From 2b137e75f1563bc8be4f90e9c1d0fdcbe4b95215 Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Sun, 3 Apr 2022 15:22:11 +0200 Subject: [PATCH 1/6] fix: #242 ensuring alias is set or raise error. --- .../account_processing/configure_account_alias.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py index 81fe95e15..6a330166f 100644 --- a/src/lambda_codebase/account_processing/configure_account_alias.py +++ b/src/lambda_codebase/account_processing/configure_account_alias.py @@ -22,8 +22,12 @@ def create_account_alias(account, iam_client): ) try: iam_client.create_account_alias(AccountAlias=account.get("alias")) - except iam_client.exceptions.EntityAlreadyExistsException: - pass + except iam_client.exceptions.EntityAlreadyExistsException as error: + LOGGER.error( + 'The account alias security already exists. ' + + 'The account alias must be unique across all Amazon Web Services products. ' + + 'Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias') + raise error return account @@ -40,4 +44,4 @@ def lambda_handler(event, _): LOGGER.info( f"Account: {event.get('account_full_name')} does not need an alias" ) - return event + return event \ No newline at end of file From 27eabbeb3842e0018787c960f92a819f208a99ef Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Sun, 3 Apr 2022 15:25:46 +0200 Subject: [PATCH 2/6] Ensuring the readme.md file clearly states that a non-unique alias will raise an error --- .../initial_commit/bootstrap_repository/adf-accounts/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md index 9665c1b83..20755b129 100644 
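Review bot: Re-raising on `EntityAlreadyExistsException` in `create_account_alias` may break re-runs for accounts that already own the requested alias, if IAM reports that case with the same exception (worth confirming against the API). Before the create call, the function could check `iam_client.list_account_aliases()` and return `account` early when `account.get("alias")` is already listed, so that only a genuine collision with another account stops the state machine. A bare `raise` is also the more idiomatic way to propagate the caught exception than `raise error`. The function's body starts above this hunk.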
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md @@ -38,7 +38,7 @@ The OU name is the name of the direct parent of the account. If you want to move - `support_level`: `basic|enterprise` ADF will raise a ticket to add the account to an existing AWS support subscription when an account is created. Currently only supports basic or enterprise. **NB: This is for activating enterprise support on account creation only. As a prerequisite your organization master account must already have enterprise support activated** -- `alias`: AWS account alias. Must be unique globally otherwise cannot be created. Check [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) for further details. If the account alias is not created or already exists, in the Federation login page, no alias will be presented +- `alias`: AWS account alias. Must be unique globally otherwise cannot be created. Check [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) for further details. If the account alias is not created or already exists, in the Federation login page, no alias will be presented. This needs to be unique across all customers, if the alias is already taken the AccountManagementStateMachine will stop and raise an error. - `tags`: list of tags associate to the account. ### Examples From 5417713356c7fd8afd183f7d89cb731655db461d Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Sun, 3 Apr 2022 16:00:28 +0200 Subject: [PATCH 3/6] Adding final new line to satisfy pylint --- .../account_processing/configure_account_alias.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py index 6a330166f..a420b4b7a 100644 
--- a/src/lambda_codebase/account_processing/configure_account_alias.py +++ b/src/lambda_codebase/account_processing/configure_account_alias.py @@ -44,4 +44,4 @@ def lambda_handler(event, _): LOGGER.info( f"Account: {event.get('account_full_name')} does not need an alias" ) - return event \ No newline at end of file + return event From 44353515d4b88eee4d22d97e34e87e65335e620f Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Sun, 3 Apr 2022 16:09:12 +0200 Subject: [PATCH 4/6] Adding changing to multiline string to satisfy pylint --- .../account_processing/configure_account_alias.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py index a420b4b7a..1461e2807 100644 --- a/src/lambda_codebase/account_processing/configure_account_alias.py +++ b/src/lambda_codebase/account_processing/configure_account_alias.py @@ -24,9 +24,10 @@ def create_account_alias(account, iam_client): iam_client.create_account_alias(AccountAlias=account.get("alias")) except iam_client.exceptions.EntityAlreadyExistsException as error: LOGGER.error( - 'The account alias security already exists. ' + - 'The account alias must be unique across all Amazon Web Services products. ' + - 'Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias') + """The account alias security already exists. + The account alias must be unique across all Amazon Web Services products. + Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias""" + ) raise error return account From 86937fc3d96fea69dcbd4df03edecaaa9c6d39eb Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Thu, 7 Apr 2022 12:13:18 +0200 Subject: [PATCH 5/6] Adding tests for account_alias --- .../tests/test_account_alias.py | 47 ++++++++++++++----- 1 file changed, 35 insertions(+), 12 deletions(-) 
diff --git a/src/lambda_codebase/account_processing/tests/test_account_alias.py b/src/lambda_codebase/account_processing/tests/test_account_alias.py
index 30271e732..56bf0ae96 100644
--- a/src/lambda_codebase/account_processing/tests/test_account_alias.py
+++ b/src/lambda_codebase/account_processing/tests/test_account_alias.py
@@ -2,24 +2,47 @@ Tests the account alias configuration lambda """ +import unittest import boto3 from botocore.stub import Stubber +from botocore.exceptions import ClientError from aws_xray_sdk import global_sdk_config from ..configure_account_alias import create_account_alias global_sdk_config.set_sdk_enabled(False) -# pylint: disable=W0106 -def test_account_alias(): - test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"} - iam_client = boto3.client("iam") - stubber = Stubber(iam_client) - create_alias_response = {} - stubber.add_response( - "create_account_alias", create_alias_response, {"AccountAlias": "MyCoolAlias"} - ), - stubber.activate() +class SuccessTestCase(unittest.TestCase): + # pylint: disable=W0106 + def test_account_alias(self): + test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"} + iam_client = boto3.client("iam") + stubber = Stubber(iam_client) + create_alias_response = {} + stubber.add_response( + "create_account_alias", create_alias_response, {"AccountAlias": "MyCoolAlias"} + ), + stubber.activate() - response = create_account_alias(test_account, iam_client) + response = create_account_alias(test_account, iam_client) - assert response == test_account + self.assertEqual(response, test_account) + +class FailureTestCase(unittest.TestCase): + # pylint: disable=W0106 + def test_account_alias_when_nonunique(self): + test_account = {"account_id": 123456789012, "alias": "nonunique"} + iam_client = boto3.client("iam") + stubber = Stubber(iam_client) + stubber.add_client_error( + 'create_account_alias', + 'EntityAlreadyExistsException', + 'An error occurred (EntityAlreadyExists) when calling the CreateAccountAlias operation: The account alias nonunique already exists.' + ) + stubber.activate() + + with self.assertRaises(ClientError) as _error: + create_account_alias(test_account, iam_client) + self.assertRegex( + str(_error.exception), + r'.*The account alias nonunique already exists.*' + ) 
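Review bot: `test_account_alias_when_nonunique` probably never reaches the new `except` branch, because the stub passes the error code `'EntityAlreadyExistsException'` while botocore selects modeled exception classes by the service's error code, which appears to be `EntityAlreadyExists` (the stubbed message itself uses that form). With the mismatched code the client would raise a plain `ClientError`, so `assertRaises(ClientError)` passes even if the handler were removed. Stub `'EntityAlreadyExists'` and assert `iam_client.exceptions.EntityAlreadyExistsException`, and if `LOGGER` is a standard `logging` logger, wrap the call in `self.assertLogs(level="ERROR")` to pin the logged message; the test hunk in patch 6/6 leaves the same code string unchanged. The `# pylint: disable=W0106` on the failure test looks copied from the success test and is likely unnecessary, since no trailing-comma expression statement is visible in it.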
From 3ef86e3ed946a600df585d4283f77aaafec8271b Mon Sep 17 00:00:00 2001 From: Javy de Koning Date: Tue, 24 May 2022 08:36:58 +0200 Subject: [PATCH 6/6] fix: removing hardcoded account alias in error message and updating test --- .../account_processing/configure_account_alias.py | 6 +++--- .../account_processing/tests/test_account_alias.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py index 1461e2807..b1c681b4b 100644 --- a/src/lambda_codebase/account_processing/configure_account_alias.py +++ b/src/lambda_codebase/account_processing/configure_account_alias.py @@ -24,9 +24,9 @@ def create_account_alias(account, iam_client): iam_client.create_account_alias(AccountAlias=account.get("alias")) except iam_client.exceptions.EntityAlreadyExistsException as error: LOGGER.error( - """The account alias security already exists. - The account alias must be unique across all Amazon Web Services products. - Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias""" + f"The account alias {account.get('alias')} already exists." + "The account alias must be unique across all Amazon Web Services products." + "Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#AboutAccountAlias" ) raise error return account diff --git a/src/lambda_codebase/account_processing/tests/test_account_alias.py b/src/lambda_codebase/account_processing/tests/test_account_alias.py index 56bf0ae96..9143cb6ae 100644 --- a/src/lambda_codebase/account_processing/tests/test_account_alias.py +++ b/src/lambda_codebase/account_processing/tests/test_account_alias.py 
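Review bot: The three adjacent string literals passed to `LOGGER.error` in `create_account_alias` are concatenated with no separator, so the logged message runs together as `already exists.The account alias must be unique ... products.Refer to ...`. End the first two literals with a space, e.g. `f"The account alias {account.get('alias')} already exists. "`. Passing the alias as a lazy logging argument (`LOGGER.error("The account alias %s already exists. ...", account.get("alias"))`) would also keep a config-supplied value out of the format string itself. The function's body starts above this hunk.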
@@ -36,7 +36,7 @@ def test_account_alias_when_nonunique(self): stubber.add_client_error( 'create_account_alias', 'EntityAlreadyExistsException', - 'An error occurred (EntityAlreadyExists) when calling the CreateAccountAlias operation: The account alias nonunique already exists.' + f"An error occurred (EntityAlreadyExists) when calling the CreateAccountAlias operation: The account alias {test_account.get('alias')} already exists." ) stubber.activate()