New IdentityStore APIs (#7)

Author: jplock

Diff for: Makefile

@@ -1,7 +1,7 @@
 .PHONY: setup build deploy format create-signing-profile clean
 
 setup:
-	python3 -m venv .venv
+	python3.9 -m venv .venv
 	.venv/bin/python3 -m pip install -U pip
 	.venv/bin/python3 -m pip install -r requirements-dev.txt
 	.venv/bin/python3 -m pip install -r dependencies/requirements.txt

Diff for: dependencies/requirements.txt

@@ -1 +1 @@
-aws-lambda-powertools==1.25.1
+aws-lambda-powertools==1.29.2

Diff for: requirements-dev.txt

@@ -1 +1 @@
-black==22.1.0
+black==22.8.0

Diff for: src/account/account_setup/resources/sts.py

@@ -27,6 +27,8 @@
 logger = Logger(child=True)
 tracer = Tracer()
 EXECUTION_ROLE_NAME = os.environ["EXECUTION_ROLE_NAME"]
+AWS_PARTITION = os.environ["AWS_PARTITION"]
+
 
 __all__ = ["STS"]
 
@@ -43,7 +45,7 @@ def assume_role(
         Assume the AWSControlTowerExecution role in an account
         """
 
-        role_arn = f"arn:aws:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
+        role_arn = f"arn:{AWS_PARTITION}:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
 
         logger.info(f"Assuming role {EXECUTION_ROLE_NAME} in {account_id}")
         response = self.client.assume_role(

Diff for: src/regional/account_setup/resources/ec2.py

@@ -36,7 +36,7 @@ def __init__(self, session: boto3.Session, region: str) -> None:
         self.region_name = region
 
     def get_default_vpc_id(self) -> Optional[str]:
-        params = {"Filters": [{"Name": "is-default", "Values": ["true"]}]}
+        params = {"Filters": [{"Name": "isDefault", "Values": ["true"]}]}
 
         response = self.client.describe_vpcs(**params)
         for vpc in response.get("Vpcs", []):
@@ -72,7 +72,19 @@ def delete_vpc(self, vpc_id: str) -> None:
                 interface.delete()
             subnet.delete()
 
-        # Delete vpc
+        # Network ACLs
+        for nacl in vpc.network_acls.all():
+            if not nacl.is_default:
+                nacl.delete()
+
+        # DHCP Options
+        if vpc.dhcp_options:
+            vpc.associate_dhcp_options(
+                DhcpOptionsId="default"
+            )  # associate no DHCP options
+            vpc.dhcp_options.delete()
+
+        # Delete VPC
         self.client.delete_vpc(VpcId=vpc_id)
         logger.info(f"VPC {vpc_id} and associated resources has been deleted.")
 

Diff for: src/regional/account_setup/resources/sts.py

@@ -26,6 +26,7 @@
 
 logger = Logger(child=True)
 EXECUTION_ROLE_NAME = os.environ["EXECUTION_ROLE_NAME"]
+AWS_PARTITION = os.environ["AWS_PARTITION"]
 
 __all__ = ["STS"]
 
@@ -41,7 +42,7 @@ def assume_role(
         Assume the AWSControlTowerExecution role in an account
         """
 
-        role_arn = f"arn:aws:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
+        role_arn = f"arn:{AWS_PARTITION}:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
 
         logger.info(f"Assuming role {EXECUTION_ROLE_NAME} in {account_id}")
         response = self.client.assume_role(

Diff for: src/service_catalog_portfolio/account_setup/resources/sts.py

@@ -24,6 +24,7 @@
 import boto3
 
 EXECUTION_ROLE_NAME = os.environ["EXECUTION_ROLE_NAME"]
+AWS_PARTITION = os.environ["AWS_PARTITION"]
 
