Merge pull request #32 from aws-samples/feature/refactor-extras

Refactoring extras to align with contributing guidelines

Author: andywick-aws

extras/aws-control-tower/helper-scripts/list-config-recorder-status.py

@@ -3,8 +3,9 @@
 # SPDX-License-Identifier: MIT-0
 ########################################################################
 import boto3
-from botocore.exceptions import ClientError
 import logging
+from botocore.exceptions import ClientError
+from concurrent.futures import ThreadPoolExecutor, as_completed
 
 """
 The purpose of this script is to check if AWS Config is enabled in each AWS account and region within an AWS Control
@@ -17,17 +18,21 @@
 python3 list-config-recorder-status.py 
 """
 
-# Setup Default Logger
-logger = logging.getLogger(__name__)
-logger.setLevel(logging.INFO)
+# Logging Settings
+LOGGER = logging.getLogger()
+logging.getLogger("boto3").setLevel(logging.CRITICAL)
+logging.getLogger("botocore").setLevel(logging.CRITICAL)
+logging.getLogger("s3transfer").setLevel(logging.CRITICAL)
+logging.getLogger("urllib3").setLevel(logging.CRITICAL)
 
 SESSION = boto3.Session()
 STS_CLIENT = boto3.client('sts')
 AWS_PARTITION = "aws"
 ASSUME_ROLE_NAME = "AWSControlTowerExecution"
+MAX_THREADS = 16
 
 
-def assume_role(aws_account_number, role_name, session_name):
+def assume_role(aws_account_number: str, role_name: str, session_name: str):
     """
     Assumes the provided role in the provided account and returns a session
     :param aws_account_number: AWS Account Number
@@ -46,12 +51,12 @@ def assume_role(aws_account_number, role_name, session_name):
             aws_secret_access_key=response["Credentials"]["SecretAccessKey"],
             aws_session_token=response["Credentials"]["SessionToken"],
         )
-        logger.debug(f"Assumed session for {aws_account_number}")
+        LOGGER.debug(f"...Assumed session for {aws_account_number}")
 
         return session
     except Exception as exc:
-        print(f"Unexpected error: {exc}")
-        raise ValueError("Error assuming role")
+        LOGGER.error(f"Unexpected error: {exc}")
+        exit(1)
 
 
 def get_all_organization_accounts(account_info: bool, exclude_account_id: str):
@@ -76,11 +81,11 @@ def get_all_organization_accounts(account_info: bool, exclude_account_id: str):
                     accounts.append(account_record)
                     account_ids.append(acct["Id"])
     except ClientError as ce:
-        print(f"get_all_organization_accounts error: {ce}")
+        LOGGER.error(f"get_all_organization_accounts error: {ce}")
         raise ValueError("Error getting accounts")
     except Exception as exc:
-        print(f"get_all_organization_accounts error: {exc}")
-        raise ValueError("Unexpected error getting accounts")
+        LOGGER.error(f"get_all_organization_accounts error: {exc}")
+        exit(1)
 
     if account_info:
         return accounts
@@ -100,13 +105,14 @@ def is_region_available(region):
         return True
     except ClientError as error:
         if "InvalidClientTokenId" in str(error):
-            print(f"Region: {region} is not available")
+            LOGGER.error(f"Region: {region} is not available")
             return False
         else:
-            print(f"{error}")
+            LOGGER.error(f"{error}")
 
 
-def get_available_service_regions(user_regions: str, aws_service: str, control_tower_regions_only: bool = False) -> list:
+def get_available_service_regions(user_regions: str, aws_service: str,
+                                  control_tower_regions_only: bool = False) -> list:
     """
     Get the available regions for the AWS service
     :param: user_regions
@@ -115,9 +121,10 @@ def get_available_service_regions(user_regions: str, aws_service: str, control_t
     :return: available region list
     """
     available_regions = []
+    service_regions = []
     try:
         if user_regions.strip():
-            print(f"USER REGIONS: {str(user_regions)}")
+            LOGGER.info(f"USER REGIONS: {user_regions}")
             service_regions = [value.strip() for value in user_regions.split(",") if value != '']
         elif control_tower_regions_only:
             cf_client = SESSION.client('cloudformation')
@@ -130,19 +137,17 @@ def get_available_service_regions(user_regions: str, aws_service: str, control_t
                     region_set.add(summary["Region"])
             service_regions = list(region_set)
         else:
-            service_regions = boto3.session.Session().get_available_regions(
-                aws_service
-            )
-        print(f"SERVICE REGIONS: {service_regions}")
+            service_regions = boto3.session.Session().get_available_regions(aws_service)
+        LOGGER.info(f"SERVICE REGIONS: {service_regions}")
     except ClientError as ce:
-        print(f"get_available_service_regions error: {ce}")
-        raise ValueError("Error getting service regions")
+        LOGGER.error(f"get_available_service_regions error: {ce}")
+        exit(1)
 
     for region in service_regions:
         if is_region_available(region):
             available_regions.append(region)
 
