Lza upgrade doc ASEA v1.6.1 (#1251)

* documentation updates

* CHANGELOG for v1.6.1

* changelog entry for flowlogs dynamic partition

reference-artifacts/Custom-Scripts/lza-upgrade/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.6.1] - 2025-02-14
+
+### Added
+- feat(tools): Add detection of modified route entries in network drift detection script
+- feat(convert-config): Handle conversion of VPC Flow Logs log group pattern in dynamic partition
+
+### Changed
+- fix(resource-mapping): Use pagination to list stacks and improve nested stacks lookup
+- fix(convert-config): Removed inaccurate warnings for SSM Document sharing with nested OUs
+- fix(asea-prep): asea-prep command now disables ASEA EventBridge rule that adds the subscription filters to new Log Groups. A new rule is created by LZA during the installation.
+
 ## [1.6.0] - 2025-01-17
 
 ### Added

src/mkdocs/README.md

@@ -17,7 +17,7 @@ Make sure you have configured a virtual environment.
 
 ```bash
 python -m venv venv
-source venv/bin/active
+source venv/bin/activate
 pip install --upgrade pip && pip install -r requirements.txt
 ```
 

src/mkdocs/docs/lza-upgrade/faq.md

@@ -65,4 +65,23 @@ logging:
 
 ```
 
-This is because for upgraded environment, there is already an existing organizational trail configured by ASEA or ControlTower that will continue to be used. We don't recommend changing this to `true` as this will instruct LZA to create a new trail in addition to the existing one created by ASEA.
+This is because for upgraded environment, there is already an existing organizational trail configured by ASEA or ControlTower that will continue to be used. We don't recommend changing this to `true` as this will instruct LZA to create a new trail in addition to the existing one created by ASEA.
+
+## Which Service Quotas should be monitored for the upgrade?
+
+Depending on your configuration, the LZA installation can create over 500 IAM Roles in each account. If you already have several IAM Roles in your accounts and using the default limit of 1000, the installation could be blocked by this service quota.
+
+You can make an AWS Config query using the organization aggregator to list the current number of IAM Roles in each account, and request a limit increase proactively.
+```
+SELECT
+  accountId,
+  COUNT(*)
+WHERE
+  resourceType = 'AWS::IAM::Role'
+GROUP BY
+  accountId
+ORDER BY
+  COUNT(*) DESC
+```
+
+For more information about LZA related Quotas, refer to the [LZA Documentation about Quotas](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/quotas.html) as well as this note about [CodeBuild concurrency](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#update-codebuild-conncurrency-quota)

src/mkdocs/docs/lza-upgrade/known-issues.md

@@ -44,45 +44,51 @@ ASEA-NetworkAssociationsStack-xxxxxx-ca-central-1 failed: Error: The stack named
 ## Landing Zone Accelerator known issues
 The following issues will not prevent a successful upgrade from ASEA to LZA, but can impact functionalities and operations in the upgraded Landing Zone.
 
-### Error adding a new route targeting firewall instance
 
-**Description:** After a successful upgrade, you try to add in `network-config.yaml` a route entry that targets ENI 0 of a firewall appliance using the lookup variable `${ACCEL_LOOKUP::EC2:ENI_0:Firewall_azA:Id}`
+### Removal of interface endpoints fails in ImportAseaResources stage
 
-**Symptom or error message:** Error in the NetworkAssociationsStack after adding a route targeting ENI 0 of a firewall appliance.
+**Description:** Failure when attempting to remove an interface endpoint that was deployed by ASEA prior to LZA upgrade.
+
+**Symptom or error message:** Failure in ImportAseaResources
 
