awslabs · richardkeit · Aug 5, 2024 · Aug 8, 2024 · Aug 8, 2024 · Jul 31, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.10.1] - 11-18-2024
+
+### Fixed
+
+- fix(metadata): accelerator metadata lambda times out without error
+- fix(docs): resolve broken links in mkdocs
+- fix(route53): fix hosted zone DNS for Sagemaker VPC Endpoints 
+- fix(route53): fix hosted zone DNS for EKS-Auth VPC Endpoints
+- fix(pipeline): bootstrap stage failed silently
+- fix(organizations): fix enabled controls cfn throttling
+
 ## [1.10.0] - 10-16-2024
 
 ### Added
@@ -23,6 +34,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - fix(bootstrap): batched bootstrap checks
+- fix(control-tower): skip existing ct identifier check when ct is not enabled
 - fix(control-tower): updated boolean logic to get LZ identifier
 - fix(custom-stacks): loaded replacement values during custom stack deployment
 - fix(diff): parse error during diff

diff --git a/source/mkdocs/docs/user-guide/config.md b/source/mkdocs/docs/user-guide/config.md
diff --git a/source/mkdocs/mkdocs.yml b/source/mkdocs/mkdocs.yml
@@ -20,6 +20,7 @@ nav:
       - Architecture and Design Philosophy: developer-guide/design.md
       - Feature Development: developer-guide/features.md
       - Documentation Guidelines: developer-guide/doc-guidelines.md
+      - JSON Schema: developer-guide/json-schema.md
   - Sample Configurations:
       - sample-configurations/index.md
       - Standard:

diff --git a/source/package.json b/source/package.json
@@ -1,6 +1,6 @@
 {
   "name": "landing-zone-accelerator-on-aws",
-  "version": "1.10.0",
+  "version": "1.10.1",
   "private": true,
   "description": "Landing Zone Accelerator on AWS",
   "license": "Apache-2.0",

diff --git a/source/packages/@aws-accelerator/accelerator/lib/asea-resources/firewall-resources.ts b/source/packages/@aws-accelerator/accelerator/lib/asea-resources/firewall-resources.ts
@@ -56,7 +56,15 @@ export class FirewallResources extends AseaResource {
       const firewallInstance = this.stack.getResource(
         existingFirewallInstance.logicalResourceId,
       ) as cdk.aws_ec2.CfnInstance;
+      const enis = firewallInstance.networkInterfaces as cdk.aws_ec2.CfnInstance.NetworkInterfaceProperty[];
 
+      for (const eni of enis ?? []) {
+        this.scope.addSsmParameter({
+          logicalId: pascalCase(`SsmParam${pascalCase(firewallInstanceName)}Eni${eni.deviceIndex}`),
+          parameterName: this.scope.getSsmPath(SsmResourceType.FIREWALL_ENI, [firewallInstanceName, eni.deviceIndex]),
+          stringValue: eni.networkInterfaceId!,
+        });
+      }
       //Leaving as temporary placeholder for deletion handler
       firewallInstanceConfig;
       firewallInstance;

diff --git a/source/packages/@aws-accelerator/accelerator/lib/asea-resources/iam-roles.ts b/source/packages/@aws-accelerator/accelerator/lib/asea-resources/iam-roles.ts
@@ -15,6 +15,7 @@ import * as cdk from 'aws-cdk-lib';
 
 import {
   AccountPrincipal,
+  ArnPrincipal,
   CfnInstanceProfile,
   CfnManagedPolicy,
   Effect,
@@ -83,7 +84,7 @@ export class Roles extends AseaResource {
   private getAssumeRolePolicy(roleItem: RoleConfig) {
     const statements: PolicyStatement[] = [];
     for (const assumedByItem of roleItem.assumedBy ?? []) {
-      if (assumedByItem.type === 'service') {
+      if (assumedByItem.type === 'service' || assumedByItem.type === 'account') {
         statements.push(
           new PolicyStatement({
             actions: ['sts:AssumeRole'],
@@ -92,7 +93,16 @@ export class Roles extends AseaResource {
           }),
         );
       }
-      if (assumedByItem.type === 'account') {
+      if (assumedByItem.type === 'principalArn') {
+        statements.push(
+          new PolicyStatement({
+            actions: ['sts:AssumeRole'],
+            effect: Effect.ALLOW,
+            principals: [new ArnPrincipal(assumedByItem.principal)],
+          }),
+        );
+      }
+      if (assumedByItem.type === 'account' && assumedByItem.principal) {
         const partition = this.props.partition;
         const accountIdRegex = /^\d{12}$/;
         const accountArnRegex = new RegExp('^arn:' + partition + ':iam::(\\d{12}):root$');

