fixes from init testing

Author: Justin

aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/app.py

@@ -159,7 +159,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
         parameter_pattern_validator(
             "RESOURCES_TO_PROTECT",
             os.environ.get("RESOURCES_TO_PROTECT"),
-            pattern=r"arn:aws:[a-z0-9-]+:([a-z0-9-]+:){0,2}[0-9]{12}:.+",
+            pattern=r"arn:aws:([a-z0-9-]+:+([a-z0-9-]+:){0,2}[0-9]{12}:[a-z0-9-]+\/?[a-zA-Z0-9-]+\/?[a-zA-Z0-9-]+\/?[a-zA-Z0-9-]+)+(?:,|$)*",
         )
     )
     params.update(
@@ -210,23 +210,23 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
         parameter_pattern_validator(
             "SHIELD_PROACTIVE_ENGAGEMENT_EMAIL",
             os.environ.get("SHIELD_PROACTIVE_ENGAGEMENT_EMAIL"),
-            pattern=r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$",
+            pattern=r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$|^$",
             is_optional=True,
         )
     )
     params.update(
         parameter_pattern_validator(
             "SHIELD_PROACTIVE_ENGAGEMENT_PHONE_NUMBER",
             os.environ.get("SHIELD_PROACTIVE_ENGAGEMENT_PHONE_NUMBER"),
-            pattern=r"^\+?[1-9]\d{1,14}$",
+            pattern=r"^\+?[1-9]\d{1,14}$|^$",
             is_optional=True,
         )
     )
     params.update(
         parameter_pattern_validator(
             "SHIELD_PROACTIVE_ENGAGEMENT_NOTES",
             os.environ.get("SHIELD_PROACTIVE_ENGAGEMENT_NOTES"),
-            pattern=r"^[a-zA-Z0-9\s]+$",
+            pattern=r"^[a-zA-Z0-9\s]+$|^$",
             is_optional=True,
         )
     )
@@ -329,7 +329,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(
         parameter_pattern_validator(
             "PROTECTION_GROUP_2_ACCOUNT_ID",
-            os.environ.get("PROTECTION_GROUP_0_ACCOUNT_ID"),
+            os.environ.get("PROTECTION_GROUP_2_ACCOUNT_ID"),
             pattern=protection_group_account_id_pattern,
             is_optional=True,
         )
@@ -377,7 +377,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(
         parameter_pattern_validator(
             "PROTECTION_GROUP_3_ACCOUNT_ID",
-            os.environ.get("PROTECTION_GROUP_0_ACCOUNT_ID"),
+            os.environ.get("PROTECTION_GROUP_3_ACCOUNT_ID"),
             pattern=protection_group_account_id_pattern,
             is_optional=True,
         )
@@ -425,7 +425,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(
         parameter_pattern_validator(
             "PROTECTION_GROUP_4_ACCOUNT_ID",
-            os.environ.get("PROTECTION_GROUP_0_ACCOUNT_ID"),
+            os.environ.get("PROTECTION_GROUP_4_ACCOUNT_ID"),
             pattern=protection_group_account_id_pattern,
             is_optional=True,
         )
@@ -523,7 +523,9 @@ def setup_shield_global(params: dict, accounts: list) -> None:
     else:
         LOGGER.info("")
         accounts = []
+        print(f'SHIELD_ACCOUNTS_TO_PROTECT {params["SHIELD_ACCOUNTS_TO_PROTECT"]}')
         for account in params["SHIELD_ACCOUNTS_TO_PROTECT"].split(","):
+            print(f"Adding AccountId: {account} to accounts")
             accounts.append({"AccountId": account})
     for account in accounts:
         account_id = account["AccountId"]
@@ -532,7 +534,6 @@ def setup_shield_global(params: dict, accounts: list) -> None:
 
         account_session: boto3.Session = common.assume_role(params["CONFIGURATION_ROLE_NAME"], "sra-configure-shield", account_id)
         shield_client: ShieldClient = account_session.client("shield")
-        # shield.create_service_linked_role(account_id, params["CONFIGURATION_ROLE_NAME"])
         shield.create_subscription(shield_client)
         role_arn = shield.create_drt_role(account_id, params["SHIELD_DRT_ROLE_NAME"], account_session)
         shield.associate_drt_role(shield_client, role_arn)
@@ -582,11 +583,9 @@ def setup_shield(account_session: boto3.Session, account_id: str, params: dict)
     buckets_processed: list = []
     resources_processed: list = []
 