 ```
-Resource handler returned message: "Invalid id: "${ACCEL_LOOKUP::EC2:ENI_0:Firewall_azA:Id}" (expecting "eni-...")
+ASEA-SharedNetwork-Phase2-VpcEndpoints1 failed: Error [ValidationError]: Template format error: Unresolved resource dependencies [SsmParamEndpointVpccodecommitDns] in the Resources block of the template
 ```
 
 **Resolution or workaround:** A fix will be available in a future version of LZA.
 
 
-### Some AWS Config Rules do not evaluate after the upgrade
+### Resources are not deleted after being removed from configuration file
 
-**Description:** Some AWS Config Rules deployed by LZA do not evaluate (i.e Last successful detective evaluation appears as 'Not Available' in the console). The equivalent ASEA Config Rule evaluates correctly.
+**Description:** You attempt to remove a resource that was deployed by ASEA from the LZA configuration file and it is not removed after a successful LZA pipeline run.
 
-**Symptom or error message:** The scope of changes of Config Rule is set to an empty list of Resource types instead of scoped to **All changes** as in ASEA.
+**Symptom or error message:** The LZA pipeline runs with success, but the resource is not deleted.
 
-**Resolution or workaround:** A fix will be available in a future version of LZA. Manually changing the Scope of changes to "All resources" can be a short-term remediation. Alternatively you can opt-out of removing the ASEA Config Rules in the post-upgrade phase. (this will result in duplicate rules being evaluated)
+**Resolution or workaround:** Not all ASEA resources support deletion through the LZA configuration and pipeline. Review the [ASEA Resource Handlers](./asea-resource-handlers.md) page for the current state of supported handlers.
 
+# Fixed Issues
 
-### Removal of interface endpoints fails in ImportAseaResources stage
+## Fixed in LZA v1.11.1
 
-**Description:** Failure when attempting to remove an interface endpoint that was deployed by ASEA prior to LZA upgrade.
+The following issued were fixed as part of LZA v1.11.1 release.
 
-**Symptom or error message:** Failure in ImportAseaResources
+### Error adding a new route targeting firewall instance
+
+**Description:** After a successful upgrade, you try to add in `network-config.yaml` a route entry that targets ENI 0 of a firewall appliance using the lookup variable `${ACCEL_LOOKUP::EC2:ENI_0:Firewall_azA:Id}`
+
+**Symptom or error message:** Error in the NetworkAssociationsStack after adding a route targeting ENI 0 of a firewall appliance.
 
