Merge pull request #80 from aws-ia/sra-mig

Support Non-Control Tower environments
aws-ia · Dec 19, 2023 · 38ad1f1 · 38ad1f1
2 parents c2d3dac + 58ac00f
commit 38ad1f1
Show file tree

Hide file tree

Showing 8 changed files with 121 additions and 23 deletions.
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
@@ -5,23 +5,46 @@
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+NON_CT_ENV="039084729647"
 
 cd ${PROJECT_PATH}
 
-regions=(us-east-1 us-east-2 us-west-2 us-west-1)
-for region in ${regions[@]}
-do
-    echo "Cleanup running in region: $region"
-    export AWS_DEFAULT_REGION=$region
+cleanup_region() {
+    echo "Cleanup running in region: $1"
+    export AWS_DEFAULT_REGION=$1
     python3 scripts/cleanup_config.py -C scripts/cleanup_config.json
-done
-
-echo $AWS_DEFAULT_REGION
-unset AWS_DEFAULT_REGION
-
-echo $AWS_DEFAULT_REGION
+}
+
+cleanup_all_regions() {
+    export AWS_DEFAULT_REGION=us-east-1
+    regions=($(aws ec2 describe-regions --query "Regions[*].RegionName" --output text))
+    for region in ${regions[@]}
+    do
+        cleanup_region ${region}
+    done
+}
+
+run_test() {
+    echo "Running e2e test: $1"
+    cleanup_all_regions
+    echo $AWS_DEFAULT_REGION
+    unset AWS_DEFAULT_REGION
+    echo $AWS_DEFAULT_REGION
+    taskcat test run -t $1
+}
+
+acct_id=$(aws sts get-caller-identity --output text --query 'Account')
+
+# if account id is xxxx do this
+if [ "$acct_id" == ${NON_CT_ENV} ]; then
+    run_test "launch-partner-solution-nonct"
+else
+    run_test "launch-partner-solution"
+fi
 # Run taskcat e2e test
-taskcat test run
+#run_test "launch-partner-solution"
+
+#run_test "launch-partner-solution-nonct"
 
 ## Executing ash tool
 

diff --git a/.taskcat.yml b/.taskcat.yml
@@ -17,6 +17,19 @@ tests:
       - us-east-1
     template: templates/abi-enable-partner1-securityhub-integration.yaml
 
+  launch-partner-solution-nonct:
+    parameters:
+      pSRASourceS3BucketName: $[taskcat_autobucket]
+      pSRAStagingS3Key: $[taskcat_project_name]
+      pProductArn: arn:aws:securityhub:$[taskcat_current_region]::product/cloud-custodian/cloud-custodian
+      pControlTower: "false"
+      pGovernedRegions: "us-east-1,us-west-1"
+      pSecurityAccountId: "809545598792"
+      pLogArchiveAccountId: "866786363886"
+      pCreateAWSControlTowerExecutionRole: "true"
+    regions:
+      - us-east-1
+    template: templates/abi-enable-partner1-securityhub-integration.yaml
 #  sample:
 #    parameters:
 #      Param1: 'Inputs to Stack'
@@ -33,4 +46,4 @@ tests:
 #      #
 #    regions:
 #    - us-east-1
-#    template: templates/sample-workload.template.yaml
+#    template: templates/sample-workload.template.yaml
diff --git a/guide/content/deployment-options.md b/guide/content/deployment-options.md
@@ -20,6 +20,13 @@ Launch the CloudFormation template provided as part <project-root>/templates/ in
 
