Merge pull request #84 from aws-samples/bugfix/single-control-tower-region

Single Control Tower region fix

Author: andywick-aws

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-03-16](#2022-03-16)
 - [2022-03-14](#2022-03-14)
 - [2022-01-07](#2022-01-07)
 - [2021-12-16](#2021-12-16)
@@ -21,6 +22,12 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-03-16
+
+### Fixed<!-- omit in toc -->
+
+- Fixed the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution to support Control Tower configurations with a single governed region.
+
 ## 2022-03-14
 
 ### Added<!-- omit in toc -->

aws_sra_examples/solutions/common/common_prerequisites/README.md

@@ -51,6 +51,7 @@ reference Systems Manager parameters in your scripts, commands, SSM documents, a
 - Optional parameters are included to create the parameters in all `member accounts` in the same regions that are enabled in the `management account`.
   - This allows for common SSM parameters to be resolved in the `member accounts` for future SRA solutions, and customer workload solutions.
 - Common parameters created will be retained even if the CloudFormation stacks from this solution are deleted.
+- Empty parameters will get set with `NONE` as the value. For example the '/sra/regions/customer-control-tower-regions-without-home-region' parameter will get set to `NONE` when only one region is governed by Control Tower.
 
 #### 1.6 Staging S3 Bucket<!-- omit in toc -->
 

aws_sra_examples/solutions/common/common_prerequisites/lambda/src/app.py

@@ -51,6 +51,7 @@
     "/sra/regions/customer-control-tower-regions-without-home-region",
 ]
 UNEXPECTED = "Unexpected!"
+EMPTY_VALUE = "NONE"
 
 # Initialize the helper
 helper = CfnResource(json_logging=True, log_level=log_level, boto_level="CRITICAL", sleep_on_delete=120)
@@ -85,6 +86,8 @@ def create_ssm_parameter(ssm_client: SSMClient, name: str, value: str, parameter
         value: SSM parameter value
         parameter_type: SSM parameter type
     """
+    if not value:
+        value = EMPTY_VALUE
     response = ssm_client.put_parameter(Name=name, Value=value, Type=parameter_type, Overwrite=True)
     LOGGER.debug({"API_Call": "ssm:PutParameter", "API_Response": response})
 

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml

@@ -8,7 +8,7 @@ Description:
   repo, https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: 1.1
+    Version: 1.2
     Entry: Parameters for deploying solution resolving SSM parameters
     Order: 1
   AWS::CloudFormation::Interface:
@@ -137,7 +137,10 @@ Parameters:
     ConstraintDescription:
       Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
     Default: /sra/regions/enabled-regions
-    Description: SSM Parameter for Enabled regions
+    Description:
+      SSM Parameter for Enabled regions. Regions that are enabled within all accounts in the AWS Organization. This list should include all enabled
+      regions and not just the Control Tower governed regions. For example, it is recommended to enable GuardDuty in all active regions, which might
+      include regions not governed by Control Tower.
     Type: AWS::SSM::Parameter::Value<List<String>>
   pEnabledRegionsWithoutHomeRegion:
     AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
@@ -197,8 +200,8 @@ Parameters:
     Description: The SRA solution name. The Description value is the folder name of the solution
     Type: String
   pSRASolutionVersion:
-    AllowedValues: [v1.1]
-    Default: v1.1
+    AllowedValues: [v1.2]
+    Default: v1.2
     Description: The SRA solution version. Used to trigger updates on the nested StackSets.
     Type: String
   pSRAStagingS3BucketNamePrefix:
@@ -213,6 +216,7 @@ Conditions:
   cCreateSRAStagingS3BucketInMemberAccounts: !Equals [!Ref pCreateSRAStagingS3BucketInMemberAccounts, 'true']
   cCreateSSMParametersInMemberAccounts: !Equals [!Ref pCreateSSMParametersInMemberAccounts, 'true']
   cCreateAWSControlTowerExecutionRole: !Equals [!Ref pCreateAWSControlTowerExecutionRole, 'true']
+  cMoreThanOneControlTowerGovernedRegion: !Not [!Equals [!Join [',', !Ref pCustomerControlTowerRegionsWithoutHomeRegion], 'NONE']]
 
 Resources:
   rControlTowerExecutionRoleStack:
@@ -282,6 +286,7 @@ Resources:
           ParameterValue: !Ref pRootOrganizationalUnitId
 
   rStagingS3BucketManagementAccountStackSet:
+    Condition: cMoreThanOneControlTowerGovernedRegion
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-staging-s3-bucket-management-account-regions

