aws-ia · gcasilva · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024 · Mar 6, 2024
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
@@ -5,11 +5,12 @@
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
-
+export REGION=$(grep -A1 regions: .taskcat.yml | awk '/ - / {print $NF}' |sort | uniq -c |sort -k1| head -1 |awk '{print $NF}')
 cd ${PROJECT_PATH}
-
+NON_CT_ENV="211125739641"
 # Retrieve the AWS account ID and store it in a variable
 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+echo "Account ID: $AWS_ACCOUNT_ID"
 
 cleanup_region() {
     echo "Cleanup running in region: $1"
@@ -18,7 +19,7 @@ cleanup_region() {
 }
 
 cleanup_all_regions() {
-    export AWS_DEFAULT_REGION=us-east-1
+    export AWS_DEFAULT_REGION=$REGION
     regions=($(aws ec2 describe-regions --query "Regions[*].RegionName" --output text))
     for region in ${regions[@]}
     do
@@ -35,8 +36,16 @@ run_test() {
     taskcat test run -n -t $1
     .project_automation/functional_tests/scoutsuite/scoutsuite.sh
 }
-# Run taskcat e2e test
-run_test "cfn-abi-lacework-polygraph-multi-org-multi-sub-mapping"
+
+# if account id is xxxx do this
+if [ "$AWS_ACCOUNT_ID" == ${NON_CT_ENV} ]; then
+    # Run taskcat e2e test for Non-Control Tower environment
+    run_test "cfn-abi-lacework-polygraph-non-controltower"
+else
+    # Run taskcat e2e test for Control Tower environment
+    echo "Account ID: $AWS_ACCOUNT_ID"
+    run_test "cfn-abi-lacework-polygraph-multi-org-multi-sub-mapping"
+fi
 
 ## Executing ash tool
 

diff --git a/.project_automation/functional_tests/scoutsuite/scoutsuite.sh b/.project_automation/functional_tests/scoutsuite/scoutsuite.sh
@@ -19,7 +19,7 @@ run_scoutsuite() {
     # Upload Scoutsuite security scan results to S3 bucket named scoutsuite-results-aws-AWS-ACCOUNT-ID
     python3 .project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py
     # Delete taskcat e2e test resources
-    taskcat test clean ALL
+    taskcat test clean ALL -w -r $REGION
     process_scoutsuite_report
 }
 

diff --git a/.taskcat.yml b/.taskcat.yml
@@ -8,7 +8,7 @@ project:
 tests:
   cfn-abi-lacework-polygraph-multi-org-multi-sub-mapping:
     regions:
-      - us-east-1 # Control Tower Home region for Pilot
+      - us-east-1 
     template: templates/cfn-abi-lacework-polygraph.template.yaml
     parameters:
       pSRAStagingS3KeyPrefix: $[taskcat_project_name]
@@ -17,4 +17,30 @@ tests:
       LaceworkURL: laceworkalliances.lacework.net
       LaceworkAccessKeyID: $[taskcat_ssm_/lacework/LaceworkAccessKeyID]
       LaceworkSecretKey: $[taskcat_ssm_/lacework/LaceworkSecretKey]
-      pDisableGuardDuty: 'Yes'
+      pDisableGuardDuty: 'Yes'
+      KMSKeyIdentifierARN: $[taskcat_ssm_/lacework/CloudTrailKMSARN]
+  cfn-abi-lacework-polygraph-non-controltower:
+    regions:
+      - us-east-1
+    template: templates/cfn-abi-lacework-polygraph.template.yaml
+    parameters:
+      pSRAStagingS3KeyPrefix: $[taskcat_project_name]
+      pSRASourceS3BucketName: $[taskcat_autobucket]
+      pSRAS3BucketRegion: $[taskcat_current_region]
+      LaceworkURL: laceworkalliances.lacework.net
+      LaceworkAccessKeyID: $[taskcat_ssm_/lacework/LaceworkAccessKeyID]
+      LaceworkSecretKey: $[taskcat_ssm_/lacework/LaceworkSecretKey]
+      pDisableGuardDuty: 'Yes'
+      pControlTower: 'false'
+      pLogArchiveAccountId: $[taskcat_ssm_/nonct/log-archive-account-id]
+      pSecurityAccountId: $[taskcat_ssm_/nonct/audit-account-id]
+      pGovernedRegions: 'us-east-1'
+      pAdminRoleName: 'AWSCloudFormationStackSetAdministrationRole'
+      pExecRoleName: 'AWSCloudFormationStackSetExecutionRole'
+      LaceworkAccount: 'laceworkalliances'
+      OrganizationID: 'o-5py8cuszlp'
+      OrganizationalUnit: 'ou-aty9-5t69fbhr'
+      ResourceNamePrefix: 'lw-stackset'
+      ExistingCloudTrail: 'organization-trail'
+      KMSKeyIdentifierARN: $[taskcat_ssm_/lacework/CloudTrailKMSARN]
+      LogAccountName: 'Log Archive'
diff --git a/scripts/cleanup_config.json b/scripts/cleanup_config.json
@@ -65,12 +65,7 @@
     },
     {
         "Type" : "SSM_PARAMETER",
-        "Filter" : "/sra/"
-    },
-    {
-        "Type" : "S3_BUCKET",
-        "Filter" : "sra-guardduty-org-delivery-",
-        "Account" : "log_account"
+        "Filter" : "/sra/staging-s3-bucket-name"
     },
     {
         "Type" : "S3_BUCKET",
@@ -89,11 +84,6 @@
         "Filter": "sra-org-trail-logs-",
         "Account": "log_account"
     },
-    {
-        "Type" : "S3_BUCKET",
-        "Filter" : "sra-guardduty-org-delivery-",
-        "Account" : "log_account"
-    },
     {
         "Type" : "S3_BUCKET",
         "Filter" : "cfn-abi-amazon-guardduty-"
@@ -174,6 +164,18 @@
         "Type" : "STACK_SET",
         "Filter" : "sra-stackset-execution-role"
     },
+    {
+        "Type" : "STACK_SET",
+        "Filter" : "sra-staging-s3-bucket-management-account-regions"
+    },
+    {
+        "Type" : "STACK_SET",
+        "Filter" : "sra-guardduty-org-delivery-s3-bucket"
+    },
+    {
+        "Type" : "STACK_SET",
+        "Filter" : "sra-guardduty-org-delivery-kms-key"
+    },
     {
         "Type" : "STACK",
         "Filter" : "sra-common-prerequisites-staging-s3-bucket"