diff --git a/...ges/@aws-accelerator/accelerator/lib/asea-resources/route-53-query-logging-association.ts b/...ges/@aws-accelerator/accelerator/lib/asea-resources/route-53-query-logging-association.ts
@@ -37,7 +37,9 @@ export class Route53ResolverQueryLoggingAssociation extends AseaResource {
       if (!vpcItem.vpcRoute53Resolver?.queryLogs) {
         continue;
       }
-      const associationLogicalId = `RqlAssoc${vpcItem.name}`.replace('_vpc', '');
+      const associationLogicalIdWithReplacedVpc = `RqlAssoc${vpcItem.name}`.replace('_vpc', '');
+      const associationLogicalId = `${associationLogicalIdWithReplacedVpc}`.replace(/-/g, '');
+
       const importResource = this.scope.importStackResources.getResourceByLogicalId(associationLogicalId);
       const cfnResolverQueryLoggingAssociation = this.scope.getResource(
         associationLogicalId,

diff --git a/source/packages/@aws-accelerator/accelerator/lib/asea-resources/shared-security-groups.ts b/source/packages/@aws-accelerator/accelerator/lib/asea-resources/shared-security-groups.ts
@@ -2,10 +2,13 @@ import { AseaResourceType, VpcConfig, VpcTemplatesConfig } from '@aws-accelerato
 import { SsmResourceType } from '@aws-accelerator/utils/lib/ssm-parameter-path';
 import { AseaResource, AseaResourceProps } from './resource';
 import { ImportAseaResourcesStack, LogLevel } from '../stacks/import-asea-resources-stack';
+import { AcceleratorStage } from '../accelerator-stage';
 import { pascalCase } from 'pascal-case';
 
 const enum RESOURCE_TYPE {
   SECURITY_GROUP = 'AWS::EC2::SecurityGroup',
+  SECURITY_GROUP_EGRESS = 'AWS::EC2::SecurityGroupEgress',
+  SECURITY_GROUP_INGRESS = 'AWS::EC2::SecurityGroupIngress',
 }
 
