
Commit 6b5a43b

Update code and documentation for apg publication (#2)
Update code and documentation for apg publication.
1 parent 311fa16 commit 6b5a43b


7 files changed

+301
-110
lines changed


README.md

Lines changed: 233 additions & 60 deletions

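--- a/constants.py
+++ b/constants.py
@@ -27,6 +27,7 @@
 
 
 ACCOUNT_ID = "111111111111"
+ROLE_ARN = ""
 AWS_CONTROL_TOWER_REGION = "eu-west-1"
 
 # pylint: disable=duplicate-code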
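Review bot: The new `ROLE_ARN` constant carries no comment, although setting it switches the stack's AWS Organizations lookups onto assumed-role credentials (see stacks/aws_control_tower_guardrails_stack.py in this commit); a one-line comment next to it would save the reader a trip to the stack file: `# ARN of an IAM role to assume for AWS Organizations lookups; empty = use the default credential chain`. The placeholder `ACCOUNT_ID` line above it has the same gap, but it is not changed here.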

img/ctc-architecture.png

42.8 KB

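--- a/package.json
+++ b/package.json
@@ -1,8 +1,5 @@
 {
-"scripts": {
-"preinstall": "/usr/bin/env gem install cfn-nag"
-},
-"dependencies": {
-"aws-cdk": "^2.84.0"
-}
-}
+"dependencies": {
+"aws-cdk": "^2.84.0"
+}
+}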

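--- a/requirements/requirements-dev.txt
+++ b/requirements/requirements-dev.txt
@@ -4,41 +4,41 @@
 #
 # pip-compile requirements/requirements-dev.in
 #
-astroid==2.15.5
+astroid==2.15.6
 # via pylint
 bandit==1.7.5
-# via -r requirements-dev.in
+# via -r requirements/requirements-dev.in
 black==22.12.0
-# via -r requirements-dev.in
+# via -r requirements/requirements-dev.in
 certifi==2023.7.22
 # via requests
-charset-normalizer==3.1.0
+charset-normalizer==3.2.0
 # via requests
-click==8.1.3
+click==8.1.6
 # via
 # black
 # safety
 colorama==0.4.6
 # via radon
 coverage==7.2.7
-# via -r requirements-dev.in
-dill==0.3.6
+# via -r requirements/requirements-dev.in
+dill==0.3.7
 # via pylint
-dparse==0.6.2
+dparse==0.6.3
 # via safety
 flake8==3.9.2
-# via -r requirements-dev.in
+# via -r requirements/requirements-dev.in
 future==0.18.3
 # via radon
 gitdb==4.0.10
 # via gitpython
-gitpython==3.1.31
+gitpython==3.1.32
 # via bandit
 idna==3.4
 # via requests
 isort==5.12.0
 # via
-# -r requirements-dev.in
+# -r requirements/requirements-dev.in
 # pylint
 lazy-object-proxy==1.9.0
 # via astroid
@@ -52,8 +52,8 @@ mccabe==0.6.1
 # pylint
 mdurl==0.1.2
 # via markdown-it-py
-mypy==1.3.0
-# via -r requirements-dev.in
+mypy==1.4.1
+# via -r requirements/requirements-dev.in
 mypy-extensions==1.0.0
 # via
 # black
@@ -62,64 +62,70 @@ packaging==21.3
 # via
 # dparse
 # safety
-pathspec==0.11.1
+pathspec==0.11.2
 # via black
 pbr==5.11.1
 # via stevedore
-platformdirs==3.6.0
+platformdirs==3.10.0
 # via
 # black
 # pylint
 pycodestyle==2.7.0
 # via flake8
 pyflakes==2.3.1
 # via flake8
-pygments==2.15.1
+pygments==2.16.1
 # via rich
-pylint==2.17.4
-# via -r requirements-dev.in
-pyparsing==3.1.0
+pylint==2.17.5
+# via -r requirements/requirements-dev.in
+pyparsing==3.1.1
 # via packaging
-pyyaml==6.0
+pyyaml==6.0.1
 # via
 # bandit
 # xenon
 radon==5.1.0
 # via
-# -r requirements-dev.in
+# -r requirements/requirements-dev.in
 # xenon
 requests==2.31.0
 # via
 # safety
 # xenon
-rich==13.4.2
+rich==13.5.2
 # via bandit
 ruamel-yaml==0.17.32
 # via safety
 ruamel-yaml-clib==0.2.7
 # via ruamel-yaml
 safety==2.3.5
-# via -r requirements-dev.in
+# via -r requirements/requirements-dev.in
 six==1.16.0
 # via mando
 smmap==5.0.0
 # via gitdb
 stevedore==5.1.0
 # via bandit
-toml==0.10.2
-# via dparse
-tomlkit==0.11.8
+tomli==2.0.1
+# via
+# black
+# dparse
+# mypy
+# pylint
+tomlkit==0.12.1
 # via pylint
-typing-extensions==4.6.3
-# via mypy
+typing-extensions==4.7.1
+# via
+# astroid
+# mypy
 urllib3==1.26.16
 # via
-# -c requirements.in
+# -c requirements/requirements.in
 # requests
 wrapt==1.15.0
 # via astroid
 xenon==0.9.0
-# via -r requirements-dev.in
+# via -r requirements/requirements-dev.in
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools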

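--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -8,40 +8,40 @@ attrs==23.1.0
 # via
 # cattrs
 # jsii
-aws-cdk-asset-awscli-v1==2.2.195
+aws-cdk-asset-awscli-v1==2.2.200
 # via aws-cdk-lib
 aws-cdk-asset-kubectl-v20==2.1.2
 # via aws-cdk-lib
-aws-cdk-asset-node-proxy-agent-v5==2.0.165
+aws-cdk-asset-node-proxy-agent-v5==2.0.166
 # via aws-cdk-lib
-aws-cdk-lib==2.84.0
+aws-cdk-lib==2.90.0
 # via
 # -r requirements/requirements.in
 # cdk-nag
-boto3==1.26.155
+boto3==1.28.21
 # via -r requirements/requirements.in
-botocore==1.29.155
+botocore==1.31.21
 # via
 # boto3
 # s3transfer
 cattrs==23.1.2
 # via jsii
-cdk-nag==2.27.42
+cdk-nag==2.27.93
 # via -r requirements/requirements.in
-constructs==10.2.54
+constructs==10.2.69
 # via
 # -r requirements/requirements.in
 # aws-cdk-lib
 # cdk-nag
-exceptiongroup==1.1.1
+exceptiongroup==1.1.2
 # via cattrs
-importlib-resources==5.12.0
+importlib-resources==6.0.1
 # via jsii
 jmespath==1.0.1
 # via
 # boto3
 # botocore
-jsii==1.84.0
+jsii==1.86.1
 # via
 # aws-cdk-asset-awscli-v1
 # aws-cdk-asset-kubectl-v20
@@ -75,7 +75,7 @@ typeguard==2.13.3
 # cdk-nag
 # constructs
 # jsii
-typing-extensions==4.6.3
+typing-extensions==4.7.1
 # via
 # cattrs
 # jsii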

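--- a/stacks/aws_control_tower_guardrails_stack.py
+++ b/stacks/aws_control_tower_guardrails_stack.py
@@ -15,13 +15,16 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 from typing import Dict, Generator, List
+import importlib
 
 import boto3
 from aws_cdk import Stack
 from aws_cdk.aws_controltower import CfnEnabledControl
 from constructs import Construct
 
-from constants import GUARDRAILS_CONFIGURATION
+from constants import GUARDRAILS_CONFIGURATION, AWS_CONTROL_TOWER_REGION
+
+ROLE_ARN = getattr(importlib.import_module("constants"), "ROLE_ARN", None)
 
 
 class AwsControlTowerGuardrailsStack(Stack):
@@ -77,10 +80,21 @@ def get_organizational_unit_arns(
 Dict[str, str]: map from organizational unit arn to organizational id
 """
 
+if ROLE_ARN != None and ROLE_ARN != "":
+session_name = ROLE_ARN.split("/")[-1][0:64]
+response = boto3.client("sts").assume_role(RoleArn=ROLE_ARN, RoleSessionName=session_name)
+boto3_session = boto3.session.Session(
+aws_access_key_id=response["Credentials"]["AccessKeyId"],
+aws_secret_access_key=response["Credentials"]["SecretAccessKey"],
+aws_session_token=response["Credentials"]["SessionToken"]
+)
+client = boto3_session.client("organizations", region_name = AWS_CONTROL_TOWER_REGION)
+else:
+client = boto3.client("organizations")
+
 organizational_units_arns = {}
 
 for organizational_unit_id in organizational_units_ids:
-client = boto3.client("organizations")
 
 response = client.describe_organizational_unit(
 OrganizationalUnitId=organizational_unit_id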
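Review bot: The credential branch tests `ROLE_ARN != None and ROLE_ARN != ""`, which a plain truthiness check expresses in one idiomatic step, `if ROLE_ARN:` (PEP 8 also asks for `is not None` over `!= None`). The module-level `ROLE_ARN = getattr(importlib.import_module("constants"), "ROLE_ARN", None)` in the first hunk duplicates the `from constants import ...` two lines above it; since constants.py in this same commit defines `ROLE_ARN = ""`, a direct `from constants import ROLE_ARN` would do, and if the indirection is meant to tolerate an older constants.py without that attribute, that intent deserves a comment. The assume-role credentials are copied into a static `boto3.session.Session`, so they are never refreshed and stop working once the role's session duration elapses; that is acceptable for a one-off synth-time lookup but worth stating, e.g. `# one-shot temporary credentials: not refreshed, fine for a single synth-time lookup`. The `else` branch builds the Organizations client without `region_name` while the assume-role branch pins `AWS_CONTROL_TOWER_REGION`; if the region matters for this call it should be passed in both branches, otherwise dropped from both. The enclosing `get_organizational_unit_arns` method starts and ends outside the hunk.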