-    # for region in regions:
-    LOGGER.info(f"setup shield in for account {account_id} in ")
+    LOGGER.info(f"setup shield in account: {account_id}")
     shield.build_resources_by_account(account_session, params, account_id)
     shield_client = account_session.client("shield")
-    # shield.create_subscription(shield_client)
     resources_already_protected = shield.list_protections(shield_client)
     shield.enable_proactive_engagement(shield_client, params)
     while len(shield.RESOURCES_BY_ACCOUNT[account_id]["buckets"]) > 0:
@@ -599,15 +598,11 @@ def setup_shield(account_session: boto3.Session, account_id: str, params: dict)
         if resource not in resources_already_protected and resource not in resources_processed:
             shield.create_protection(shield_client, resource)
             LOGGER.info(f"Create protection for {resource}")
-            # shield.create_protection_group(shield_client, params, account_id)
             resources_processed.append(resource)
-            # else:
-            #     shield.RESOURCES_BY_ACCOUNT[account_id]["resources_to_protect"].append(resource)
     if len(resources_already_protected) > 0 or len(resources_processed) > 0:
         shield.create_protection_group(shield_client, params, account_id)
 
 
-# COMMENT
 @helper.create
 @helper.update
 @helper.delete
@@ -649,8 +644,6 @@ def orchestrator(event: Dict[str, Any], context: Any) -> None:
     if event.get("RequestType"):
         LOGGER.info("...calling helper...")
         helper(event, context)
-        # TODO uncomment line above remove line below
-        # process_event_cloudformation(event, context)
     else:
         LOGGER.info("...else...just calling process_event...")
         process_event(event)
@@ -677,9 +670,3 @@ def lambda_handler(event: Dict[str, Any], context: Any) -> None:
         LOGGER.exception(ex)
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs ({context.log_group_name}) for details.") from None
-
-
-# lambda_handler({"RequestType": "Create"}, {})
-# lambda_handler({"RequestType": "Update"}, {})
-# lambda_handler({"RequestType": "Delete"}, {})
-"""COMMENT"""

aws_sra_examples/solutions/shield_advanced/shield_advanced/lambda/src/shield.py

@@ -16,15 +16,11 @@
 
 import boto3
 import common
+from botocore.exceptions import ClientError
 
 if TYPE_CHECKING:
     from mypy_boto3_iam import IAMClient
-    from mypy_boto3_iam.type_defs import (
-        AttachRolePolicyResponseTypeDef,
-        CreateRoleResponseTypeDef,
-        DeleteRoleRequestRequestTypeDef,
-        DetachRolePolicyRequestPolicyDetachRoleTypeDef,
-    )
+    from mypy_boto3_iam.type_defs import CreateRoleResponseTypeDef, DeleteRoleRequestRequestTypeDef, DetachRolePolicyRequestPolicyDetachRoleTypeDef
     from mypy_boto3_organizations import OrganizationsClient
     from mypy_boto3_route53 import Route53Client
     from mypy_boto3_route53.type_defs import ListHostedZonesResponseTypeDef
@@ -34,12 +30,8 @@
         AssociateDRTLogBucketRequestRequestTypeDef,
         AssociateProactiveEngagementDetailsRequestRequestTypeDef,
         CreateProtectionGroupRequestRequestTypeDef,
-        CreateProtectionGroupResponseTypeDef,
         CreateProtectionResponseTypeDef,
-        CreateSubscriptionRequestRequestTypeDef,
-        CreateSubscriptionResponseTypeDef,
         DeleteProtectionGroupRequestRequestTypeDef,
-        DeleteProtectionGroupResponseTypeDef,
         DeleteProtectionRequestRequestTypeDef,
         DescribeEmergencyContactSettingsResponseTypeDef,
         DescribeProtectionResponseTypeDef,
@@ -48,8 +40,6 @@
         DisassociateDRTLogBucketRequestRequestTypeDef,
         EmergencyContactTypeDef,
         ProtectionTypeDef,
-        UpdateEmergencyContactSettingsRequestRequestTypeDef,
-        UpdateEmergencyContactSettingsResponseTypeDef,
         UpdateProtectionGroupRequestRequestTypeDef,
     )
 