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml

@@ -8,7 +8,7 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: 1.1
+    Version: 1.2
     Entry: Parameters for deploying solution without resolving SSM parameters
     Order: 1
   AWS::CloudFormation::Interface:
@@ -124,18 +124,23 @@ Parameters:
     Description: Customer Control Tower regions (2+ regions, separate by commas)
     Type: String
   pCustomerControlTowerRegionsWithoutHomeRegion:
-    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
     ConstraintDescription:
       Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas without
       spaces. (e.g. us-east-1,ap-southeast-2)
-    Description: Customer Control Tower regions without Home Region (2+ regions, separate by commas)
+    Description:
+      Customer Control Tower regions without Home Region (2+ regions, separate by commas). Leave blank when only one region is governed by Control
+      Tower.
     Type: String
   pEnabledRegions:
     AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
     ConstraintDescription:
       Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas without
       spaces. (e.g. us-east-1,ap-southeast-2)
-    Description: Enabled regions (2+ regions, separate by commas)
+    Description:
+      Enabled regions (2+ regions, separate by commas). Regions that are enabled within all accounts in the AWS Organization. This list should include
+      all enabled regions and not just the Control Tower governed regions. For example, it is recommended to enable GuardDuty in all active regions,
+      which might include regions not governed by Control Tower.
     Type: String
   pEnabledRegionsWithoutHomeRegion:
     AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
@@ -187,8 +192,8 @@ Parameters:
     Description: The SRA solution name. The Description value is the folder name of the solution
     Type: String
   pSRASolutionVersion:
-    AllowedValues: [v1.1]
-    Default: v1.1
+    AllowedValues: [v1.2]
+    Default: v1.2
     Description: The SRA solution version. Used to trigger updates on the nested StackSets.
     Type: String
   pSRAStagingS3BucketNamePrefix:
@@ -203,6 +208,7 @@ Conditions:
   cCreateSRAStagingS3BucketInMemberAccounts: !Equals [!Ref pCreateSRAStagingS3BucketInMemberAccounts, 'true']
   cCreateSSMParametersInMemberAccounts: !Equals [!Ref pCreateSSMParametersInMemberAccounts, 'true']
   cCreateAWSControlTowerExecutionRole: !Equals [!Ref pCreateAWSControlTowerExecutionRole, 'true']
+  cMoreThanOneControlTowerGovernedRegion: !Not [!Equals [!Ref pCustomerControlTowerRegionsWithoutHomeRegion, '']]
 
 Resources:
   rControlTowerExecutionRoleStack:
@@ -215,8 +221,6 @@ Resources:
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
-      Parameters:
-        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
 
   rSSMParametersMemberAccountsStackSet:
     Condition: cCreateSSMParametersInMemberAccounts
@@ -257,7 +261,7 @@ Resources:
         - ParameterKey: pCustomerControlTowerRegions
           ParameterValue: !Ref pCustomerControlTowerRegions
         - ParameterKey: pCustomerControlTowerRegionsWithoutHomeRegion
-          ParameterValue: !Ref pCustomerControlTowerRegionsWithoutHomeRegion
+          ParameterValue: !If [cMoreThanOneControlTowerGovernedRegion, !Split [',', pCustomerControlTowerRegionsWithoutHomeRegion], 'NONE']
         - ParameterKey: pEnabledRegions
           ParameterValue: !Ref pEnabledRegions
         - ParameterKey: pEnabledRegionsWithoutHomeRegion
@@ -274,6 +278,7 @@ Resources:
           ParameterValue: !Ref pRootOrganizationalUnitId
 
   rStagingS3BucketManagementAccountStackSet:
+    Condition: cMoreThanOneControlTowerGovernedRegion
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-staging-s3-bucket-management-account-regions

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml

@@ -9,7 +9,7 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: 1.0
+    Version: 1.1
     Order: 5
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -71,7 +71,7 @@ Parameters:
     Description: Customer Control Tower regions (2+ regions, separate by commas)
     Type: String
   pCustomerControlTowerRegionsWithoutHomeRegion:
-    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    AllowedPattern: '^([a-zA-Z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
     ConstraintDescription:
       Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
       us-east-1,ap-southeast-2)

pyproject.toml

@@ -1,13 +1,13 @@
 [tool.poetry]
 name = "aws_sra_examples"
-version = "2.0.0"
+version = "2.0.1"
 description = "AWS Security Reference Architecture Examples"
 authors = ["Amazon Web Services <no_reply@amazon.com>"]
 
 [tool.poetry.dependencies]
 python = "^3.9"
 boto3 = "^1.18.42"
-crhelper = "^2.0.10"
+crhelper = "^2.0.1"
 
 [tool.poetry.dev-dependencies]
 pytest = "^6.2.5"