Release: 1.7.0

Author: AWS

VERSION

@@ -1 +1 @@
-1.6.7
+1.7.0

main.tf

@@ -196,8 +196,6 @@ module "aft_ssm_parameters" {
   request_processor_function_arn                              = module.aft_account_request_framework.request_processor_function_arn
   control_tower_event_logger_function_arn                     = module.aft_account_request_framework.control_tower_event_logger_function_arn
   invoke_aft_account_provisioning_framework_function_arn      = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_function_arn
-  validate_request_function_arn                               = module.aft_account_provisioning_framework.validate_request_function_arn
-  get_account_info_function_arn                               = module.aft_account_provisioning_framework.get_account_info_function_arn
   create_role_function_arn                                    = module.aft_account_provisioning_framework.create_role_function_arn
   tag_account_function_arn                                    = module.aft_account_provisioning_framework.tag_account_function_arn
   persist_metadata_function_arn                               = module.aft_account_provisioning_framework.persist_metadata_function_arn

modules/aft-account-provisioning-framework/iam.tf

@@ -3,56 +3,6 @@
 #
 ######### invoke_aft_account_provisioning_framework #########
 
-# Validate Request Lambda Permissions
-resource "aws_iam_role" "aft_lambda_aft_account_provisioning_framework_validate_request" {
-  name               = "aft-account-provisioning-framework-validate-request-lambda-role"
-  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
-}
-
-resource "aws_iam_role_policy_attachment" "aft_account_provisioning_framework_validate_request" {
-  count      = length(local.lambda_managed_policies)
-  role       = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.name
-  policy_arn = local.lambda_managed_policies[count.index]
-}
-
-resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_validate_request" {
-  name = "aft-lambda-invoke-aft-account-provisioning-framework-validate-request-policy"
-  role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.id
-  policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
-    data_aws_partition_current_partition               = data.aws_partition.current.partition
-    data_aws_region_aft-management_name                = data.aws_region.aft_management.name
-    data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
-    aft_sns_topic_arn                                  = var.aft_sns_topic_arn
-    aft_failure_sns_topic_arn                          = var.aft_failure_sns_topic_arn
-    aws_kms_key_aft_arn                                = var.aft_kms_key_arn
-  })
-}
-
-# Get Account Info Lambda Permissions
-resource "aws_iam_role" "aft_lambda_aft_account_provisioning_framework_get_account_info" {
-  name               = "aft-account-provisioning-framework-lambda-get-account-info-role"
-  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
-}
-
-resource "aws_iam_role_policy_attachment" "aft_account_provisioning_framework_get_account_info" {
-  count      = length(local.lambda_managed_policies)
-  role       = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.name
-  policy_arn = local.lambda_managed_policies[count.index]
-}
-
-resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework_get_account_info" {
-  name = "aft-lambda-invoke-aft-account-provisioning-framework-get-account-info-policy"
-  role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.id
-  policy = templatefile("${path.module}/iam/role-policies/lambda-aft-account-provisioning-framework.tpl", {
-    data_aws_partition_current_partition               = data.aws_partition.current.partition
-    data_aws_region_aft-management_name                = data.aws_region.aft_management.name
-    data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft_management.account_id
-    aft_sns_topic_arn                                  = var.aft_sns_topic_arn
-    aft_failure_sns_topic_arn                          = var.aft_failure_sns_topic_arn
-    aws_kms_key_aft_arn                                = var.aft_kms_key_arn
-  })
-}
-
 # Create Role Lambda Permissions
 resource "aws_iam_role" "aft_lambda_aft_account_provisioning_framework_create_role" {
   name               = "aft-account-provisioning-framework-lambda-create-role-role"

