Merge pull request #54 from aws-solutions/release/v2.6.3

Updated to version v2.6.3

CHANGELOG.md

@@ -3,7 +3,14 @@
 
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
+
+## [2.6.3] - 2023-09
+ ### Fixed
+ - Added the bugfix to skip the processing of the workspaces in error state.
+ - Updated all the package versions to resolve security vulnerabilities.
+ - Updated the docker base image to the python 3.11.
+ - Updated all the lambda runtimes to python 3.11.
+
 ## [2.6.2] - 2023-04
  ### Fixed
  - Changed the Object Ownership for logging bucket from 'Object writer' to 'Bucket owner enforced' to mitigate the impact caused by new S3 default settings.
@@ -12,8 +19,8 @@
 ## [2.6.1] - 2023-04
  ### Added
  - Added support to block customer misconfiguration for 'Terminate Unused Workspaces' feature. The feature will terminate workspaces only on the last day of the month to avoid accidental termination due to misconfiguration.
- 
- ## [2.6.0] - 2023-03
+
+## [2.6.0] - 2023-03
  ### Added
  - Updated the solution to use CDK V2 to generate CloudFormation templates and support CDK deployments.
  - Updated the 'Terminate Workspace' feature to accept user input for number of months to check for before terminating unused workspaces.

source/Dockerfile

@@ -1,8 +1,11 @@
-FROM public.ecr.aws/docker/library/python:3.10.10-slim-bullseye
+FROM public.ecr.aws/docker/library/python:3.11.5-slim-bullseye
 COPY workspaces_app /workspaces_app
 
 WORKDIR /workspaces_app
 
+RUN adduser -uid 1001 nonroot
+USER nonroot
+
 RUN pip install -r ./setup_requirements.txt
 RUN pip install -r ./requirements.txt
 

source/lambda/account_registration_provider/account_registration_provider.py

@@ -27,10 +27,10 @@ def invoke_register_lambda(request_type: str):
     payload = {
         'account_id': account_id,
         'request_type': request_type,
-        'role_arn': os.environ['MANAGEMENT_ROLE_ARN']
+        'role_arn': os.environ.get('MANAGEMENT_ROLE_ARN')
     }
     return boto3.client('lambda', config=boto_config).invoke(
-        FunctionName=os.environ['REGISTER_LAMBDA_ARN'],
+        FunctionName=os.environ.get('REGISTER_LAMBDA_ARN'),
         Payload=json.dumps(payload),
         InvocationType='RequestResponse'
     )

source/lambda/register_spoke_lambda/register_spoke_accounts.py

@@ -14,7 +14,7 @@
 log = logging.getLogger()
 log.setLevel(LOG_LEVEL)
 
-DYNAMO_DB_TABLE_NAME = os.environ['DDB_TABLE_NAME']
+DYNAMO_DB_TABLE_NAME = os.environ.get('DDB_TABLE_NAME')
 STATUS_CODE_SUCCESS = 'Success'
 STATUS_CODE_FAILED = 'Failed'
 SUCCESS_MESSAGE = 'Successfully processed the request'

source/lambda/utils/cfnresponse.py

@@ -23,9 +23,9 @@ def send(event, context, response_status, response_data, physical_resource_id=No
         'Status': response_status,
         'Reason': reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
         'PhysicalResourceId': physical_resource_id or context.log_stream_name,
-        'StackId': event['StackId'],
-        'RequestId': event['RequestId'],
-        'LogicalResourceId': event['LogicalResourceId'],
+        'StackId': event.get('StackId'),
+        'RequestId': event.get('RequestId'),
+        'LogicalResourceId': event.get('LogicalResourceId'),
         'NoEcho': no_echo,
         'Data': response_data
     }

source/lambda/uuid_generator/uuid_generator.py

@@ -63,7 +63,7 @@ def get_existing_uuid_from_current_stack(event):
 def describe_existing_stack(event):
     response = {}
     try:
-        response = cfn_client.describe_stacks(StackName=event['StackId'])
+        response = cfn_client.describe_stacks(StackName=event.get('StackId'))
     except Exception as e:
         logger.error(f'Error occurred when calling the describe stack operation {e}')
 