-    print(f"AVAILABLE REGIONS: {available_regions}")
+    LOGGER.info(f"AVAILABLE REGIONS: {available_regions}")
     return available_regions
 
 
@@ -167,29 +172,84 @@ def get_service_client(aws_service: str, aws_region: str, session=None):
     return service_client
 
 
-if __name__ == "__main__":
-    account_ids = get_all_organization_accounts(False, "")
-    available_regions = get_available_service_regions("", "config", True)
-    account_set = set()
-    for account_id in account_ids:
-        try:
-            session = assume_role(account_id, ASSUME_ROLE_NAME, "ConfigRecorderCheck")
-        except Exception as error:
-            print(f"Unable to assume {ASSUME_ROLE_NAME} in {account_id} {error}")
-            continue
-
-        for region in available_regions:
-            try:
-                session_config = get_service_client("config", region, session)
-                response = session_config.describe_configuration_recorders()
-                if "ConfigurationRecorders" in response and response["ConfigurationRecorders"]:
-                    # print(f"{account_id} {region} - CONFIG ENABLED")
+def get_account_config(account_id, regions):
+    """
+    get_account_config
+    :param account_id:
+    :param regions:
+    :return:
+    """
+    region_count = 0
+    config_recorder_count = 0
+    all_regions_enabled = False
+    enabled_regions = []
+    not_enabled_regions = []
+
+    session = assume_role(account_id, ASSUME_ROLE_NAME, "ConfigRecorderCheck")
+
+    for region in regions:
+        region_count += 1
+        session_config = get_service_client("config", region, session)
+        config_recorders = session_config.describe_configuration_recorders()
+
+        if config_recorders.get("ConfigurationRecorders", ""):
+            LOGGER.debug(f"{account_id} {region} - CONFIG ENABLED")
+            config_recorder_count += 1
+            enabled_regions.append(region)
+        else:
+            LOGGER.debug(f"{account_id} {region} - CONFIG NOT ENABLED")
+            not_enabled_regions.append(region)
+
+    if region_count == config_recorder_count:
+        all_regions_enabled = True
+
+    return account_id, all_regions_enabled, enabled_regions, not_enabled_regions
+
+
+def get_config_recorder_status():
+    """
+    get_config_recorder_status
+    :return:
+    """
+    try:
+        account_ids = get_all_organization_accounts(False, "")
+        available_regions = get_available_service_regions("", "config", True)
+        account_set = set()
+        processes = []
+
+        if MAX_THREADS > len(account_ids):
+            thread_cnt = len(account_ids) - 2
+        else:
+            thread_cnt = MAX_THREADS
+
+        with ThreadPoolExecutor(max_workers=thread_cnt) as executor:
+            for account_id in account_ids:
+                try:
+                    processes.append(executor.submit(
+                        get_account_config,
+                        account_id,
+                        available_regions
+                    ))
+                except Exception as error:
+                    LOGGER.error(f"{error}")
                     continue
-                else:
-                    print(f"{account_id} {region} - CONFIG NOT ENABLED")
-                    account_set.add(account_id)
-            except ClientError as error:
-                print(f"Client Error - {error}")
-    print(f'Accounts to exclude from Organization Conformance Pack: {",".join(list(account_set))}')
 
+        for task in as_completed(processes, timeout=300):
+            account_id, all_regions_enabled, enabled_regions, not_enabled_regions = task.result()
+            LOGGER.info(f"Account ID: {account_id}")
+            LOGGER.info(f"Regions Enabled = {enabled_regions}")
+            LOGGER.info(f"Regions Not Enabled = {not_enabled_regions}\n")
+            if not all_regions_enabled:
+                account_set.add(account_id)
+
+        LOGGER.info(f'!!! Accounts to exclude from Organization Conformance Packs: {",".join(list(account_set))}')
+    except Exception as error:
+        LOGGER.error(f"{error}")
+        exit(1)
+
+
+if __name__ == "__main__":
+    # Set Log Level
+    logging.basicConfig(level=logging.INFO, format="%(message)s")
 
