Merge branch 'main' into update-resource-handler-table

Author: archikierstead

reference-artifacts/Custom-Scripts/lza-upgrade/src/assets/cloudformation/AlbIpForwardingStack.template.json

@@ -748,7 +748,7 @@ export class ConvertAseaConfig {
         organizationTrail: true,
         organizationTrailSettings: {
           multiRegionTrail: true,
-          globalServiceEvents: false,
+          globalServiceEvents: true,
           managementEvents: false,
           s3DataEvents: true,
           lambdaDataEvents: false,
@@ -2049,7 +2049,7 @@ export class ConvertAseaConfig {
         });
       }
       const policyJson = JSON.parse(policyData);
-      if (scpName.includes('Guardrails-Part-1') || scpName.includes('Guardrails-Part-0')) {
+      if (scpName.includes('Part-1') || scpName.includes('Part-0')) {
         const newStatements = policyJson.Statement.map((stmt: any) => {
           if (stmt.Sid === 'SSM' || stmt.Sid === 'S3' || (stmt.Condition && stmt.Condition['ForAnyValue:StringLike'])) {
             console.log('Adding Org admin role to scp');
@@ -2804,7 +2804,7 @@ export class ConvertAseaConfig {
           };
         } else if (route['target-vpn']) {
           return {
-            vpnConnectionName: route['target-vpn'],
+            vpnConnectionName: route['target-vpn']['name'],
           };
         } else if (route['target-tgw']) {
           if (tgwConfig['tgw-attach'] && tgwConfig['tgw-attach']['associate-to-tgw'] === route['target-tgw']) {

reference-artifacts/Custom-Scripts/lza-upgrade/src/convert-config.ts

@@ -25,6 +25,7 @@ export class Snapshot {
   private readonly aseaConfigRepositoryName: string;
   private readonly localConfigFilePath: string | undefined;
   private readonly preMigrationSnapshot: boolean;
+  private readonly parametersTableName: string;
 
   constructor(config: Config) {
     this.aseaPrefix = config.aseaPrefix ?? 'ASEA-';
@@ -34,6 +35,7 @@ export class Snapshot {
     this.aseaConfigRepositoryName = config.repositoryName;
     this.localConfigFilePath = config.localConfigFilePath;
     this.preMigrationSnapshot = false;
+    this.parametersTableName = config.parametersTableName;
   }
 
   async pre() {
@@ -50,6 +52,7 @@ export class Snapshot {
       this.aseaPrefix,
       true,
       aseaConfig,
+      this.parametersTableName
     );
   }
 
@@ -67,6 +70,7 @@ export class Snapshot {
       this.aseaPrefix,
       this.preMigrationSnapshot,
       aseaConfig,
+      this.parametersTableName
     );
   }
 

reference-artifacts/Custom-Scripts/lza-upgrade/src/snapshot.ts

@@ -11,13 +11,15 @@
  *  and limitations under the License.
  */
 
-import { Account, OrganizationsClient, paginateListAccounts } from '@aws-sdk/client-organizations';
+import { Account, AccountStatus, OrganizationsClient, paginateListAccounts } from '@aws-sdk/client-organizations';
 import { AssumeRoleCommand, AssumeRoleCommandOutput, GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
 import { AwsCredentialIdentity } from '@aws-sdk/types';
 
 import { TableOperations } from './common/dynamodb';
 import { snapshotAccountResources } from './snapshotAccountResources';
 import { snapshotGlobalResources } from './snapshotGlobalResources';
+import { DynamoDB } from '../common/aws/dynamodb';
+import { loadAccounts } from '../common/utils/accounts';
 import { snapshotRegionResources } from './snapshotRegionalResources';
 import { AcceleratorConfig } from '../asea-config';
 
@@ -31,6 +33,7 @@ export async function snapshotConfiguration(
   prefix: string,
   preMigration: boolean,
   aseaConfig: AcceleratorConfig,
+  aseaParametersTableName: string
 ) {
   stsClient = new STSClient({ maxAttempts: 10 });
 
@@ -44,7 +47,8 @@ export async function snapshotConfiguration(
   // process global services
   await snapshotGlobalResources(tableName, homeRegion, currentAccountId!, preMigration, undefined);
 
-  const accounts = await getAccountList();
+  const accounts = await getAccountList(homeRegion, aseaParametersTableName);
+  console.log(`Running snapshot for ${accounts.length} accounts`)
   const regions = aseaConfig['global-options']['supported-regions'];
   // process account services
   const accountPromises = [];
@@ -112,7 +116,40 @@ export async function getCredentials(accountId: string, roleName: string): Promi
   }
 }
 
