Added update logic to the common register delegated admin solution.

Updated README files

Author: andywick-aws

solutions/common/register-delegated-administrator/README.md

@@ -118,6 +118,9 @@ The services that support a delegated administrator account can be configured an
 
 # Implementation Instructions
 
+### [AWS Control Tower](./aws-control-tower)
+### CloudFormation StackSets
+
 1. Create new or use an existing S3 bucket within the deployment region owned by the Organization Management Account
    * Example bucket name: lambda-zips-[Management Account ID]-[AWS region]
    * [Example CloudFormation Template](../../../extras/lambda-s3-buckets.yaml)

solutions/common/register-delegated-administrator/aws-control-tower/README.md

@@ -0,0 +1,68 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+----
+   
+# Implementation Instructions
+
+1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
+2. Package and upload the common-register-delegated-administrator Lambda function
+   ```shell
+    export AWS_ACCESS_KEY_ID=INSERT_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=INSERT_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=INSERT_AWS_SESSION_TOKEN
+   
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name common-register-delegated-admin.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/common/register-delegated-admninistrator/code/src
+   ```
+3. Copy the files to the Customizations for AWS Control Tower configuration 
+   1. customizations-for-control-tower-configuration
+       1. [manifest.yaml](manifest.yaml) -> manifest.yaml 
+       2. [common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json](../../../common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json) 
+          -> parameters/common-register-delegated-administrator.json
+       3. [common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml](../../../common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml) 
+          -> templates/common-register-delegated-administrator.yaml
+4. Add service principals to the pServicePrincipalList parameter in the 
+   parameters/common-register-delegated-administrator.json
+5. Add the [common/register-delegated-administrator/aws-control-tower/manifest.yaml](../../../common/register-delegated-administrator/aws-control-tower)
+   resource configuration to your manifest.yaml file.
+   ```yaml
+   ...
+   cloudformation_resources:
+   # -----------------------------------------------------------------------------
+   # Common Register Delegated Administrator
+   # -----------------------------------------------------------------------------
+   - name: CommonRegisterDelegatedAdmin
+     template_file: templates/common-register-delegated-administrator.yaml
+     parameter_file: parameters/common-register-delegated-administrator.json
+     deploy_method: stack_set
+     deploy_to_account:
+       - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
+   ...
+   ```
+6. Update the manifest.yaml file with your account names and SSM parameters
+7. Deploy the Customizations for AWS Control Tower configuration
+8. How to verify after the pipeline completes?
+   1. Export the management account credentials in your local terminal and run the following script:
+      ```shell
+       for accountId in $(aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].Id' \
+       --output text); do echo -e "$accountId\n Service Principals: " \
+       $(aws organizations list-delegated-services-for-account --account-id $accountId \
+       --query 'DelegatedServices[*].ServicePrincipal'); done
+      ```
+   2. Verify that the service principals are listed for the delegated administrator account
+      
+# Delete Instructions
+
+1. Verify that all solutions related to the service principals are removed before deleting the solution
+2. Within the Customizations for AWS Control Tower configuration
+   1. Remove the Common Register Delegated Administrator configuration from the manifest.yaml file
+   2. (Optional) Delete the parameter and template files for the Common Register Delegated Administrator solution
+3. Deploy the Customizations for AWS Control Tower configuration
+4. After the pipeline completes, log into the Management account and navigate to the CloudFormation StackSet page
+   1. Delete the Stack Instance from the CustomControlTower-CommonRegisterDelegatedAdmin CloudFormation StackSet
+   2. After the Stack Instance deletes, delete the CustomControlTower-CommonRegisterDelegatedAdmin CloudFormation 
+      StackSet
+   

solutions/common/register-delegated-administrator/code/src/app.py

@@ -82,7 +82,9 @@ def register_delegated_administrator(account_id: str, service_principal: str):
 
     try:
         # Register the delegated administrator
-        ORGANIZATIONS_CLIENT.register_delegated_administrator(AccountId=account_id, ServicePrincipal=service_principal)
+        ORGANIZATIONS_CLIENT.register_delegated_administrator(AccountId=account_id,
+                                                              ServicePrincipal=service_principal)
+
         # Get the delegated administrators
         delegated_administrators = ORGANIZATIONS_CLIENT.list_delegated_administrators(
             ServicePrincipal=service_principal)
@@ -91,7 +93,9 @@ def register_delegated_administrator(account_id: str, service_principal: str):
         if not delegated_administrators:
             logger.info(f"The delegated administrator {service_principal} was not registered")
             raise ValueError("Error registering the delegated administrator account")
-    except ClientError as error:
+    except ORGANIZATIONS_CLIENT.exceptions.AccountAlreadyRegisteredException:
+        logger.debug(f"Account: {account_id} already registered for {service_principal}")
+    except Exception as error:
         logger.error(f"register_delegated_administrator error: {error}")
         raise ValueError("Error registering the delegated administrator account")
 
@@ -117,8 +121,9 @@ def deregister_delegated_administrator(account_id: str, service_principal: str):
 
         if not delegated_administrators:
             logger.info(f"The deregister was successful for the {service_principal} delegated administrator")
-
-    except ClientError as error:
+    except ORGANIZATIONS_CLIENT.exceptions.AccountNotRegisteredException:
+        logger.debug(f"Account: {account_id} not registered for {service_principal}")
+    except Exception as error:
         logger.error(f"deregister_delegated_administrator error: {error}")
         raise ValueError("Error trying to deregister delegated administrator account")
 
@@ -169,7 +174,8 @@ def create(event, _):
     :param _:
     :return: DelegatedAdminResourceId
     """
-    logger.info(f"Create Event: {event}")
+    request_type = event["RequestType"]
+    logger.info(f"{request_type} Event")
     try:
         check_parameters(event)
         params = event.get("ResourceProperties")
@@ -188,6 +194,42 @@ def create(event, _):
     return "DelegatedAdminResourceId"
 