 __all__ = ["STS"]
 
@@ -38,7 +39,7 @@ def assume_role(self, account_id: str, role_session_name: str) -> boto3.Session:
         """
         Assume a role and return a new boto3 session
         """
-        role_arn = f"arn:aws:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
+        role_arn = f"arn:{AWS_PARTITION}:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
 
         response = self.client.assume_role(
             RoleArn=role_arn,

Diff for: src/sso_assignment/account_setup/lambda_handler.py

@@ -26,15 +26,14 @@
 import boto3
 
 from .resources import Organizations, IdentityStore, SSO
-from .utils import parse_group, get_env_list
+from .utils import parse_group
+from .constants import GROUP_ORG_PREFIX
 
 tracer = Tracer()
 logger = Logger()
 
-ORGANIZATION_GROUPS = get_env_list("ORGANIZATION_GROUPS")
 
-
-@tracer.capture_method
+@tracer.capture_method(capture_response=False)
 def create_group_event(event: Dict[str, Any]) -> None:
     """
     Assign the new group to an account and permission set
@@ -91,7 +90,7 @@ def create_group_event(event: Dict[str, Any]) -> None:
         logger.warn(f"Permission Set '{permission_set_name}' not found")
 
 
-@tracer.capture_lambda_handler
+@tracer.capture_lambda_handler(capture_response=False)
 @logger.inject_lambda_context(log_event=True)
 def handler(event: Dict[str, Any], context: LambdaContext) -> None:
 
@@ -116,15 +115,12 @@ def handler(event: Dict[str, Any], context: LambdaContext) -> None:
         identity_store_id = instance["IdentityStoreId"]
 
         identity_store = IdentityStore(session, identity_store_id)
-        identity_store.clear_groups()
+        organizational_groups = identity_store.get_groups_by_prefix(GROUP_ORG_PREFIX)
 
-        for group_name in ORGANIZATION_GROUPS:
-            _, permission_set_name = parse_group(group_name)
+        logger.info(f"Found organizational groups: {organizational_groups}")
 
-            group_id = identity_store.get_group_id(group_name)
-            if not group_id:
-                logger.error(f"Group '{group_name}' not found, skipping")
-                continue
+        for group_id, group_name in organizational_groups.items():
+            _, permission_set_name = parse_group(group_name)
 
             permission_set_arn = sso.get_permission_set_arn(
                 instance_arn=instance_arn, name=permission_set_name

Diff for: src/sso_assignment/account_setup/resources/identity_store.py

@@ -19,8 +19,7 @@
 * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 """
 
-from functools import lru_cache
-from typing import Optional
+from typing import Dict
 
 import boto3
 
@@ -32,16 +31,22 @@ def __init__(self, session: boto3.Session, identity_store_id: str) -> None:
         self.client = session.client("identitystore")
         self._identity_store_id = identity_store_id
 
-    @lru_cache
-    def get_group_id(self, name: str) -> Optional[str]:
-        response = self.client.list_groups(
+    def get_groups_by_prefix(self, prefix: str) -> Dict[str, str]:
+        """
+        Return all of the groups that match a given prefix
+        """
+        paginator = self.client.get_paginator("list_groups")
+        page_iterator = paginator.paginate(
             IdentityStoreId=self._identity_store_id,
-            Filters=[{"AttributePath": "DisplayName", "AttributeValue": name}],
+            PaginationConfig={
+                "PageSize": 100,
+            },
         )
-        for group in response.get("Groups", []):
-            return group["GroupId"]
 
-        return None
+        groups: Dict[str, str] = {}
+        for page in page_iterator:
+            for group in page.get("Groups", []):
+                if group["DisplayName"].startswith(prefix):
+                    groups[group["GroupId"]] = group["DisplayName"]
 
-    def clear_groups(self) -> None:
-        self.get_group_id.cache_clear()
+        return groups

Diff for: src/sso_assignment/account_setup/resources/organizations.py

@@ -29,7 +29,12 @@
 
 class Organizations:
     def __init__(self, session: boto3.Session) -> None:
-        self.client = session.client("organizations")
+        # @see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations.html
+        self.client = session.client(
+            "organizations",
+            region_name="us-east-1",
+            endpoint_url="https://organizations.us-east-1.amazonaws.com",
+        )
 
     @lru_cache
     def get_account_id(self, name: str) -> Optional[str]:

Diff for: template.yml

@@ -7,10 +7,6 @@ Transform: "AWS::Serverless-2016-10-31"
 Description: New account provisioning automation
 
 Parameters:
-  OrganizationGroups:
-    Type: CommaDelimitedList
-    Description: List of AWS SSO groups that should have access to all accounts
-    Default: ""
   ExecutionRoleName:
     Type: String
     Description: Execution IAM role name
@@ -42,6 +38,7 @@ Globals:
         POWERTOOLS_METRICS_NAMESPACE: AccountSetup
         EXECUTION_ROLE_NAME: !Ref ExecutionRoleName
         LOG_LEVEL: INFO
+        AWS_PARTITION: !Ref "AWS::Partition"
     Handler: lambda_handler.handler
     Layers:
       - !Ref DependencyLayer
@@ -80,6 +77,11 @@ Resources:
     Type: "AWS::Logs::LogGroup"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: "Ignoring KMS key"
     Properties:
       LogGroupName: !Sub "/aws/lambda/${AccountFunction}"
       RetentionInDays: 3
@@ -124,6 +126,13 @@ Resources:
 
   AccountFunction:
     Type: "AWS::Serverless::Function"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: "Ignoring CloudWatch Logs"
+          - id: W89
+            reason: "Ignoring VPC"
     Properties:
       CodeSigningConfigArn: !Ref CodeSigningConfig
       CodeUri: src/account
@@ -139,6 +148,11 @@ Resources:
     Type: "AWS::Logs::LogGroup"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: "Ignoring KMS key"
     Properties:
       LogGroupName: !Sub "/aws/lambda/${RegionalFunction}"
       RetentionInDays: 3
@@ -183,6 +197,13 @@ Resources:
 
   RegionalFunction:
     Type: "AWS::Serverless::Function"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: "Ignoring CloudWatch Logs"
+          - id: W89
+            reason: "Ignoring VPC"
     Properties:
       CodeSigningConfigArn: !Ref CodeSigningConfig
       CodeUri: src/regional
@@ -198,12 +219,22 @@ Resources:
     Type: "AWS::Logs::LogGroup"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: "Ignoring KMS key"
     Properties:
       LogGroupName: !Sub "/aws/lambda/${SSOAssignmentFunction}"
       RetentionInDays: 3
 
   SSOAssignmentFunctionRole:
     Type: "AWS::IAM::Role"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: "Ignoring wildcard resource"
     Properties:
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
@@ -221,6 +252,7 @@ Resources:
               - Effect: Allow
                 Action:
                   - "organizations:ListAccounts"
+                  - "identitystore:GetGroupId"
                   - "identitystore:ListGroups"
                   - "sso:CreateAccountAssignment"
                   - "sso:DescribePermissionSet"
@@ -257,14 +289,20 @@ Resources:
 
   SSOAssignmentFunction:
     Type: "AWS::Serverless::Function"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: "Ignoring CloudWatch Logs"
+          - id: W89
+            reason: "Ignoring VPC"
     Properties:
       CodeSigningConfigArn: !Ref CodeSigningConfig
       CodeUri: src/sso_assignment
       Description: DO NOT DELETE - AccountSetup - SSO Assignment
       Environment:
         Variables:
           POWERTOOLS_SERVICE_NAME: sso_assignment
-          ORGANIZATION_GROUPS: !Join [",", !Ref OrganizationGroups]
       Events:
         CreateGroupEvent:
           Type: EventBridgeRule
@@ -287,6 +325,11 @@ Resources:
     Type: "AWS::Logs::LogGroup"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: "Ignoring KMS key"
     Properties:
       LogGroupName: !Sub "/aws/lambda/${ServiceCatalogPortfolioFunction}"
       RetentionInDays: 3
@@ -331,6 +374,13 @@ Resources:
 
   ServiceCatalogPortfolioFunction:
     Type: "AWS::Serverless::Function"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: "Ignoring CloudWatch Logs"
+          - id: W89
+            reason: "Ignoring VPC"
     Properties:
       CodeSigningConfigArn: !Ref CodeSigningConfig
       CodeUri: src/service_catalog_portfolio