-export async function getAccountList(): Promise<Account[]> {
+export async function getAccountList(homeRegion: string, parametersTableName: string): Promise<Account[]> {
+  // Get accounts from DynamoDB (ASEA managed accounts)
+  const dynamodb = new DynamoDB(undefined, homeRegion);
+  const aseaAccounts = await loadAccounts(parametersTableName, dynamodb);
+
+  if (aseaAccounts.length === 0) {
+      console.warn(`No accounts found in DynamoDB table ${parametersTableName}.`);
+      return [];
+  }
+
+  console.log(`Retrieved ${aseaAccounts.length} accounts from DynamoDB table ${parametersTableName}`);
+
+  // Get all accounts from Organizations to get their current status
+  const orgAccounts = await getAccountListFromOrganizations();
+  console.log(`Retrieved ${orgAccounts.length} accounts from AWS Organizations`);
+
+  // Create a map of account IDs to their Organization status
+  const accountStatusMap = new Map<string, AccountStatus>();
+  for (const orgAccount of orgAccounts) {
+      if (orgAccount.Id) {
+          accountStatusMap.set(orgAccount.Id, orgAccount.Status || AccountStatus.SUSPENDED);
+      }
+  }
+
+  // Return only accounts from DynamoDB but with status from Organizations
+  return aseaAccounts.map(account => ({
+      Id: account.id,
+      Name: account.key,
+      Email: account.email || '',
+      Status: accountStatusMap.get(account.id) || AccountStatus.SUSPENDED // Default to SUSPENDED if not found in Organizations
+  }));
+}
+
+async function getAccountListFromOrganizations(): Promise<Account[]> {
   const organizationsClient = new OrganizationsClient({ region: 'us-east-1', maxAttempts: 10 });
 
   const accounts: Account[] = [];

reference-artifacts/Custom-Scripts/lza-upgrade/src/snapshot/snapshotConfiguration.ts

@@ -627,13 +627,11 @@ def compare_route_table(crt, drt):
                         {"Route": cr['destination'], "Reason": "Not matched to firewall instance"})
             else:
                 logger.error(f"Route target {cr['target']} is not supported!")
-                drift.append({"Route": cr['destination'], "Reason": f"Route target {
-                             cr['target']} is not supported!"})
+                drift.append({"Route": cr['destination'], "Reason": f"Route target {cr['target']} is not supported!"})  # nopep8
         else:
             # this should not be possible!
             logger.error(f"More than one route with destination {cr['destination']} is deployed!")  # nopep8
-            drift.append({"Route": cr['destination'], "Reason": f"More than one route with destination {
-                         cr['destination']} found"})
+            drift.append({"Route": cr['destination'], "Reason": f"More than one route with destination {cr['destination']} found"})  # nopep8
 
     # check if there are route entries deployed that are not in the config
     for dr in dRoutes:
@@ -642,8 +640,7 @@ def compare_route_table(crt, drt):
                 f"Route {dr['DestinationCidrBlock']} is a VPC peering route. Skipping check")
             continue
 
-        cr = [r for r in cRoutes if r['destination']
-              == dr['DestinationCidrBlock']]
+        cr = [r for r in cRoutes if r['destination'] == dr['DestinationCidrBlock']]
         if len(cr) == 0:
             logger.warning(f"Route {dr['DestinationCidrBlock']} exists in deployed route table but not found in config")  # nopep8
             drift.append(

reference-artifacts/Custom-Scripts/lza-upgrade/tools/network-drift-detection/lza-upgrade-check.py

@@ -1,7 +1,7 @@
-boto3==1.35.40
-botocore==1.35.40
+boto3==1.38.1
+botocore==1.38.2
 jmespath==1.0.1
 python-dateutil==2.9.0.post0
-s3transfer==0.10.3
-six==1.16.0
-urllib3==2.2.3
+s3transfer==0.12.0
+six==1.17.0
+urllib3==2.4.0

reference-artifacts/Custom-Scripts/lza-upgrade/tools/network-drift-detection/requirements.txt

@@ -16,7 +16,7 @@ mainSteps:
   - name: attachPolicy
     action: 'aws:executeScript'
     inputs:
-      Runtime: python3.7
+      Runtime: python3.11
       Handler: script_handler
       Script: |-
         import boto3

reference-artifacts/ssm-documents/attach-iam-role-policy.yaml

@@ -16,7 +16,7 @@ mainSteps:
   - name: LookupRole
     action: 'aws:executeScript'
     inputs:
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: getRoleName
       InputPayload:
         roleId: '{{RoleId}}'

reference-artifacts/ssm-documents/ssm-patching-role-tagging.yaml

@@ -1,6 +1,6 @@
 {
   "name": "@aws-accelerator/accelerator",
-  "version": "1.6.2",
+  "version": "1.6.3",
   "scripts": {
     "bootstrap": "pnpx cdk bootstrap",
     "deploy": "pnpx cdk deploy",

src/core/cdk/package.json

@@ -51,5 +51,12 @@ async function createRole(stack: AccountStack) {
       resources: ['*'],
     }),
   );
+
+  role.addToPrincipalPolicy(
+    new iam.PolicyStatement({
+      actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:GenerateDataKey'],
+      resources: ['*'],
+    }),
+  );
   return role;
 }