 1. Login to your Management Account to deploy this ABI package.
 2. Choose [Launch Stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/new?stackName=launch-abi-sample-partner-integration&templateURL=https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-aws-reference-guide/templates/abi-enable-partner1-securityhub-integration.yaml) and change the AWS Region to your AWS Control Tower home region.
+
+  > **Note:** If you are **NOT** using **AWS Control Tower** in the environment where your are launching this solution, fill-in following parameters:
+  >  1. **pControlTower:** `false`
+  >  2. **pGovernedRegions:** `us-east-1,us-west-1` (comma separated *list of regions*)
+  >  3. **pSecurityAccountId:** `XXXXXXXXXXXX` (AWS Account Id of the *Security/Audit* Account)
+  >  4. **pLogArchiveAccountId:** `XXXXXXXXXXXX` (AWS Account Id of the *Log Archive* Account)
+
 3. Choose **Next**.
 4. Type value to **ARN of partner integration to turn on in AWS Security Hub:** `arn:aws:securityhub:$[taskcat_current_region]::product/cloud-custodian/cloud-custodian` and leave the remaining values default.
 5. Choose both the **Capabilities** and select **Submit** to launch the stack.

diff --git a/guide/content/overview.md b/guide/content/overview.md
@@ -4,7 +4,7 @@ title: AWS Built-in Overview
 description: 
 ---
 
-[AWS Built-in](https://aws.amazon.com/partners/built-in-partner-solutions/) (ABI) is a validated program awarded to ISV Partners to help customers deploy third-party software integrated with AWS native services. Target customers prefer to buy a turnkey solution versus installing, securing, and configuring AWS Native Services themselves in order to realize the full benefits of 3rd party software. Partner owned Built-in offerings provide deployment packages where partner solutions are integrated with AWS services via IaC, which reduces the time customers spend from weeks to minutes and helps increase customer efficiency by optimizing the time to deploy new initiatives.
+[AWS Built-in](https://aws.amazon.com/partners/built-in-partner-solutions/) (ABI) is a validated program awarded to ISV Partners to help customers deploy third-party software integrated with AWS native services. Customers prefer to buy a turnkey solution versus installing, securing, and configuring AWS native services themselves in order to realize the full benefits of third-party party software. Partner owned Built-in offerings provide deployment packages where partner solutions are integrated with AWS services via IaC. This reduces the time customers spend from weeks to hours and helps increase customer efficiency by optimizing the time to deploy new initiatives.
 
 AWS built-in partner solutions install, configure, and integrate with key foundational AWS services using a well-architected Modular Code Repository (MCR) in an automated deployment package validated by AWS experts, increasing time to value. This automated integration is independently verified by AWS and saves hours, days, or even weeks of vendor integration testing.
 

diff --git a/guide/content/things-to-know.md b/guide/content/things-to-know.md
@@ -8,13 +8,15 @@ This section provides information on things that you need to know about AWS Buil
 
 The following steps are applicable for both partners and customers. Partners who are building the solution should follow guidelines when deploying an ABI package in any AWS environment. In addition, include these in the repository documentation.
 
-* For the current release, the existing modules are expected to operate only in AWS Control Tower environments. Hence, the modules provided as part of ABI should be deployed only in the ***Management Account*** within the ***Home Region of AWS Control Tower***.
+* _[Updated Dec 2023]_ ~~For the current release, the existing modules are expected to operate only in AWS Control Tower environments~~. The modules provided as part of ABI package should be deployed only in the ***Management Account*** (within the ***Home Region of AWS Control Tower*** when it is used).
+
 * Follow the instructions in this [link](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) to enable trusted access for AWS CloudFormation StackSets with AWS Organizations via AWS CloudFormation StackSets console.
 
 The guidelines below don't apply to customers; they only apply to the partners who are building the solution.
 
-* Granting write permissions to GitHub repository is disabled by ABP when you add external contributors. This is required by AWS Security. Hence, the external contributors will not be able to create branches or merge the code to the main branch. Work with your AWS PSA contact to get the code merged to the main branch.
-* The GitHub repositories remain private until completion of the initial release.  Any GitHub IDs need to added manually to get access to the repository. Work with your AWS PSA contact to get access to the repository.
+* Granting write permissions to GitHub repository is disabled for external contributors (non-AWS builders). This is required by AWS Security. Hence, the external contributors will not be able to create branches or merge the code to the main branch. Instead, fork the repo and submit the PR. Work with your AWS PSA contact to get additional support if needed.
+
+* The GitHub repositories remain private until completion of the initial release. The GitHub IDs need to added manually to get access to the repository. Work with your AWS PSA contact to get access to the repository.
 