 
+@helper.update
+def update(event, _):
+    """
+    CloudFormation Update Event
+    :param event:
+    :param _:
+    :return:
+    """
+    logger.info(f"Update Event: {event}")
+    try:
+        check_parameters(event)
+        params = event.get("ResourceProperties")
+        aws_service_principal_list = [value.strip() for value in params.get("AWS_SERVICE_PRINCIPAL_LIST", "")
+                                      if value != '']
+        check_service_principals(aws_service_principal_list)
+
+        old_params = event.get("OldResourceProperties")
+        old_aws_service_principal_list = [value.strip() for value in old_params.get("AWS_SERVICE_PRINCIPAL_LIST", "")
+                                          if value != '']
+        add_list = list(set(aws_service_principal_list) - set(old_aws_service_principal_list))
+        remove_list = list(set(old_aws_service_principal_list) - set(aws_service_principal_list))
+
+        if add_list:
+            for aws_service_principal in add_list:
+                enable_aws_service_access(aws_service_principal)
+                register_delegated_administrator(params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), aws_service_principal)
+
+        if remove_list:
+            for aws_service_principal in remove_list:
+                deregister_delegated_administrator(params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), aws_service_principal)
+                disable_aws_service_access(aws_service_principal)
+    except Exception as error:
+        logger.error(f"Exception: {error}")
+        raise ValueError("Error updating delegated administrators")
+
+
 @helper.delete
 def delete(event, _):
     """
@@ -201,7 +243,7 @@ def delete(event, _):
         check_parameters(event)
         params = event.get("ResourceProperties")
 
-        aws_service_principal_list = [value.strip() for value in params.get("AWS_SERVICE_PRINCIPAL_LIST", "").split(",")
+        aws_service_principal_list = [value.strip() for value in params.get("AWS_SERVICE_PRINCIPAL_LIST", "")
                                       if value != '']
         check_service_principals(aws_service_principal_list)
 
@@ -210,7 +252,7 @@ def delete(event, _):
             disable_aws_service_access(aws_service_principal)
     except Exception as error:
         logger.error(f"Exception: {error}")
-        raise ValueError("Error disabling the admin account")
+        raise ValueError("Error disabling delegated administrators")
 
 
 def lambda_handler(event, context):

solutions/config/aggregator-org/aws-control-tower/README.md

@@ -5,21 +5,52 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 # Implementation Instructions
 
 1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
-2. Copy the files to the Customizations for AWS Control Tower configuration 
+2. Package and upload the common-register-delegated-administrator Lambda function from the 
+   [Common Register Delegated Administrator Solution](../../../common/register-delegated-administrator)
+   ```shell
+    export AWS_ACCESS_KEY_ID=INSERT_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=INSERT_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=INSERT_AWS_SESSION_TOKEN
+   
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name common-register-delegated-admin.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/common/register-delegated-admninistrator/code/src
+   ```
+3. Copy the files to the Customizations for AWS Control Tower configuration 
    1. customizations-for-control-tower-configuration
-       1. [manifest.yaml](manifest.yaml)
-       2. [common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json](../../../common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json)
-       3. [parameters/aggregator-org-configuration.json](parameters/aggregator-org-configuration.json)
-       4. [common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml](../../../common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml)
-       5. [templates/aggregator-org-configuration.yaml](../templates/aggregator-org-configuration.yaml)
+       1. [manifest.yaml](manifest.yaml) -> manifest.yaml 
+       2. [common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json](../../../common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json) 
+          -> parameters/common-register-delegated-administrator.json
+       3. [parameters/aggregator-org-configuration.json](parameters/aggregator-org-configuration.json) 
+          -> parameters/aggregator-org-configuration.json
+       4. [common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml](../../../common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml) 
+          -> templates/common-register-delegated-administrator.yaml
+       5. [templates/aggregator-org-configuration.yaml](../templates/aggregator-org-configuration.yaml) 
+          -> templates/aggregator-org-configuration.yaml
 
-3. Update the parameter files with any specific values for your environment
-4. Use the "config.amazonaws.com" value for the pServicePrincipalList
-5. Add the [common/register-delegated-administrator/aws-control-tower/manifest.yaml](../../../common/register-delegated-administrator/aws-control-tower)
+4. Update the parameter files with any specific values for your environment
+5. Add "access-analyzer.amazonaws.com" to the pServicePrincipalList parameter in the parameters/common-register-delegated-administrator.json
+6. Add the [common/register-delegated-administrator/aws-control-tower/manifest.yaml](../../../common/register-delegated-administrator/aws-control-tower)
    resource configuration to your manifest.yaml file.
-6. Update the manifest.yaml file with your account names and SSM parameters
-7. Deploy the Customizations for AWS Control Tower configuration
-8. How to verify after the pipeline completes?
+   ```yaml
+   ...
+   cloudformation_resources:
+   # -----------------------------------------------------------------------------
+   # Common Register Delegated Administrator
+   # -----------------------------------------------------------------------------
+   - name: CommonRegisterDelegatedAdmin
+     template_file: templates/common-register-delegated-administrator.yaml
+     parameter_file: parameters/common-register-delegated-administrator.json
+     deploy_method: stack_set
+     deploy_to_account:
+       - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
+   ...
+   ```
+7. Update the manifest.yaml file with your account names and SSM parameters
+8. Deploy the Customizations for AWS Control Tower configuration
+9. How to verify after the pipeline completes?
    1. Log into the Audit account and navigate to the AWS Config page
       1. Verify the correct AWS Config Aggregator configurations have been applied
       2. Verify all existing accounts have been enabled (This can take a few minutes to complete)