Merge pull request #84 from aws-solutions/develop

Updated to version v2.2.0

Author: beomseoklee

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,34 +1,31 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-title: ""
+title: ''
 labels: bug
-assignees: ""
+assignees: ''
+
 ---
 
 **Describe the bug**
-
-<!--- A clear and concise description of what the bug is -->
+A clear and concise description of what the bug is.
 
 **To Reproduce**
-
-<!--- Steps to reproduce the behavior -->
+Steps to reproduce the behavior.
 
 **Expected behavior**
-
-<!--- A clear and concise description of what you expected to happen -->
+A clear and concise description of what you expected to happen.
 
 **Please complete the following information about the solution:**
-
 - [ ] Version: [e.g. v1.0.0]
 
-To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "_(SO0158) - The AWS CloudFormation template for deployment of the Amazon CloudWatch Monitoring Framework. Version **v1.0.0**_". You can also find the version from [releases](https://github.com/awslabs/amazon-cloudwatch-monitoring-framework/releases)
+To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "_(SO0089) - customizations-for-aws-control-tower Solution. Version: v1.0.0_". You can also find the version from [releases](https://github.com/aws-solutions/aws-control-tower-customizations/releases)
 
 - [ ] Region: [e.g. us-east-1]
 - [ ] Was the solution modified from the version published on this repository?
 - [ ] If the answer to the previous question was yes, are the changes available on GitHub?
 - [ ] Have you checked your [service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) for the sevices this solution uses?
-- [ ] Were there any errors in the CloudWatch Logs? [How to enable debug mode?](https://docs.aws.amazon.com/solutions/latest/amazon-cloudwatch-monitoring-framework/troubleshooting.html)
+- [ ] Were there any errors in the CloudWatch Logs?
 
 **Screenshots**
 If applicable, add screenshots to help explain your problem (please **DO NOT include sensitive information**).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,19 +1,17 @@
 ---
 name: Feature request
 about: Suggest an idea for this solution
-title: ""
-labels: feature-request, enhancement
-assignees: ""
+title: ''
+labels: enhancement
+assignees: ''
+
 ---
 
 **Is your feature request related to a problem? Please describe.**
-
-<!--- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
 **Describe the feature you'd like**
-
-<!--- A clear and concise description of what you want to happen -->
+A clear and concise description of what you want to happen.
 
 **Additional context**
-
-<!--- Add any other context or screenshots about the feature request here -->
+Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,5 +2,4 @@
 
 *Description of changes:*
 
-
 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

.gitignore

@@ -0,0 +1,38 @@
+.DS_Store
+.idea/
+*.pyc
+.eggs
+*.egg-info
+.cache
+*.sonarlint
+source/tests/__pycache__/
+source/lib/__pycache__/
+/deployment/state_machines/sample_events/
+/source/scratch/
+/source/bin/build_scripts/CHANGELOG.json
+/deployment/global-s3-assets/
+/deployment/regional-s3-assets/
+/source/parse*
+/source/dateutil/
+/source/python_dateutil*
+/source/docutils*
+/source/futures-*
+/source/jmespath*
+/source/concurrent/
+/source/s3transfer*
+/source/six-*
+/source/urllib3*
+/source/six.py
+/source/chardet*
+/source/certifi*
+/source/idna*
+/source/requests*
+/source/yorm*
+/source/yaml*
+/source/jinja2*
+/source/markupsafe*
+/source/simplejson*
+/source/PyYAML*
+/source/_yaml/
+/source/pathlib2-2.3.6.dist-info/
+/source/pathlib2/

