSON.stringify(excludeRegions.concat(`${excludeWorkloadRegions || []}`), null, 2)}`);
 const errors: string[] = [];
 const credentials = await sts.getCredentialsForAccountAndRole(accountId, assumeRoleName);
 for (const region of regions) {
diff --git a/src/lib/common-config/src/index.ts b/src/lib/common-config/src/index.ts
index b96c8d2e9..621dbff44 100644
--- a/src/lib/common-config/src/index.ts
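Review bot: The per-account exclusion on the new `.filter(w => ...)` line tests `w` as a substring of the template string `${excludeWorkloadRegions || []}` rather than as an array element, and the `excludeRegions.concat(`${...}`)` in the log line likewise appends the whole joined list as a single string; both should use the array itself: `.filter(w => !(excludeWorkloadRegions ?? []).includes(w))` and `JSON.stringify(excludeRegions.concat(excludeWorkloadRegions ?? []), null, 2)`. Substring matching happens to work for today's region names, but it is the wrong contract for a check that decides which default VPCs are deleted. Separately, when `.find(...)` matches no workload account config (email mismatch, or the account is not a workload account) the code silently falls back to the global list alone, so a config typo results in deletion in regions the operator meant to keep; a `console.warn` naming `accountId` when `accountConfig` is undefined would make that visible in the logs. `awsAccount.Email!` also assumes the Organizations record carries an email, which deserves a guard or at least a comment. The handler body continues outside the hunk.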
+++ b/src/lib/common-config/src/index.ts
@@ -553,6 +553,7 @@ export const MandatoryAccountConfigType = t.interface({
 deleted: fromNullable(t.boolean, false),
 'src-filename': t.string,
 'exclude-ou-albs': optional(t.boolean),
+ 'keep-default-vpc-regions': fromNullable(t.array(t.string), []),
 });
 export type MandatoryAccountConfig = t.TypeOf;
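Review bot: The new `'keep-default-vpc-regions'` key is added to `MandatoryAccountConfigType`, yet the only consumer in this commit (delete.ts) looks it up through `getWorkloadAccountConfigs()`; if mandatory accounts are validated with this same type (I cannot tell from the hunk whether the workload type is derived from it), the key would be accepted on a mandatory account and silently ignored, which is the worst outcome for a setting that controls what gets deleted. Either have delete.ts consult both account lists or document the limitation on the field, e.g. `// Regions in which this account's default VPC is kept; merged with global-options.keep-default-vpc-regions. Currently only honoured for workload accounts.`. The `fromNullable(..., [])` default is a good choice, since consumers can rely on an array rather than `undefined`. The enclosing `t.interface({...})` starts outside the hunk.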