diff --git a/VERSION b/VERSION index ec70f755..400084b1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6.6 +1.6.7 diff --git a/modules/aft-account-request-framework/data.tf b/modules/aft-account-request-framework/data.tf index e25f026d..9d01d79b 100644 --- a/modules/aft-account-request-framework/data.tf +++ b/modules/aft-account-request-framework/data.tf @@ -30,10 +30,13 @@ data "aws_availability_zones" "available" { #### CodeBuild #### data "aws_vpc_endpoint_service" "codebuild" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "codebuild" } data "aws_subnets" "codebuild" { + count = var.aft_vpc_endpoints ? 1 : 0 + filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -46,17 +49,19 @@ data "aws_subnets" "codebuild" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.codebuild.availability_zones + values = data.aws_vpc_endpoint_service.codebuild[0].availability_zones } } #### CodeCommit #### data "aws_vpc_endpoint_service" "codecommit" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "codecommit" } data "aws_subnets" "codecommit" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -69,18 +74,20 @@ data "aws_subnets" "codecommit" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.codecommit.availability_zones + values = data.aws_vpc_endpoint_service.codecommit[0].availability_zones } } #### git-codecommit #### data "aws_vpc_endpoint_service" "git-codecommit" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "git-codecommit" } data "aws_subnets" "git-codecommit" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] 
@@ -93,17 +100,19 @@ data "aws_subnets" "git-codecommit" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.git-codecommit.availability_zones + values = data.aws_vpc_endpoint_service.git-codecommit[0].availability_zones } } #### codepipeline #### data "aws_vpc_endpoint_service" "codepipeline" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "codepipeline" } data "aws_subnets" "codepipeline" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" @@ -117,17 +126,19 @@ data "aws_subnets" "codepipeline" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.codepipeline.availability_zones + values = data.aws_vpc_endpoint_service.codepipeline[0].availability_zones } } #### servicecatalog #### data "aws_vpc_endpoint_service" "servicecatalog" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "servicecatalog" } data "aws_subnets" "servicecatalog" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -140,17 +151,19 @@ data "aws_subnets" "servicecatalog" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.servicecatalog.availability_zones + values = data.aws_vpc_endpoint_service.servicecatalog[0].availability_zones } } #### lambda #### data "aws_vpc_endpoint_service" "lambda" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "lambda" } data "aws_subnets" "lambda" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -162,17 +175,19 @@ data "aws_subnets" "lambda" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.lambda.availability_zones + values = data.aws_vpc_endpoint_service.lambda[0].availability_zones } } #### kms #### data "aws_vpc_endpoint_service" "kms" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "kms" } data "aws_subnets" "kms" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] 
@@ -185,18 +200,20 @@ data "aws_subnets" "kms" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.kms.availability_zones + values = data.aws_vpc_endpoint_service.kms[0].availability_zones } } #### logs #### data "aws_vpc_endpoint_service" "logs" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "logs" } data "aws_subnets" "logs" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -208,17 +225,19 @@ data "aws_subnets" "logs" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.logs.availability_zones + values = data.aws_vpc_endpoint_service.logs[0].availability_zones } } #### events #### data "aws_vpc_endpoint_service" "events" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "events" } data "aws_subnets" "events" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -231,17 +250,19 @@ data "aws_subnets" "events" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.events.availability_zones + values = data.aws_vpc_endpoint_service.events[0].availability_zones } } #### states #### data "aws_vpc_endpoint_service" "states" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "states" } data "aws_subnets" "states" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -253,18 +274,20 @@ data "aws_subnets" "states" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.states.availability_zones + values = data.aws_vpc_endpoint_service.states[0].availability_zones } } #### ssm #### data "aws_vpc_endpoint_service" "ssm" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "ssm" } data "aws_subnets" "ssm" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] 
@@ -277,17 +300,19 @@ data "aws_subnets" "ssm" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.ssm.availability_zones + values = data.aws_vpc_endpoint_service.ssm[0].availability_zones } } #### sns #### data "aws_vpc_endpoint_service" "sns" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "sns" } data "aws_subnets" "sns" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -300,17 +325,19 @@ data "aws_subnets" "sns" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.sns.availability_zones + values = data.aws_vpc_endpoint_service.sns[0].availability_zones } } #### sqs #### data "aws_vpc_endpoint_service" "sqs" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "sqs" } data "aws_subnets" "sqs" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -323,17 +350,19 @@ data "aws_subnets" "sqs" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.sqs.availability_zones + values = data.aws_vpc_endpoint_service.sqs[0].availability_zones } } #### sts #### data "aws_vpc_endpoint_service" "sts" { + count = var.aft_vpc_endpoints ? 1 : 0 service = "sts" } data "aws_subnets" "sts" { + count = var.aft_vpc_endpoints ? 1 : 0 filter { name = "vpc-id" values = [aws_vpc.aft_vpc.id] @@ -346,6 +375,6 @@ data "aws_subnets" "sts" { filter { name = "availability-zone" - values = data.aws_vpc_endpoint_service.sts.availability_zones + values = data.aws_vpc_endpoint_service.sts[0].availability_zones } } diff --git a/modules/aft-account-request-framework/vpc.tf b/modules/aft-account-request-framework/vpc.tf index 26ee0f20..f848995a 100644 --- a/modules/aft-account-request-framework/vpc.tf +++ b/modules/aft-account-request-framework/vpc.tf 
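Review bot: The `count`-gated `aws_vpc_endpoint_service`/`aws_subnets` pairs that this hunk and the preceding ones in `data.tf` index with `[0]` differ only in the service name, so a single `for_each` over a set of service names would state the `var.aft_vpc_endpoints` gate once instead of once per data source and key each endpoint by name rather than by index. The `sts` hunk is representative; the sketch below covers `data.tf`, and the `aws_vpc_endpoint` resources in `vpc.tf` would read `data.aws_vpc_endpoint_service.aft[each.key]` and `data.aws_subnets.aft[each.key].ids` the same way. Any filter sitting between the `vpc-id` and `availability-zone` filters lies outside these hunks and is elided below. Renaming the resources changes their state addresses, so the refactor needs `moved` blocks or `terraform state mv` to avoid destroying and recreating the interface endpoints, which is worth weighing against keeping the mechanical fix as it stands.
```hcl
locals {
  # One key per interface endpoint; empty set disables them all.
  aft_vpc_endpoint_services = var.aft_vpc_endpoints ? toset([
    "codebuild", "codecommit", "git-codecommit", "codepipeline", "servicecatalog",
    "lambda", "kms", "logs", "events", "states", "ssm", "sns", "sqs", "sts",
  ]) : toset([])
}

data "aws_vpc_endpoint_service" "aft" {
  for_each = local.aft_vpc_endpoint_services
  service  = each.key
}

data "aws_subnets" "aft" {
  for_each = local.aft_vpc_endpoint_services

  filter {
    name   = "vpc-id"
    values = [aws_vpc.aft_vpc.id]
  }
  # … unchanged: any filters between vpc-id and availability-zone (outside the hunks) …
  filter {
    name   = "availability-zone"
    values = data.aws_vpc_endpoint_service.aft[each.key].availability_zones
  }
}
```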
@@ -229,9 +229,9 @@ resource "aws_vpc_endpoint" "codebuild" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.codebuild.service_name + service_name = data.aws_vpc_endpoint_service.codebuild[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.codebuild.ids + subnet_ids = data.aws_subnets.codebuild[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -243,9 +243,9 @@ resource "aws_vpc_endpoint" "codecommit" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.codecommit.service_name + service_name = data.aws_vpc_endpoint_service.codecommit[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.codecommit.ids + subnet_ids = data.aws_subnets.codecommit[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -257,9 +257,9 @@ resource "aws_vpc_endpoint" "git-codecommit" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.git-codecommit.service_name + service_name = data.aws_vpc_endpoint_service.git-codecommit[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.git-codecommit.ids + subnet_ids = data.aws_subnets.git-codecommit[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -271,9 +271,9 @@ resource "aws_vpc_endpoint" "codepipeline" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.codepipeline.service_name + service_name = data.aws_vpc_endpoint_service.codepipeline[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.codepipeline.ids + subnet_ids = data.aws_subnets.codepipeline[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] 
@@ -285,9 +285,9 @@ resource "aws_vpc_endpoint" "servicecatalog" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.servicecatalog.service_name + service_name = data.aws_vpc_endpoint_service.servicecatalog[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.servicecatalog.ids + subnet_ids = data.aws_subnets.servicecatalog[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -299,9 +299,9 @@ resource "aws_vpc_endpoint" "lambda" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.lambda.service_name + service_name = data.aws_vpc_endpoint_service.lambda[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.lambda.ids + subnet_ids = data.aws_subnets.lambda[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -313,9 +313,9 @@ resource "aws_vpc_endpoint" "kms" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.kms.service_name + service_name = data.aws_vpc_endpoint_service.kms[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.kms.ids + subnet_ids = data.aws_subnets.kms[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -327,9 +327,9 @@ resource "aws_vpc_endpoint" "logs" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.logs.service_name + service_name = data.aws_vpc_endpoint_service.logs[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.logs.ids + subnet_ids = data.aws_subnets.logs[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] 
@@ -341,9 +341,9 @@ resource "aws_vpc_endpoint" "events" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.events.service_name + service_name = data.aws_vpc_endpoint_service.events[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.events.ids + subnet_ids = data.aws_subnets.events[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -355,9 +355,9 @@ resource "aws_vpc_endpoint" "states" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.states.service_name + service_name = data.aws_vpc_endpoint_service.states[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.states.ids + subnet_ids = data.aws_subnets.states[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -369,9 +369,9 @@ resource "aws_vpc_endpoint" "ssm" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.ssm.service_name + service_name = data.aws_vpc_endpoint_service.ssm[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.ssm.ids + subnet_ids = data.aws_subnets.ssm[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -383,9 +383,9 @@ resource "aws_vpc_endpoint" "sns" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.sns.service_name + service_name = data.aws_vpc_endpoint_service.sns[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.sns.ids + subnet_ids = data.aws_subnets.sns[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] 
@@ -397,9 +397,9 @@ resource "aws_vpc_endpoint" "sqs" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.sqs.service_name + service_name = data.aws_vpc_endpoint_service.sqs[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.sqs.ids + subnet_ids = data.aws_subnets.sqs[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] @@ -411,9 +411,9 @@ resource "aws_vpc_endpoint" "sts" { count = var.aft_vpc_endpoints ? 1 : 0 vpc_id = aws_vpc.aft_vpc.id - service_name = data.aws_vpc_endpoint_service.sts.service_name + service_name = data.aws_vpc_endpoint_service.sts[0].service_name vpc_endpoint_type = "Interface" - subnet_ids = data.aws_subnets.sts.ids + subnet_ids = data.aws_subnets.sts[0].ids security_group_ids = [ aws_security_group.aft_vpc_endpoint_sg.id, ] diff --git a/modules/aft-code-repositories/codebuild.tf b/modules/aft-code-repositories/codebuild.tf index 98c3c9e8..14a2216b 100644 --- a/modules/aft-code-repositories/codebuild.tf +++ b/modules/aft-code-repositories/codebuild.tf @@ -1,6 +1,7 @@ # Copyright Amazon.com, Inc. or its affiliates. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # + data "local_file" "account_request_buildspec" { filename = "${path.module}/buildspecs/ct-aft-account-request.yml" } @@ -54,6 +55,10 @@ resource "aws_codebuild_project" "account_request" { security_group_ids = var.security_group_ids } + lifecycle { + ignore_changes = [project_visibility] + } + } resource "aws_codebuild_project" "account_provisioning_customizations_pipeline" { @@ -103,6 +108,10 @@ resource "aws_codebuild_project" "account_provisioning_customizations_pipeline" security_group_ids = var.security_group_ids } + lifecycle { + ignore_changes = [project_visibility] + } + } resource "aws_cloudwatch_log_group" "account_request" { diff --git a/modules/aft-customizations/codebuild.tf b/modules/aft-customizations/codebuild.tf index 1919e00d..1371fbc8 100644 
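Review bot: `ignore_changes = [project_visibility]` on `aws_codebuild_project.account_request` (and on `account_provisioning_customizations_pipeline` in the next hunk, and on the other CodeBuild projects this commit touches) switches off drift detection for the attribute that decides whether a project's build logs and artifacts are publicly readable, so a project flipped to `PUBLIC_READ` out of band will never be corrected by a later apply. Presumably the block exists to stop a perpetual plan diff on some provider versions, but that reason is not recorded in the hunk. Pinning the intended value where the provider accepts the argument, `project_visibility = "PRIVATE"`, keeps create-time state correct even with the ignore, and a comment such as `# project_visibility is ignored only to avoid a perpetual diff; it must stay PRIVATE and drift here is NOT reverted by Terraform` makes the trade-off explicit. If no detective control for public CodeBuild projects (a Config rule or Security Hub check) exists in the deployment, that is the gap this ignore opens.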
--- a/modules/aft-customizations/codebuild.tf
+++ b/modules/aft-customizations/codebuild.tf
@@ -52,6 +52,10 @@ resource "aws_codebuild_project" "aft_global_customizations_terraform" {
 security_group_ids = var.aft_vpc_default_sg
 }
 
+ lifecycle {
+ ignore_changes = [project_visibility]
+ }
+
 }
 
 # Maintain this log group for log retention reasons. This is no longer used by AFT
@@ -115,6 +119,10 @@ resource "aws_codebuild_project" "aft_account_customizations_terraform" {
 security_group_ids = var.aft_vpc_default_sg
 }
 
+ lifecycle {
+ ignore_changes = [project_visibility]
+ }
+
 }
 
 # Maintain this log group for log retention reasons. This is no longer used by AFT
@@ -227,6 +235,10 @@ resource "aws_codebuild_project" "aft_create_pipeline" {
 security_group_ids = var.aft_vpc_default_sg
 }
 
+ lifecycle {
+ ignore_changes = [project_visibility]
+ }
+
 }
 
 resource "aws_cloudwatch_log_group" "aft_create_pipeline" {
diff --git a/modules/aft-iam-roles/service-role/data.tf b/modules/aft-iam-roles/service-role/data.tf
new file mode 100644
index 00000000..a4416e60
--- /dev/null
+++ b/modules/aft-iam-roles/service-role/data.tf
@@ -0,0 +1,5 @@
+# Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+
+data "aws_partition" "current" {}
diff --git a/modules/aft-iam-roles/service-role/main.tf b/modules/aft-iam-roles/service-role/main.tf
index 6bd9d105..97b21dd1 100644
--- a/modules/aft-iam-roles/service-role/main.tf
+++ b/modules/aft-iam-roles/service-role/main.tf
@@ -35,7 +35,7 @@ resource "aws_iam_role" "role" {
 
 resource "aws_iam_role_policy_attachment" "administrator-access-attachment" {
 role = aws_iam_role.role.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AdministratorAccess"
 }
 
 output "arn" {
diff --git a/modules/aft-lambda-layer/codebuild.tf b/modules/aft-lambda-layer/codebuild.tf
index 72fcfa7c..cba0667e 100644
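Review bot: The partition-qualified `policy_arn` on `administrator-access-attachment` is the right fix, but nothing in the hunk records why the ARN is no longer a literal, and because the attachment grants `AdministratorAccess` the next reader should not be tempted to simplify it back. A one-line comment above the attachment, `# Partition comes from data.aws_partition.current so the ARN also resolves in aws-us-gov / aws-cn`, would carry that intent. Only this attachment is changed; if the role's trust policy or any inline policy elsewhere in the module (outside this hunk) still hard-codes `arn:aws:`, it would remain broken in those partitions and is worth a grep. The `aws_iam_role.role` definition itself starts outside the hunk.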
--- a/modules/aft-lambda-layer/codebuild.tf
+++ b/modules/aft-lambda-layer/codebuild.tf
@@ -1,6 +1,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
+
 resource "aws_codebuild_project" "codebuild" {
 name = local.common_name
 description = "Codebuild project to create lambda layer ${var.lambda_layer_name}"
@@ -80,4 +81,8 @@ resource "aws_codebuild_project" "codebuild" {
 security_group_ids = var.aft_vpc_default_sg
 }
 
+ lifecycle {
+ ignore_changes = [project_visibility]
+ }
+
 }
diff --git a/sources/aft-lambda-layer/aft_common/auth.py b/sources/aft-lambda-layer/aft_common/auth.py
index 1deb99db..7982258d 100644
--- a/sources/aft-lambda-layer/aft_common/auth.py
+++ b/sources/aft-lambda-layer/aft_common/auth.py
@@ -8,6 +8,7 @@
 SSM_PARAM_ACCOUNT_AFT_MANAGEMENT_ACCOUNT_ID,
 SSM_PARAM_ACCOUNT_CT_MANAGEMENT_ACCOUNT_ID,
 SSM_PARAM_ACCOUNT_LOG_ARCHIVE_ACCOUNT_ID,
+ get_aws_partition,
 get_logger,
 get_ssm_parameter_value,
 )
@@ -66,8 +67,8 @@ def _is_aft_management_session(session: Session) -> bool:
 raise error
 
 @staticmethod
- def _build_role_arn(account_id: str, role_name: str) -> str:
- return f"arn:aws:iam::{account_id}:role/{role_name}"
+ def _build_role_arn(partition: str, account_id: str, role_name: str) -> str:
+ return f"arn:{partition}:iam::{account_id}:role/{role_name}"
 
 @staticmethod
 def _get_session(
@@ -110,7 +111,9 @@ def _get_hub_session(self, session_duration: int = 900) -> Session:
 param=AuthClient.SSM_PARAM_AFT_ADMIN_ROLE_NAME,
 )
 role_arn = AuthClient._build_role_arn(
- account_id=self.aft_management_account_id, role_name=role_name
+ partition=get_aws_partition(session=self.aft_management_session),
+ account_id=self.aft_management_account_id,
+ role_name=role_name,
 )
 return AuthClient._get_session(
 session=self.aft_management_session,
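Review bot: `_build_role_arn` now takes `partition` as a new first positional parameter, so a caller still passing `(account_id, role_name)` positionally fails with a `TypeError` rather than a wrong ARN, but with three `str` parameters an argument swap would go unnoticed until `AssumeRole` rejects the ARN; making them keyword-only, `def _build_role_arn(*, partition: str, account_id: str, role_name: str) -> str:`, matches how both callers in this commit already invoke it and rules that out. A short docstring stating that the result is an IAM role ARN in the given partition and that no validation of `account_id` is performed would also help, and if `account_id` can come from an account request rather than SSM (not visible here), a 12-digit sanity check at the caller would surface a malformed id with a clear message before STS does. The `_get_hub_session` body continues outside the hunk.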
@@ -151,7 +154,9 @@ def get_target_account_session(
 )
 
 spoke_role_arn = AuthClient._build_role_arn(
- account_id=account_id, role_name=role_name
+ partition=get_aws_partition(session=self.aft_management_session),
+ account_id=account_id,
+ role_name=role_name,
 )
 
 logger.info(
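Review bot: In `get_target_account_session` the spoke role ARN is built with the partition of `self.aft_management_session` rather than anything derived from the target account, which is correct because STS `AssumeRole` does not cross partitions, but nothing in the hunk says so and a reader may read it as an oversight. A comment on the `partition=` line, `# STS cannot assume roles across partitions, so the hub session's partition is also the spoke's.`, records the reasoning. If `get_aws_partition` makes an API call (its implementation is not in this diff), computing the partition once per `AuthClient` instead of on every target-account session would avoid a call on each invocation. The function starts and ends outside the hunk.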