 
 #### List of available ABI / SRA modules

diff --git a/scripts/cleanup_config.json b/scripts/cleanup_config.json
@@ -37,17 +37,17 @@
     },
     {
         "Type" : "SSM_PARAMETER",
-        "Filter" : "/sra/control-tower/",
-        "Account" : "log_account"
+        "Filter" : "/sra/staging-s3-bucket-name"
     },
     {
         "Type" : "SSM_PARAMETER",
-        "Filter" : "/sra/regions/",
+        "Filter" : "/sra/control-tower/",
         "Account" : "log_account"
     },
     {
         "Type" : "SSM_PARAMETER",
-        "Filter" : "/sra/"
+        "Filter" : "/sra/regions/",
+        "Account" : "log_account"
     },
     {
         "Type" : "S3_BUCKET",

diff --git a/scripts/cleanup_config.py b/scripts/cleanup_config.py
@@ -292,7 +292,7 @@ def establish_remote_session(account):
 
     return result
 
-def get_log_archive_account(parameter_name='/sra/gd/control-tower/log-archive-account-id'):
+def get_log_archive_account(parameter_name='/sra/control-tower/log-archive-account-id'):
     '''
     Get log archive account ID
     '''
@@ -390,6 +390,7 @@ def delete_detector():
                 print('Deleting GuardDuty Detector in %s', account['Id'])
                 gd_client.delete_detector(DetectorId=det_id)
 
+
 def list_cb_projects():
     '''
     List all CodeBuild projects

diff --git a/templates/abi-enable-partner1-securityhub-integration.yaml b/templates/abi-enable-partner1-securityhub-integration.yaml
@@ -14,11 +14,18 @@ Metadata:
           - pSRAAlarmEmail
           - pRepoURL
           - pRepoBranch
+      - Label:
+          default: Landing Zone
+        Parameters:
+          - pControlTower
+          - pGovernedRegions
+          - pSecurityAccountId
+          - pLogArchiveAccountId
+          - pCreateAWSControlTowerExecutionRole
       - Label:
           default: Partner Integration details
         Parameters:
           - pProductArn
-
       - Label:
           default: SecurityHub Configuration Properties
         Parameters:
@@ -79,6 +86,16 @@ Metadata:
         default: URL of the AWS SRA Repository
       pRepoBranch:
         default: A tag version to use with in the SRA repository
+      pControlTower:
+        default: pControlTower
+      pGovernedRegions:
+        default: pGovernedRegions
+      pSecurityAccountId:
+        default: pSecurityAccountId
+      pLogArchiveAccountId:
+        default: pLogArchiveAccountId
+      pCreateAWSControlTowerExecutionRole:
+        default: Create AWS Control Tower Execution Role
 Parameters:
   pRepoURL:
     Default: "https://github.com/aws-samples/aws-security-reference-architecture-examples.git"
@@ -177,6 +194,36 @@ Parameters:
     AllowedPattern: ^[a-z][a-z]-[a-z]*-[0-9]*$
     Type: String
     Default: us-east-1
+  pControlTower:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
+    Type: String
+  pGovernedRegions:
+    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
+    ConstraintDescription:
+      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
+    Default: ct-regions
+    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+    Type: String
+  pSecurityAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 111111111111
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
+    Type: String
+  pLogArchiveAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 222222222222
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
+    Type: String
+  pCreateAWSControlTowerExecutionRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether the AWS Control Tower Execution role should be created. (AWS Control Tower landing zone must be deployed and 'pControlTower' must be set to 'true')
+    Type: String
 
 Resources:
   rSecurityHubEnableInOrg:
@@ -200,6 +247,11 @@ Resources:
         pLambdaLogLevel: !Ref pLambdaLogLevel
         pRegionLinkingMode: !Ref pRegionLinkingMode
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
+        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
       Tags:
         - Key: sra-solution
           Value: !Ref pSRAStagingS3KeyPrefix