source/lib/components/register-spoke-account-resources.ts

@@ -84,9 +84,9 @@ export class RegisterSpokeAccountResources extends Construct {
 
         const registerSpokeAccountLambdaFunction = new lambda.Function(this, 'RegisterSpokeAccountLambdaFunction', {
             functionName: cdk.Fn.join("-", [props.registerSpokeAccountLambdaFunctionName, cdk.Aws.REGION]),
-            runtime: Runtime.PYTHON_3_9,
+            runtime: Runtime.PYTHON_3_11,
             tracing: lambda.Tracing.ACTIVE,
-            timeout: Duration.seconds(20),
+            timeout: Duration.seconds(300),
             role: registerSpokeAccountsFunctionLambdaRole.withoutPolicyUpdates(),
             code: Code.fromBucket(deploymentSourceBucket, `${props.solutionName}/${props.solutionVersion}/register_spoke_lambda.zip`),
             handler: 'register_spoke_lambda/register_spoke_accounts.lambda_handler',

source/lib/components/uuid-resources.ts

@@ -78,7 +78,7 @@ export class UUIDResources extends Construct {
         });
 
         const uuidGeneratorLambdaFunction = new lambda.Function(this, 'UUIDGeneratorLambdaFunction', {
-            runtime: Runtime.PYTHON_3_9,
+            runtime: Runtime.PYTHON_3_11,
             description: 'Solution Helper Lambda Function',
             tracing: lambda.Tracing.ACTIVE,
             timeout: Duration.seconds(300),

source/lib/components/vpc-resources.ts

@@ -25,7 +25,8 @@ export interface VpcResourcesProps extends cdk.StackProps {
     egressCIDR: string,
     costOptimizerBucketName: string,
     spokeAccountTableName: string,
-    createDynamoDBEndpointCondition: CfnCondition
+    createDynamoDBEndpointCondition: CfnCondition,
+    ecsTaskRoleName: string
 };
 export class VpcResources extends Construct {
     public readonly vpc: CfnVPC
@@ -131,16 +132,24 @@ export class VpcResources extends Construct {
         })
         overrideLogicalId(subnet2RouteTableAssociation, 'Subnet2RouteTableAssociation')
 
+        const accountCondition = {
+            StringEquals: {
+              'aws:PrincipalArn': [ 
+                `arn:${cdk.Aws.PARTITION}:iam::${cdk.Aws.ACCOUNT_ID}:role/${props.ecsTaskRoleName}-${cdk.Aws.REGION}`
+            ],
+            },
+          };
+
         const s3EndPointPolicyDocument = new PolicyDocument({
             statements: [new PolicyStatement({
                 actions: [
                     's3:PutObject'
                 ],
                 principals: [new AnyPrincipal],
                 resources: [
-                    `arn:${cdk.Aws.PARTITION}:s3:::${props.costOptimizerBucketName}/*`
-                ]
-
+                    `arn:${cdk.Aws.PARTITION}:s3:::${props.costOptimizerBucketName}/*`,
+                ],
+                conditions:accountCondition
             })],
         });
 
@@ -160,7 +169,8 @@ export class VpcResources extends Construct {
                 principals: [new AnyPrincipal],
                 resources: [
                     `arn:${cdk.Aws.PARTITION}:dynamodb:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:table/${props.spokeAccountTableName}`
-                ]
+                ],
+                conditions:accountCondition
             })],
         });
 

source/lib/cost-optimizer-for-amazon-workspaces-hub-stack.ts

@@ -351,7 +351,8 @@ export class CostOptimizerHubStack extends cdk.Stack {
             egressCIDR: egressCIDR.valueAsString,
             costOptimizerBucketName: reportingBucket.reportingBucket.bucketName,
             spokeAccountTableName: spokeAccountTable.tableName,
-            createDynamoDBEndpointCondition: createDynamoDBEndpointCondition
+            createDynamoDBEndpointCondition: createDynamoDBEndpointCondition,
+            ecsTaskRoleName: mappings.findInMap('Data','RoleName')
         }
 
         const costOptimizerVpc = new VpcResources(this, 'CostOptimizerVpc', costOptimizerVpcProps)

source/lib/cost-optimizer-for-amazon-workspaces-spoke-stack.ts

@@ -184,7 +184,7 @@ export class CostOptimizerSpokeStack extends cdk.Stack {
 
         const accountRegistrationProviderLambdaFunction = new lambda.Function(this, 'AccountRegistrationProvider', {
             description: "WorkspacesCostOptimizer spoke account registration custom resource provider",
-            runtime: Runtime.PYTHON_3_9,
+            runtime: Runtime.PYTHON_3_11,
             tracing: lambda.Tracing.ACTIVE,
             timeout: Duration.seconds(300),
             role: accountRegistrationProviderRole.withoutPolicyUpdates(),