v2.7.0

Author: AWS

.gitignore

@@ -12,6 +12,7 @@
 __pycache__
 .pytest_cache
 .mypy_cache
+.coverage
 
 # Ignore virtual environments
 venv
@@ -21,6 +22,7 @@ testing-venv
 # Ignore installed dependencies
 dist
 source/src/build
+build
 
 /deployment/open-source
 /deployment/state_machines/sample_events/

VERSION

@@ -1 +1 @@
-v2.6.0
+v2.7.0

customizations-for-aws-control-tower.template

@@ -308,6 +308,7 @@ Resources:
       RepositoryDescription: Configuration for Customizations for AWS Control Tower solution
       RepositoryName: !Ref CodeCommitRepositoryName
       Code:
+        BranchName: !Ref CodeCommitBranchName
         S3:
           Bucket: !Sub %TEMPLATE_BUCKET_NAME%
           Key: !Sub %SOLUTION_NAME%/%VERSION%/custom-control-tower-configuration-${AWS::Region}.zip
@@ -1204,14 +1205,14 @@ Resources:
                   - cloudformation:UpdateStackInstances
                   - cloudformation:TagResource
                   - cloudformation:ListStackInstances
-                  - cloudformation:GetTemplateSummary
                   - cloudformation:DescribeStacks
                 Resource:
                   - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*
                   - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/*
               - Effect: Allow
                 Action:
                   - cloudformation:ValidateTemplate
+                  - cloudformation:GetTemplateSummary
                 Resource: '*'
         - PolicyName: State-Machine-Lambda-Policy-SSM
           PolicyDocument:
@@ -2188,23 +2189,7 @@ Resources:
                 "TimeoutSeconds": 300,
                 "HeartbeatSeconds": 60,
                 "InputPath": "$",
-                "Next": "Check List StackInstances Accounts Complete?"
-              },
-              "Check List StackInstances Accounts Complete?": {
-                "Type": "Choice",
-                "Choices": [
-                  {
-                    "Variable": "$.NextToken",
-                    "StringEquals": "Complete",
-                    "Next": "Skip Update StackSet?"
-                  }
-                ],
-                "Default": "Check List StackInstances Accounts Wait"
-              },
-              "Check List StackInstances Accounts Wait": {
-                "Type": "Wait",
-                "Seconds": 5,
-                "Next": "List StackInstances Accounts"
+                "Next": "Skip Update StackSet?"
               },
               "Skip Update StackSet?": {
                  "Type": "Choice",
@@ -3118,10 +3103,10 @@ Resources:
           RoleArn: !GetAtt CustomControlTowerPipelineTriggerRole.Arn
 
   # Cloudwatch Event Rule for Lifecycle Event (LE): triggered by LE events and send events to SQS
-  CustomControlTowerLECWEventRule:
+  CustomControlTowerCreateManagedAccountCWEventRule:
     Type: AWS::Events::Rule
     Properties:
-      Description: Custom Control Tower - Rule for lifecycle events from Control Tower Service
+      Description: Trigger CFCT on CreateManagedAccount events from Control Tower Service
       EventPattern:
         {
           "detail-type": [
@@ -3150,6 +3135,38 @@ Resources:
           SqsParameters:
             MessageGroupId: CustomControlTower_Lifecycle_Event
 
+  CustomControlTowerUpdateManagedAccountCWEventRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: Trigger CFCT on UpdateManagedAccount events from Control Tower Service
+      EventPattern:
+        {
+          "detail-type": [
+            "AWS Service Event via CloudTrail"
+          ],
+          "source": [
+              "aws.controltower"
+          ],
+          "detail": {
+              "eventName": [
+                  "UpdateManagedAccount"
+              ],
+              "serviceEventDetails": {
+                "updateManagedAccountStatus": {
+                  "state": [
+                    "SUCCEEDED"
+                  ]
+                }
+              }
+          }
+        }
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt CustomControlTowerLEFIFOQueue.Arn
+          Id: "CustomControlTower_Lifecycle_Event_FIFO_Queue"
+          SqsParameters:
+            MessageGroupId: CustomControlTower_Lifecycle_Event
+
   # Lifecycle event SQS Policy
   CustomControlTowerLEQueuePolicy:
     Type: AWS::SQS::QueuePolicy
@@ -3166,7 +3183,9 @@ Resources:
             Resource: !GetAtt CustomControlTowerLEFIFOQueue.Arn
             Condition:
               ArnEquals:
-                aws:SourceArn: !GetAtt CustomControlTowerLECWEventRule.Arn
+                aws:SourceArn: 
+                  - !GetAtt CustomControlTowerCreateManagedAccountCWEventRule.Arn
+                  - !GetAtt CustomControlTowerUpdateManagedAccountCWEventRule.Arn
 
 Outputs:
   CustomControlTowerCodePipeline:

deployment/build-s3-dist.sh

@@ -1,9 +1,8 @@
 [pytest]
-addopts = -v -ra -q -p source.tests.plugins.env_vars
+addopts = --verbose -ra -m unit
 log_cli = true
 log_level=WARN
 markers =
     unit
     integration
     e2e
-

deployment/custom-control-tower-initiation.template

@@ -27,6 +27,7 @@ exit_shell_script() {
 
 validate_template_file() {
   echo "Running aws cloudformation validate-template on $template_url"
+  # TODO: Verify if this works if resource file is homed in opt-in region, and CT mgmt is homed in commercial region
   aws cloudformation validate-template --template-url "$template_url" --region "$AWS_REGION"
   if [ $? -ne 0 ]
   then