
Commit 89e4b77

authored
cfct template update for issue 137 (#144)
1 parent 050854c commit 89e4b77


4 files changed

+56
-24
lines changed


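--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-05-12](#2023-05-12)
 - [2023-05-05](#2023-05-05)
 - [2023-04-10](#2023-04-10)
 - [2023-01-19](#2023-01-19)
@@ -35,6 +36,13 @@
 All notable changes to this project will be documented in this file.
 
 ---
+
+## 2023-05-12
+
+### Changed<!-- omit in toc -->
+
+- Updated [CfCT template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to resolve issue #137.
+
 ## 2023-05-05
 
 ### Changed<!-- omit in toc -->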

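--- a/aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template
+++ b/aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template
@@ -12,7 +12,7 @@
 # permissions and limitations under the License.
 
 AWSTemplateFormatVersion: '2010-09-09'
-Description: '(SO0089) - customizations-for-aws-control-tower Solution. Version: v2.5.2'
+Description: '(SO0089) - customizations-for-aws-control-tower Solution. Version: v2.5.3'
 
 Parameters:
 PipelineApprovalStage:
@@ -127,7 +127,7 @@ Mappings:
 SourceBucketName:
 Name: control-tower-cfct-assets-prod
 SourceKeyName:
-Name: customizations-for-aws-control-tower/v2.5.2/custom-control-tower-configuration.zip
+Name: customizations-for-aws-control-tower/v2.5.3/custom-control-tower-configuration.zip
 CustomControlTowerPipelineS3TriggerKey:
 Name: custom-control-tower-configuration.zip
 CustomControlTowerPipelineS3NonTriggerKey:
@@ -145,7 +145,7 @@ Mappings:
 SolutionID: 'SO0089'
 MetricsURL: 'https://metrics.awssolutionsbuilder.com/generic'
 Data:
-AddonTemplate: 'https://s3.amazonaws.com/control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-initiation.template'
+AddonTemplate: 'https://s3.amazonaws.com/control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.3/custom-control-tower-initiation.template'
 AWSControlTower:
 ExecutionRole:
 Name: "AWSControlTowerExecution"
@@ -283,7 +283,31 @@ Resources:
 Effect: Deny
 Principal: "*"
 Action: s3:DeleteBucket
-Resource: !Sub arn:${AWS::Partition}:s3:::${CustomControlTowerS3AccessLogsBucket}
+Resource: !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerS3AccessLogsBucket}"
+- Sid: EnableS3AccessLoggingForPipelineS3Bucket
+Effect: Allow
+Principal:
+Service: logging.s3.amazonaws.com
+Action:
+- s3:PutObject
+Resource: !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerS3AccessLogsBucket}/*"
+Condition:
+ArnLike:
+"aws:SourceArn": !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerPipelineS3Bucket}"
+StringEquals:
+"aws:SourceAccount": !Ref AWS::AccountId
+- Sid: EnableS3AccessLoggingForPipelineArtifactS3Bucket
+Effect: Allow
+Principal:
+Service: logging.s3.amazonaws.com
+Action:
+- s3:PutObject
+Resource: !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerS3AccessLogsBucket}/*"
+Condition:
+ArnLike:
+"aws:SourceArn": !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerPipelineArtifactS3Bucket}"
+StringEquals:
+"aws:SourceAccount": !Ref AWS::AccountId
 
 CustomControlTowerCodeCommit:
 Type: AWS::CodeCommit::Repository
@@ -296,7 +320,7 @@ Resources:
 Code:
 S3:
 Bucket: control-tower-cfct-assets-prod
-Key: !Sub customizations-for-aws-control-tower/v2.5.2/custom-control-tower-configuration-${AWS::Region}.zip
+Key: !Sub customizations-for-aws-control-tower/v2.5.3/custom-control-tower-configuration-${AWS::Region}.zip
 
 # SSM Parameter to store the git repository name
 CustomControlTowerRepoNameParameter:
@@ -559,7 +583,7 @@ Resources:
 - {KMSKeyName: !FindInMap [KMS, Alias, Name]}
 Source:
 Type: CODEPIPELINE
-BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1>/dev/null\n - export LC_ALL='en_US.UTF-8'\n - locale-gen en_US en_US.UTF-8\n - dpkg-reconfigure locales --frontend noninteractive\n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES \n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n\n"
+BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1>/dev/null\n - export LC_ALL='en_US.UTF-8'\n - locale-gen en_US en_US.UTF-8\n - dpkg-reconfigure locales --frontend noninteractive\n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.3/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES \n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n\n"
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: "aws/codebuild/standard:5.0"
@@ -584,7 +608,7 @@ Resources:
 - Name: SOLUTION_ID
 Value: !FindInMap [ Solution, Metrics, SolutionID ]
 - Name: SOLUTION_VERSION
-Value: v2.5.2
+Value: v2.5.3
 Artifacts:
 Name: !Sub ${CustomControlTowerPipelineArtifactS3Bucket}-Built
 Type: CODEPIPELINE
@@ -687,7 +711,7 @@ Resources:
 - {KMSKeyName: !FindInMap [KMS, Alias, Name]}
 Source:
 Type: CODEPIPELINE
-BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1> /dev/null \n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES\n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n"
+BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1> /dev/null \n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.3/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES\n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n"
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: "aws/codebuild/standard:5.0"
@@ -708,7 +732,7 @@ Resources:
 - Name: SOLUTION_ID
 Value: !FindInMap [ Solution, Metrics, SolutionID ]
 - Name: SOLUTION_VERSION
-Value: v2.5.2
+Value: v2.5.3
 Artifacts:
 Name: !Sub ${CustomControlTowerPipelineArtifactS3Bucket}-Built
 Type: CODEPIPELINE
@@ -863,7 +887,7 @@ Resources:
 - {KMSKeyName: !FindInMap [KMS, Alias, Name]}
 Source:
 Type: CODEPIPELINE
-BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1> /dev/null\n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES\n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n"
+BuildSpec: "version: 0.2\nphases:\n install:\n runtime-versions:\n python: 3.8\n ruby: 2.6\n commands:\n - export current=$(pwd)\n - if [ -f manifest.yaml ];then export current=$(pwd);else if [ -f custom-control-tower-configuration/manifest.yaml ]; then export current=$(pwd)/custom-control-tower-configuration; else echo 'manifest.yaml does not exist at the root level of custom-control-tower-configuration.zip or inside custom-control-tower-configuration folder, please check the ZIP file'; exit 1; fi; fi;\n - apt-get -q update 1> /dev/null\n - apt-get -q install zip wget python3-pip libyaml-dev -y 1> /dev/null\n pre_build:\n commands:\n - cd $current\n - echo 'Download CustomControlTower Scripts'\n - aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.3/custom-control-tower-scripts.zip $current\n - unzip -q -o $current/custom-control-tower-scripts.zip -d $current\n - cp codebuild_scripts/* .\n - bash install_stage_dependencies.sh $STAGE_NAME\n build:\n commands:\n - echo 'Starting build $(date) in $(pwd)'\n - echo 'bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES'\n - bash execute_stage_scripts.sh $STAGE_NAME $LOG_LEVEL $WAIT_TIME $SM_ARN $ARTIFACT_BUCKET $KMS_KEY_ALIAS_NAME $BOOL_VALUES $NONE_TYPE_VALUES\n - echo 'Running build scripts completed $(date)'\n post_build:\n commands:\n - echo 'Starting post build $(date) in $(pwd)'\n - echo 'build completed on $(date)'\n\nartifacts:\n files:\n - '**/*'\n"
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: "aws/codebuild/standard:5.0"
@@ -888,7 +912,7 @@ Resources:
 - Name: SOLUTION_ID
 Value: !FindInMap [Solution, Metrics, SolutionID]
 - Name: SOLUTION_VERSION
-Value: v2.5.2
+Value: v2.5.3
 - Name: METRICS_URL
 Value: !FindInMap [Solution, Metrics, MetricsURL]
 - Name: CONTROL_TOWER_BASELINE_CONFIG_STACKSET
@@ -1021,10 +1045,10 @@ Resources:
 Variables:
 LOG_LEVEL: !FindInMap [LambdaFunction, Logging, Level]
 SOLUTION_ID: !FindInMap [Solution, Metrics, SolutionID]
-SOLUTION_VERSION: v2.5.2
+SOLUTION_VERSION: v2.5.3
 Code:
 S3Bucket: !Sub "control-tower-cfct-assets-prod-${AWS::Region}"
-S3Key: customizations-for-aws-control-tower/v2.5.2/custom-control-tower-config-deployer.zip
+S3Key: customizations-for-aws-control-tower/v2.5.3/custom-control-tower-config-deployer.zip
 FunctionName: CustomControlTowerDeploymentLambda
 Description: Custom Control Tower Deployment Lambda
 Handler: config_deployer.lambda_handler
@@ -1309,14 +1333,14 @@ Resources:
 ADMINISTRATION_ROLE_ARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
 EXECUTION_ROLE_NAME: !FindInMap [AWSControlTower, ExecutionRole, Name]
 SOLUTION_ID: !FindInMap [Solution, Metrics, SolutionID]
-SOLUTION_VERSION: v2.5.2
+SOLUTION_VERSION: v2.5.3
 METRICS_URL: !FindInMap [Solution, Metrics, MetricsURL]
 MAX_CONCURRENT_PERCENT: !Ref MaxConcurrentPercentage
 FAILED_TOLERANCE_PERCENT: !Ref FailureTolerancePercentage
 REGION_CONCURRENCY_TYPE: !Ref RegionConcurrencyType
 Code:
 S3Bucket: !Sub "control-tower-cfct-assets-prod-${AWS::Region}"
-S3Key: customizations-for-aws-control-tower/v2.5.2/custom-control-tower-state-machine.zip
+S3Key: customizations-for-aws-control-tower/v2.5.3/custom-control-tower-state-machine.zip
 FunctionName: CustomControlTowerStateMachineLambda
 Description: Custom Control Tower State Machine Handler
 Handler: state_machine_router.lambda_handler
@@ -2934,10 +2958,10 @@ Resources:
 LOG_LEVEL: !FindInMap [LambdaFunction, Logging, Level]
 CODE_PIPELINE_NAME: !Ref CustomControlTowerCodePipeline
 SOLUTION_ID: !FindInMap [ Solution, Metrics, SolutionID ]
-SOLUTION_VERSION: v2.5.2
+SOLUTION_VERSION: v2.5.3
 Code:
 S3Bucket: !Sub "control-tower-cfct-assets-prod-${AWS::Region}"
-S3Key: customizations-for-aws-control-tower/v2.5.2/custom-control-tower-lifecycle-event-handler.zip
+S3Key: customizations-for-aws-control-tower/v2.5.3/custom-control-tower-lifecycle-event-handler.zip
 Description: Custom Control Tower Lifecyle event Lambda to handle lifecycle events
 Handler: lifecycle_event_handler.lambda_handler
 MemorySize: 512
@@ -3108,6 +3132,6 @@ Outputs:
 Value: !Ref CustomControlTowerPipelineS3Bucket
 CustomControlTowerSolutionVersion:
 Description: Version Number
-Value: "v2.5.2"
+Value: "v2.5.3"
 Export:
 Name: Custom-Control-Tower-Version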
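Review bot: The two new Allow statements in the access-logs bucket policy (Sid EnableS3AccessLoggingForPipelineS3Bucket and EnableS3AccessLoggingForPipelineArtifactS3Bucket) are identical apart from the `aws:SourceArn` value, so one statement carrying a list would express the same grant without two copies to keep in sync: `"aws:SourceArn": [!Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerPipelineS3Bucket}", !Sub "arn:${AWS::Partition}:s3:::${CustomControlTowerPipelineArtifactS3Bucket}"]`. Both statements grant s3:PutObject on `${CustomControlTowerS3AccessLogsBucket}/*`; if the source buckets' LoggingConfiguration sets a TargetPrefix (not visible in this hunk), narrowing the Resource to that prefix keeps the logging principal from writing anywhere else in the bucket. Pairing `aws:SourceArn` with `aws:SourceAccount` is the right confused-deputy guard for the logging service principal, so that part reads correctly. A short comment above the first statement, such as `# Allow the S3 server access logging service to deliver logs for the pipeline and artifact buckets; scoped by source bucket ARN and account`, would tell later readers why the logs bucket accepts writes from a service principal. The enclosing BucketPolicy resource starts above this hunk.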

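--- a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml
+++ b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml
@@ -8,7 +8,7 @@ Description:
 https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2a)
 Metadata:
 SRA:
-Version: 1.3
+Version: 1.2
 Entry: Parameters for deploying CFCT solution without resolving SSM parameters
 Order: 1
 cfn-lint:
@@ -162,4 +162,4 @@ Resources:
 Outputs:
 CustomControlTowerSolutionVersion:
 Description: Version Number
-Value: 'v2.5.2'
+Value: 'v2.5.3'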
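Review bot: The `Metadata.SRA.Version` value moves backwards from 1.3 to 1.2 in the first hunk while every other version in this commit moves forward (v2.5.2 to v2.5.3), which looks like an accidental revert rather than an intended change. If this field tracks revisions of the SRA template, the line should presumably read `Version: 1.4` (or at least stay at 1.3); please confirm which value was intended before merging.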