CHANGELOG.md

@@ -4,14 +4,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.0] - 2021-12-09
+### Added 
+- Added support for organization Root as an OU for manifest schema version "2021-03-15". [#8](https://github.com/aws-solutions/aws-control-tower-customizations/pull/8)
+- Added support for nested OU for manifest schema version "2021-03-15". [#19](https://github.com/aws-solutions/aws-control-tower-customizations/issues/19)
+- Added support for CAPABILITY_AUTO_EXPAND for SAM. [#78](https://github.com/aws-solutions/aws-control-tower-customizations/pull/78)
+### Changed
+- Fixed the issue that SSM parameter names were not output to logs for troubleshooting. [#68](https://github.com/aws-solutions/aws-control-tower-customizations/pull/68)
+- Fixed the issue that resources starting with "S3" were incorrectly parsed as empty buckets. [#65](https://github.com/aws-solutions/aws-control-tower-customizations/issues/65)
+- Fixed the issue that customization example folder was missing from the github repository. [#71](https://github.com/aws-solutions/aws-control-tower-customizations/issues/71)
+
 ## [2.1.0] - 2021-05-15
 ### Added
 - Added option to enable concurrency to deploy StackSets operations in regions in parallel.
-- Added support for UTF-8 encoded CloudFormation templates. [#55](https://github.com/awslabs/aws-control-tower-customizations/issues/55)
+- Added support for UTF-8 encoded CloudFormation templates. [#55](https://github.com/aws-solutions/aws-control-tower-customizations/issues/55)
 ### Changed
-- Support list of SSM Parameter Store keys as CloudFormation parameter value. [#43](https://github.com/awslabs/aws-control-tower-customizations/issues/43)
-- Use environment variable for Update StackSet API [#50](https://github.com/awslabs/aws-control-tower-customizations/pull/50/files)
-- Handle account names with overlapping string [#45](https://github.com/awslabs/aws-control-tower-customizations/issues/45)
+- Support list of SSM Parameter Store keys as CloudFormation parameter value. [#43](https://github.com/aws-solutions/aws-control-tower-customizations/issues/43)
+- Use environment variable for Update StackSet API [#50](https://github.com/aws-solutions/aws-control-tower-customizations/pull/50/files)
+- Handle account names with overlapping string [#45](https://github.com/aws-solutions/aws-control-tower-customizations/issues/45)
 - Handle SCP policy tag name with whitespace.
 - Update parsing logic to learn manifest version in the manifest.
 
@@ -20,7 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Support for new simplified manifest schema (version "2021-03-15"). This does not impact existing customers using manifest version "2020-01-01".
 ### Changed
 - Optimization to skip update Stack Set workflow when only new accounts are added to the Stack Set.
-- Ability to create only Stack Sets if the account list is empty. This allows users to configure Stack Set resources with empty Organizational Units. Ref:[GitHub Issue 42](https://github.com/awslabs/aws-control-tower-customizations/issues/42)
+- Ability to create only Stack Sets if the account list is empty. This allows users to configure Stack Set resources with empty Organizational Units. Ref:[GitHub Issue 42](https://github.com/aws-solutions/aws-control-tower-customizations/issues/42)
 - Pinned versions for all the third-party packages.
 - Update cfn-nag package to v0.7.2 to utilize new rules. This may result in new failures and warning in the build stage. However, it would help you identify new issues.
 - Update default branch name to 'main'.
@@ -42,8 +52,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Updates the AWS CodeBuild image to the latest available version (aws/codebuild/standard:4.0).
 - Optimizes the CloudFormation resource stage to trigger step function execution only if there is difference between the configuration and deployed stack sets.
 - Fixes the issue in the build stage of the CodePipeline by updating manifest version to match the manifest schema.
-- Fixes the issue for comparing deployed stack set templates and parameters [#4](https://github.com/awslabs/aws-control-tower-customizations/issues/4)
-- Fixes the issue for updating the variables in the files using Jinja [#17](https://github.com/awslabs/aws-control-tower-customizations/issues/17)
+- Fixes the issue for comparing deployed stack set templates and parameters [#4](https://github.com/aws-solutions/aws-control-tower-customizations/issues/4)
+- Fixes the issue for updating the variables in the files using Jinja [#17](https://github.com/aws-solutions/aws-control-tower-customizations/issues/17)
 
 ## [1.1.0] - 2020-02-25
 ### Known Issue Fix and Code Optimization

CONTRIBUTING.md

@@ -11,7 +11,7 @@ information to effectively respond to your bug report or contribution.
 
 We welcome you to use the GitHub issue tracker to report bugs or suggest features. 
 