 const ASEA_PHASE_NUMBER = '2';
@@ -22,6 +25,9 @@ export class SharedSecurityGroups extends AseaResource {
     }
     const vpcsInScope = this.scope.sharedVpcs;
     this.updateSecurityGroups(vpcsInScope);
+    if (this.props.stage === AcceleratorStage.POST_IMPORT_ASEA_RESOURCES) {
+      this.deleteSharedSecurityGroups(vpcsInScope);
+    }
   }
   private updateSecurityGroups(vpcItems: (VpcConfig | VpcTemplatesConfig)[]) {
     if (vpcItems.length === 0) {
@@ -65,4 +71,124 @@ export class SharedSecurityGroups extends AseaResource {
     }
     return;
   }
+
+  private deleteSharedSecurityGroups(vpcItems: (VpcConfig | VpcTemplatesConfig)[]) {
+    if (vpcItems.length === 0) {
+      return;
+    }
+    for (const vpcItem of vpcItems) {
+      const vpcStackInfo = this.getSecurityGroupResourceByVpc(vpcItem.name);
+      if (!vpcStackInfo) {
+        continue;
+      }
+      const existingSecurityGroups = vpcStackInfo.nestedStackResources.getResourcesByType(RESOURCE_TYPE.SECURITY_GROUP);
+
+      const existingSecurityGroupIngressRules = vpcStackInfo.nestedStackResources.getResourcesByType(
+        RESOURCE_TYPE.SECURITY_GROUP_INGRESS,
+      );
+      const existingSecurityGroupEgressRules = vpcStackInfo.nestedStackResources.getResourcesByType(
+        RESOURCE_TYPE.SECURITY_GROUP_EGRESS,
+      );
+
+      for (const existingSecurityGroup of existingSecurityGroups) {
+        const existingSecurityGroupName = existingSecurityGroup.resourceMetadata['Properties']['GroupName'];
+        const securityGroupConfig = vpcItem.securityGroups?.find(
+          (securityGroupItem: { name: string }) => securityGroupItem.name === existingSecurityGroupName,
+        );
+        // if the security group is still configured skip
+        if (securityGroupConfig) continue;
+
+        // lookup security group by tag name
+        // if unable to locate, warn and then skip
+        const securityGroupResource = vpcStackInfo.nestedStackResources.getResourceByTag(existingSecurityGroupName);
+        if (!securityGroupResource) {
+          this.scope.addLogs(
+            LogLevel.WARN,
+            `Could not locate shared security group resouce by tag name : ${existingSecurityGroupName}, for vpc ${vpcItem.name}`,
+          );
+          continue;
+        }
+
+        // remove security group from template
+        this.scope.addLogs(LogLevel.WARN, `Deleting Shared Security Group: ${existingSecurityGroup.logicalResourceId}`);
+        this.scope.addDeleteFlagForNestedResource(
+          vpcStackInfo.nestedStackResources.getStackKey(),
+          securityGroupResource.logicalResourceId,
+        );
+
+        const ssmResource = vpcStackInfo.nestedStackResources.getSSMParameterByName(
+          this.scope.getSsmPath(SsmResourceType.SECURITY_GROUP, [
+            vpcItem.name,
+            existingSecurityGroup.resourceMetadata['Properties'].GroupName,
+          ]),
+        );
+        if (ssmResource) {
+          this.scope.addLogs(LogLevel.WARN, `Deleting SSM Parameter: ${ssmResource.logicalResourceId}`);
+          this.scope.addDeleteFlagForNestedResource(
+            vpcStackInfo.nestedStackResources.getStackKey(),
+            ssmResource.logicalResourceId,
+          );
+        }
+
+        for (const ingressRule of existingSecurityGroupIngressRules) {
+          try {
+            if (ingressRule.resourceMetadata['Properties'].GroupId['Ref'] === existingSecurityGroup.logicalResourceId) {
+              this.scope.addLogs(LogLevel.WARN, `Deleting Ingress Rule: ${ingressRule.logicalResourceId}`);
+              this.scope.addDeleteFlagForNestedResource(
+                vpcStackInfo.nestedStackResources.getStackKey(),
+                ingressRule.logicalResourceId,
+              );
+            }
+          } catch (error) {
+            // continue the ref may not exits
+          }
+
+          try {
+            if (
+              ingressRule.resourceMetadata['Properties'].SourceSecurityGroupId['Ref'] ===
+              existingSecurityGroup.logicalResourceId
+            ) {
+              this.scope.addLogs(LogLevel.WARN, `Deleting Ingress Rule: ${ingressRule.logicalResourceId}`);
+              this.scope.addDeleteFlagForNestedResource(
+                vpcStackInfo.nestedStackResources.getStackKey(),
+                ingressRule.logicalResourceId,
+              );
+            }
+          } catch (error) {
+            // the ref may not exist
+          }
+
+          for (const egressRule of existingSecurityGroupEgressRules) {
+            try {
+              if (
+                egressRule.resourceMetadata['Properties'].GroupId['Ref'] === existingSecurityGroup.logicalResourceId
+              ) {
+                this.scope.addLogs(LogLevel.WARN, `Deleting Egress Rule: ${egressRule.logicalResourceId}`);
+                this.scope.addDeleteFlagForNestedResource(
+                  vpcStackInfo.nestedStackResources.getStackKey(),
+                  egressRule.logicalResourceId,
+                );
+              }
+            } catch (error) {
+              // continue the ref may not exist
+            }
+            try {
+              if (
+                egressRule.resourceMetadata['Properties'].DestinationSecurityGroupId['Ref'] ===
+                existingSecurityGroup.logicalResourceId
+              ) {
+                this.scope.addLogs(LogLevel.WARN, `Deleting Egress Rule: ${egressRule.logicalResourceId}`);
+                this.scope.addDeleteFlagForNestedResource(
+                  vpcStackInfo.nestedStackResources.getStackKey(),
+                  egressRule.logicalResourceId,
+                );
+              }
+            } catch (error) {
+              // continue the ref may not exist
+            }
+          }
+        }
+      }
+    }
+  }
 }