 ```
-ASEA-SharedNetwork-Phase2-VpcEndpoints1 failed: Error [ValidationError]: Template format error: Unresolved resource dependencies [SsmParamEndpointVpccodecommitDns] in the Resources block of the template
+Resource handler returned message: "Invalid id: "${ACCEL_LOOKUP::EC2:ENI_0:Firewall_azA:Id}" (expecting "eni-...")
 ```
 
-**Resolution or workaround:** A fix will be available in a future version of LZA.
+**Resolution or workaround:** Fixed in LZA v1.11.1
 
 
-### Resources are not deleted after being removed from configuration file
+### Some AWS Config Rules do not evaluate after the upgrade
 
-**Description:** You attempt to remove a resource that was deployed by ASEA from the LZA configuration file and it is not removed after a successful LZA pipeline run.
+**Description:** Some AWS Config Rules deployed by LZA do not evaluate (i.e Last successful detective evaluation appears as 'Not Available' in the console). The equivalent ASEA Config Rule evaluates correctly.
 
-**Symptom or error message:** The LZA pipeline runs with success, but the resource is not deleted.
+**Symptom or error message:** The scope of changes of Config Rule is set to an empty list of Resource types instead of scoped to **All changes** as in ASEA.
 
-**Resolution or workaround:** Not all ASEA resources support deletion through the LZA configuration and pipeline. Review the [ASEA Resource Handlers](./asea-resource-handlers.md) page for the current state of supported handlers.
+**Resolution or workaround:** Fixed in LZA v1.11.1

src/mkdocs/docs/lza-upgrade/preparation/prereq-config.md

@@ -8,6 +8,7 @@
 - You can run the scripts from your local workstation. If you are filtering egress traffic from your corporate network you need to ensure [outbound connectivity to AWS service endpoints](../troubleshooting.md#network-timeout-or-connectivity-issue-running-the-upgrade-tool).
 - You will need Git, AWS CLI, NodeJS and Yarn installed.
 - We highly recommend having appropriate AWS Support plans on all AWS Accounts of your landing zone. For any issues encountered during the upgrade process you need to open a support case to get assistance and exchange relevant information with AWS staff. At a minimum Developer support is needed on the management account and core landing zones accounts (Logging, Security, Networking and Perimeter) to troubleshoot any cross-account issues. Business support is the minimum recommended tier if you have production workloads in AWS
+- Monitor and manage your service quotas. See the FAQ [Which Service Quotas should be monitored for the upgrade?](../faq.md#which-service-quotas-should-be-monitored-for-the-upgrade)
 - Upgrading your landing zone from ASEA to LZA requires advanced knowledge of configuring and operating ASEA and LZA landing zones. This operation should be led by your most-experienced resources responsible for your current landing zone operations. Review all the documentation in this upgrade guide and Landing Zone Accelerator implementation guide.
 
 

src/mkdocs/docs/lza-upgrade/troubleshooting.md

@@ -37,7 +37,7 @@ Note: this manual change will need to be re-applied every time you upgrade to a
 ### Error in Security Stack - CloudFormation did not receive a response from your Custom Resource
 Cause: Throttling can happen based on the concurrent Lambda execution quota.
 
-Workaround: Disable the Event Bridge rule `ASEA-SecurityHubFindingsImportToCWLs` in the Security account. 
+Workaround: Disable the Event Bridge rule `ASEA-SecurityHubFindingsImportToCWLs` in the Security account.
 
 ### Error in SecurityResource stack - AWS Config rate exceeded error
 Cause: Too many resources are deployed in parallel, leading to rate limiting errors.
@@ -50,6 +50,22 @@ Workaround: Increase the resources allocated to CodeBuild and increase NodeJS `m
 
 Note: this manual change will need to be re-applied every time you upgrade to a new LZA version or re-run the LZA installer pipeline.
 
+### CredentialsProviderError in bootstrap stage
+Bootstrap stage fails with the following error
+
+```
+error | utils-common-functions | {"name":"CredentialsProviderError","tryNextLink":false}
+Could not load credentials from any providers
+```
+
+Workaround: Increase the **Number of retries** in the SDK configuration.
+1. Go to CodeBuild console and locate the `ASEA-ToolkitProject` project
+2. Edit the project, in the Environment variables section:
+  a) add a new environment variable named `NUMBER_OF_RETRIES`
+  b) set the value of the a higher value (default: 12)
+3. Release the accelerator pipeline again
+
+
 ## Use of opt-in region - "InvalidClientTokenId: The security token included in the request is invalid"
 If an AWS opt-in region (e.g. ca-west-1) is enabled in your ASEA environment you need to change the region compatibility of STS session tokens to be valid in all AWS Regions.
 
@@ -105,4 +121,14 @@ You encounter the following error during an LZA pipeline run after adding an opt
 
 > The stack named ASEA-SecurityStack-<account>-ca-west-1 failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: BadRequestException: The request failed because the GuardDuty service principal does not have permission to the KMS key or the resource specified by the destinationArn parameter. Refer to https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
 
-See information about the [Central Logging bucket CMK](./comparison/kms.md#central-logging-bucket) for more details and how to fix the issue.
+See information about the [Central Logging bucket CMK](./comparison/kms.md#central-logging-bucket) for more details and how to fix the issue.
+
+## Cannot exceed quota for RolesPerAccount error
+You encounter an error similar to this one during LZA installation:
+
+```
+Deployment failed: Error: The stack named ASEA-SecurityResourcesStack-<account>-<region> failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Cannot exceed quota for RolesPerAccount: 1000 (Service: Iam, Status Code: 409, Request ID: )" (RequestToken: , HandlerErrorCode: ServiceLimitExceeded)
+
+```
+
+You need to request a limit increase for the RolesPerAccount Quota. See the FAQ [Which Service Quotas should be monitored for the upgrade?](./faq.md#which-service-quotas-should-be-monitored-for-the-upgrade)