+    get_config_recorder_status()

extras/aws-control-tower/prerequisites/README.md

@@ -6,22 +6,22 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 
 1. Deploy the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
     Solution
-2. Required steps to deploy resources into the AWS Control Tower management account (e.g. Primary Account)
-   1. Create an Organizational Unit (e.g. Management) for the Primary account
+2. Required steps to deploy resources into the AWS Control Tower Management account (e.g. Management Account)
+   1. Create an Organizational Unit (e.g. Management) for the Management account
       1. Review the [Manage Accounts Through AWS Organizations](https://docs.aws.amazon.com/controltower/latest/userguide/organizations.html)
         documentation
-   2. Move the Primary account into the new Organizational Unit
-   3. Create the AWSControlTowerExecution IAM role in the Primary account
+   2. Move the Management account into the new Organizational Unit
+   3. Create the AWSControlTowerExecution IAM role in the Management account
       1. Use the [prereq-controltower-execution-role.yaml](prereq-controltower-execution-role.yaml) template to 
-         create a CloudFormation stack in the Primary account.
+         create a CloudFormation stack in the Management account.
 3. Create an S3 bucket for the Lambda source code
     1. Use the [prereq-lambda-s3-bucket.yaml](prereq-lambda-s3-bucket.yaml) template to create a CloudFormation
-        StackSet in the Primary account for each region that will deploy custom resources.
+        StackSet in the Management account for each region that will deploy custom resources.
 4. Package the Lambda code and required libraries (e.g. solution/code/src) into a zip file and upload it to the
    Lambda source S3 bucket.
    1. Use the [packaging script](../../packaging-scripts/package-lambda.sh) to download the required libraries, 
       create a zip file, and upload it to a provided S3 bucket. Usage details are at the top of the script.
 5. (Optional) Create SSM parameters for the AWS Account IDs and AWS Organizations ID
    1. Use the [prereq-ssm-account-params.yaml](prereq-ssm-account-params.yaml) template to create a CloudFormation
-      stack in the Primary account.
+      stack in the Management account.
 

extras/aws-control-tower/prerequisites/prereq-controltower-execution-role.yaml

@@ -1,3 +1,7 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
 AWSTemplateFormatVersion: 2010-09-09
 Description: AWS Control Tower Execution IAM Role Creation
 
@@ -8,39 +12,51 @@ Metadata:
           default: Control Tower Role Attributes
         Parameters:
           - pAWSControlTowerExecutionRoleName
-          - pOrgPrimaryAccountId
           - pIAMTagKey
           - pIAMTagValue
+          - pOrgPrimaryAccountId
 
     ParameterLabels:
-      pOrgPrimaryAccountId:
-        default: AWS Organizations Primary Account ID
       pAWSControlTowerExecutionRoleName:
         default: AWS Control Tower Execution Role Name
       pIAMTagKey:
         default: IAM Tag Key
       pIAMTagValue:
         default: IAM Tag Value
+      pOrgPrimaryAccountId:
+        default: AWS Organizations Primary Account ID
 
 Parameters:
   pOrgPrimaryAccountId:
-    Type: String
+    AllowedPattern: '^\d{12}$'
+    ConstraintDescription: Must be 12 digits
     Description: Organization primary account ID
+    Type: String
 
   pAWSControlTowerExecutionRoleName:
-    Type: String
-    Description: AWS Control Tower execution role name
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
     Default: AWSControlTowerExecution
+    Description: AWS Control Tower execution role name
+    Type: String
 
   pIAMTagKey:
-    Type: String
+    AllowedPattern: '^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$'
+    ConstraintDescription:
+      The string value can be Unicode characters and cannot be prefixed with "aws:".
+      The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-''
+    Default: cfct
     Description: IAM tag key
-    Default: control-tower
+    Type: String
 
   pIAMTagValue:
-    Type: String
+    AllowedPattern: '^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$'
+    ConstraintDescription:
+      The string value can be Unicode characters.
+      The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-'
+    Default: managed-by-cfct
     Description: IAM tag key value
-    Default: managed-by-control-tower
+    Type: String
 
 Resources:
   rAWSControlTowerRole:
@@ -57,11 +73,12 @@ Resources:
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
         Statement:
-          - Effect: Allow
+          - Action: sts:AssumeRole
+            Effect: Allow
             Principal:
               AWS:
                 - !Sub arn:${AWS::Partition}:iam::${pOrgPrimaryAccountId}:root
-            Action: sts:AssumeRole
+
       Path: "/"
       ManagedPolicyArns:
         - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess