v2.8.2

AWS · AWS · commit a278ddf32636 · 2025-06-26T19:00:32.000Z
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 # Development
 .DS_Store
 .idea
+*.iml
 .vscode
 *.pyc
 *.so
@@ -28,4 +29,4 @@ build
 /deployment/open-source
 /deployment/state_machines/sample_events/
 /deployment/global-s3-assets/
-/deployment/regional-s3-assets/
+/deployment/regional-s3-assets/
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v2.8.1
+v2.8.2
diff --git a/customizations-for-aws-control-tower.template b/customizations-for-aws-control-tower.template
diff --git a/deployment/custom-control-tower-initiation.template b/deployment/custom-control-tower-initiation.template
@@ -1090,6 +1090,9 @@ Resources:
                   - kms:DescribeKey
                 Resource:
                   - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
+                Condition:
+                  ForAnyValue:StringEquals:
+                    kms:ResourceAliases: !Sub ["alias/${KMSKeyName}", {KMSKeyName: !FindInMap [KMS, Alias, Name]}]
         - PolicyName: "Custom-Control-Tower-StackSet-CodeBuild-Policy-STS"
           PolicyDocument:
             Version: "2012-10-17"
@@ -1220,6 +1223,9 @@ Resources:
                   - kms:EnableKeyRotation
                 Resource:
                   - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
+                Condition:
+                  ForAnyValue:StringEquals:
+                    kms:ResourceAliases: !Sub ["alias/${KMSKeyName}", {KMSKeyName: !FindInMap [KMS, Alias, Name]}]
               - Effect: "Allow"
                 Action:
                   - kms:CreateKey
@@ -1229,7 +1235,9 @@ Resources:
                 Action:
                   - kms:CreateAlias
                 Resource:
-                  - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/*
+                  - !Sub
+                    - arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/${KMSKeyName}
+                    - KMSKeyName: !FindInMap [KMS, Alias, Name]
                   - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
         - PolicyName: Custom-Control-Tower-DeploymentLambda-S3
           PolicyDocument:
@@ -1499,6 +1507,9 @@ Resources:
                   - kms:DescribeKey
                 Resource:
                   - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
+                Condition:
+                  ForAnyValue:StringEquals:
+                    kms:ResourceAliases: !Sub ["alias/${KMSKeyName}", {KMSKeyName: !FindInMap [KMS, Alias, Name]}]
         - PolicyName: State-Machine-Lambda-Policy-S3
           PolicyDocument:
             Version: '2012-10-17'
diff --git a/pytest.ini b/pytest.ini
@@ -1,7 +1,7 @@
 [pytest]
 addopts = --verbose -ra -m unit
 log_cli = true
-log_level=WARN
+log_level=INFO
 markers =
     unit
     integration
diff --git a/source/codebuild_scripts/install_stage_dependencies.sh b/source/codebuild_scripts/install_stage_dependencies.sh
@@ -22,8 +22,8 @@ install_common_pip_packages () {
     pip install --quiet --upgrade virtualenv==20.4.2
     pip install --quiet "cython<3.0.0" && pip install --quiet --no-build-isolation pyyaml==5.4.1
     pip install --quiet --upgrade yorm==1.6.2
-    pip install --quiet --upgrade jinja2==2.11.3
-    pip install --quiet --upgrade requests==2.25.1
+    pip install --quiet --upgrade jinja2==3.1.6
+    pip install --quiet --upgrade requests==2.32.4
 }
 
 build_dependencies () {
@@ -36,7 +36,7 @@ build_dependencies () {
     # install pip packages
     install_common_pip_packages
     pip install --quiet --upgrade pykwalify==1.8.0
-    pip install --quiet cfn_flip==1.2.3
+    pip install --quiet cfn_flip>=1.3.0
 
     # Install CFN Nag
     gem install --quiet cfn-nag -v 0.7.2
@@ -75,5 +75,5 @@ then
     stackset_dependencies
 else
     echo "Could not install dependencies. Argument didn't match one of the allowed values.
-    >> build | scp | stackset"
+    >> build | scp | rcp | stackset"
 fi
diff --git a/source/src/cfct/lambda_handlers/config_deployer.py b/source/src/cfct/lambda_handlers/config_deployer.py
@@ -39,7 +39,8 @@
 kms = KMS(logger)
 ssm = SSM(logger)
 
-def safe_extract(zip_file_name, output_path, max_files = 1000, max_size = 500 * 1024 * 1024):
+
+def safe_extract(zip_file_name, output_path, max_files=1000, max_size=500 * 1024 * 1024):
     with zipfile.ZipFile(zip_file_name, "r") as zip_file:
         # Get the list of files
         file_list = zip_file.infolist()
@@ -56,6 +57,7 @@ def safe_extract(zip_file_name, output_path, max_files = 1000, max_size = 500 *
         for file in file_list:
             zip_file.extract(file, output_path)
 
+
 def unzip_function(zip_file_name, function_path, output_path):
     orig_path = os.getcwd()
     os.chdir(function_path)
diff --git a/source/src/cfct/lambda_handlers/state_machine_router.py b/source/src/cfct/lambda_handlers/state_machine_router.py
@@ -18,7 +18,12 @@
 import inspect
 import os
 
-from cfct.state_machine_handler import CloudFormation, ServiceControlPolicy, StackSetSMRequests, ResourceControlPolicy
+from cfct.state_machine_handler import (
+    CloudFormation,
+    ResourceControlPolicy,
+    ServiceControlPolicy,
+    StackSetSMRequests,
+)
 from cfct.utils.logger import Logger
 
 # initialise logger
diff --git a/source/src/cfct/manifest/manifest_parser.py b/source/src/cfct/manifest/manifest_parser.py
@@ -25,8 +25,8 @@
 from cfct.manifest.manifest import Manifest
 from cfct.manifest.sm_input_builder import (
     InputBuilder,
-    SCPResourceProperties,
     RCPResourceProperties,
+    SCPResourceProperties,
     StackSetResourceProperties,
 )
 from cfct.manifest.stage_to_s3 import StageFile
diff --git a/source/src/cfct/state_machine_handler.py b/source/src/cfct/state_machine_handler.py
@@ -24,9 +24,9 @@
 
 from cfct.aws.services.cloudformation import Stacks, StackSet
 from cfct.aws.services.organizations import Organizations as Org
+from cfct.aws.services.rcp import ResourceControlPolicy as RCP
 from cfct.aws.services.s3 import S3
 from cfct.aws.services.scp import ServiceControlPolicy as SCP
-from cfct.aws.services.rcp import ResourceControlPolicy as RCP
 from cfct.aws.services.ssm import SSM
 from cfct.aws.services.sts import AssumeRole
 from cfct.aws.utils.url_conversion import parse_bucket_key_names
diff --git a/source/src/cfct/utils/path_utils.py b/source/src/cfct/utils/path_utils.py
@@ -1,13 +1,17 @@
 import os
 
+
 def is_safe_path(allowed_base_directory: str, target_path: str) -> bool:
     # Normalize the paths to remove any '..' components
     normalized_allowed_base_directory = os.path.normpath(allowed_base_directory)
     normalized_target_path = os.path.normpath(target_path)
-    
+
     # Convert the paths to absolute paths
     abs_allowed_base_directory = os.path.abspath(normalized_allowed_base_directory)
     abs_target_path = os.path.abspath(normalized_target_path)
-    
+
     # Check if the resolved absolute path is within the base directory
-    return os.path.commonpath([abs_target_path, abs_allowed_base_directory]) == abs_allowed_base_directory
+    return (
+        os.path.commonpath([abs_target_path, abs_allowed_base_directory])
+        == abs_allowed_base_directory
+    )
diff --git a/source/src/setup.py b/source/src/setup.py
@@ -29,13 +29,13 @@
     install_requires=[
         "yorm==1.6.2",
         "pyyaml==5.4.1",
-        "Jinja2==3.1.4",
+        "Jinja2==3.1.6",
         "MarkupSafe==2.0.1",  # https://github.com/pallets/jinja/issues/1585
-        "requests==2.32.2",
+        "requests==2.32.4",
         "markdown_to_json==1.0.0",
         "python-dateutil==2.8.1",
-        "boto3==1.28.17",
-        "botocore==1.31.17",
+        "boto3==1.34.162",
+        "botocore==1.34.162",
     ],
     extras_require={
         "test": [
@@ -48,6 +48,7 @@
             "pytest == 6.2.4",
             "expecter==0.3.0",
             "pykwalify == 1.8.0",
+            "cfn-flip>=1.3.0",
         ],
         "dev": [
             "ipython",