-When filing an issue, please check [existing open](https://github.com/awslabs/aws-control-tower-customizations/issues), or [recently closed](https://github.com/awslabs/aws-control-tower-customizations/issues?q=is%3Aissue+is%3Aclosed), issues to make sure somebody else hasn't already 
+When filing an issue, please check [existing open](https://github.com/aws-solutions/aws-control-tower-customizations/issues), or [recently closed](https://github.com/aws-solutions/aws-control-tower-customizations/issues?q=is%3Aissue+is%3Aclosed), issues to make sure somebody else hasn't already 
 reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 
 
 * A reproducible test case or series of steps 
@@ -41,7 +41,7 @@ GitHub provides additional document on [forking a repository](https://help.githu
 
 
 ## Finding contributions to work on 
-Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/aws-control-tower-customizations/labels/help%20wanted) issues is a great place to start. 
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-solutions/aws-control-tower-customizations/labels/help%20wanted) issues is a great place to start. 
 
 
 ## Code of Conduct 
@@ -55,7 +55,7 @@ If you discover a potential security issue in this project we ask that you notif
 
 
 ## Licensing 
-See the [LICENSE](https://github.com/awslabs/aws-control-tower-customizations/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 
+See the [LICENSE](https://github.com/aws-solutions/aws-control-tower-customizations/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 
 
 
 We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 

README.md

@@ -1,12 +1,8 @@
-# Customizations for AWS Control Tower Solution
-
-**[🚀Solution Landing Page](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)** | **[🚧Feature request](https://github.com/awslabs/aws-control-tower-customizations/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)** | **[🐛Bug Report](https://github.com/awslabs/aws-control-tower-customizations/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)** | **[📜Documentation Improvement](https://github.com/awslabs/aws-control-tower-customizations/issues/new?assignees=&labels=document-update&template=documentation_improvements.md&title=)**
-
-## Solution Overview
+## Customizations for AWS Control Tower Solution
 The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. Customers can easily add customizations to their AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). Customers can deploy their custom template and policies to both individual accounts and organizational units (OUs) within their organization. Customizations for AWS Control Tower integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with the customer's landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed. Before deploying this solution, customers need to have an AWS Control Tower landing zone deployed in their account.
 
 ## Getting Started 
-To get started with the Customizations for AWS Control Tower solution, please review the solution documentation. https://aws.amazon.com/solutions/customizations-for-aws-control-tower
+To get started with the Customizations for AWS Control Tower solution, please review the [solution documentation](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
 
 ## Running unit tests for customization 
 * Clone the repository, then make the desired code changes 
@@ -20,25 +16,31 @@ chmod +x ./deployment/run-unit-tests.sh
 ## Building the customized solution
 * Configure the solution name, version number and bucket name of your target Amazon S3 distribution bucket 
 ``` 
-export DIST_OUTPUT_BUCKET=my-source-code-bucket-name # Name for the S3 bucket where customized code will reside 
+export DIST_OUTPUT_BUCKET_PREFIX=my-source-code-bucket-name_prefix # Prefix for the S3 bucket where customized code will reside 
 export TEMPLATE_OUTPUT_BUCKET=my-template-bucket-name # Name for the S3 bucket where the template will be located
 export SOLUTION_NAME=customizations-for-aws-control-tower # name of the solution 
 export VERSION=my-version # version number for the customized code  
+export REGION=aws-region-code # the AWS region to test the solution (e.g. us-east-1)
 ``` 
-_Note:_ You would have to create an S3 bucket with prefix 'my-bucket-name-<aws_region>'; aws_region is where you are testing the customized solution. Also, the assets in bucket should be publicly accessible 
+_Note:_ You would need to create one global bucket and one regional bucket. The global bucket TEMPLATE_OUTPUT_BUCKET, for example "my-bucket-name", is used to store the AWS CloudFormation template. The regional bucket <DIST_OUTPUT_BUCKET_PREFIX>-<REGION>, for example "my-bucket-name-us-east-1", is used to store your customized source code zip packages (lambda code). The solution's CloudFormation template will expect the source code to be located in a bucket matching that name. Also, the assets in bucket should be publicly accessible.
 
