fix(core): PhZ-resolver-rules

src/deployments/cdk/package.json

@@ -81,6 +81,8 @@
     "@aws-accelerator/custom-resource-ssm-session-manager-document": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-associate-hosted-zones": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-associate-resolver-rules": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-create-resolver-rule": "workspace:^0.0.1",
     "@aws-cdk/aws-accessanalyzer": "1.46.0",
     "@aws-cdk/aws-autoscaling": "1.46.0",
     "@aws-cdk/aws-budgets": "1.46.0",

src/deployments/cdk/src/apps/phase--1.ts

@@ -91,4 +91,10 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts }: Pha
     accountStacks,
     accounts,
   });
+
+  // Creates role for Resource cleanup custom resource
+  await globalRoles.createCentralEndpointDeploymentRole({
+    accountStacks,
+    config: acceleratorConfig,
+  });
 }

src/deployments/cdk/src/apps/phase-4.ts

@@ -2,7 +2,6 @@ import { PhaseInput } from './shared';
 import * as securityHub from '../deployments/security-hub';
 import * as cloudWatchDeployment from '../deployments/cloud-watch';
 import * as centralEndpoints from '../deployments/central-endpoints';
-import { Context } from '@aws-cdk/aws-stepfunctions';
 
 export interface RdgwArtifactsOutput {
   accountKey: string;

src/deployments/cdk/src/deployments/central-endpoints/outputs.ts

@@ -1,3 +1,5 @@
 import { HostedZoneOutput } from '@aws-accelerator/common-outputs/src/hosted-zone';
+import { StaticResourcesOutput } from '@aws-accelerator/common-outputs/src/static-resource';
 import { createCfnStructuredOutput } from '../../common/structured-output';
 export const CfnHostedZoneOutput = createCfnStructuredOutput(HostedZoneOutput);
+export const CfnStaticResourcesOutput = createCfnStructuredOutput(StaticResourcesOutput);

src/deployments/cdk/src/deployments/central-endpoints/step-3.ts

@@ -1,8 +1,19 @@
 import { AccountStacks } from '../../common/account-stacks';
 import { getStackJsonOutput, ResolversOutput, StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
+import { AssociateResolverRules } from '@aws-accelerator/custom-resource-associate-resolver-rules';
 import * as c from '@aws-accelerator/common-config';
-import * as route53resolver from '@aws-cdk/aws-route53resolver';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import { VpcOutputFinder } from '@aws-accelerator/common-outputs/src/vpc';
+import {
+  StaticResourcesOutput,
+  StaticResourcesOutputFinder,
+} from '@aws-accelerator/common-outputs/src/static-resource';
+import { CfnStaticResourcesOutput } from './outputs';
+
+// Changing these values will lead to redeploying all Phase-4 RuleAssociation stacks
+const MAX_RESOURCES_IN_STACK = 190;
+const RESOURCE_TYPE = 'ResolverRulesAssociation';
+const STACK_COMMON_SUFFIX = 'RulesAsscociation';
 
 export interface CentralEndpointsStep3Props {
   accountStacks: AccountStacks;
@@ -16,7 +27,28 @@ export interface CentralEndpointsStep3Props {
 export async function step3(props: CentralEndpointsStep3Props) {
   const { accountStacks, config, outputs } = props;
   const allVpcConfigs = config.getVpcConfigs();
-  const accountRulesCounter: { [accountKey: string]: number } = {};
+
+  const allStaticResources: StaticResourcesOutput[] = StaticResourcesOutputFinder.findAll({
+    outputs,
+  }).filter(sr => sr.resourceType === RESOURCE_TYPE);
+
+  // Initiate previous stacks to handle deletion of previously deployed stack if there are no resources
+  for (const sr of allStaticResources) {
+    accountStacks.tryGetOrCreateAccountStack(sr.accountKey, sr.region, `RulesAssc-${sr.suffix}`);
+  }
+
+  const accountStaticResourcesConfig: { [accountKey: string]: StaticResourcesOutput[] } = {};
+  const accountRegionExistingResources: {
+    [accountKey: string]: {
+      [region: string]: string[];
+    };
+  } = {};
+  const accountRegionMaxSuffix: {
+    [accountKey: string]: {
+      [region: string]: number;
+    };
+  } = {};
+
   for (const { accountKey, vpcConfig } of allVpcConfigs) {
     const centralPhzConfig = config['global-options'].zones.find(zc => zc.region === vpcConfig.region);
     if (!vpcConfig['use-central-endpoints']) {
@@ -75,29 +107,126 @@ export async function step3(props: CentralEndpointsStep3Props) {
       continue;
     }
 
-    if (accountRulesCounter[`${accountKey}-${vpcConfig.region}`]) {
-      accountRulesCounter[`${accountKey}-${vpcConfig.region}`] = ++accountRulesCounter[
-        `${accountKey}-${vpcConfig.region}`
-      ];
-    } else {
-      accountRulesCounter[`${accountKey}-${vpcConfig.region}`] = 1;
+    let suffix: number;
+    let stackSuffix: string;
+    let newResource = true;
+
+    // Load all account stacks to object
+    if (!accountStaticResourcesConfig[accountKey]) {
+      accountStaticResourcesConfig[accountKey] = allStaticResources.filter(sr => sr.accountKey === accountKey);
+    }
+    if (!accountRegionMaxSuffix[accountKey]) {
+      accountRegionMaxSuffix[accountKey] = {};
+    }
+
+    // Load Max suffix for each region of account to object
+    if (!accountRegionMaxSuffix[accountKey][vpcConfig.region]) {
+      const localSuffix = accountStaticResourcesConfig[accountKey]
+        .filter(sr => sr.region === vpcConfig.region)
+        .flatMap(r => r.suffix);
+      accountRegionMaxSuffix[accountKey][vpcConfig.region] = localSuffix.length === 0 ? 1 : Math.max(...localSuffix);
+    }
+
+    if (!accountRegionExistingResources[accountKey]) {
+      const localRegionalResources = accountStaticResourcesConfig[accountKey]
+        .filter(sr => sr.region === vpcConfig.region)
+        .flatMap(sr => sr.resources);
+      accountRegionExistingResources[accountKey] = {};
+      accountRegionExistingResources[accountKey][vpcConfig.region] = localRegionalResources;
+    } else if (!accountRegionExistingResources[accountKey][vpcConfig.region]) {
+      const localRegionalResources = accountStaticResourcesConfig[accountKey]
+        .filter(sr => sr.region === vpcConfig.region)
+        .flatMap(sr => sr.resources);
+      accountRegionExistingResources[accountKey][vpcConfig.region] = localRegionalResources;
     }
 
