Update to version v5.3.5

### Updated - removal of ElasticSearchUpdate custom resource to prevent CFNLambda recursion alert (Lambda Recursion Detection causing failed deployments on new accounts #618). - Security patches for pip packages.
aws-solutions · Jul 13, 2023 · 19ba7bc · 19ba7bc
2 parents e91a823 + 53bb482
commit 19ba7bc
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 147 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.3.5] - 2023-07-12
+
+### Updated
+
+- removal of ElasticSearchUpdate custom resource to prevent CFNLambda recursion alert (#618)
+- Security patches for pip packages
+
 ## [5.3.4] - 2023-05-19
 
 ### Updated

diff --git a/lambda/cfn/index.js b/lambda/cfn/index.js
@@ -15,7 +15,6 @@ const targets={
     CognitoLogin:require('./lib/CognitoLogin'),
     CognitoRole:require('./lib/CognitoRole'),
     CognitoUrl:require('./lib/CognitoUrl'),
-    ElasticSearchUpdate:require('./lib/ElasticSearchUpdate'),
     ESCognitoClient:require('./lib/ESCognitoClient'),
     LambdaVersion:require('./lib/LambdaVersion'),
     Kibana:require('./lib/base'),  // Kibana custom resource deprecated.. preserve entry here to avoid resource delete failure on stack upgrade.

diff --git a/lambda/cfn/lib/ElasticSearchUpdate.js b/lambda/cfn/lib/ElasticSearchUpdate.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "qnabot-on-aws",
-  "version": "5.3.4",
+  "version": "5.3.5",
   "engines": {
     "node": ">=12.16.1",
     "npm": ">=7.8.0"

diff --git a/source/requirements-test.txt b/source/requirements-test.txt
@@ -2,7 +2,7 @@ docker==6.1.2
 moto==4.1.0
 openapi-spec-validator==0.5.1
 pytest==7.2.0
-pytest-cov==4.0.0
+pytest-cov==4.1.0
 pytest-env==0.8.1
-pytest-mock==3.10.0
+pytest-mock==3.11.1
 pyyaml==6.0
diff --git a/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt b/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt
@@ -1,7 +1,7 @@
 python-dateutil==2.8.1
 urllib3==1.26.5
-canvasapi==3.1.0
+canvasapi==3.2.0
 idna==2.10
 pytz==2021.1
-requests==2.26.0
+requests==2.31.0
 beautifulsoup4==4.12.0
diff --git a/templates/master/cognito/index.js b/templates/master/cognito/index.js
@@ -55,7 +55,7 @@ module.exports={
     },
     "User":{
         "Type" : "AWS::Cognito::UserPoolUser",
-        "DependsOn":["SignupPermision","MessagePermision","OpensearchDomainUpdate","KibanaRoleAttachment","RoleAttachment"],
+        "DependsOn":["SignupPermision","MessagePermision","KibanaRoleAttachment","RoleAttachment"],
         "Properties" : {
             "DesiredDeliveryMediums":["EMAIL"],
             "UserAttributes":[{
@@ -184,7 +184,6 @@ module.exports={
     },
     "KibanaClient":{
         "Type": "Custom::ESCognitoClient",
-        "DependsOn":["OpensearchDomainUpdate"],
         "Properties": {
             "ServiceToken": { "Fn::GetAtt" : ["CFNLambda", "Arn"] },
             "UserPool":{"Ref":"UserPool"},

diff --git a/templates/master/elasticsearch/es.js b/templates/master/elasticsearch/es.js
@@ -1,7 +1,12 @@
 const util = require('../../util');
 
 var properties={
-
+    "CognitoOptions":{
+        "Enabled": true,
+        "IdentityPoolId": {"Ref":"KibanaIdPool"},
+        "RoleArn":{"Fn::GetAtt":["ESCognitoRole","Arn"]},
+        "UserPoolId": {"Ref":"UserPool"}
+    },
     "ClusterConfig": {
        "DedicatedMasterEnabled": false,
        "InstanceCount": {"Ref":"ElasticSearchNodeCount"},
@@ -44,34 +49,6 @@ module.exports={
         "Condition":"CreateDomain",
         "Properties":properties
     },
-    "OpensearchDomainUpdate": {
-         "Type": "Custom::ElasticSearchUpdate",
-         "DependsOn":["CognitoDomain"],
-         "Properties":{
-            "ServiceToken": { "Fn::GetAtt" : ["CFNLambda", "Arn"] },
-            "DomainName":{"Fn::GetAtt":["ESVar","ESDomain"]},
-            "CognitoOptions":{
-                Enabled: true ,
-                IdentityPoolId: {"Ref":"KibanaIdPool"},
-                RoleArn:{"Fn::GetAtt":["ESCognitoRole","Arn"]},
-                UserPoolId: {"Ref":"UserPool"}
-            },
-            "AccessPolicies": {"Fn::Sub":JSON.stringify({
-               "Version": "2012-10-17",
-               "Statement": [
-                  {
-                     "Sid": "CognitoAuth",
-                     "Principal": {
-                        "AWS":"${KibanaRole.Arn}"
-                     },
-                     "Effect": "Allow",
-                     "Action": "es:ESHttp*",
-                     "Resource":"${ESVar.ESArn}/*"
-                  }
-               ]
-            })},
-        }
-    },
     "ESCognitoRole": {
       "Type": "AWS::IAM::Role",
       "Properties": {

diff --git a/templates/master/importstack.js b/templates/master/importstack.js
@@ -1,7 +1,7 @@
 module.exports={
     "ImportStack":{
         "Type" : "AWS::CloudFormation::Stack",
-        "DependsOn":["PreUpgradeExport","OpensearchDomainUpdate"],
+        "DependsOn":["PreUpgradeExport"],
         "Properties" : {
             "TemplateURL" :{"Fn::Sub":"https://${BootstrapBucket}.s3.${AWS::Region}.amazonaws.com/${BootstrapPrefix}/templates/import.json"},
             "Parameters" :{
@@ -33,15 +33,15 @@ module.exports={
                 "EmbeddingsLambdaArn": {"Ref": "EmbeddingsLambdaArn"},
                 "EmbeddingsSagemakerEndpoint": {
                     "Fn::If": [
-                        "EmbeddingsSagemaker", 
-                        {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpoint"] }, 
+                        "EmbeddingsSagemaker",
+                        {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpoint"] },
                         ""
                     ]
                 },
                 "EmbeddingsSagemakerEndpointArn": {
                     "Fn::If": [
-                        "EmbeddingsSagemaker", 
-                        {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpointArn"] }, 
+                        "EmbeddingsSagemaker",
+                        {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpointArn"] },
                         ""
                     ]
                   }

diff --git a/templates/master/roles.json b/templates/master/roles.json
@@ -20,7 +20,22 @@
           ]
         },
         "Path": "/",
-        "Policies":[]
+        "Policies":[
+          {
+            "PolicyName": "KibanaOpenSearchAccessPolicy",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement":[
+                {
+                  "Sid":"CognitoAuth",
+                  "Effect":"Allow",
+                  "Action":"es:ESHttp*",
+                  "Resource": {"Fn::Sub": "${ESVar.ESArn}/*"}
+                }
+              ]
+            }
+          }
+        ]
       }
     },
     "AdminRole": {