@@ -137,7 +127,7 @@ def get_route_53_hosted_zones(account_session: boto3.Session) -> list:
     """
     route53_client: Route53Client = account_session.client("route53")
     hosted_zones: ListHostedZonesResponseTypeDef = route53_client.list_hosted_zones()
-    LOGGER.info("[INFO] Listing hosted zones from the Route53\n\n")
+    LOGGER.info("[INFO] Listing hosted zones from the Route53")
     marker: bool = True
     hosted_zone_arns: list = []
     while marker:
@@ -218,7 +208,7 @@ def update_emergency_contacts(shield_client: ShieldClient, params: dict, is_dele
     """
     emergency_contacts: Sequence[EmergencyContactTypeDef] = []
     if not is_delete:
-        emergency_contacts: Sequence[EmergencyContactTypeDef] = build_emergency_contacts(params)
+        emergency_contacts = build_emergency_contacts(params)
         LOGGER.info(f"Updating emergency contacts to {emergency_contacts}")
         shield_client.update_emergency_contact_settings(EmergencyContactList=emergency_contacts)
     else:
@@ -304,7 +294,7 @@ def create_subscription(shield_client: ShieldClient) -> None:
     if subscription_enabled:
         LOGGER.info("Shield Advanced Subscription is already enabled")
     else:
-        enable_shield_response: CreateSubscriptionResponseTypeDef = shield_client.create_subscription()
+        enable_shield_response = shield_client.create_subscription()
         api_call_details = {"API_Call": "shield:CreateSubscription", "API_Response": enable_shield_response}
         LOGGER.info(api_call_details)
 
@@ -410,13 +400,13 @@ def create_drt_role(account: str, role_name: str, account_session: boto3.Session
                 ]
             }""",
         )
-        attach_policy_response: AttachRolePolicyResponseTypeDef = iam_client.attach_role_policy(
+        attach_policy_response = iam_client.attach_role_policy(
             PolicyArn="arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy", RoleName=role_name
         )
         role_arn: str = create_role_response["Role"]["Arn"]
     else:
         role_arn = role_exists
-        attach_policy_response: AttachRolePolicyResponseTypeDef = iam_client.attach_role_policy(
+        attach_policy_response = iam_client.attach_role_policy(
             PolicyArn="arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy", RoleName=role_name
         )
 
@@ -549,8 +539,7 @@ def check_proactive_engagement_enabled(shield_client: ShieldClient, params: dict
             time.sleep(5)
             check_proactive_engagement_enabled(shield_client, params, retry + 1)
     else:
-        # TODO take a look at this and see if I should raise an error instead
-        return True
+        raise ValueError("Proactive engagement status not found")
 
 
 def check_if_protection_group_exists(shield_client: ShieldClient, protection_group_id: str) -> bool:
@@ -596,7 +585,7 @@ def delete_protection_group(shield_client: ShieldClient, params: dict, account_i
         pg_id: str = params[f"PROTECTION_GROUP_{i}_ID"]
         if account_id == params[f"PROTECTION_GROUP_{i}_ACCOUNT_ID"]:
             if pg_id != "":
-                delete_protection_group_response: DeleteProtectionGroupResponseTypeDef = shield_client.delete_protection_group(
+                delete_protection_group_response: DeleteProtectionGroupRequestRequestTypeDef = shield_client.delete_protection_group(
                     ProtectionGroupId=pg_id
                 )
                 api_call_details = {"API_Call": "shield:DeleteProtectionGroup", "API_Response": delete_protection_group_response}
@@ -651,10 +640,11 @@ def create_protection_group(shield_client: ShieldClient, params: dict, account_i
 