modules/aft-account-provisioning-framework/lambda.tf

@@ -1,56 +1,6 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
-### VALIDATE REQUEST FUNCTION
-
-resource "aws_lambda_function" "validate_request" {
-  filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-validate-request"
-  description      = "AFT account provisioning framework - validate_request"
-  role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.arn
-  handler          = "aft_account_provisioning_framework_validate_request.lambda_handler"
-  source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
-  layers           = [var.aft_common_layer_arn]
-
-  vpc_config {
-    subnet_ids         = var.aft_vpc_private_subnets
-    security_group_ids = var.aft_vpc_default_sg
-  }
-}
-
-resource "aws_cloudwatch_log_group" "validate_request" {
-  name              = "/aws/lambda/${aws_lambda_function.validate_request.function_name}"
-  retention_in_days = var.cloudwatch_log_group_retention
-}
-
-### GET ACCOUNT INFO FUNCTION
-
-
-resource "aws_lambda_function" "get_account_info" {
-  filename         = var.provisioning_framework_archive_path
-  function_name    = "aft-account-provisioning-framework-get-account-info"
-  description      = "AFT account provisioning framework - get_account_info"
-  role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.arn
-  handler          = "aft_account_provisioning_framework_get_account_info.lambda_handler"
-  source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
-  layers           = [var.aft_common_layer_arn]
-
-  vpc_config {
-    subnet_ids         = var.aft_vpc_private_subnets
-    security_group_ids = var.aft_vpc_default_sg
-  }
-}
-
-resource "aws_cloudwatch_log_group" "get_account_info" {
-  name              = "/aws/lambda/${aws_lambda_function.get_account_info.function_name}"
-  retention_in_days = var.cloudwatch_log_group_retention
-}
 
 ###  CREATE ROLE FUNCTION
 

modules/aft-account-provisioning-framework/outputs.tf

@@ -5,12 +5,6 @@ output "state_machine_arn" {
   value = aws_sfn_state_machine.aft_account_provisioning_framework_sfn.arn
 }
 
-output "validate_request_function_arn" {
-  value = aws_lambda_function.validate_request.arn
-}
-output "get_account_info_function_arn" {
-  value = aws_lambda_function.get_account_info.arn
-}
 output "create_role_function_arn" {
   value = aws_lambda_function.create_role.arn
 }

modules/aft-account-provisioning-framework/states.tf

@@ -5,8 +5,6 @@ locals {
   state_machine_source = "${path.module}/states/aft_account_provisioning_framework.asl.json"
   replacements_map = {
     current_partition                                                 = data.aws_partition.current.partition
-    validate_request_function_name                                    = aws_lambda_function.validate_request.function_name
-    get_account_info_function_name                                    = aws_lambda_function.get_account_info.function_name
     create_role_function_name                                         = aws_lambda_function.create_role.function_name
     tag_account_function_name                                         = aws_lambda_function.tag_account.function_name
     persist_metadata_function_name                                    = aws_lambda_function.persist_metadata.function_name

modules/aft-account-provisioning-framework/states/aft_account_provisioning_framework.asl.json

@@ -1,48 +1,6 @@
 {
-  "StartAt": "aft_account_provisioning_framework_validate",
+  "StartAt": "aft_account_provisioning_framework_persist_metadata",
   "States": {
-    "aft_account_provisioning_framework_validate": {
-      "Next": "aft_account_provisioning_framework_get_account_info",
-      "Type": "Task",
-      "Resource": "arn:${current_partition}:states:::lambda:invoke",
-      "ResultPath": "$.validated",
-      "ResultSelector": {"Success.$":"$.Payload"},
-      "Parameters": {
-        "FunctionName": "${validate_request_function_name}",
-        "Payload": {
-          "job_name.$": "$$.Execution.Name",
-          "payload.$": "$",
-          "action": "validate"
-        }
-      },
-      "Catch": [
-        {
-          "ErrorEquals": ["States.ALL"],
-          "Next": "aft_account_provisioning_framework_notify_error"
-        }
-      ]
-    },
-    "aft_account_provisioning_framework_get_account_info": {
-      "Next": "aft_account_provisioning_framework_persist_metadata",
-      "Type": "Task",
-      "Resource": "arn:${current_partition}:states:::lambda:invoke",
-      "ResultPath": "$.account_info",
-      "ResultSelector": {"account.$":"$.Payload"},
-      "Parameters": {
-        "FunctionName": "${get_account_info_function_name}",
-        "Payload": {
-          "job_name.$": "$$.Execution.Name",
-          "payload.$": "$",
-          "action": "get_account_info"
-        }
-      },
-      "Catch": [
-        {
-          "ErrorEquals": ["States.ALL"],
-          "Next": "aft_account_provisioning_framework_notify_error"
-        }
-      ]
-    },
     "aft_account_provisioning_framework_persist_metadata": {
       "Next": "aft_account_provisioning_framework_create_role",
       "Type": "Task",

modules/aft-code-repositories/buildspecs/ct-aft-account-provisioning-customizations.yml