-* Now build the distributable: 
+* Now build the distributable
 ``` 
 chmod +x ./build-s3-dist.sh
-./build-s3-dist.sh $DIST_OUTPUT_BUCKET $TEMPLATE_OUTPUT_BUCKET $SOLUTION_NAME $VERSION
+./build-s3-dist.sh $DIST_OUTPUT_BUCKET_PREFIX $TEMPLATE_OUTPUT_BUCKET $SOLUTION_NAME $VERSION
 ``` 
 
-* Deploy the distributable to an Amazon S3 bucket in your account. _Note:_ you must have the AWS Command Line Interface installed. 
-Make sure you use proper acl and profile for the copy operation as applicable.
-``` 
-aws s3 cp deployment/global-s3-assets/  s3://my-bucket-name-<aws_region>/$SOLUTION_NAME/$VERSION/ --recursive --acl bucket-owner-full-control --profile aws-cred-profile-name 
-aws s3 cp deployment/regional-s3-assets/ s3://my-bucket-name-<aws_region>/$SOLUTION_NAME/$VERSION/ --recursive --acl bucket-owner-full-control --profile aws-cred-profile-name
-``` 
+* Upload the distributable to an Amazon S3 bucket in your account.
+
+  * Upload the AWS CloudFormation template to your global bucket in the following pattern
+    ``` 
+    s3://my-bucket-name/$SOLUTION_NAME/$VERSION/ 
+    ``` 
+
+  * Upload the customized source code zip packages to your regional bucket in the following pattern
+    ``` 
+    s3://my-bucket-name-<REGION>/$SOLUTION_NAME/$VERSION/
+    ``` 
 
 ## Deploying the customized solution
 * Get the link of the custom-control-tower-initiation.template loaded to your Amazon S3 bucket. 
@@ -82,8 +84,8 @@ custom_control_tower_configuration
 
 ## Collection of operational metrics
 
-This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/welcome.html).
+This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/appendix-b.html).
 
 ## License
 
-See license [here](https://github.com/awslabs/aws-control-tower-customizations/blob/main/LICENSE.txt) 
+See license [here](https://github.com/aws-solutions/aws-control-tower-customizations/blob/main/LICENSE.txt) 

deployment/custom-control-tower-initiation.template

@@ -1,4 +1,4 @@
-# Copyright 2012-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License").
 # You may not use this file except in compliance with the License.
@@ -151,6 +151,10 @@ Mappings:
   AutoBuild:
     CustomControlTower:
       Flag: 'No'
+  ControlTowerBaselineConfigStackset:
+      Info:
+        Name: 'AWSControlTowerBP-BASELINE-CONFIG'
+  
 
 Conditions:
   IsPipelineApprovalStageCondition: !Equals [!Ref PipelineApprovalStage, 'Yes']
@@ -769,6 +773,7 @@ Resources:
                   - organizations:ListOrganizationalUnitsForParent
                   - organizations:ListAccountsForParent
                   - organizations:ListAccounts
+                  - organizations:DescribeOrganization
                 Resource: '*' # The APIs above only support '*' resource.
         - PolicyName: "Custom-Control-Tower-StackSet-CodeBuild-Policy-SSM"
           PolicyDocument:
@@ -867,6 +872,8 @@ Resources:
                     Value: %VERSION%
                   - Name: METRICS_URL
                     Value: !FindInMap [Solution, Metrics, MetricsURL]
+                  - Name: CONTROL_TOWER_BASELINE_CONFIG_STACKSET
+                    Value: !FindInMap [ControlTowerBaselineConfigStackset, Info, Name]
           Artifacts:
               Name: !Sub ${CustomControlTowerPipelineArtifactS3Bucket}-Built
               Type: CODEPIPELINE
@@ -1275,11 +1282,6 @@ Resources:
 
   StateMachineRole:
     Type: "AWS::IAM::Role"
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: W11
-            reason: "Allow Resource * for AWS Lambda Functions in the account. State Machine execution fails otherwise."
     Properties:
       AssumeRolePolicyDocument:
         Version: "2012-10-17"