     Args:
         shield_client: shield client
-        params: environment variablrd
+        params: environment variables
         account_id: AWS account id
     """
     for i in range(0, 5):
+        print(i)
         pg_id: str = params[f"PROTECTION_GROUP_{i}_ID"]
         pg_account_id: str = params[f"PROTECTION_GROUP_{i}_ACCOUNT_ID"]
         pg_aggregation: Literal["SUM", "MEAN", "MAX"] = params[f"PROTECTION_GROUP_{i}_AGGREGATION"]
@@ -667,24 +657,26 @@ def create_protection_group(shield_client: ShieldClient, params: dict, account_i
             "APPLICATION_LOAD_BALANCER",
             "GLOBAL_ACCELERATOR",
         ] = params[f"PROTECTION_GROUP_{i}_RESOURCE_TYPE"]
-
+        print(f" pg_account_id {pg_account_id}")
         pg_members: list = params[f"PROTECTION_GROUP_{i}_MEMBERS"]
+        print(f"pg_members{pg_members}")
+        print(f"i {i}")
         if pg_id != "" and pg_account_id == account_id:
             if check_if_protection_group_exists(shield_client, pg_id):
                 LOGGER.info(f"Protection_Group_{i} already exists in {account_id}")
                 update_protection_group(shield_client, pg_id, pg_aggregation, pg_pattern, pg_resource_type, pg_members)
                 break
             LOGGER.info(f"Creating Protection_Group_{i} in {account_id}")
             if pg_pattern == "BY_RESOURCE_TYPE":
-                protection_group_response = shield_client.create_protection_group(
+                protection_group_response: CreateProtectionGroupRequestRequestTypeDef = shield_client.create_protection_group(
                     ProtectionGroupId=pg_id, Aggregation=pg_aggregation, Pattern=pg_pattern, ResourceType=pg_resource_type
                 )
             elif pg_pattern == "ARBITRARY":
-                protection_group_response = shield_client.create_protection_group(
+                protection_group_response: CreateProtectionGroupRequestRequestTypeDef = shield_client.create_protection_group(
                     ProtectionGroupId=pg_id, Aggregation=pg_aggregation, Pattern=pg_pattern, Members=pg_members.split(",")
                 )
             else:
-                protection_group_response = shield_client.create_protection_group(
+                protection_group_response: CreateProtectionGroupRequestRequestTypeDef = shield_client.create_protection_group(
                     ProtectionGroupId=pg_id, Aggregation=pg_aggregation, Pattern=pg_pattern
                 )
             api_call_details = {"API_Call": "shield:CreateProtectionGroup", "API_Response": protection_group_response}
@@ -715,6 +707,7 @@ def enable_proactive_engagement(shield_client: ShieldClient, params: dict) -> No
         shield_client: shield client
         params: environment variables
     """
+    print(f"Before IF SHIELD_ENABLE_PROACTIVE_ENGAGEMENT is set to {params['SHIELD_ENABLE_PROACTIVE_ENGAGEMENT']}")
     if params["SHIELD_ENABLE_PROACTIVE_ENGAGEMENT"] == "true":
         if check_proactive_engagement_enabled(shield_client, params):
             update_emergency_contacts(shield_client, params)
@@ -757,8 +750,14 @@ def disable_proactive_engagement(shield_client: ShieldClient) -> None:
     Args:
         shield_client: shield client
     """
-    disable_proactive_engagement_response: DisableApplicationLayerAutomaticResponseRequestRequestTypeDef = (
-        shield_client.disable_proactive_engagement()
-    )
-    api_call_details = {"API_Call": "shield:DisableProactiveEngagement", "API_Response": disable_proactive_engagement_response}
-    LOGGER.info(api_call_details)
+    try:
+        disable_proactive_engagement_response: DisableApplicationLayerAutomaticResponseRequestRequestTypeDef = (
+            shield_client.disable_proactive_engagement()
+        )
+        api_call_details = {"API_Call": "shield:DisableProactiveEngagement", "API_Response": disable_proactive_engagement_response}
+        LOGGER.info(api_call_details)
+    except ClientError as e:
+        if e.response["Error"]["Code"] == "InvalidOperationException":
+            LOGGER.exception(e)
+        else:
+            raise e

aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-configuration-role.yaml

@@ -172,6 +172,7 @@ Resources:
                   - s3:ListAllMyBuckets
                   - route53:ListHostedZones
                   - elasticloadbalancing:DescribeLoadBalancers
+                  - ec2:DescribeAddresses
                 Resource: '*'
 
         - PolicyName: sra-shield-advanced-policy-iam

aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml

@@ -559,7 +559,6 @@ Parameters:
 
 
 Conditions:
-  cDeploymentTargets: !Equals [!Select ['0', !Ref pShieldAccountsToProtect], 'ALL']
   cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]]
 
 Rules:
@@ -589,7 +588,7 @@ Resources:
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds:
-              - !If [cDeploymentTargets, !Ref pRootOrganizationalUnitId, !Ref pShieldAccountsToProtect]
+              - !Ref pRootOrganizationalUnitId
           Regions:
             - !Ref AWS::Region
       TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-shield-advanced-configuration-role.yaml