@@ -49,7 +49,7 @@ phases:
           echo "Installing Terraform"
           curl -o terraform_${TF_VERSION}_linux_amd64.zip https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
           unzip -o terraform_${TF_VERSION}_linux_amd64.zip && mv terraform /usr/bin
-          terraform --version
+          terraform -no-color --version
           cd $DEFAULT_PATH/terraform
           for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D tf_distribution_type=$TF_DISTRIBUTION -D region=$TF_BACKEND_REGION -D provider_region=$CT_MGMT_REGION -D bucket=$TF_S3_BUCKET -D key=$TF_S3_KEY -D dynamodb_table=$TF_DDB_TABLE -D kms_key_id=$TF_KMS_KEY_ID -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN >> ./$(basename $f .jinja).tf; done
           for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
@@ -58,7 +58,7 @@ phases:
           export AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]")
           export AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]")
           export AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]")
-          terraform init
+          terraform init -no-color
         else
           TF_BACKEND_REGION=$(aws ssm get-parameter --name "/aft/config/oss-backend/primary-region" --query "Parameter.Value" --output text)
           TF_ORG_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/org-name" --query "Parameter.Value" --output text)
@@ -78,7 +78,7 @@ phases:
     commands:
       - |
         if [ $TF_DISTRIBUTION = "oss" ]; then
-          terraform apply --auto-approve
+          terraform apply -no-color --auto-approve
         fi
   post_build:
     commands:

modules/aft-code-repositories/buildspecs/ct-aft-account-request.yml

@@ -58,7 +58,7 @@ phases:
           export AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]")
           export AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]")
           export AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]")
-          terraform init
+          terraform init -no-color
         else
           TF_ORG_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/org-name" --query "Parameter.Value" --output text)
           TF_TOKEN=$(aws ssm get-parameter --name "/aft/config/terraform/token" --with-decryption --query "Parameter.Value" --output text)
@@ -77,7 +77,7 @@ phases:
     commands:
       - |
         if [ $TF_DISTRIBUTION = "oss" ]; then
-          terraform apply --auto-approve
+          terraform apply -no-color --auto-approve
         fi
   post_build:
     commands:

modules/aft-customizations/buildspecs/aft-account-customizations-terraform.yml

@@ -106,16 +106,16 @@ phases:
             mkdir -p /opt/aft/bin
             unzip -q -o terraform_${TF_VERSION}_linux_amd64.zip 
             mv terraform /opt/aft/bin
-            /opt/aft/bin/terraform --version
+            /opt/aft/bin/terraform -no-color --version
 
             cd $DEFAULT_PATH/$CUSTOMIZATION/terraform
             for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D tf_distribution_type=$TF_DISTRIBUTION -D provider_region=$CT_MGMT_REGION -D region=$TF_BACKEND_REGION -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN -D target_admin_role_arn=$VENDED_EXEC_ROLE_ARN -D bucket=$TF_S3_BUCKET -D key=$TF_S3_KEY -D dynamodb_table=$TF_DDB_TABLE -D kms_key_id=$TF_KMS_KEY_ID >> ./$(basename $f .jinja).tf; done
             for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
             
             cd $DEFAULT_PATH/$CUSTOMIZATION/terraform
             export AWS_PROFILE=aft-management-admin
-            /opt/aft/bin/terraform init
-            /opt/aft/bin/terraform apply --auto-approve
+            /opt/aft/bin/terraform init -no-color
+            /opt/aft/bin/terraform apply -no-color --auto-approve
           else
             TF_BACKEND_REGION=$(aws ssm get-parameter --name "/aft/config/oss-backend/primary-region" --query "Parameter.Value" --output text)
             TF_ORG_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/org-name" --query "Parameter.Value" --output text)
@@ -140,7 +140,7 @@ phases:
         if [[ ! -z "$CUSTOMIZATION" ]]; then
           export PYTHONPATH="$DEFAULT_PATH/aws-aft-core-framework/sources/aft-lambda-layer:$PYTHONPATH"
           export AWS_PROFILE=aft-management
-          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/aft-lambda-layer/aft_common/report_metrics.py --codebuild-name "aft-account-customizations" --codebuild-status $CODEBUILD_BUILD_SUCCEEDING
+          python3 $DEFAULT_PATH/aws-aft-core-framework/sources/aft-lambda-layer/aft_common/metrics.py --codebuild-name "aft-account-customizations" --codebuild-status $CODEBUILD_BUILD_SUCCEEDING
           unset AWS_PROFILE
         fi
       - |