-    // Includes max of 50 VPCs, since we need 3 resource per VPC.
-    const stackSuffix = `RulesAssc-${Math.ceil(accountRulesCounter[`${accountKey}-${vpcConfig.region}`] / 50)}`;
+    suffix = accountRegionMaxSuffix[accountKey][vpcConfig.region];
+    stackSuffix = `${STACK_COMMON_SUFFIX}-${suffix}`;
+    const constructName = `${STACK_COMMON_SUFFIX}-${vpcConfig.name}`;
+    if (accountRegionExistingResources[accountKey][vpcConfig.region].includes(constructName)) {
+      newResource = false;
+      const regionStacks = accountStaticResourcesConfig[accountKey].filter(sr => sr.region === vpcConfig.region);
+      for (const rs of regionStacks) {
+        if (rs.resources.includes(constructName)) {
+          stackSuffix = `${STACK_COMMON_SUFFIX}-${rs.suffix}`;
+          break;
+        }
+      }
+    } else {
+      const existingResources = accountStaticResourcesConfig[accountKey].find(
+        sr => sr.region === vpcConfig.region && sr.suffix === suffix,
+      );
+      if (existingResources && existingResources.resources.length >= MAX_RESOURCES_IN_STACK) {
+        accountRegionMaxSuffix[accountKey][vpcConfig.region] = ++suffix;
+      }
+      stackSuffix = `${STACK_COMMON_SUFFIX}-${suffix}`;
+    }
 
     const accountStack = accountStacks.tryGetOrCreateAccountStack(accountKey, vpcConfig.region, stackSuffix);
     if (!accountStack) {
       console.error(`Cannot find account stack ${accountKey}: ${vpcConfig.region}, while Associating Resolver Rules`);
       continue;
     }
 
+    const roleOutput = IamRoleOutputFinder.tryFindOneByName({
+      outputs,
+      accountKey,
+      roleKey: 'CentralEndpointDeployment',
+    });
+    if (!roleOutput) {
+      continue;
+    }
+
     const ruleIds = [...resolverRegionoutputs.rules?.madRules!, ...resolverRegionoutputs.rules?.onPremRules!];
-    for (const ruleId of ruleIds) {
-      new route53resolver.CfnResolverRuleAssociation(accountStack, `Rule-Association-${ruleId}-${vpcConfig.name}`, {
-        resolverRuleId: ruleId,
-        vpcId: vpcOutput.vpcId,
-      });
+    new AssociateResolverRules(accountStack, constructName, {
+      resolverRuleIds: ruleIds,
+      roleArn: roleOutput.roleArn,
+      vpcId: vpcOutput.vpcId,
+    });
+
+    if (newResource) {
+      const currentSuffixIndex = allStaticResources.findIndex(
+        sr => sr.region === vpcConfig.region && sr.suffix === suffix && sr.accountKey === accountKey,
+      );
+      const currentAccountSuffixIndex = accountStaticResourcesConfig[accountKey].findIndex(
+        sr => sr.region === vpcConfig.region && sr.suffix === suffix,
+      );
+      if (currentSuffixIndex === -1) {
+        const currentResourcesObject = {
+          accountKey,
+          id: `${STACK_COMMON_SUFFIX}-${vpcConfig.region}-${accountKey}-${suffix}`,
+          region: vpcConfig.region,
+          resourceType: RESOURCE_TYPE,
+          resources: [constructName],
+          suffix,
+        };
+        allStaticResources.push(currentResourcesObject);
+        accountStaticResourcesConfig[accountKey].push(currentResourcesObject);
+      } else {
+        const currentResourcesObject = allStaticResources[currentSuffixIndex];
+        const currentAccountResourcesObject = accountStaticResourcesConfig[accountKey][currentAccountSuffixIndex];
+        if (!currentResourcesObject.resources.includes(constructName)) {
+          currentResourcesObject.resources.push(constructName);
+        }
+        if (!currentAccountResourcesObject.resources.includes(constructName)) {
+          currentAccountResourcesObject.resources.push(constructName);
+        }
+        allStaticResources[currentSuffixIndex] = currentResourcesObject;
+        accountStaticResourcesConfig[accountKey][currentAccountSuffixIndex] = currentAccountResourcesObject;
+      }
+    }
+  }
+  for (const sr of allStaticResources) {
+    const accountStack = accountStacks.tryGetOrCreateAccountStack(
+      sr.accountKey,
+      sr.region,
+      `${STACK_COMMON_SUFFIX}-${sr.suffix}`,
+    );
+    if (!accountStack) {
+      throw new Error(
+        `Not able to get or create stack for ${sr.accountKey}: ${sr.region}: ${STACK_COMMON_SUFFIX}-${sr.suffix}`,
+      );
     }
+    new CfnStaticResourcesOutput(accountStack, `StaticResourceOutput-${sr.suffix}`, sr);
   }
 }