diff --git a/CHANGELOG.md b/CHANGELOG.md index 74a8ea1..7b94046 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.7.0-a] - 2024-06-03 +### Added +- feat(network-config): Add deployments of Application Load Balancers in perimeter VPC. Added sample to deploy ALB in workload accounts and ALB Forwarding feature. +- feat(replacements): Added use of replacements-config.yaml file to centralize deployment variables. + +### Changed +- fix(custom-config): Updated nodejs and AWS SDK version +- fix(network-config): Removed App2 subnets from the central network. These were used originally used for AWS Managed Active Directory; however, since MAD now supports running in a delegated account with IAM Identity Center, these are no longer needed. Customers should check there are no other resources deployed in these subnets prior to making change +- feat(global-config): Enabled additional regions by default with CMK region excludes for cost optimization +- fix(global-config): Add CWL subscription filter exclusion for organization CloudTrail logs +- fix(docs): Updated broken link to install instructions +- fix(docs): Updated documentation for Control Tower deployments with LZA v1.7.0 + ## [1.6.1-a] - 2024-03-04 ### Added - feat(replacements): Added use of replacements-config.yaml file to centralize global variables. diff --git a/architecture-doc/images/alb-forwarding-architecture.png b/architecture-doc/images/alb-forwarding-architecture.png new file mode 100644 index 0000000..11eae30 Binary files /dev/null and b/architecture-doc/images/alb-forwarding-architecture.png differ diff --git a/architecture-doc/readme.md b/architecture-doc/readme.md index 09a5fec..b93f74e 100644 --- a/architecture-doc/readme.md 
+++ b/architecture-doc/readme.md
@@ -915,4 +915,4 @@ These services must still be appropriately configured. This includes ensuring bo
 ---
-**Continue to [LZA configuration files and installation instructions](../config/readme.md)**
+**Continue to [LZA installation instructions](../install.md)**
diff --git a/assets/certs/To_Create_Self_Signed-Cert.txt b/assets/certs/To_Create_Self_Signed-Cert.txt
new file mode 100644
index 0000000..107ea2d
--- /dev/null
+++ b/assets/certs/To_Create_Self_Signed-Cert.txt
@@ -0,0 +1,6 @@
+Run the following:
+
+Example1:
+openssl req -newkey rsa:2048 -nodes -keyout example1-cert.key -out example1-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.ca"
+openssl x509 -signkey example1-cert.key -in example1-cert.csr -req -days 1095 -out example1-cert.crt
+
diff --git a/config/custom-config-rules/attach-ec2-instance-profile.zip b/config/custom-config-rules/attach-ec2-instance-profile.zip
index 1de00bf..677e2a9 100644
Binary files a/config/custom-config-rules/attach-ec2-instance-profile.zip and b/config/custom-config-rules/attach-ec2-instance-profile.zip differ
diff --git a/config/custom-config-rules/ec2-instance-profile-permissions.zip b/config/custom-config-rules/ec2-instance-profile-permissions.zip
index 49dad43..a5fec2a 100644
Binary files a/config/custom-config-rules/ec2-instance-profile-permissions.zip and b/config/custom-config-rules/ec2-instance-profile-permissions.zip differ
diff --git a/config/customizations-config.yaml b/config/customizations-config.yaml
new file mode 100644
index 0000000..863893a
--- /dev/null
+++ b/config/customizations-config.yaml
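Review bot: The `openssl req` line builds the request with only a CN (`/CN=*.example.ca`) and the `x509 -req` line copies no extensions, so the certificate it produces carries no subjectAltName; an ALB will accept the import, but browsers and most current TLS libraries ignore CN and will reject it. Add the SAN at request time with `-addext "subjectAltName=DNS:*.example.ca,DNS:example.ca"` on the `req` line and carry it through with `-copy_extensions copy` on the `x509` line (`-copy_extensions` needs OpenSSL 3.0; on 1.1.1 pass an `-extfile` instead). `-nodes` is presumably there because ACM import wants an unencrypted key, but it leaves `example1-cert.key` in plaintext under `assets/certs/`; the file should say that these are lab-only self-signed certificates and that the `.key` must never be committed, ideally backed by a `*.key` rule in `.gitignore`, which this diff does not show.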
@@ -0,0 +1,17 @@
+customizations:
+ cloudFormationStacks:
+ - name: AWSAccelerator-AlbIPForwardingStack
+ description: ALB Lambda Forwarder
+ runOrder: 10
+ template: customizations/AlbIpForwardingStack.template.json
+ terminationProtection: true
+ parameters:
+ - name: acceleratorPrefix
+ value: AWSAccelerator
+ - name: vpcName
+ value: Perimeter
+ deploymentTargets:
+ accounts:
+ - Perimeter
+ regions:
+ - ca-central-1
\ No newline at end of file
diff --git a/config/customizations/AlbIpForwardingStack.template.json b/config/customizations/AlbIpForwardingStack.template.json
new file mode 100644
index 0000000..f952f4c
--- /dev/null
+++ b/config/customizations/AlbIpForwardingStack.template.json
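Review bot: `terminationProtection: true` on this entry only blocks deletion of the stack, not of the resources inside it: the template it deploys (further down in this diff; that hunk runs past what I can see) declares both the KMS key `AlbIpForwardingalb2albKeyF92E9EA0` and the DynamoDB table with `DeletionPolicy: Delete` and `UpdateReplacePolicy: Delete`, so an update that forces replacement of the key would schedule the key for deletion and leave the table's SSE-KMS data undecryptable. If the forwarding table holds state you care about, set `Retain` on at least the key, or explain above this entry why `Delete` is acceptable. The deployment is also pinned to the `Perimeter` account and `ca-central-1`; a one-line comment such as `# Deploy only where the perimeter ALBs live; extend regions if ALBs are added elsewhere` would spare the next reader a trip into the template.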
@@ -0,0 +1,610 @@ +{ + "Parameters": { + "vpcName": { + "Type": "String", + "Description": "The VPC Name for target ALBs" + }, + "acceleratorPrefix": { + "Type": "String", + "Default": "AWSAccelerator", + "Description": "The prefix used for the Landing Zone Accelerator with no dash. ex: AWSAccelerator" + } + }, + "Resources": { + "AlbIpForwardingalb2albKeyF92E9EA0": { + "Type": "AWS::KMS::Key", + "Properties": { + "EnableKeyRotation": true, + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/alb2albKey/Resource" + } + }, + "AlbIpForwardingddbDNSFirewallTableDE7BAC6C": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "PointInTimeRecoverySpecification": { + "PointInTimeRecoveryEnabled": true + }, + "SSESpecification": { + "KMSMasterKeyId": { + "Fn::GetAtt": [ + "AlbIpForwardingalb2albKeyF92E9EA0", + "Arn" + ] + }, + "SSEEnabled": true, + "SSEType": "KMS" + }, + "StreamSpecification": { + "StreamViewType": "NEW_AND_OLD_IMAGES" + }, + "TableName": { + "Fn::Join": [ + "", + [ + { + "Ref": "acceleratorPrefix" + }, + "-Alb-Ip-Forwarding-", + { + "Ref": "vpcName" + } + ] + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/ddbDNSFirewallTable/Resource", + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W28", + "reason": "Names must be set explicitly to be protected by accelerator SCPs" + } + ] + } + } + }, + 
"AlbIpForwardingdnsFWLambdaServiceRoleE2550228": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ], + "RoleName": { + "Fn::Join": [ + "", + [ + { + "Ref": "acceleratorPrefix" + }, + "-dnsFWLambdaRole-", + { + "Ref": "vpcName" + } + ] + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W28", + "reason": "Names must be set explicitly to be protected by accelerator SCPs`" + } + ] + } + } + }, + "AlbIpForwardingdnsFWLambdaServiceRoleDefaultPolicyF5FC440E": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "AlbIpForwardingalb2albKeyF92E9EA0", + "Arn" + ] + } + }, + { + "Action": [ + "dynamodb:BatchGetItem", + "dynamodb:BatchWriteItem", + "dynamodb:ConditionCheckItem", + "dynamodb:DeleteItem", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator", + "dynamodb:PutItem", + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:UpdateItem" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "AlbIpForwardingddbDNSFirewallTableDE7BAC6C", + "Arn" + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AlbIpForwardingdnsFWLambdaServiceRoleDefaultPolicyF5FC440E", + "Roles": [ + { + "Ref": "AlbIpForwardingdnsFWLambdaServiceRoleE2550228" + } + ] + }, + "Metadata": { + "aws:cdk:path": 
"AlbIpForwardingStack/AlbIpForwarding/dnsFWLambda/ServiceRole/DefaultPolicy/Resource" + } + }, + "AlbIpForwardingdnsFWLambdaCDFE4DA7": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "\"use strict\";var Td=Object.create;var rr=Object.defineProperty;var Ld=Object.getOwnPropertyDescriptor;var Cd=Object.getOwnPropertyNames;var Rd=Object.getPrototypeOf,Ed=Object.prototype.hasOwnProperty;var Sd=(u,v)=>()=>(v||u((v={exports:{}}).exports,v),v.exports),Od=(u,v)=>{for(var x in v)rr(u,x,{get:v[x],enumerable:!0})},co=(u,v,x,m)=>{if(v&&typeof v==\"object\"||typeof v==\"function\")for(let I of Cd(v))!Ed.call(u,I)&&I!==x&&rr(u,I,{get:()=>v[I],enumerable:!(m=Ld(v,I))||m.enumerable});return u};var ho=(u,v,x)=>(x=u!=null?Td(Rd(u)):{},co(v||!u||!u.__esModule?rr(x,\"default\",{value:u,enumerable:!0}):x,u)),Pd=u=>co(rr({},\"__esModule\",{value:!0}),u);var xo=Sd((Ft,oe)=>{(function(){var u,v=\"4.17.21\",x=200,m=\"Unsupported core-js use. Try https://npms.io/search?q=ponyfill.\",I=\"Expected a function\",j=\"Invalid `variable` option passed into `_.template`\",ut=\"__lodash_hash_undefined__\",Eo=500,se=\"__lodash_placeholder__\",Jn=1,Oi=2,mt=4,wt=1,ae=2,pn=1,ft=2,Pi=4,Sn=8,At=16,On=32,xt=64,Bn=128,Mt=256,ur=512,So=30,Oo=\"...\",Po=800,bo=16,bi=1,Do=2,Wo=3,ot=1/0,Yn=9007199254740991,Bo=17976931348623157e292,le=0/0,Pn=4294967295,Go=Pn-1,Fo=Pn>>>1,Mo=[[\"ary\",Bn],[\"bind\",pn],[\"bindKey\",ft],[\"curry\",Sn],[\"curryRight\",At],[\"flip\",ur],[\"partial\",On],[\"partialRight\",xt],[\"rearg\",Mt]],yt=\"[object Arguments]\",ce=\"[object Array]\",No=\"[object AsyncFunction]\",Nt=\"[object Boolean]\",Ut=\"[object Date]\",Uo=\"[object DOMException]\",he=\"[object Error]\",ge=\"[object Function]\",Di=\"[object GeneratorFunction]\",In=\"[object Map]\",$t=\"[object Number]\",$o=\"[object Null]\",Gn=\"[object Object]\",Wi=\"[object Promise]\",Ho=\"[object Proxy]\",Ht=\"[object RegExp]\",Tn=\"[object Set]\",Kt=\"[object String]\",pe=\"[object Symbol]\",Ko=\"[object 
Undefined]\",qt=\"[object WeakMap]\",qo=\"[object WeakSet]\",zt=\"[object ArrayBuffer]\",It=\"[object DataView]\",fr=\"[object Float32Array]\",or=\"[object Float64Array]\",sr=\"[object Int8Array]\",ar=\"[object Int16Array]\",lr=\"[object Int32Array]\",cr=\"[object Uint8Array]\",hr=\"[object Uint8ClampedArray]\",gr=\"[object Uint16Array]\",pr=\"[object Uint32Array]\",zo=/\\b__p \\+= '';/g,Zo=/\\b(__p \\+=) '' \\+/g,Jo=/(__e\\(.*?\\)|\\b__t\\)) \\+\\n'';/g,Bi=/&(?:amp|lt|gt|quot|#39);/g,Gi=/[&<>\"']/g,Yo=RegExp(Bi.source),Xo=RegExp(Gi.source),Qo=/<%-([\\s\\S]+?)%>/g,Vo=/<%([\\s\\S]+?)%>/g,Fi=/<%=([\\s\\S]+?)%>/g,ko=/\\.|\\[(?:[^[\\]]*|([\"'])(?:(?!\\1)[^\\\\]|\\\\.)*?\\1)\\]/,jo=/^\\w*$/,ns=/[^.[\\]]+|\\[(?:(-?\\d+(?:\\.\\d+)?)|([\"'])((?:(?!\\2)[^\\\\]|\\\\.)*?)\\2)\\]|(?=(?:\\.|\\[\\])(?:\\.|\\[\\]|$))/g,dr=/[\\\\^$.*+?()[\\]{}|]/g,ts=RegExp(dr.source),_r=/^\\s+/,es=/\\s/,rs=/\\{(?:\\n\\/\\* \\[wrapped with .+\\] \\*\\/)?\\n?/,is=/\\{\\n\\/\\* \\[wrapped with (.+)\\] \\*/,us=/,? & /,fs=/[^\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f]+/g,os=/[()=,{}\\[\\]\\/\\s]/,ss=/\\\\(\\\\)?/g,as=/\\$\\{([^\\\\}]*(?:\\\\.[^\\\\}]*)*)\\}/g,Mi=/\\w*$/,ls=/^[-+]0x[0-9a-f]+$/i,cs=/^0b[01]+$/i,hs=/^\\[object .+?Constructor\\]$/,gs=/^0o[0-7]+$/i,ps=/^(?:0|[1-9]\\d*)$/,ds=/[\\xc0-\\xd6\\xd8-\\xf6\\xf8-\\xff\\u0100-\\u017f]/g,de=/($^)/,_s=/['\\n\\r\\u2028\\u2029\\\\]/g,_e=\"\\\\ud800-\\\\udfff\",vs=\"\\\\u0300-\\\\u036f\",ms=\"\\\\ufe20-\\\\ufe2f\",ws=\"\\\\u20d0-\\\\u20ff\",Ni=vs+ms+ws,Ui=\"\\\\u2700-\\\\u27bf\",$i=\"a-z\\\\xdf-\\\\xf6\\\\xf8-\\\\xff\",As=\"\\\\xac\\\\xb1\\\\xd7\\\\xf7\",xs=\"\\\\x00-\\\\x2f\\\\x3a-\\\\x40\\\\x5b-\\\\x60\\\\x7b-\\\\xbf\",ys=\"\\\\u2000-\\\\u206f\",Is=\" 
\\\\t\\\\x0b\\\\f\\\\xa0\\\\ufeff\\\\n\\\\r\\\\u2028\\\\u2029\\\\u1680\\\\u180e\\\\u2000\\\\u2001\\\\u2002\\\\u2003\\\\u2004\\\\u2005\\\\u2006\\\\u2007\\\\u2008\\\\u2009\\\\u200a\\\\u202f\\\\u205f\\\\u3000\",Hi=\"A-Z\\\\xc0-\\\\xd6\\\\xd8-\\\\xde\",Ki=\"\\\\ufe0e\\\\ufe0f\",qi=As+xs+ys+Is,vr=\"['\\u2019]\",Ts=\"[\"+_e+\"]\",zi=\"[\"+qi+\"]\",ve=\"[\"+Ni+\"]\",Zi=\"\\\\d+\",Ls=\"[\"+Ui+\"]\",Ji=\"[\"+$i+\"]\",Yi=\"[^\"+_e+qi+Zi+Ui+$i+Hi+\"]\",mr=\"\\\\ud83c[\\\\udffb-\\\\udfff]\",Cs=\"(?:\"+ve+\"|\"+mr+\")\",Xi=\"[^\"+_e+\"]\",wr=\"(?:\\\\ud83c[\\\\udde6-\\\\uddff]){2}\",Ar=\"[\\\\ud800-\\\\udbff][\\\\udc00-\\\\udfff]\",Tt=\"[\"+Hi+\"]\",Qi=\"\\\\u200d\",Vi=\"(?:\"+Ji+\"|\"+Yi+\")\",Rs=\"(?:\"+Tt+\"|\"+Yi+\")\",ki=\"(?:\"+vr+\"(?:d|ll|m|re|s|t|ve))?\",ji=\"(?:\"+vr+\"(?:D|LL|M|RE|S|T|VE))?\",nu=Cs+\"?\",tu=\"[\"+Ki+\"]?\",Es=\"(?:\"+Qi+\"(?:\"+[Xi,wr,Ar].join(\"|\")+\")\"+tu+nu+\")*\",Ss=\"\\\\d*(?:1st|2nd|3rd|(?![123])\\\\dth)(?=\\\\b|[A-Z_])\",Os=\"\\\\d*(?:1ST|2ND|3RD|(?![123])\\\\dTH)(?=\\\\b|[a-z_])\",eu=tu+nu+Es,Ps=\"(?:\"+[Ls,wr,Ar].join(\"|\")+\")\"+eu,bs=\"(?:\"+[Xi+ve+\"?\",ve,wr,Ar,Ts].join(\"|\")+\")\",Ds=RegExp(vr,\"g\"),Ws=RegExp(ve,\"g\"),xr=RegExp(mr+\"(?=\"+mr+\")|\"+bs+eu,\"g\"),Bs=RegExp([Tt+\"?\"+Ji+\"+\"+ki+\"(?=\"+[zi,Tt,\"$\"].join(\"|\")+\")\",Rs+\"+\"+ji+\"(?=\"+[zi,Tt+Vi,\"$\"].join(\"|\")+\")\",Tt+\"?\"+Vi+\"+\"+ki,Tt+\"+\"+ji,Os,Ss,Zi,Ps].join(\"|\"),\"g\"),Gs=RegExp(\"[\"+Qi+_e+Ni+Ki+\"]\"),Fs=/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 
]/,Ms=[\"Array\",\"Buffer\",\"DataView\",\"Date\",\"Error\",\"Float32Array\",\"Float64Array\",\"Function\",\"Int8Array\",\"Int16Array\",\"Int32Array\",\"Map\",\"Math\",\"Object\",\"Promise\",\"RegExp\",\"Set\",\"String\",\"Symbol\",\"TypeError\",\"Uint8Array\",\"Uint8ClampedArray\",\"Uint16Array\",\"Uint32Array\",\"WeakMap\",\"_\",\"clearTimeout\",\"isFinite\",\"parseInt\",\"setTimeout\"],Ns=-1,U={};U[fr]=U[or]=U[sr]=U[ar]=U[lr]=U[cr]=U[hr]=U[gr]=U[pr]=!0,U[yt]=U[ce]=U[zt]=U[Nt]=U[It]=U[Ut]=U[he]=U[ge]=U[In]=U[$t]=U[Gn]=U[Ht]=U[Tn]=U[Kt]=U[qt]=!1;var N={};N[yt]=N[ce]=N[zt]=N[It]=N[Nt]=N[Ut]=N[fr]=N[or]=N[sr]=N[ar]=N[lr]=N[In]=N[$t]=N[Gn]=N[Ht]=N[Tn]=N[Kt]=N[pe]=N[cr]=N[hr]=N[gr]=N[pr]=!0,N[he]=N[ge]=N[qt]=!1;var Us={\\u00C0:\"A\",\\u00C1:\"A\",\\u00C2:\"A\",\\u00C3:\"A\",\\u00C4:\"A\",\\u00C5:\"A\",\\u00E0:\"a\",\\u00E1:\"a\",\\u00E2:\"a\",\\u00E3:\"a\",\\u00E4:\"a\",\\u00E5:\"a\",\\u00C7:\"C\",\\u00E7:\"c\",\\u00D0:\"D\",\\u00F0:\"d\",\\u00C8:\"E\",\\u00C9:\"E\",\\u00CA:\"E\",\\u00CB:\"E\",\\u00E8:\"e\",\\u00E9:\"e\",\\u00EA:\"e\",\\u00EB:\"e\",\\u00CC:\"I\",\\u00CD:\"I\",\\u00CE:\"I\",\\u00CF:\"I\",\\u00EC:\"i\",\\u00ED:\"i\",\\u00EE:\"i\",\\u00EF:\"i\",\\u00D1:\"N\",\\u00F1:\"n\",\\u00D2:\"O\",\\u00D3:\"O\",\\u00D4:\"O\",\\u00D5:\"O\",\\u00D6:\"O\",\\u00D8:\"O\",\\u00F2:\"o\",\\u00F3:\"o\",\\u00F4:\"o\",\\u00F5:\"o\",\\u00F6:\"o\",\\u00F8:\"o\",\\u00D9:\"U\",\\u00DA:\"U\",\\u00DB:\"U\",\\u00DC:\"U\",\\u00F9:\"u\",\\u00FA:\"u\",\\u00FB:\"u\",\\u00FC:\"u\",\\u00DD:\"Y\",\\u00FD:\"y\",\\u00FF:\"y\",\\u00C6:\"Ae\",\\u00E6:\"ae\",\\u00DE:\"Th\",\\u00FE:\"th\",\\u00DF:\"ss\",\\u0100:\"A\",\\u0102:\"A\",\\u0104:\"A\",\\u0101:\"a\",\\u0103:\"a\",\\u0105:\"a\",\\u0106:\"C\",\\u0108:\"C\",\\u010A:\"C\",\\u010C:\"C\",\\u0107:\"c\",\\u0109:\"c\",\\u010B:\"c\",\\u010D:\"c\",\\u010E:\"D\",\\u0110:\"D\",\\u010F:\"d\",\\u0111:\"d\",\\u0112:\"E\",\\u0114:\"E\",\\u0116:\"E\",\\u0118:\"E\",\\u011A:\"E\",\\u0113:\"e\",\\u0115:\"e\",\\u0117:\"e\",\\u0119:\"e\",\\u011B:\"e\",\\u011C:\
"G\",\\u011E:\"G\",\\u0120:\"G\",\\u0122:\"G\",\\u011D:\"g\",\\u011F:\"g\",\\u0121:\"g\",\\u0123:\"g\",\\u0124:\"H\",\\u0126:\"H\",\\u0125:\"h\",\\u0127:\"h\",\\u0128:\"I\",\\u012A:\"I\",\\u012C:\"I\",\\u012E:\"I\",\\u0130:\"I\",\\u0129:\"i\",\\u012B:\"i\",\\u012D:\"i\",\\u012F:\"i\",\\u0131:\"i\",\\u0134:\"J\",\\u0135:\"j\",\\u0136:\"K\",\\u0137:\"k\",\\u0138:\"k\",\\u0139:\"L\",\\u013B:\"L\",\\u013D:\"L\",\\u013F:\"L\",\\u0141:\"L\",\\u013A:\"l\",\\u013C:\"l\",\\u013E:\"l\",\\u0140:\"l\",\\u0142:\"l\",\\u0143:\"N\",\\u0145:\"N\",\\u0147:\"N\",\\u014A:\"N\",\\u0144:\"n\",\\u0146:\"n\",\\u0148:\"n\",\\u014B:\"n\",\\u014C:\"O\",\\u014E:\"O\",\\u0150:\"O\",\\u014D:\"o\",\\u014F:\"o\",\\u0151:\"o\",\\u0154:\"R\",\\u0156:\"R\",\\u0158:\"R\",\\u0155:\"r\",\\u0157:\"r\",\\u0159:\"r\",\\u015A:\"S\",\\u015C:\"S\",\\u015E:\"S\",\\u0160:\"S\",\\u015B:\"s\",\\u015D:\"s\",\\u015F:\"s\",\\u0161:\"s\",\\u0162:\"T\",\\u0164:\"T\",\\u0166:\"T\",\\u0163:\"t\",\\u0165:\"t\",\\u0167:\"t\",\\u0168:\"U\",\\u016A:\"U\",\\u016C:\"U\",\\u016E:\"U\",\\u0170:\"U\",\\u0172:\"U\",\\u0169:\"u\",\\u016B:\"u\",\\u016D:\"u\",\\u016F:\"u\",\\u0171:\"u\",\\u0173:\"u\",\\u0174:\"W\",\\u0175:\"w\",\\u0176:\"Y\",\\u0177:\"y\",\\u0178:\"Y\",\\u0179:\"Z\",\\u017B:\"Z\",\\u017D:\"Z\",\\u017A:\"z\",\\u017C:\"z\",\\u017E:\"z\",\\u0132:\"IJ\",\\u0133:\"ij\",\\u0152:\"Oe\",\\u0153:\"oe\",\\u0149:\"'n\",\\u017F:\"s\"},$s={\"&\":\"&\",\"<\":\"<\",\">\":\">\",'\"':\""\",\"'\":\"'\"},Hs={\"&\":\"&\",\"<\":\"<\",\">\":\">\",\""\":'\"',\"'\":\"'\"},Ks={\"\\\\\":\"\\\\\",\"'\":\"'\",\"\\n\":\"n\",\"\\r\":\"r\",\"\\u2028\":\"u2028\",\"\\u2029\":\"u2029\"},qs=parseFloat,zs=parseInt,ru=typeof global==\"object\"&&global&&global.Object===Object&&global,Zs=typeof self==\"object\"&&self&&self.Object===Object&&self,Y=ru||Zs||Function(\"return this\")(),yr=typeof Ft==\"object\"&&Ft&&!Ft.nodeType&&Ft,st=yr&&typeof oe==\"object\"&&oe&&!oe.nodeType&&oe,iu=st&&st.exports===yr,Ir=iu&&ru.process,dn=function(){try{var 
l=st&&st.require&&st.require(\"util\").types;return l||Ir&&Ir.binding&&Ir.binding(\"util\")}catch{}}(),uu=dn&&dn.isArrayBuffer,fu=dn&&dn.isDate,ou=dn&&dn.isMap,su=dn&&dn.isRegExp,au=dn&&dn.isSet,lu=dn&&dn.isTypedArray;function sn(l,g,h){switch(h.length){case 0:return l.call(g);case 1:return l.call(g,h[0]);case 2:return l.call(g,h[0],h[1]);case 3:return l.call(g,h[0],h[1],h[2])}return l.apply(g,h)}function Js(l,g,h,A){for(var R=-1,B=l==null?0:l.length;++R-1}function Tr(l,g,h){for(var A=-1,R=l==null?0:l.length;++A-1;);return h}function mu(l,g){for(var h=l.length;h--&&Lt(g,l[h],0)>-1;);return h}function ea(l,g){for(var h=l.length,A=0;h--;)l[h]===g&&++A;return A}var ra=Er(Us),ia=Er($s);function ua(l){return\"\\\\\"+Ks[l]}function fa(l,g){return l==null?u:l[g]}function Ct(l){return Gs.test(l)}function oa(l){return Fs.test(l)}function sa(l){for(var g,h=[];!(g=l.next()).done;)h.push(g.value);return h}function br(l){var g=-1,h=Array(l.size);return l.forEach(function(A,R){h[++g]=[R,A]}),h}function wu(l,g){return function(h){return l(g(h))}}function Vn(l,g){for(var h=-1,A=l.length,R=0,B=[];++h-1}function Xa(n,t){var e=this.__data__,r=Be(e,n);return r<0?(++this.size,e.push([n,t])):e[r][1]=t,this}Fn.prototype.clear=za,Fn.prototype.delete=Za,Fn.prototype.get=Ja,Fn.prototype.has=Ya,Fn.prototype.set=Xa;function Mn(n){var t=-1,e=n==null?0:n.length;for(this.clear();++t=t?n:t)),n}function wn(n,t,e,r,i,o){var s,a=t&Jn,c=t&Oi,p=t&mt;if(e&&(s=i?e(n,r,i,o):e(n)),s!==u)return s;if(!H(n))return n;var d=E(n);if(d){if(s=jl(n),!a)return rn(n,s)}else{var _=k(n),w=_==ge||_==Di;if(it(n))return tf(n,a);if(_==Gn||_==yt||w&&!i){if(s=c||w?{}:xf(n),!a)return c?Hl(n,cl(s,n)):$l(n,Pu(s,n))}else{if(!N[_])return i?n:{};s=nc(n,_,a)}}o||(o=new Cn);var y=o.get(n);if(y)return y;o.set(n,s),Qf(n)?n.forEach(function(C){s.add(wn(C,t,e,C,n,o))}):Yf(n)&&n.forEach(function(C,b){s.set(b,wn(C,t,e,b,n,o))});var L=p?c?ii:ri:c?fn:X,O=d?u:L(n);return 
_n(O||n,function(C,b){O&&(b=C,C=n[b]),kt(s,b,wn(C,t,e,b,n,o))}),s}function hl(n){var t=X(n);return function(e){return bu(e,n,t)}}function bu(n,t,e){var r=e.length;if(n==null)return!r;for(n=M(n);r--;){var i=e[r],o=t[i],s=n[i];if(s===u&&!(i in n)||!o(s))return!1}return!0}function Du(n,t,e){if(typeof n!=\"function\")throw new vn(I);return ue(function(){n.apply(u,e)},t)}function jt(n,t,e,r){var i=-1,o=me,s=!0,a=n.length,c=[],p=t.length;if(!a)return c;e&&(t=$(t,an(e))),r?(o=Tr,s=!1):t.length>=x&&(o=Zt,s=!1,t=new ct(t));n:for(;++ii?0:i+e),r=r===u||r>i?i:S(r),r<0&&(r+=i),r=e>r?0:kf(r);e0&&e(a)?t>1?Q(a,t-1,e,r,i):Qn(i,a):r||(i[i.length]=a)}return i}var Nr=sf(),Gu=sf(!0);function bn(n,t){return n&&Nr(n,t,X)}function Ur(n,t){return n&&Gu(n,t,X)}function Fe(n,t){return Xn(t,function(e){return Kn(n[e])})}function gt(n,t){t=et(t,n);for(var e=0,r=t.length;n!=null&&et}function dl(n,t){return n!=null&&F.call(n,t)}function _l(n,t){return n!=null&&t in M(n)}function vl(n,t,e){return n>=V(t,e)&&n=120&&d.length>=120)?new ct(s&&d):u}d=n[0];var _=-1,w=a[0];n:for(;++_-1;)a!==n&&Ee.call(a,c,1),Ee.call(n,c,1);return n}function Ju(n,t){for(var e=n?t.length:0,r=e-1;e--;){var i=t[e];if(e==r||i!==o){var o=i;Hn(i)?Ee.call(n,i,1):Qr(n,i)}}return n}function Jr(n,t){return n+Pe(Ru()*(t-n+1))}function Ol(n,t,e,r){for(var i=-1,o=J(Oe((t-n)/(e||1)),0),s=h(o);o--;)s[r?o:++i]=n,n+=e;return s}function Yr(n,t){var e=\"\";if(!n||t<1||t>Yn)return e;do t%2&&(e+=n),t=Pe(t/2),t&&(n+=n);while(t);return e}function P(n,t){return ci(Tf(n,t,on),n+\"\")}function Pl(n){return Ou(Gt(n))}function bl(n,t){var e=Gt(n);return Ye(e,ht(t,0,e.length))}function ee(n,t,e,r){if(!H(n))return n;t=et(t,n);for(var i=-1,o=t.length,s=o-1,a=n;a!=null&&++ii?0:i+t),e=e>i?i:e,e<0&&(e+=i),i=t>e?0:e-t>>>0,t>>>=0;for(var o=h(i);++r>>1,s=n[o];s!==null&&!cn(s)&&(e?s<=t:s=x){var p=t?null:Zl(n);if(p)return Ae(p);s=!1,i=Zt,c=new ct}else c=t?[]:a;n:for(;++r=r?n:An(n,t,e)}var nf=Ia||function(n){return Y.clearTimeout(n)};function 
tf(n,t){if(t)return n.slice();var e=n.length,r=yu?yu(e):new n.constructor(e);return n.copy(r),r}function ni(n){var t=new n.constructor(n.byteLength);return new Ce(t).set(new Ce(n)),t}function Fl(n,t){var e=t?ni(n.buffer):n.buffer;return new n.constructor(e,n.byteOffset,n.byteLength)}function Ml(n){var t=new n.constructor(n.source,Mi.exec(n));return t.lastIndex=n.lastIndex,t}function Nl(n){return Vt?M(Vt.call(n)):{}}function ef(n,t){var e=t?ni(n.buffer):n.buffer;return new n.constructor(e,n.byteOffset,n.length)}function rf(n,t){if(n!==t){var e=n!==u,r=n===null,i=n===n,o=cn(n),s=t!==u,a=t===null,c=t===t,p=cn(t);if(!a&&!p&&!o&&n>t||o&&s&&c&&!a&&!p||r&&s&&c||!e&&c||!i)return 1;if(!r&&!o&&!p&&n=a)return c;var p=e[r];return c*(p==\"desc\"?-1:1)}}return n.index-t.index}function uf(n,t,e,r){for(var i=-1,o=n.length,s=e.length,a=-1,c=t.length,p=J(o-s,0),d=h(c+p),_=!r;++a1?e[i-1]:u,s=i>2?e[2]:u;for(o=n.length>3&&typeof o==\"function\"?(i--,o):u,s&&tn(e[0],e[1],s)&&(o=i<3?u:o,i=1),t=M(t);++r-1?i[o?t[s]:s]:u}}function cf(n){return $n(function(t){var e=t.length,r=e,i=mn.prototype.thru;for(n&&t.reverse();r--;){var o=t[r];if(typeof o!=\"function\")throw new vn(I);if(i&&!s&&Ze(o)==\"wrapper\")var s=new mn([],!0)}for(r=s?r:e;++r1&&W.reverse(),d&&ca))return!1;var p=o.get(n),d=o.get(t);if(p&&d)return p==t&&d==n;var _=-1,w=!0,y=e&ae?new ct:u;for(o.set(n,t),o.set(t,n);++_1?\"& \":\"\")+t[r],t=t.join(e>2?\", \":\" \"),n.replace(rs,`{\n/* [wrapped with `+t+`] */\n`)}function ec(n){return E(n)||_t(n)||!!(Lu&&n&&n[Lu])}function Hn(n,t){var e=typeof n;return t=t??Yn,!!t&&(e==\"number\"||e!=\"symbol\"&&ps.test(n))&&n>-1&&n%1==0&&n0){if(++t>=Po)return arguments[0]}else t=0;return n.apply(u,arguments)}}function Ye(n,t){var e=-1,r=n.length,i=r-1;for(t=t===u?r:t;++e1?n[t-1]:u;return e=typeof e==\"function\"?(n.pop(),e):u,Gf(n,e)});function Ff(n){var t=f(n);return t.__chain__=!0,t}function gh(n,t){return t(n),n}function Xe(n,t){return t(n)}var ph=$n(function(n){var 
t=n.length,e=t?n[0]:0,r=this.__wrapped__,i=function(o){return Mr(o,n)};return t>1||this.__actions__.length||!(r instanceof D)||!Hn(e)?this.thru(i):(r=r.slice(e,+e+(t?1:0)),r.__actions__.push({func:Xe,args:[i],thisArg:u}),new mn(r,this.__chain__).thru(function(o){return t&&!o.length&&o.push(u),o}))});function dh(){return Ff(this)}function _h(){return new mn(this.value(),this.__chain__)}function vh(){this.__values__===u&&(this.__values__=Vf(this.value()));var n=this.__index__>=this.__values__.length,t=n?u:this.__values__[this.__index__++];return{done:n,value:t}}function mh(){return this}function wh(n){for(var t,e=this;e instanceof We;){var r=Of(e);r.__index__=0,r.__values__=u,t?i.__wrapped__=r:t=r;var i=r;e=e.__wrapped__}return i.__wrapped__=n,t}function Ah(){var n=this.__wrapped__;if(n instanceof D){var t=n;return this.__actions__.length&&(t=new D(this)),t=t.reverse(),t.__actions__.push({func:Xe,args:[hi],thisArg:u}),new mn(t,this.__chain__)}return this.thru(hi)}function xh(){return ku(this.__wrapped__,this.__actions__)}var yh=$e(function(n,t,e){F.call(n,e)?++n[e]:Nn(n,e,1)});function Ih(n,t,e){var r=E(n)?cu:gl;return e&&tn(n,t,e)&&(t=u),r(n,T(t,3))}function Th(n,t){var e=E(n)?Xn:Bu;return e(n,T(t,3))}var Lh=lf(Pf),Ch=lf(bf);function Rh(n,t){return Q(Qe(n,t),1)}function Eh(n,t){return Q(Qe(n,t),ot)}function Sh(n,t,e){return e=e===u?1:S(e),Q(Qe(n,t),e)}function Mf(n,t){var e=E(n)?_n:nt;return e(n,T(t,3))}function Nf(n,t){var e=E(n)?Ys:Wu;return e(n,T(t,3))}var Oh=$e(function(n,t,e){F.call(n,e)?n[e].push(t):Nn(n,e,[t])});function Ph(n,t,e,r){n=un(n)?n:Gt(n),e=e&&!r?S(e):0;var i=n.length;return e<0&&(e=J(i+e,0)),tr(n)?e<=i&&n.indexOf(t,e)>-1:!!i&&Lt(n,t,e)>-1}var bh=P(function(n,t,e){var r=-1,i=typeof t==\"function\",o=un(n)?h(n.length):[];return nt(n,function(s){o[++r]=i?sn(t,s,e):ne(s,t,e)}),o}),Dh=$e(function(n,t,e){Nn(n,e,t)});function Qe(n,t){var e=E(n)?$:$u;return e(n,T(t,3))}function Wh(n,t,e,r){return 
n==null?[]:(E(t)||(t=t==null?[]:[t]),e=r?u:e,E(e)||(e=e==null?[]:[e]),zu(n,t,e))}var Bh=$e(function(n,t,e){n[e?0:1].push(t)},function(){return[[],[]]});function Gh(n,t,e){var r=E(n)?Lr:du,i=arguments.length<3;return r(n,T(t,4),e,i,nt)}function Fh(n,t,e){var r=E(n)?Xs:du,i=arguments.length<3;return r(n,T(t,4),e,i,Wu)}function Mh(n,t){var e=E(n)?Xn:Bu;return e(n,je(T(t,3)))}function Nh(n){var t=E(n)?Ou:Pl;return t(n)}function Uh(n,t,e){(e?tn(n,t,e):t===u)?t=1:t=S(t);var r=E(n)?sl:bl;return r(n,t)}function $h(n){var t=E(n)?al:Wl;return t(n)}function Hh(n){if(n==null)return 0;if(un(n))return tr(n)?Rt(n):n.length;var t=k(n);return t==In||t==Tn?n.size:qr(n).length}function Kh(n,t,e){var r=E(n)?Cr:Bl;return e&&tn(n,t,e)&&(t=u),r(n,T(t,3))}var qh=P(function(n,t){if(n==null)return[];var e=t.length;return e>1&&tn(n,t[0],t[1])?t=[]:e>2&&tn(t[0],t[1],t[2])&&(t=[t[0]]),zu(n,Q(t,1),[])}),Ve=Ta||function(){return Y.Date.now()};function zh(n,t){if(typeof t!=\"function\")throw new vn(I);return n=S(n),function(){if(--n<1)return t.apply(this,arguments)}}function Uf(n,t,e){return t=e?u:t,t=n&&t==null?n.length:t,Un(n,Bn,u,u,u,u,t)}function $f(n,t){var e;if(typeof t!=\"function\")throw new vn(I);return n=S(n),function(){return--n>0&&(e=t.apply(this,arguments)),n<=1&&(t=u),e}}var pi=P(function(n,t,e){var r=pn;if(e.length){var i=Vn(e,Wt(pi));r|=On}return Un(n,r,t,e,i)}),Hf=P(function(n,t,e){var r=pn|ft;if(e.length){var i=Vn(e,Wt(Hf));r|=On}return Un(t,r,n,e,i)});function Kf(n,t,e){t=e?u:t;var r=Un(n,Sn,u,u,u,u,u,t);return r.placeholder=Kf.placeholder,r}function qf(n,t,e){t=e?u:t;var r=Un(n,At,u,u,u,u,u,t);return r.placeholder=qf.placeholder,r}function zf(n,t,e){var r,i,o,s,a,c,p=0,d=!1,_=!1,w=!0;if(typeof n!=\"function\")throw new vn(I);t=yn(t)||0,H(e)&&(d=!!e.leading,_=\"maxWait\"in e,o=_?J(yn(e.maxWait)||0,t):o,w=\"trailing\"in e?!!e.trailing:w);function y(z){var En=r,zn=i;return r=i=u,p=z,s=n.apply(zn,En),s}function L(z){return p=z,a=ue(b,t),d?y(z):s}function O(z){var 
En=z-c,zn=z-p,lo=t-En;return _?V(lo,o-zn):lo}function C(z){var En=z-c,zn=z-p;return c===u||En>=t||En<0||_&&zn>=o}function b(){var z=Ve();if(C(z))return W(z);a=ue(b,O(z))}function W(z){return a=u,w&&r?y(z):(r=i=u,s)}function hn(){a!==u&&nf(a),p=0,r=c=i=a=u}function en(){return a===u?s:W(Ve())}function gn(){var z=Ve(),En=C(z);if(r=arguments,i=this,c=z,En){if(a===u)return L(c);if(_)return nf(a),a=ue(b,t),y(c)}return a===u&&(a=ue(b,t)),s}return gn.cancel=hn,gn.flush=en,gn}var Zh=P(function(n,t){return Du(n,1,t)}),Jh=P(function(n,t,e){return Du(n,yn(t)||0,e)});function Yh(n){return Un(n,ur)}function ke(n,t){if(typeof n!=\"function\"||t!=null&&typeof t!=\"function\")throw new vn(I);var e=function(){var r=arguments,i=t?t.apply(this,r):r[0],o=e.cache;if(o.has(i))return o.get(i);var s=n.apply(this,r);return e.cache=o.set(i,s)||o,s};return e.cache=new(ke.Cache||Mn),e}ke.Cache=Mn;function je(n){if(typeof n!=\"function\")throw new vn(I);return function(){var t=arguments;switch(t.length){case 0:return!n.call(this);case 1:return!n.call(this,t[0]);case 2:return!n.call(this,t[0],t[1]);case 3:return!n.call(this,t[0],t[1],t[2])}return!n.apply(this,t)}}function Xh(n){return $f(2,n)}var Qh=Gl(function(n,t){t=t.length==1&&E(t[0])?$(t[0],an(T())):$(Q(t,1),an(T()));var e=t.length;return P(function(r){for(var i=-1,o=V(r.length,e);++i=t}),_t=Mu(function(){return arguments}())?Mu:function(n){return K(n)&&F.call(n,\"callee\")&&!Tu.call(n,\"callee\")},E=h.isArray,cg=uu?an(uu):wl;function un(n){return n!=null&&nr(n.length)&&!Kn(n)}function q(n){return K(n)&&un(n)}function hg(n){return n===!0||n===!1||K(n)&&nn(n)==Nt}var it=Ca||Ci,gg=fu?an(fu):Al;function pg(n){return K(n)&&n.nodeType===1&&!fe(n)}function dg(n){if(n==null)return!0;if(un(n)&&(E(n)||typeof n==\"string\"||typeof n.splice==\"function\"||it(n)||Bt(n)||_t(n)))return!n.length;var t=k(n);if(t==In||t==Tn)return!n.size;if(ie(n))return!qr(n).length;for(var e in n)if(F.call(n,e))return!1;return!0}function _g(n,t){return te(n,t)}function 
vg(n,t,e){e=typeof e==\"function\"?e:u;var r=e?e(n,t):u;return r===u?te(n,t,u,e):!!r}function _i(n){if(!K(n))return!1;var t=nn(n);return t==he||t==Uo||typeof n.message==\"string\"&&typeof n.name==\"string\"&&!fe(n)}function mg(n){return typeof n==\"number\"&&Cu(n)}function Kn(n){if(!H(n))return!1;var t=nn(n);return t==ge||t==Di||t==No||t==Ho}function Jf(n){return typeof n==\"number\"&&n==S(n)}function nr(n){return typeof n==\"number\"&&n>-1&&n%1==0&&n<=Yn}function H(n){var t=typeof n;return n!=null&&(t==\"object\"||t==\"function\")}function K(n){return n!=null&&typeof n==\"object\"}var Yf=ou?an(ou):yl;function wg(n,t){return n===t||Kr(n,t,fi(t))}function Ag(n,t,e){return e=typeof e==\"function\"?e:u,Kr(n,t,fi(t),e)}function xg(n){return Xf(n)&&n!=+n}function yg(n){if(uc(n))throw new R(m);return Nu(n)}function Ig(n){return n===null}function Tg(n){return n==null}function Xf(n){return typeof n==\"number\"||K(n)&&nn(n)==$t}function fe(n){if(!K(n)||nn(n)!=Gn)return!1;var t=Re(n);if(t===null)return!0;var e=F.call(t,\"constructor\")&&t.constructor;return typeof e==\"function\"&&e instanceof e&&Ie.call(e)==Aa}var vi=su?an(su):Il;function Lg(n){return Jf(n)&&n>=-Yn&&n<=Yn}var Qf=au?an(au):Tl;function tr(n){return typeof n==\"string\"||!E(n)&&K(n)&&nn(n)==Kt}function cn(n){return typeof n==\"symbol\"||K(n)&&nn(n)==pe}var Bt=lu?an(lu):Ll;function Cg(n){return n===u}function Rg(n){return K(n)&&k(n)==qt}function Eg(n){return K(n)&&nn(n)==qo}var Sg=ze(zr),Og=ze(function(n,t){return n<=t});function Vf(n){if(!n)return[];if(un(n))return tr(n)?Ln(n):rn(n);if(Jt&&n[Jt])return sa(n[Jt]());var t=k(n),e=t==In?br:t==Tn?Ae:Gt;return e(n)}function qn(n){if(!n)return n===0?n:0;if(n=yn(n),n===ot||n===-ot){var t=n<0?-1:1;return t*Bo}return n===n?n:0}function S(n){var t=qn(n),e=t%1;return t===t?e?t-e:t:0}function kf(n){return n?ht(S(n),0,Pn):0}function yn(n){if(typeof n==\"number\")return n;if(cn(n))return le;if(H(n)){var t=typeof n.valueOf==\"function\"?n.valueOf():n;n=H(t)?t+\"\":t}if(typeof 
n!=\"string\")return n===0?n:+n;n=_u(n);var e=cs.test(n);return e||gs.test(n)?zs(n.slice(2),e?2:8):ls.test(n)?le:+n}function jf(n){return Dn(n,fn(n))}function Pg(n){return n?ht(S(n),-Yn,Yn):n===0?n:0}function G(n){return n==null?\"\":ln(n)}var bg=bt(function(n,t){if(ie(t)||un(t)){Dn(t,X(t),n);return}for(var e in t)F.call(t,e)&&kt(n,e,t[e])}),no=bt(function(n,t){Dn(t,fn(t),n)}),er=bt(function(n,t,e,r){Dn(t,fn(t),n,r)}),Dg=bt(function(n,t,e,r){Dn(t,X(t),n,r)}),Wg=$n(Mr);function Bg(n,t){var e=Pt(n);return t==null?e:Pu(e,t)}var Gg=P(function(n,t){n=M(n);var e=-1,r=t.length,i=r>2?t[2]:u;for(i&&tn(t[0],t[1],i)&&(r=1);++e1),o}),Dn(n,ii(n),e),r&&(e=wn(e,Jn|Oi|mt,Jl));for(var i=t.length;i--;)Qr(e,t[i]);return e});function np(n,t){return eo(n,je(T(t)))}var tp=$n(function(n,t){return n==null?{}:El(n,t)});function eo(n,t){if(n==null)return{};var e=$(ii(n),function(r){return[r]});return t=T(t),Zu(n,e,function(r,i){return t(r,i[0])})}function ep(n,t,e){t=et(t,n);var r=-1,i=t.length;for(i||(i=1,n=u);++rt){var r=n;n=t,t=r}if(e||n%1||t%1){var i=Ru();return V(n+i*(t-n+qs(\"1e-\"+((i+\"\").length-1))),t)}return Jr(n,t)}var gp=Dt(function(n,t,e){return t=t.toLowerCase(),n+(e?uo(t):t)});function uo(n){return Ai(G(n).toLowerCase())}function fo(n){return n=G(n),n&&n.replace(ds,ra).replace(Ws,\"\")}function pp(n,t,e){n=G(n),t=ln(t);var r=n.length;e=e===u?r:ht(S(e),0,r);var i=e;return e-=t.length,e>=0&&n.slice(e,i)==t}function dp(n){return n=G(n),n&&Xo.test(n)?n.replace(Gi,ia):n}function _p(n){return n=G(n),n&&ts.test(n)?n.replace(dr,\"\\\\$&\"):n}var vp=Dt(function(n,t,e){return n+(e?\"-\":\"\")+t.toLowerCase()}),mp=Dt(function(n,t,e){return n+(e?\" \":\"\")+t.toLowerCase()}),wp=af(\"toLowerCase\");function Ap(n,t,e){n=G(n),t=S(t);var r=t?Rt(n):0;if(!t||r>=t)return n;var i=(t-r)/2;return qe(Pe(i),e)+n+qe(Oe(i),e)}function xp(n,t,e){n=G(n),t=S(t);var r=t?Rt(n):0;return t&&r>>0,e?(n=G(n),n&&(typeof t==\"string\"||t!=null&&!vi(t))&&(t=ln(t),!t&&Ct(n))?rt(Ln(n),0,e):n.split(t,e)):[]}var 
Ep=Dt(function(n,t,e){return n+(e?\" \":\"\")+Ai(t)});function Sp(n,t,e){return n=G(n),e=e==null?0:ht(S(e),0,n.length),t=ln(t),n.slice(e,e+t.length)==t}function Op(n,t,e){var r=f.templateSettings;e&&tn(n,t,e)&&(t=u),n=G(n),t=er({},t,r,_f);var i=er({},t.imports,r.imports,_f),o=X(i),s=Pr(i,o),a,c,p=0,d=t.interpolate||de,_=\"__p += '\",w=Dr((t.escape||de).source+\"|\"+d.source+\"|\"+(d===Fi?as:de).source+\"|\"+(t.evaluate||de).source+\"|$\",\"g\"),y=\"//# sourceURL=\"+(F.call(t,\"sourceURL\")?(t.sourceURL+\"\").replace(/\\s/g,\" \"):\"lodash.templateSources[\"+ ++Ns+\"]\")+`\n`;n.replace(w,function(C,b,W,hn,en,gn){return W||(W=hn),_+=n.slice(p,gn).replace(_s,ua),b&&(a=!0,_+=`' +\n__e(`+b+`) +\n'`),en&&(c=!0,_+=`';\n`+en+`;\n__p += '`),W&&(_+=`' +\n((__t = (`+W+`)) == null ? '' : __t) +\n'`),p=gn+C.length,C}),_+=`';\n`;var L=F.call(t,\"variable\")&&t.variable;if(!L)_=`with (obj) {\n`+_+`\n}\n`;else if(os.test(L))throw new R(j);_=(c?_.replace(zo,\"\"):_).replace(Zo,\"$1\").replace(Jo,\"$1;\"),_=\"function(\"+(L||\"obj\")+`) {\n`+(L?\"\":`obj || (obj = {});\n`)+\"var __t, __p = ''\"+(a?\", __e = _.escape\":\"\")+(c?`, __j = Array.prototype.join;\nfunction print() { __p += __j.call(arguments, '') }\n`:`;\n`)+_+`return __p\n}`;var O=so(function(){return B(o,y+\"return \"+_).apply(u,s)});if(O.source=_,_i(O))throw O;return O}function Pp(n){return G(n).toLowerCase()}function bp(n){return G(n).toUpperCase()}function Dp(n,t,e){if(n=G(n),n&&(e||t===u))return _u(n);if(!n||!(t=ln(t)))return n;var r=Ln(n),i=Ln(t),o=vu(r,i),s=mu(r,i)+1;return rt(r,o,s).join(\"\")}function Wp(n,t,e){if(n=G(n),n&&(e||t===u))return n.slice(0,Au(n)+1);if(!n||!(t=ln(t)))return n;var r=Ln(n),i=mu(r,Ln(t))+1;return rt(r,0,i).join(\"\")}function Bp(n,t,e){if(n=G(n),n&&(e||t===u))return n.replace(_r,\"\");if(!n||!(t=ln(t)))return n;var r=Ln(n),i=vu(r,Ln(t));return rt(r,i).join(\"\")}function Gp(n,t){var e=So,r=Oo;if(H(t)){var i=\"separator\"in t?t.separator:i;e=\"length\"in t?S(t.length):e,r=\"omission\"in 
t?ln(t.omission):r}n=G(n);var o=n.length;if(Ct(n)){var s=Ln(n);o=s.length}if(e>=o)return n;var a=e-Rt(r);if(a<1)return r;var c=s?rt(s,0,a).join(\"\"):n.slice(0,a);if(i===u)return c+r;if(s&&(a+=c.length-a),vi(i)){if(n.slice(a).search(i)){var p,d=c;for(i.global||(i=Dr(i.source,G(Mi.exec(i))+\"g\")),i.lastIndex=0;p=i.exec(d);)var _=p.index;c=c.slice(0,_===u?a:_)}}else if(n.indexOf(ln(i),a)!=a){var w=c.lastIndexOf(i);w>-1&&(c=c.slice(0,w))}return c+r}function Fp(n){return n=G(n),n&&Yo.test(n)?n.replace(Bi,ha):n}var Mp=Dt(function(n,t,e){return n+(e?\" \":\"\")+t.toUpperCase()}),Ai=af(\"toUpperCase\");function oo(n,t,e){return n=G(n),t=e?u:t,t===u?oa(n)?da(n):ks(n):n.match(t)||[]}var so=P(function(n,t){try{return sn(n,u,t)}catch(e){return _i(e)?e:new R(e)}}),Np=$n(function(n,t){return _n(t,function(e){e=Wn(e),Nn(n,e,pi(n[e],n))}),n});function Up(n){var t=n==null?0:n.length,e=T();return n=t?$(n,function(r){if(typeof r[1]!=\"function\")throw new vn(I);return[e(r[0]),r[1]]}):[],P(function(r){for(var i=-1;++iYn)return[];var e=Pn,r=V(n,Pn);t=T(t),n-=Pn;for(var i=Or(r,t);++e0||t<0)?new D(e):(n<0?e=e.takeRight(-n):n&&(e=e.drop(n)),t!==u&&(t=S(t),e=t<0?e.dropRight(-t):e.take(t-n)),e)},D.prototype.takeRightWhile=function(n){return this.reverse().takeWhile(n).reverse()},D.prototype.toArray=function(){return this.take(Pn)},bn(D.prototype,function(n,t){var e=/^(?:filter|find|map|reject)|While$/.test(t),r=/^(?:head|last)$/.test(t),i=f[r?\"take\"+(t==\"last\"?\"Right\":\"\"):t],o=r||/^find/.test(t);i&&(f.prototype[t]=function(){var s=this.__wrapped__,a=r?[1]:arguments,c=s instanceof D,p=a[0],d=c||E(s),_=function(b){var W=i.apply(f,Qn([b],a));return r&&w?W[0]:W};d&&e&&typeof p==\"function\"&&p.length!=1&&(c=d=!1);var w=this.__chain__,y=!!this.__actions__.length,L=o&&!w,O=c&&!y;if(!o&&d){s=O?s:new D(this);var C=n.apply(s,a);return C.__actions__.push({func:Xe,args:[_],thisArg:u}),new mn(C,w)}return 
L&&O?n.apply(this,a):(C=this.thru(_),L?r?C.value()[0]:C.value():C)})}),_n([\"pop\",\"push\",\"shift\",\"sort\",\"splice\",\"unshift\"],function(n){var t=xe[n],e=/^(?:push|sort|unshift)$/.test(n)?\"tap\":\"thru\",r=/^(?:pop|shift)$/.test(n);f.prototype[n]=function(){var i=arguments;if(r&&!this.__chain__){var o=this.value();return t.apply(E(o)?o:[],i)}return this[e](function(s){return t.apply(E(s)?s:[],i)})}}),bn(D.prototype,function(n,t){var e=f[t];if(e){var r=e.name+\"\";F.call(Ot,r)||(Ot[r]=[]),Ot[r].push({name:t,func:e})}}),Ot[He(u,ft).name]=[{name:\"wrapper\",func:u}],D.prototype.clone=Fa,D.prototype.reverse=Ma,D.prototype.value=Na,f.prototype.at=ph,f.prototype.chain=dh,f.prototype.commit=_h,f.prototype.next=vh,f.prototype.plant=wh,f.prototype.reverse=Ah,f.prototype.toJSON=f.prototype.valueOf=f.prototype.value=xh,f.prototype.first=f.prototype.head,Jt&&(f.prototype[Jt]=mh),f},kn=_a();typeof define==\"function\"&&typeof define.amd==\"object\"&&define.amd?(Y._=kn,define(function(){return kn})):st?((st.exports=kn)._=kn,yr._=kn):Y._=kn}).call(Ft)});var jd={};Od(jd,{albIpMonitor:()=>Ao,albTargetRecordMonitor:()=>Ro});module.exports=Pd(jd);var go=ho(require(\"dns\")),po=require(\"@aws-sdk/lib-dynamodb\"),_o=require(\"@aws-sdk/client-dynamodb\"),vo=require(\"@aws-sdk/client-elastic-load-balancing-v2\"),Ri=process.env.LOOKUP_TABLE??\"\",mo=po.DynamoDBDocument.from(new _o.DynamoDB),wo=new vo.ElasticLoadBalancingV2({logger:console}),bd=async u=>{console.log(`Scanning route lookup table ${Ri}`);let v={TableName:u},x=[],m;do m=await mo.scan(v),m.Items?.forEach(I=>x.push(I)),v.ExclusiveStartKey=m.LastEvaluatedKey;while(typeof m.LastEvaluatedKey<\"u\");return x},Dd=async(u,v,x)=>{let m=v.map(j=>({Id:j,Port:x,AvailabilityZone:\"all\"})),I={TargetGroupArn:u,Targets:m};return wo.registerTargets(I)},Wd=async(u,v)=>{console.log(`Deregistering IP addresses ${JSON.stringify(v)} from target group ${u}`);let x=v.map(I=>({Id:I})),m={TargetGroupArn:u,Targets:x};return 
wo.deregisterTargets(m)},Bd=async u=>new Promise((v,x)=>{go.lookup(u,{all:!0,family:4},(m,I)=>{m?x(m):v(I.map(j=>j.address).sort())})}),Gd=(u,v)=>{let x=u.indexOf(v);return x>-1&&u.splice(x,1),u},Fd=async u=>{let v={TableName:Ri,Item:u};return mo.put(v)},Ao=async(u,v)=>{let x=await bd(Ri)??[];for(let m of x)try{m.dnsLookupIps=[];try{m.dnsLookupIps=await Bd(m.targetAlbDnsName)}catch(I){console.log(I)}m.ipAddList=m.dnsLookupIps?.filter(I=>!m.metadata?.targetGroupIpAddresses?.includes(I))??[],m.ipRemoveList=m.metadata?.targetGroupIpAddresses?.filter(I=>!m.dnsLookupIps?.includes(I))??[],m.ipAddList?.length>0?(console.log(`Registering new ips ${JSON.stringify(m.ipAddList)} to target ${m.metadata.targetGroupArn} with port ${m.targetGroupDestinationPort}`),await Dd(m.metadata.targetGroupArn,m.ipAddList,m.targetGroupDestinationPort),m.metadata.targetGroupIpAddresses.push(...m.ipAddList)):console.log(\"No new Ip addresses to register\"),m.ipRemoveList?.length>0?(console.log(`Deregistering old ip addresses ${JSON.stringify(m.ipRemoveList)} from target group targetGroupRecord.metadata.targetGroupArn`),await Wd(m.metadata.targetGroupArn,m.ipRemoveList),m.ipRemoveList?.forEach(I=>{console.log(m.metadata.targetGroupIpAddresses,I),m.metadata.targetGroupIpAddresses=Gd(m.metadata.targetGroupIpAddresses,I)})):console.log(\"No old ip addresses to deregister\"),delete m.ipAddList,delete m.ipRemoveList,delete m.dnsLookupIps,console.log(\"Writing record to DDB table \",JSON.stringify(m,null,4)),await Fd(m)}catch(I){console.log(\"There was a problem updating the record \",JSON.stringify(m,null,4)),console.log(I)}return\"Done\"};var yo=require(\"@aws-sdk/lib-dynamodb\"),Io=require(\"@aws-sdk/client-dynamodb\"),Ei=require(\"@aws-sdk/util-dynamodb\"),ir=require(\"@aws-sdk/client-elastic-load-balancing-v2\"),vt=ho(xo()),Zn=new ir.ElasticLoadBalancingV2,Md=yo.DynamoDBDocument.from(new Io.DynamoDB),Nd=process.env.LOOKUP_TABLE||\"\",Ud=u=>new 
Promise(v=>{setTimeout(v,u)}),$d=async(u,v,x,m)=>{let I={Name:u,Port:v,Protocol:m,VpcId:x,TargetType:ir.TargetTypeEnum.IP};return Zn.createTargetGroup(I)},Hd=async u=>{let v={Attributes:[{Key:\"stickiness.enabled\",Value:\"true\"}],TargetGroupArn:u};return Zn.modifyTargetGroupAttributes(v)},To=async(u,v)=>{let x={ListenerArn:v};return((await Zn.describeRules(x)).Rules?.filter(j=>j.Priority===u.toString())||[]).length===0},Lo=async u=>{try{let v={ListenerArns:[u]};return await Zn.describeListeners(v),Promise.resolve(!0)}catch(v){return console.log(v),Promise.resolve(!1)}},Kd=async(u,v,x,m,I)=>{console.log(\"trying to create listener rule\"),console.log(x,v,u,m,I);let j={Actions:[{TargetGroupArn:m,Type:\"forward\"}],ListenerArn:u,Priority:I,Conditions:[]};if(v?.length>0){let ut={Field:\"path-pattern\",Values:v};j.Conditions?.push(ut)}if(x?.length>0){let ut={Field:\"host-header\",Values:x};j.Conditions?.push(ut)}return Zn.createRule(j)},qd=async(u,v,x,m)=>{let I={Actions:[{TargetGroupArn:m,Type:\"forward\"}],RuleArn:u,Conditions:[]};if(v?.length>0){let j={Field:\"path-pattern\",Values:v};I?.Conditions?.push(j)}if(x?.length>0){let j={Field:\"host-header\",Values:x};I?.Conditions?.push(j)}return Zn.modifyRule(I)},zd=async u=>{let v={RuleArn:u};return Zn.deleteRule(v)},Zd=async u=>{let v={TargetGroupArn:u};return Zn.deleteTargetGroup(v)},Jd=async(u,v)=>{let x={RulePriorities:[{Priority:v,RuleArn:u}]};return Zn.setRulePriorities(x)},Yd=async(u,v)=>{let x={TableName:u,Item:v};return Md.put(x)},Xd=(u,v)=>{let x={vpcId:u.vpcId,destinationPort:u.targetGroupDestinationPort,protocol:u.targetGroupProtocol},m={vpcId:v.vpcId,destinationPort:v.targetGroupDestinationPort,protocol:v.targetGroupProtocol};return!vt.isEqual(x,m)},Qd=(u,v)=>{let 
x={sourceListenerArn:u.rule.sourceListenerArn,priority:u.rule.condition.priority,paths:u.rule.condition.paths?.sort(),hosts:u.rule.condition.hosts?.sort()},m={sourceListenerArn:v.rule.sourceListenerArn,priority:v.rule.condition.priority,paths:v.rule.condition.paths?.sort(),hosts:v.rule.condition.hosts?.sort()};return!vt.isEqual(x,m)},Vd=(u,v)=>{let x=u.rule.condition.priority,m=v.rule.condition.priority;return x!==m},Si=async u=>{console.log(\"Record creation detected.\");try{if(!await Lo(u.rule.sourceListenerArn))throw new Error(`The ALB Listener ARN: ${u.rule.sourceListenerArn} does not exist. Exiting`);if(console.log(\"Checking if priority is valid\"),!await To(u.rule.condition.priority,u.rule.sourceListenerArn))throw new Error(`The priority ${u.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${u.rule.sourceListenerArn}. Priorities must not match. Exiting`);let x=(await $d(u.id,u.targetGroupDestinationPort,u.vpcId,u.targetGroupProtocol))?.TargetGroups?.[0].TargetGroupArn??\"\";await Hd(x);let I=(await Kd(u.rule.sourceListenerArn,u.rule.condition.paths,u.rule.condition.hosts,x,u.rule.condition.priority))?.Rules?.[0].RuleArn??\"\";if(!x||!I)throw new Error(`There was an error getting the target group arn or listener rule arn. \nTarget Group Arn: ${x}\nRule Arn: ${I}`);return u.metadata={targetGroupArn:x,ruleArn:I,targetGroupIpAddresses:[]},await Yd(Nd,u),console.log(\"Added metadata to table\"),u}catch(v){throw console.log(\"There was a problem creating resources for the following record\",JSON.stringify(u,null,4)),v}},Co=async u=>{try{console.log(`Deleting listener rule and target group for ${u.id}`),await zd(u.metadata.ruleArn),console.log(\"Deleted listener rule.\")}catch(v){console.log(v),console.log(\"Could not delete listener rule for record. 
Continuing...\",JSON.stringify(u,null,4))}try{await Zd(u.metadata.targetGroupArn),console.log(\"Deleted target group\");return}catch(v){console.log(\"Could not delete target group for record\",JSON.stringify(u,null,4)),console.log(v)}},kd=async(u,v)=>{try{if(console.log(`The record with id ${u.id} was updated. Performing comparison.`),!await Lo(u.rule.sourceListenerArn))throw new Error(`The ALB Listener ARN: ${u.rule.sourceListenerArn} does not exist. Exiting`);let x=vt.cloneDeep(u),m=vt.cloneDeep(v);if(delete x.metadata,delete m.metadata,vt.isEqual(x,m)){console.log(`Update Record handler found no changes made for record with Id ${u.id}`);return}if(!v.metadata){console.log(\"No previous metadata detected for record. Creating metadata based off of new entry\"),await Si(u);return}if(Qd(v,u)&&(console.log(`Detected a listener rule change. Modifying rule ${u.metadata.ruleArn}`),await qd(u.metadata.ruleArn,u.rule.condition.paths,u.rule.condition.hosts,u.metadata.targetGroupArn)),Vd(v,u)){if(!await To(u.rule.condition.priority,u.rule.sourceListenerArn))throw new Error(`The priority ${u.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${u.rule.sourceListenerArn}. Priorities must not match.`);await Jd(u.metadata.ruleArn,u.rule.condition.priority)}Xd(v,u)&&(console.log(`Detected a target group change. 
deleting target group ${u.metadata.targetGroupArn} and creating a new target group`),await Co(u),await Ud(1e4),await Si(u))}catch(x){throw console.log(\"There was a problem updating a target group or listener rule for the records:\"),console.log(\"Old Record: \",JSON.stringify(v,null,4)),console.log(\"New Record: \",JSON.stringify(u,null,4)),x}},Ro=async(u,v)=>{console.log(JSON.stringify(u,null,2));let x=u.Records.map(m=>(m.dynamodb.OldImage&&(m.dynamodb.OldImage=(0,Ei.unmarshall)(m.dynamodb.OldImage)),m.dynamodb.NewImage&&(m.dynamodb.NewImage=(0,Ei.unmarshall)(m.dynamodb.NewImage)),m));for(let m of x)m.eventName===\"INSERT\"&&await Si(m.dynamodb.NewImage),m.eventName===\"MODIFY\"&&await kd(m.dynamodb.NewImage,m.dynamodb.OldImage),m.eventName===\"REMOVE\"&&await Co(m.dynamodb.OldImage)};0&&(module.exports={albIpMonitor,albTargetRecordMonitor});\n/*! Bundled license information:\n\nlodash/lodash.js:\n (**\n * @license\n * Lodash \n * Copyright OpenJS Foundation and other contributors \n * Released under MIT license \n * Based on Underscore.js 1.8.3 \n * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors\n *)\n*/\n" + }, + "Environment": { + "Variables": { + "LOOKUP_TABLE": { + "Ref": "AlbIpForwardingddbDNSFirewallTableDE7BAC6C" + } + } + }, + "Handler": "index.albIpMonitor", + "MemorySize": 512, + "Role": { + "Fn::GetAtt": [ + "AlbIpForwardingdnsFWLambdaServiceRoleE2550228", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Timeout": 60 + }, + "DependsOn": [ + "AlbIpForwardingdnsFWLambdaServiceRoleDefaultPolicyF5FC440E", + "AlbIpForwardingdnsFWLambdaServiceRoleE2550228" + ], + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/dnsFWLambda/Resource", + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" + }, + { + "id": "W89", + "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." 
+ }, + { + "id": "W92", + "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." + } + ] + } + } + }, + "AlbIpForwardingdnsFWPolicyB74542DB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:RegisterTargets" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AlbIpForwardingdnsFWPolicyB74542DB", + "Roles": [ + { + "Ref": "AlbIpForwardingdnsFWLambdaServiceRoleE2550228" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Lambda need to be able to work with any ELB in the account" + } + ] + } + } + }, + "AlbIpForwardingddbDnsRecordMonitorServiceRoleBDC0C08F": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ], + "RoleName": { + "Fn::Join": [ + "", + [ + { + "Ref": "acceleratorPrefix" + }, + "-ddbDnsRecordMonitor-", + { + "Ref": "vpcName" + } + ] + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W28", + "reason": "Names must be set explicitly to be protected by accelerator SCPs`" + } + ] + } + } + }, + "AlbIpForwardingddbDnsRecordMonitorServiceRoleDefaultPolicyBB5ECA75": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "AlbIpForwardingalb2albKeyF92E9EA0", + "Arn" + ] + 
} + }, + { + "Action": [ + "dynamodb:BatchGetItem", + "dynamodb:BatchWriteItem", + "dynamodb:ConditionCheckItem", + "dynamodb:DeleteItem", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator", + "dynamodb:PutItem", + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:UpdateItem" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "AlbIpForwardingddbDNSFirewallTableDE7BAC6C", + "Arn" + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Action": "dynamodb:ListStreams", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "AlbIpForwardingddbDNSFirewallTableDE7BAC6C", + "StreamArn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AlbIpForwardingddbDnsRecordMonitorServiceRoleDefaultPolicyBB5ECA75", + "Roles": [ + { + "Ref": "AlbIpForwardingddbDnsRecordMonitorServiceRoleBDC0C08F" + } + ] + }, + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/ddbDnsRecordMonitor/ServiceRole/DefaultPolicy/Resource" + } + }, + "AlbIpForwardingddbDnsRecordMonitor551C6C2F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "\"use strict\";var Td=Object.create;var rr=Object.defineProperty;var Ld=Object.getOwnPropertyDescriptor;var Cd=Object.getOwnPropertyNames;var Rd=Object.getPrototypeOf,Ed=Object.prototype.hasOwnProperty;var Sd=(u,v)=>()=>(v||u((v={exports:{}}).exports,v),v.exports),Od=(u,v)=>{for(var x in v)rr(u,x,{get:v[x],enumerable:!0})},co=(u,v,x,m)=>{if(v&&typeof v==\"object\"||typeof v==\"function\")for(let I of Cd(v))!Ed.call(u,I)&&I!==x&&rr(u,I,{get:()=>v[I],enumerable:!(m=Ld(v,I))||m.enumerable});return u};var ho=(u,v,x)=>(x=u!=null?Td(Rd(u)):{},co(v||!u||!u.__esModule?rr(x,\"default\",{value:u,enumerable:!0}):x,u)),Pd=u=>co(rr({},\"__esModule\",{value:!0}),u);var xo=Sd((Ft,oe)=>{(function(){var 
u,v=\"4.17.21\",x=200,m=\"Unsupported core-js use. Try https://npms.io/search?q=ponyfill.\",I=\"Expected a function\",j=\"Invalid `variable` option passed into `_.template`\",ut=\"__lodash_hash_undefined__\",Eo=500,se=\"__lodash_placeholder__\",Jn=1,Oi=2,mt=4,wt=1,ae=2,pn=1,ft=2,Pi=4,Sn=8,At=16,On=32,xt=64,Bn=128,Mt=256,ur=512,So=30,Oo=\"...\",Po=800,bo=16,bi=1,Do=2,Wo=3,ot=1/0,Yn=9007199254740991,Bo=17976931348623157e292,le=0/0,Pn=4294967295,Go=Pn-1,Fo=Pn>>>1,Mo=[[\"ary\",Bn],[\"bind\",pn],[\"bindKey\",ft],[\"curry\",Sn],[\"curryRight\",At],[\"flip\",ur],[\"partial\",On],[\"partialRight\",xt],[\"rearg\",Mt]],yt=\"[object Arguments]\",ce=\"[object Array]\",No=\"[object AsyncFunction]\",Nt=\"[object Boolean]\",Ut=\"[object Date]\",Uo=\"[object DOMException]\",he=\"[object Error]\",ge=\"[object Function]\",Di=\"[object GeneratorFunction]\",In=\"[object Map]\",$t=\"[object Number]\",$o=\"[object Null]\",Gn=\"[object Object]\",Wi=\"[object Promise]\",Ho=\"[object Proxy]\",Ht=\"[object RegExp]\",Tn=\"[object Set]\",Kt=\"[object String]\",pe=\"[object Symbol]\",Ko=\"[object Undefined]\",qt=\"[object WeakMap]\",qo=\"[object WeakSet]\",zt=\"[object ArrayBuffer]\",It=\"[object DataView]\",fr=\"[object Float32Array]\",or=\"[object Float64Array]\",sr=\"[object Int8Array]\",ar=\"[object Int16Array]\",lr=\"[object Int32Array]\",cr=\"[object Uint8Array]\",hr=\"[object Uint8ClampedArray]\",gr=\"[object Uint16Array]\",pr=\"[object Uint32Array]\",zo=/\\b__p \\+= '';/g,Zo=/\\b(__p \\+=) '' \\+/g,Jo=/(__e\\(.*?\\)|\\b__t\\)) \\+\\n'';/g,Bi=/&(?:amp|lt|gt|quot|#39);/g,Gi=/[&<>\"']/g,Yo=RegExp(Bi.source),Xo=RegExp(Gi.source),Qo=/<%-([\\s\\S]+?)%>/g,Vo=/<%([\\s\\S]+?)%>/g,Fi=/<%=([\\s\\S]+?)%>/g,ko=/\\.|\\[(?:[^[\\]]*|([\"'])(?:(?!\\1)[^\\\\]|\\\\.)*?\\1)\\]/,jo=/^\\w*$/,ns=/[^.[\\]]+|\\[(?:(-?\\d+(?:\\.\\d+)?)|([\"'])((?:(?!\\2)[^\\\\]|\\\\.)*?)\\2)\\]|(?=(?:\\.|\\[\\])(?:\\.|\\[\\]|$))/g,dr=/[\\\\^$.*+?()[\\]{}|]/g,ts=RegExp(dr.source),_r=/^\\s+/,es=/\\s/,rs=/\\{(?:\\n\\/\\* 
\\[wrapped with .+\\] \\*\\/)?\\n?/,is=/\\{\\n\\/\\* \\[wrapped with (.+)\\] \\*/,us=/,? & /,fs=/[^\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f]+/g,os=/[()=,{}\\[\\]\\/\\s]/,ss=/\\\\(\\\\)?/g,as=/\\$\\{([^\\\\}]*(?:\\\\.[^\\\\}]*)*)\\}/g,Mi=/\\w*$/,ls=/^[-+]0x[0-9a-f]+$/i,cs=/^0b[01]+$/i,hs=/^\\[object .+?Constructor\\]$/,gs=/^0o[0-7]+$/i,ps=/^(?:0|[1-9]\\d*)$/,ds=/[\\xc0-\\xd6\\xd8-\\xf6\\xf8-\\xff\\u0100-\\u017f]/g,de=/($^)/,_s=/['\\n\\r\\u2028\\u2029\\\\]/g,_e=\"\\\\ud800-\\\\udfff\",vs=\"\\\\u0300-\\\\u036f\",ms=\"\\\\ufe20-\\\\ufe2f\",ws=\"\\\\u20d0-\\\\u20ff\",Ni=vs+ms+ws,Ui=\"\\\\u2700-\\\\u27bf\",$i=\"a-z\\\\xdf-\\\\xf6\\\\xf8-\\\\xff\",As=\"\\\\xac\\\\xb1\\\\xd7\\\\xf7\",xs=\"\\\\x00-\\\\x2f\\\\x3a-\\\\x40\\\\x5b-\\\\x60\\\\x7b-\\\\xbf\",ys=\"\\\\u2000-\\\\u206f\",Is=\" \\\\t\\\\x0b\\\\f\\\\xa0\\\\ufeff\\\\n\\\\r\\\\u2028\\\\u2029\\\\u1680\\\\u180e\\\\u2000\\\\u2001\\\\u2002\\\\u2003\\\\u2004\\\\u2005\\\\u2006\\\\u2007\\\\u2008\\\\u2009\\\\u200a\\\\u202f\\\\u205f\\\\u3000\",Hi=\"A-Z\\\\xc0-\\\\xd6\\\\xd8-\\\\xde\",Ki=\"\\\\ufe0e\\\\ufe0f\",qi=As+xs+ys+Is,vr=\"['\\u2019]\",Ts=\"[\"+_e+\"]\",zi=\"[\"+qi+\"]\",ve=\"[\"+Ni+\"]\",Zi=\"\\\\d+\",Ls=\"[\"+Ui+\"]\",Ji=\"[\"+$i+\"]\",Yi=\"[^\"+_e+qi+Zi+Ui+$i+Hi+\"]\",mr=\"\\\\ud83c[\\\\udffb-\\\\udfff]\",Cs=\"(?:\"+ve+\"|\"+mr+\")\",Xi=\"[^\"+_e+\"]\",wr=\"(?:\\\\ud83c[\\\\udde6-\\\\uddff]){2}\",Ar=\"[\\\\ud800-\\\\udbff][\\\\udc00-\\\\udfff]\",Tt=\"[\"+Hi+\"]\",Qi=\"\\\\u200d\",Vi=\"(?:\"+Ji+\"|\"+Yi+\")\",Rs=\"(?:\"+Tt+\"|\"+Yi+\")\",ki=\"(?:\"+vr+\"(?:d|ll|m|re|s|t|ve))?\",ji=\"(?:\"+vr+\"(?:D|LL|M|RE|S|T|VE))?\",nu=Cs+\"?\",tu=\"[\"+Ki+\"]?\",Es=\"(?:\"+Qi+\"(?:\"+[Xi,wr,Ar].join(\"|\")+\")\"+tu+nu+\")*\",Ss=\"\\\\d*(?:1st|2nd|3rd|(?![123])\\\\dth)(?=\\\\b|[A-Z_])\",Os=\"\\\\d*(?:1ST|2ND|3RD|(?![123])\\\\dTH)(?=\\\\b|[a-z_])\",eu=tu+nu+Es,Ps=\"(?:\"+[Ls,wr,Ar].join(\"|\")+\")\"+eu,bs=\"(?:\"+[Xi+ve+\"?\",ve,wr,Ar,Ts].join(\"|\")+\")\",Ds=RegExp(vr,\"g\"),Ws=RegExp(ve,\"g\"),xr=RegExp(mr+\"(?=\"+mr+\")|\"+bs+eu,\"
g\"),Bs=RegExp([Tt+\"?\"+Ji+\"+\"+ki+\"(?=\"+[zi,Tt,\"$\"].join(\"|\")+\")\",Rs+\"+\"+ji+\"(?=\"+[zi,Tt+Vi,\"$\"].join(\"|\")+\")\",Tt+\"?\"+Vi+\"+\"+ki,Tt+\"+\"+ji,Os,Ss,Zi,Ps].join(\"|\"),\"g\"),Gs=RegExp(\"[\"+Qi+_e+Ni+Ki+\"]\"),Fs=/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/,Ms=[\"Array\",\"Buffer\",\"DataView\",\"Date\",\"Error\",\"Float32Array\",\"Float64Array\",\"Function\",\"Int8Array\",\"Int16Array\",\"Int32Array\",\"Map\",\"Math\",\"Object\",\"Promise\",\"RegExp\",\"Set\",\"String\",\"Symbol\",\"TypeError\",\"Uint8Array\",\"Uint8ClampedArray\",\"Uint16Array\",\"Uint32Array\",\"WeakMap\",\"_\",\"clearTimeout\",\"isFinite\",\"parseInt\",\"setTimeout\"],Ns=-1,U={};U[fr]=U[or]=U[sr]=U[ar]=U[lr]=U[cr]=U[hr]=U[gr]=U[pr]=!0,U[yt]=U[ce]=U[zt]=U[Nt]=U[It]=U[Ut]=U[he]=U[ge]=U[In]=U[$t]=U[Gn]=U[Ht]=U[Tn]=U[Kt]=U[qt]=!1;var N={};N[yt]=N[ce]=N[zt]=N[It]=N[Nt]=N[Ut]=N[fr]=N[or]=N[sr]=N[ar]=N[lr]=N[In]=N[$t]=N[Gn]=N[Ht]=N[Tn]=N[Kt]=N[pe]=N[cr]=N[hr]=N[gr]=N[pr]=!0,N[he]=N[ge]=N[qt]=!1;var 
Us={\\u00C0:\"A\",\\u00C1:\"A\",\\u00C2:\"A\",\\u00C3:\"A\",\\u00C4:\"A\",\\u00C5:\"A\",\\u00E0:\"a\",\\u00E1:\"a\",\\u00E2:\"a\",\\u00E3:\"a\",\\u00E4:\"a\",\\u00E5:\"a\",\\u00C7:\"C\",\\u00E7:\"c\",\\u00D0:\"D\",\\u00F0:\"d\",\\u00C8:\"E\",\\u00C9:\"E\",\\u00CA:\"E\",\\u00CB:\"E\",\\u00E8:\"e\",\\u00E9:\"e\",\\u00EA:\"e\",\\u00EB:\"e\",\\u00CC:\"I\",\\u00CD:\"I\",\\u00CE:\"I\",\\u00CF:\"I\",\\u00EC:\"i\",\\u00ED:\"i\",\\u00EE:\"i\",\\u00EF:\"i\",\\u00D1:\"N\",\\u00F1:\"n\",\\u00D2:\"O\",\\u00D3:\"O\",\\u00D4:\"O\",\\u00D5:\"O\",\\u00D6:\"O\",\\u00D8:\"O\",\\u00F2:\"o\",\\u00F3:\"o\",\\u00F4:\"o\",\\u00F5:\"o\",\\u00F6:\"o\",\\u00F8:\"o\",\\u00D9:\"U\",\\u00DA:\"U\",\\u00DB:\"U\",\\u00DC:\"U\",\\u00F9:\"u\",\\u00FA:\"u\",\\u00FB:\"u\",\\u00FC:\"u\",\\u00DD:\"Y\",\\u00FD:\"y\",\\u00FF:\"y\",\\u00C6:\"Ae\",\\u00E6:\"ae\",\\u00DE:\"Th\",\\u00FE:\"th\",\\u00DF:\"ss\",\\u0100:\"A\",\\u0102:\"A\",\\u0104:\"A\",\\u0101:\"a\",\\u0103:\"a\",\\u0105:\"a\",\\u0106:\"C\",\\u0108:\"C\",\\u010A:\"C\",\\u010C:\"C\",\\u0107:\"c\",\\u0109:\"c\",\\u010B:\"c\",\\u010D:\"c\",\\u010E:\"D\",\\u0110:\"D\",\\u010F:\"d\",\\u0111:\"d\",\\u0112:\"E\",\\u0114:\"E\",\\u0116:\"E\",\\u0118:\"E\",\\u011A:\"E\",\\u0113:\"e\",\\u0115:\"e\",\\u0117:\"e\",\\u0119:\"e\",\\u011B:\"e\",\\u011C:\"G\",\\u011E:\"G\",\\u0120:\"G\",\\u0122:\"G\",\\u011D:\"g\",\\u011F:\"g\",\\u0121:\"g\",\\u0123:\"g\",\\u0124:\"H\",\\u0126:\"H\",\\u0125:\"h\",\\u0127:\"h\",\\u0128:\"I\",\\u012A:\"I\",\\u012C:\"I\",\\u012E:\"I\",\\u0130:\"I\",\\u0129:\"i\",\\u012B:\"i\",\\u012D:\"i\",\\u012F:\"i\",\\u0131:\"i\",\\u0134:\"J\",\\u0135:\"j\",\\u0136:\"K\",\\u0137:\"k\",\\u0138:\"k\",\\u0139:\"L\",\\u013B:\"L\",\\u013D:\"L\",\\u013F:\"L\",\\u0141:\"L\",\\u013A:\"l\",\\u013C:\"l\",\\u013E:\"l\",\\u0140:\"l\",\\u0142:\"l\",\\u0143:\"N\",\\u0145:\"N\",\\u0147:\"N\",\\u014A:\"N\",\\u0144:\"n\",\\u0146:\"n\",\\u0148:\"n\",\\u014B:\"n\",\\u014C:\"O\",\\u014E:\"O\",\\u0150:\"O\",\\u014D:\"o\",\\u014F:\"o\",\\u0151:\"o\",\\u0154:\"R\",\\u
0156:\"R\",\\u0158:\"R\",\\u0155:\"r\",\\u0157:\"r\",\\u0159:\"r\",\\u015A:\"S\",\\u015C:\"S\",\\u015E:\"S\",\\u0160:\"S\",\\u015B:\"s\",\\u015D:\"s\",\\u015F:\"s\",\\u0161:\"s\",\\u0162:\"T\",\\u0164:\"T\",\\u0166:\"T\",\\u0163:\"t\",\\u0165:\"t\",\\u0167:\"t\",\\u0168:\"U\",\\u016A:\"U\",\\u016C:\"U\",\\u016E:\"U\",\\u0170:\"U\",\\u0172:\"U\",\\u0169:\"u\",\\u016B:\"u\",\\u016D:\"u\",\\u016F:\"u\",\\u0171:\"u\",\\u0173:\"u\",\\u0174:\"W\",\\u0175:\"w\",\\u0176:\"Y\",\\u0177:\"y\",\\u0178:\"Y\",\\u0179:\"Z\",\\u017B:\"Z\",\\u017D:\"Z\",\\u017A:\"z\",\\u017C:\"z\",\\u017E:\"z\",\\u0132:\"IJ\",\\u0133:\"ij\",\\u0152:\"Oe\",\\u0153:\"oe\",\\u0149:\"'n\",\\u017F:\"s\"},$s={\"&\":\"&\",\"<\":\"<\",\">\":\">\",'\"':\""\",\"'\":\"'\"},Hs={\"&\":\"&\",\"<\":\"<\",\">\":\">\",\""\":'\"',\"'\":\"'\"},Ks={\"\\\\\":\"\\\\\",\"'\":\"'\",\"\\n\":\"n\",\"\\r\":\"r\",\"\\u2028\":\"u2028\",\"\\u2029\":\"u2029\"},qs=parseFloat,zs=parseInt,ru=typeof global==\"object\"&&global&&global.Object===Object&&global,Zs=typeof self==\"object\"&&self&&self.Object===Object&&self,Y=ru||Zs||Function(\"return this\")(),yr=typeof Ft==\"object\"&&Ft&&!Ft.nodeType&&Ft,st=yr&&typeof oe==\"object\"&&oe&&!oe.nodeType&&oe,iu=st&&st.exports===yr,Ir=iu&&ru.process,dn=function(){try{var l=st&&st.require&&st.require(\"util\").types;return l||Ir&&Ir.binding&&Ir.binding(\"util\")}catch{}}(),uu=dn&&dn.isArrayBuffer,fu=dn&&dn.isDate,ou=dn&&dn.isMap,su=dn&&dn.isRegExp,au=dn&&dn.isSet,lu=dn&&dn.isTypedArray;function sn(l,g,h){switch(h.length){case 0:return l.call(g);case 1:return l.call(g,h[0]);case 2:return l.call(g,h[0],h[1]);case 3:return l.call(g,h[0],h[1],h[2])}return l.apply(g,h)}function Js(l,g,h,A){for(var R=-1,B=l==null?0:l.length;++R-1}function Tr(l,g,h){for(var A=-1,R=l==null?0:l.length;++A-1;);return h}function mu(l,g){for(var h=l.length;h--&&Lt(g,l[h],0)>-1;);return h}function ea(l,g){for(var h=l.length,A=0;h--;)l[h]===g&&++A;return A}var ra=Er(Us),ia=Er($s);function 
ua(l){return\"\\\\\"+Ks[l]}function fa(l,g){return l==null?u:l[g]}function Ct(l){return Gs.test(l)}function oa(l){return Fs.test(l)}function sa(l){for(var g,h=[];!(g=l.next()).done;)h.push(g.value);return h}function br(l){var g=-1,h=Array(l.size);return l.forEach(function(A,R){h[++g]=[R,A]}),h}function wu(l,g){return function(h){return l(g(h))}}function Vn(l,g){for(var h=-1,A=l.length,R=0,B=[];++h-1}function Xa(n,t){var e=this.__data__,r=Be(e,n);return r<0?(++this.size,e.push([n,t])):e[r][1]=t,this}Fn.prototype.clear=za,Fn.prototype.delete=Za,Fn.prototype.get=Ja,Fn.prototype.has=Ya,Fn.prototype.set=Xa;function Mn(n){var t=-1,e=n==null?0:n.length;for(this.clear();++t=t?n:t)),n}function wn(n,t,e,r,i,o){var s,a=t&Jn,c=t&Oi,p=t&mt;if(e&&(s=i?e(n,r,i,o):e(n)),s!==u)return s;if(!H(n))return n;var d=E(n);if(d){if(s=jl(n),!a)return rn(n,s)}else{var _=k(n),w=_==ge||_==Di;if(it(n))return tf(n,a);if(_==Gn||_==yt||w&&!i){if(s=c||w?{}:xf(n),!a)return c?Hl(n,cl(s,n)):$l(n,Pu(s,n))}else{if(!N[_])return i?n:{};s=nc(n,_,a)}}o||(o=new Cn);var y=o.get(n);if(y)return y;o.set(n,s),Qf(n)?n.forEach(function(C){s.add(wn(C,t,e,C,n,o))}):Yf(n)&&n.forEach(function(C,b){s.set(b,wn(C,t,e,b,n,o))});var L=p?c?ii:ri:c?fn:X,O=d?u:L(n);return _n(O||n,function(C,b){O&&(b=C,C=n[b]),kt(s,b,wn(C,t,e,b,n,o))}),s}function hl(n){var t=X(n);return function(e){return bu(e,n,t)}}function bu(n,t,e){var r=e.length;if(n==null)return!r;for(n=M(n);r--;){var i=e[r],o=t[i],s=n[i];if(s===u&&!(i in n)||!o(s))return!1}return!0}function Du(n,t,e){if(typeof n!=\"function\")throw new vn(I);return ue(function(){n.apply(u,e)},t)}function jt(n,t,e,r){var i=-1,o=me,s=!0,a=n.length,c=[],p=t.length;if(!a)return c;e&&(t=$(t,an(e))),r?(o=Tr,s=!1):t.length>=x&&(o=Zt,s=!1,t=new ct(t));n:for(;++ii?0:i+e),r=r===u||r>i?i:S(r),r<0&&(r+=i),r=e>r?0:kf(r);e0&&e(a)?t>1?Q(a,t-1,e,r,i):Qn(i,a):r||(i[i.length]=a)}return i}var Nr=sf(),Gu=sf(!0);function bn(n,t){return n&&Nr(n,t,X)}function Ur(n,t){return n&&Gu(n,t,X)}function Fe(n,t){return 
Xn(t,function(e){return Kn(n[e])})}function gt(n,t){t=et(t,n);for(var e=0,r=t.length;n!=null&&et}function dl(n,t){return n!=null&&F.call(n,t)}function _l(n,t){return n!=null&&t in M(n)}function vl(n,t,e){return n>=V(t,e)&&n=120&&d.length>=120)?new ct(s&&d):u}d=n[0];var _=-1,w=a[0];n:for(;++_-1;)a!==n&&Ee.call(a,c,1),Ee.call(n,c,1);return n}function Ju(n,t){for(var e=n?t.length:0,r=e-1;e--;){var i=t[e];if(e==r||i!==o){var o=i;Hn(i)?Ee.call(n,i,1):Qr(n,i)}}return n}function Jr(n,t){return n+Pe(Ru()*(t-n+1))}function Ol(n,t,e,r){for(var i=-1,o=J(Oe((t-n)/(e||1)),0),s=h(o);o--;)s[r?o:++i]=n,n+=e;return s}function Yr(n,t){var e=\"\";if(!n||t<1||t>Yn)return e;do t%2&&(e+=n),t=Pe(t/2),t&&(n+=n);while(t);return e}function P(n,t){return ci(Tf(n,t,on),n+\"\")}function Pl(n){return Ou(Gt(n))}function bl(n,t){var e=Gt(n);return Ye(e,ht(t,0,e.length))}function ee(n,t,e,r){if(!H(n))return n;t=et(t,n);for(var i=-1,o=t.length,s=o-1,a=n;a!=null&&++ii?0:i+t),e=e>i?i:e,e<0&&(e+=i),i=t>e?0:e-t>>>0,t>>>=0;for(var o=h(i);++r>>1,s=n[o];s!==null&&!cn(s)&&(e?s<=t:s=x){var p=t?null:Zl(n);if(p)return Ae(p);s=!1,i=Zt,c=new ct}else c=t?[]:a;n:for(;++r=r?n:An(n,t,e)}var nf=Ia||function(n){return Y.clearTimeout(n)};function tf(n,t){if(t)return n.slice();var e=n.length,r=yu?yu(e):new n.constructor(e);return n.copy(r),r}function ni(n){var t=new n.constructor(n.byteLength);return new Ce(t).set(new Ce(n)),t}function Fl(n,t){var e=t?ni(n.buffer):n.buffer;return new n.constructor(e,n.byteOffset,n.byteLength)}function Ml(n){var t=new n.constructor(n.source,Mi.exec(n));return t.lastIndex=n.lastIndex,t}function Nl(n){return Vt?M(Vt.call(n)):{}}function ef(n,t){var e=t?ni(n.buffer):n.buffer;return new n.constructor(e,n.byteOffset,n.length)}function rf(n,t){if(n!==t){var e=n!==u,r=n===null,i=n===n,o=cn(n),s=t!==u,a=t===null,c=t===t,p=cn(t);if(!a&&!p&&!o&&n>t||o&&s&&c&&!a&&!p||r&&s&&c||!e&&c||!i)return 1;if(!r&&!o&&!p&&n=a)return c;var p=e[r];return c*(p==\"desc\"?-1:1)}}return n.index-t.index}function 
uf(n,t,e,r){for(var i=-1,o=n.length,s=e.length,a=-1,c=t.length,p=J(o-s,0),d=h(c+p),_=!r;++a1?e[i-1]:u,s=i>2?e[2]:u;for(o=n.length>3&&typeof o==\"function\"?(i--,o):u,s&&tn(e[0],e[1],s)&&(o=i<3?u:o,i=1),t=M(t);++r-1?i[o?t[s]:s]:u}}function cf(n){return $n(function(t){var e=t.length,r=e,i=mn.prototype.thru;for(n&&t.reverse();r--;){var o=t[r];if(typeof o!=\"function\")throw new vn(I);if(i&&!s&&Ze(o)==\"wrapper\")var s=new mn([],!0)}for(r=s?r:e;++r1&&W.reverse(),d&&ca))return!1;var p=o.get(n),d=o.get(t);if(p&&d)return p==t&&d==n;var _=-1,w=!0,y=e&ae?new ct:u;for(o.set(n,t),o.set(t,n);++_1?\"& \":\"\")+t[r],t=t.join(e>2?\", \":\" \"),n.replace(rs,`{\n/* [wrapped with `+t+`] */\n`)}function ec(n){return E(n)||_t(n)||!!(Lu&&n&&n[Lu])}function Hn(n,t){var e=typeof n;return t=t??Yn,!!t&&(e==\"number\"||e!=\"symbol\"&&ps.test(n))&&n>-1&&n%1==0&&n0){if(++t>=Po)return arguments[0]}else t=0;return n.apply(u,arguments)}}function Ye(n,t){var e=-1,r=n.length,i=r-1;for(t=t===u?r:t;++e1?n[t-1]:u;return e=typeof e==\"function\"?(n.pop(),e):u,Gf(n,e)});function Ff(n){var t=f(n);return t.__chain__=!0,t}function gh(n,t){return t(n),n}function Xe(n,t){return t(n)}var ph=$n(function(n){var t=n.length,e=t?n[0]:0,r=this.__wrapped__,i=function(o){return Mr(o,n)};return t>1||this.__actions__.length||!(r instanceof D)||!Hn(e)?this.thru(i):(r=r.slice(e,+e+(t?1:0)),r.__actions__.push({func:Xe,args:[i],thisArg:u}),new mn(r,this.__chain__).thru(function(o){return t&&!o.length&&o.push(u),o}))});function dh(){return Ff(this)}function _h(){return new mn(this.value(),this.__chain__)}function vh(){this.__values__===u&&(this.__values__=Vf(this.value()));var n=this.__index__>=this.__values__.length,t=n?u:this.__values__[this.__index__++];return{done:n,value:t}}function mh(){return this}function wh(n){for(var t,e=this;e instanceof We;){var r=Of(e);r.__index__=0,r.__values__=u,t?i.__wrapped__=r:t=r;var i=r;e=e.__wrapped__}return i.__wrapped__=n,t}function Ah(){var n=this.__wrapped__;if(n instanceof D){var 
t=n;return this.__actions__.length&&(t=new D(this)),t=t.reverse(),t.__actions__.push({func:Xe,args:[hi],thisArg:u}),new mn(t,this.__chain__)}return this.thru(hi)}function xh(){return ku(this.__wrapped__,this.__actions__)}var yh=$e(function(n,t,e){F.call(n,e)?++n[e]:Nn(n,e,1)});function Ih(n,t,e){var r=E(n)?cu:gl;return e&&tn(n,t,e)&&(t=u),r(n,T(t,3))}function Th(n,t){var e=E(n)?Xn:Bu;return e(n,T(t,3))}var Lh=lf(Pf),Ch=lf(bf);function Rh(n,t){return Q(Qe(n,t),1)}function Eh(n,t){return Q(Qe(n,t),ot)}function Sh(n,t,e){return e=e===u?1:S(e),Q(Qe(n,t),e)}function Mf(n,t){var e=E(n)?_n:nt;return e(n,T(t,3))}function Nf(n,t){var e=E(n)?Ys:Wu;return e(n,T(t,3))}var Oh=$e(function(n,t,e){F.call(n,e)?n[e].push(t):Nn(n,e,[t])});function Ph(n,t,e,r){n=un(n)?n:Gt(n),e=e&&!r?S(e):0;var i=n.length;return e<0&&(e=J(i+e,0)),tr(n)?e<=i&&n.indexOf(t,e)>-1:!!i&&Lt(n,t,e)>-1}var bh=P(function(n,t,e){var r=-1,i=typeof t==\"function\",o=un(n)?h(n.length):[];return nt(n,function(s){o[++r]=i?sn(t,s,e):ne(s,t,e)}),o}),Dh=$e(function(n,t,e){Nn(n,e,t)});function Qe(n,t){var e=E(n)?$:$u;return e(n,T(t,3))}function Wh(n,t,e,r){return n==null?[]:(E(t)||(t=t==null?[]:[t]),e=r?u:e,E(e)||(e=e==null?[]:[e]),zu(n,t,e))}var Bh=$e(function(n,t,e){n[e?0:1].push(t)},function(){return[[],[]]});function Gh(n,t,e){var r=E(n)?Lr:du,i=arguments.length<3;return r(n,T(t,4),e,i,nt)}function Fh(n,t,e){var r=E(n)?Xs:du,i=arguments.length<3;return r(n,T(t,4),e,i,Wu)}function Mh(n,t){var e=E(n)?Xn:Bu;return e(n,je(T(t,3)))}function Nh(n){var t=E(n)?Ou:Pl;return t(n)}function Uh(n,t,e){(e?tn(n,t,e):t===u)?t=1:t=S(t);var r=E(n)?sl:bl;return r(n,t)}function $h(n){var t=E(n)?al:Wl;return t(n)}function Hh(n){if(n==null)return 0;if(un(n))return tr(n)?Rt(n):n.length;var t=k(n);return t==In||t==Tn?n.size:qr(n).length}function Kh(n,t,e){var r=E(n)?Cr:Bl;return e&&tn(n,t,e)&&(t=u),r(n,T(t,3))}var qh=P(function(n,t){if(n==null)return[];var e=t.length;return 
e>1&&tn(n,t[0],t[1])?t=[]:e>2&&tn(t[0],t[1],t[2])&&(t=[t[0]]),zu(n,Q(t,1),[])}),Ve=Ta||function(){return Y.Date.now()};function zh(n,t){if(typeof t!=\"function\")throw new vn(I);return n=S(n),function(){if(--n<1)return t.apply(this,arguments)}}function Uf(n,t,e){return t=e?u:t,t=n&&t==null?n.length:t,Un(n,Bn,u,u,u,u,t)}function $f(n,t){var e;if(typeof t!=\"function\")throw new vn(I);return n=S(n),function(){return--n>0&&(e=t.apply(this,arguments)),n<=1&&(t=u),e}}var pi=P(function(n,t,e){var r=pn;if(e.length){var i=Vn(e,Wt(pi));r|=On}return Un(n,r,t,e,i)}),Hf=P(function(n,t,e){var r=pn|ft;if(e.length){var i=Vn(e,Wt(Hf));r|=On}return Un(t,r,n,e,i)});function Kf(n,t,e){t=e?u:t;var r=Un(n,Sn,u,u,u,u,u,t);return r.placeholder=Kf.placeholder,r}function qf(n,t,e){t=e?u:t;var r=Un(n,At,u,u,u,u,u,t);return r.placeholder=qf.placeholder,r}function zf(n,t,e){var r,i,o,s,a,c,p=0,d=!1,_=!1,w=!0;if(typeof n!=\"function\")throw new vn(I);t=yn(t)||0,H(e)&&(d=!!e.leading,_=\"maxWait\"in e,o=_?J(yn(e.maxWait)||0,t):o,w=\"trailing\"in e?!!e.trailing:w);function y(z){var En=r,zn=i;return r=i=u,p=z,s=n.apply(zn,En),s}function L(z){return p=z,a=ue(b,t),d?y(z):s}function O(z){var En=z-c,zn=z-p,lo=t-En;return _?V(lo,o-zn):lo}function C(z){var En=z-c,zn=z-p;return c===u||En>=t||En<0||_&&zn>=o}function b(){var z=Ve();if(C(z))return W(z);a=ue(b,O(z))}function W(z){return a=u,w&&r?y(z):(r=i=u,s)}function hn(){a!==u&&nf(a),p=0,r=c=i=a=u}function en(){return a===u?s:W(Ve())}function gn(){var z=Ve(),En=C(z);if(r=arguments,i=this,c=z,En){if(a===u)return L(c);if(_)return nf(a),a=ue(b,t),y(c)}return a===u&&(a=ue(b,t)),s}return gn.cancel=hn,gn.flush=en,gn}var Zh=P(function(n,t){return Du(n,1,t)}),Jh=P(function(n,t,e){return Du(n,yn(t)||0,e)});function Yh(n){return Un(n,ur)}function ke(n,t){if(typeof n!=\"function\"||t!=null&&typeof t!=\"function\")throw new vn(I);var e=function(){var r=arguments,i=t?t.apply(this,r):r[0],o=e.cache;if(o.has(i))return o.get(i);var s=n.apply(this,r);return 
e.cache=o.set(i,s)||o,s};return e.cache=new(ke.Cache||Mn),e}ke.Cache=Mn;function je(n){if(typeof n!=\"function\")throw new vn(I);return function(){var t=arguments;switch(t.length){case 0:return!n.call(this);case 1:return!n.call(this,t[0]);case 2:return!n.call(this,t[0],t[1]);case 3:return!n.call(this,t[0],t[1],t[2])}return!n.apply(this,t)}}function Xh(n){return $f(2,n)}var Qh=Gl(function(n,t){t=t.length==1&&E(t[0])?$(t[0],an(T())):$(Q(t,1),an(T()));var e=t.length;return P(function(r){for(var i=-1,o=V(r.length,e);++i=t}),_t=Mu(function(){return arguments}())?Mu:function(n){return K(n)&&F.call(n,\"callee\")&&!Tu.call(n,\"callee\")},E=h.isArray,cg=uu?an(uu):wl;function un(n){return n!=null&&nr(n.length)&&!Kn(n)}function q(n){return K(n)&&un(n)}function hg(n){return n===!0||n===!1||K(n)&&nn(n)==Nt}var it=Ca||Ci,gg=fu?an(fu):Al;function pg(n){return K(n)&&n.nodeType===1&&!fe(n)}function dg(n){if(n==null)return!0;if(un(n)&&(E(n)||typeof n==\"string\"||typeof n.splice==\"function\"||it(n)||Bt(n)||_t(n)))return!n.length;var t=k(n);if(t==In||t==Tn)return!n.size;if(ie(n))return!qr(n).length;for(var e in n)if(F.call(n,e))return!1;return!0}function _g(n,t){return te(n,t)}function vg(n,t,e){e=typeof e==\"function\"?e:u;var r=e?e(n,t):u;return r===u?te(n,t,u,e):!!r}function _i(n){if(!K(n))return!1;var t=nn(n);return t==he||t==Uo||typeof n.message==\"string\"&&typeof n.name==\"string\"&&!fe(n)}function mg(n){return typeof n==\"number\"&&Cu(n)}function Kn(n){if(!H(n))return!1;var t=nn(n);return t==ge||t==Di||t==No||t==Ho}function Jf(n){return typeof n==\"number\"&&n==S(n)}function nr(n){return typeof n==\"number\"&&n>-1&&n%1==0&&n<=Yn}function H(n){var t=typeof n;return n!=null&&(t==\"object\"||t==\"function\")}function K(n){return n!=null&&typeof n==\"object\"}var Yf=ou?an(ou):yl;function wg(n,t){return n===t||Kr(n,t,fi(t))}function Ag(n,t,e){return e=typeof e==\"function\"?e:u,Kr(n,t,fi(t),e)}function xg(n){return Xf(n)&&n!=+n}function yg(n){if(uc(n))throw new R(m);return 
Nu(n)}function Ig(n){return n===null}function Tg(n){return n==null}function Xf(n){return typeof n==\"number\"||K(n)&&nn(n)==$t}function fe(n){if(!K(n)||nn(n)!=Gn)return!1;var t=Re(n);if(t===null)return!0;var e=F.call(t,\"constructor\")&&t.constructor;return typeof e==\"function\"&&e instanceof e&&Ie.call(e)==Aa}var vi=su?an(su):Il;function Lg(n){return Jf(n)&&n>=-Yn&&n<=Yn}var Qf=au?an(au):Tl;function tr(n){return typeof n==\"string\"||!E(n)&&K(n)&&nn(n)==Kt}function cn(n){return typeof n==\"symbol\"||K(n)&&nn(n)==pe}var Bt=lu?an(lu):Ll;function Cg(n){return n===u}function Rg(n){return K(n)&&k(n)==qt}function Eg(n){return K(n)&&nn(n)==qo}var Sg=ze(zr),Og=ze(function(n,t){return n<=t});function Vf(n){if(!n)return[];if(un(n))return tr(n)?Ln(n):rn(n);if(Jt&&n[Jt])return sa(n[Jt]());var t=k(n),e=t==In?br:t==Tn?Ae:Gt;return e(n)}function qn(n){if(!n)return n===0?n:0;if(n=yn(n),n===ot||n===-ot){var t=n<0?-1:1;return t*Bo}return n===n?n:0}function S(n){var t=qn(n),e=t%1;return t===t?e?t-e:t:0}function kf(n){return n?ht(S(n),0,Pn):0}function yn(n){if(typeof n==\"number\")return n;if(cn(n))return le;if(H(n)){var t=typeof n.valueOf==\"function\"?n.valueOf():n;n=H(t)?t+\"\":t}if(typeof n!=\"string\")return n===0?n:+n;n=_u(n);var e=cs.test(n);return e||gs.test(n)?zs(n.slice(2),e?2:8):ls.test(n)?le:+n}function jf(n){return Dn(n,fn(n))}function Pg(n){return n?ht(S(n),-Yn,Yn):n===0?n:0}function G(n){return n==null?\"\":ln(n)}var bg=bt(function(n,t){if(ie(t)||un(t)){Dn(t,X(t),n);return}for(var e in t)F.call(t,e)&&kt(n,e,t[e])}),no=bt(function(n,t){Dn(t,fn(t),n)}),er=bt(function(n,t,e,r){Dn(t,fn(t),n,r)}),Dg=bt(function(n,t,e,r){Dn(t,X(t),n,r)}),Wg=$n(Mr);function Bg(n,t){var e=Pt(n);return t==null?e:Pu(e,t)}var Gg=P(function(n,t){n=M(n);var e=-1,r=t.length,i=r>2?t[2]:u;for(i&&tn(t[0],t[1],i)&&(r=1);++e1),o}),Dn(n,ii(n),e),r&&(e=wn(e,Jn|Oi|mt,Jl));for(var i=t.length;i--;)Qr(e,t[i]);return e});function np(n,t){return eo(n,je(T(t)))}var tp=$n(function(n,t){return 
n==null?{}:El(n,t)});function eo(n,t){if(n==null)return{};var e=$(ii(n),function(r){return[r]});return t=T(t),Zu(n,e,function(r,i){return t(r,i[0])})}function ep(n,t,e){t=et(t,n);var r=-1,i=t.length;for(i||(i=1,n=u);++rt){var r=n;n=t,t=r}if(e||n%1||t%1){var i=Ru();return V(n+i*(t-n+qs(\"1e-\"+((i+\"\").length-1))),t)}return Jr(n,t)}var gp=Dt(function(n,t,e){return t=t.toLowerCase(),n+(e?uo(t):t)});function uo(n){return Ai(G(n).toLowerCase())}function fo(n){return n=G(n),n&&n.replace(ds,ra).replace(Ws,\"\")}function pp(n,t,e){n=G(n),t=ln(t);var r=n.length;e=e===u?r:ht(S(e),0,r);var i=e;return e-=t.length,e>=0&&n.slice(e,i)==t}function dp(n){return n=G(n),n&&Xo.test(n)?n.replace(Gi,ia):n}function _p(n){return n=G(n),n&&ts.test(n)?n.replace(dr,\"\\\\$&\"):n}var vp=Dt(function(n,t,e){return n+(e?\"-\":\"\")+t.toLowerCase()}),mp=Dt(function(n,t,e){return n+(e?\" \":\"\")+t.toLowerCase()}),wp=af(\"toLowerCase\");function Ap(n,t,e){n=G(n),t=S(t);var r=t?Rt(n):0;if(!t||r>=t)return n;var i=(t-r)/2;return qe(Pe(i),e)+n+qe(Oe(i),e)}function xp(n,t,e){n=G(n),t=S(t);var r=t?Rt(n):0;return t&&r>>0,e?(n=G(n),n&&(typeof t==\"string\"||t!=null&&!vi(t))&&(t=ln(t),!t&&Ct(n))?rt(Ln(n),0,e):n.split(t,e)):[]}var Ep=Dt(function(n,t,e){return n+(e?\" \":\"\")+Ai(t)});function Sp(n,t,e){return n=G(n),e=e==null?0:ht(S(e),0,n.length),t=ln(t),n.slice(e,e+t.length)==t}function Op(n,t,e){var r=f.templateSettings;e&&tn(n,t,e)&&(t=u),n=G(n),t=er({},t,r,_f);var i=er({},t.imports,r.imports,_f),o=X(i),s=Pr(i,o),a,c,p=0,d=t.interpolate||de,_=\"__p += '\",w=Dr((t.escape||de).source+\"|\"+d.source+\"|\"+(d===Fi?as:de).source+\"|\"+(t.evaluate||de).source+\"|$\",\"g\"),y=\"//# sourceURL=\"+(F.call(t,\"sourceURL\")?(t.sourceURL+\"\").replace(/\\s/g,\" \"):\"lodash.templateSources[\"+ ++Ns+\"]\")+`\n`;n.replace(w,function(C,b,W,hn,en,gn){return W||(W=hn),_+=n.slice(p,gn).replace(_s,ua),b&&(a=!0,_+=`' +\n__e(`+b+`) +\n'`),en&&(c=!0,_+=`';\n`+en+`;\n__p += '`),W&&(_+=`' +\n((__t = (`+W+`)) == null ? 
'' : __t) +\n'`),p=gn+C.length,C}),_+=`';\n`;var L=F.call(t,\"variable\")&&t.variable;if(!L)_=`with (obj) {\n`+_+`\n}\n`;else if(os.test(L))throw new R(j);_=(c?_.replace(zo,\"\"):_).replace(Zo,\"$1\").replace(Jo,\"$1;\"),_=\"function(\"+(L||\"obj\")+`) {\n`+(L?\"\":`obj || (obj = {});\n`)+\"var __t, __p = ''\"+(a?\", __e = _.escape\":\"\")+(c?`, __j = Array.prototype.join;\nfunction print() { __p += __j.call(arguments, '') }\n`:`;\n`)+_+`return __p\n}`;var O=so(function(){return B(o,y+\"return \"+_).apply(u,s)});if(O.source=_,_i(O))throw O;return O}function Pp(n){return G(n).toLowerCase()}function bp(n){return G(n).toUpperCase()}function Dp(n,t,e){if(n=G(n),n&&(e||t===u))return _u(n);if(!n||!(t=ln(t)))return n;var r=Ln(n),i=Ln(t),o=vu(r,i),s=mu(r,i)+1;return rt(r,o,s).join(\"\")}function Wp(n,t,e){if(n=G(n),n&&(e||t===u))return n.slice(0,Au(n)+1);if(!n||!(t=ln(t)))return n;var r=Ln(n),i=mu(r,Ln(t))+1;return rt(r,0,i).join(\"\")}function Bp(n,t,e){if(n=G(n),n&&(e||t===u))return n.replace(_r,\"\");if(!n||!(t=ln(t)))return n;var r=Ln(n),i=vu(r,Ln(t));return rt(r,i).join(\"\")}function Gp(n,t){var e=So,r=Oo;if(H(t)){var i=\"separator\"in t?t.separator:i;e=\"length\"in t?S(t.length):e,r=\"omission\"in t?ln(t.omission):r}n=G(n);var o=n.length;if(Ct(n)){var s=Ln(n);o=s.length}if(e>=o)return n;var a=e-Rt(r);if(a<1)return r;var c=s?rt(s,0,a).join(\"\"):n.slice(0,a);if(i===u)return c+r;if(s&&(a+=c.length-a),vi(i)){if(n.slice(a).search(i)){var p,d=c;for(i.global||(i=Dr(i.source,G(Mi.exec(i))+\"g\")),i.lastIndex=0;p=i.exec(d);)var _=p.index;c=c.slice(0,_===u?a:_)}}else if(n.indexOf(ln(i),a)!=a){var w=c.lastIndexOf(i);w>-1&&(c=c.slice(0,w))}return c+r}function Fp(n){return n=G(n),n&&Yo.test(n)?n.replace(Bi,ha):n}var Mp=Dt(function(n,t,e){return n+(e?\" \":\"\")+t.toUpperCase()}),Ai=af(\"toUpperCase\");function oo(n,t,e){return n=G(n),t=e?u:t,t===u?oa(n)?da(n):ks(n):n.match(t)||[]}var so=P(function(n,t){try{return sn(n,u,t)}catch(e){return _i(e)?e:new 
R(e)}}),Np=$n(function(n,t){return _n(t,function(e){e=Wn(e),Nn(n,e,pi(n[e],n))}),n});function Up(n){var t=n==null?0:n.length,e=T();return n=t?$(n,function(r){if(typeof r[1]!=\"function\")throw new vn(I);return[e(r[0]),r[1]]}):[],P(function(r){for(var i=-1;++iYn)return[];var e=Pn,r=V(n,Pn);t=T(t),n-=Pn;for(var i=Or(r,t);++e0||t<0)?new D(e):(n<0?e=e.takeRight(-n):n&&(e=e.drop(n)),t!==u&&(t=S(t),e=t<0?e.dropRight(-t):e.take(t-n)),e)},D.prototype.takeRightWhile=function(n){return this.reverse().takeWhile(n).reverse()},D.prototype.toArray=function(){return this.take(Pn)},bn(D.prototype,function(n,t){var e=/^(?:filter|find|map|reject)|While$/.test(t),r=/^(?:head|last)$/.test(t),i=f[r?\"take\"+(t==\"last\"?\"Right\":\"\"):t],o=r||/^find/.test(t);i&&(f.prototype[t]=function(){var s=this.__wrapped__,a=r?[1]:arguments,c=s instanceof D,p=a[0],d=c||E(s),_=function(b){var W=i.apply(f,Qn([b],a));return r&&w?W[0]:W};d&&e&&typeof p==\"function\"&&p.length!=1&&(c=d=!1);var w=this.__chain__,y=!!this.__actions__.length,L=o&&!w,O=c&&!y;if(!o&&d){s=O?s:new D(this);var C=n.apply(s,a);return C.__actions__.push({func:Xe,args:[_],thisArg:u}),new mn(C,w)}return L&&O?n.apply(this,a):(C=this.thru(_),L?r?C.value()[0]:C.value():C)})}),_n([\"pop\",\"push\",\"shift\",\"sort\",\"splice\",\"unshift\"],function(n){var t=xe[n],e=/^(?:push|sort|unshift)$/.test(n)?\"tap\":\"thru\",r=/^(?:pop|shift)$/.test(n);f.prototype[n]=function(){var i=arguments;if(r&&!this.__chain__){var o=this.value();return t.apply(E(o)?o:[],i)}return this[e](function(s){return t.apply(E(s)?s:[],i)})}}),bn(D.prototype,function(n,t){var e=f[t];if(e){var 
r=e.name+\"\";F.call(Ot,r)||(Ot[r]=[]),Ot[r].push({name:t,func:e})}}),Ot[He(u,ft).name]=[{name:\"wrapper\",func:u}],D.prototype.clone=Fa,D.prototype.reverse=Ma,D.prototype.value=Na,f.prototype.at=ph,f.prototype.chain=dh,f.prototype.commit=_h,f.prototype.next=vh,f.prototype.plant=wh,f.prototype.reverse=Ah,f.prototype.toJSON=f.prototype.valueOf=f.prototype.value=xh,f.prototype.first=f.prototype.head,Jt&&(f.prototype[Jt]=mh),f},kn=_a();typeof define==\"function\"&&typeof define.amd==\"object\"&&define.amd?(Y._=kn,define(function(){return kn})):st?((st.exports=kn)._=kn,yr._=kn):Y._=kn}).call(Ft)});var jd={};Od(jd,{albIpMonitor:()=>Ao,albTargetRecordMonitor:()=>Ro});module.exports=Pd(jd);var go=ho(require(\"dns\")),po=require(\"@aws-sdk/lib-dynamodb\"),_o=require(\"@aws-sdk/client-dynamodb\"),vo=require(\"@aws-sdk/client-elastic-load-balancing-v2\"),Ri=process.env.LOOKUP_TABLE??\"\",mo=po.DynamoDBDocument.from(new _o.DynamoDB),wo=new vo.ElasticLoadBalancingV2({logger:console}),bd=async u=>{console.log(`Scanning route lookup table ${Ri}`);let v={TableName:u},x=[],m;do m=await mo.scan(v),m.Items?.forEach(I=>x.push(I)),v.ExclusiveStartKey=m.LastEvaluatedKey;while(typeof m.LastEvaluatedKey<\"u\");return x},Dd=async(u,v,x)=>{let m=v.map(j=>({Id:j,Port:x,AvailabilityZone:\"all\"})),I={TargetGroupArn:u,Targets:m};return wo.registerTargets(I)},Wd=async(u,v)=>{console.log(`Deregistering IP addresses ${JSON.stringify(v)} from target group ${u}`);let x=v.map(I=>({Id:I})),m={TargetGroupArn:u,Targets:x};return wo.deregisterTargets(m)},Bd=async u=>new Promise((v,x)=>{go.lookup(u,{all:!0,family:4},(m,I)=>{m?x(m):v(I.map(j=>j.address).sort())})}),Gd=(u,v)=>{let x=u.indexOf(v);return x>-1&&u.splice(x,1),u},Fd=async u=>{let v={TableName:Ri,Item:u};return mo.put(v)},Ao=async(u,v)=>{let x=await bd(Ri)??[];for(let m of x)try{m.dnsLookupIps=[];try{m.dnsLookupIps=await 
Bd(m.targetAlbDnsName)}catch(I){console.log(I)}m.ipAddList=m.dnsLookupIps?.filter(I=>!m.metadata?.targetGroupIpAddresses?.includes(I))??[],m.ipRemoveList=m.metadata?.targetGroupIpAddresses?.filter(I=>!m.dnsLookupIps?.includes(I))??[],m.ipAddList?.length>0?(console.log(`Registering new ips ${JSON.stringify(m.ipAddList)} to target ${m.metadata.targetGroupArn} with port ${m.targetGroupDestinationPort}`),await Dd(m.metadata.targetGroupArn,m.ipAddList,m.targetGroupDestinationPort),m.metadata.targetGroupIpAddresses.push(...m.ipAddList)):console.log(\"No new Ip addresses to register\"),m.ipRemoveList?.length>0?(console.log(`Deregistering old ip addresses ${JSON.stringify(m.ipRemoveList)} from target group targetGroupRecord.metadata.targetGroupArn`),await Wd(m.metadata.targetGroupArn,m.ipRemoveList),m.ipRemoveList?.forEach(I=>{console.log(m.metadata.targetGroupIpAddresses,I),m.metadata.targetGroupIpAddresses=Gd(m.metadata.targetGroupIpAddresses,I)})):console.log(\"No old ip addresses to deregister\"),delete m.ipAddList,delete m.ipRemoveList,delete m.dnsLookupIps,console.log(\"Writing record to DDB table \",JSON.stringify(m,null,4)),await Fd(m)}catch(I){console.log(\"There was a problem updating the record \",JSON.stringify(m,null,4)),console.log(I)}return\"Done\"};var yo=require(\"@aws-sdk/lib-dynamodb\"),Io=require(\"@aws-sdk/client-dynamodb\"),Ei=require(\"@aws-sdk/util-dynamodb\"),ir=require(\"@aws-sdk/client-elastic-load-balancing-v2\"),vt=ho(xo()),Zn=new ir.ElasticLoadBalancingV2,Md=yo.DynamoDBDocument.from(new Io.DynamoDB),Nd=process.env.LOOKUP_TABLE||\"\",Ud=u=>new Promise(v=>{setTimeout(v,u)}),$d=async(u,v,x,m)=>{let I={Name:u,Port:v,Protocol:m,VpcId:x,TargetType:ir.TargetTypeEnum.IP};return Zn.createTargetGroup(I)},Hd=async u=>{let v={Attributes:[{Key:\"stickiness.enabled\",Value:\"true\"}],TargetGroupArn:u};return Zn.modifyTargetGroupAttributes(v)},To=async(u,v)=>{let x={ListenerArn:v};return((await 
Zn.describeRules(x)).Rules?.filter(j=>j.Priority===u.toString())||[]).length===0},Lo=async u=>{try{let v={ListenerArns:[u]};return await Zn.describeListeners(v),Promise.resolve(!0)}catch(v){return console.log(v),Promise.resolve(!1)}},Kd=async(u,v,x,m,I)=>{console.log(\"trying to create listener rule\"),console.log(x,v,u,m,I);let j={Actions:[{TargetGroupArn:m,Type:\"forward\"}],ListenerArn:u,Priority:I,Conditions:[]};if(v?.length>0){let ut={Field:\"path-pattern\",Values:v};j.Conditions?.push(ut)}if(x?.length>0){let ut={Field:\"host-header\",Values:x};j.Conditions?.push(ut)}return Zn.createRule(j)},qd=async(u,v,x,m)=>{let I={Actions:[{TargetGroupArn:m,Type:\"forward\"}],RuleArn:u,Conditions:[]};if(v?.length>0){let j={Field:\"path-pattern\",Values:v};I?.Conditions?.push(j)}if(x?.length>0){let j={Field:\"host-header\",Values:x};I?.Conditions?.push(j)}return Zn.modifyRule(I)},zd=async u=>{let v={RuleArn:u};return Zn.deleteRule(v)},Zd=async u=>{let v={TargetGroupArn:u};return Zn.deleteTargetGroup(v)},Jd=async(u,v)=>{let x={RulePriorities:[{Priority:v,RuleArn:u}]};return Zn.setRulePriorities(x)},Yd=async(u,v)=>{let x={TableName:u,Item:v};return Md.put(x)},Xd=(u,v)=>{let x={vpcId:u.vpcId,destinationPort:u.targetGroupDestinationPort,protocol:u.targetGroupProtocol},m={vpcId:v.vpcId,destinationPort:v.targetGroupDestinationPort,protocol:v.targetGroupProtocol};return!vt.isEqual(x,m)},Qd=(u,v)=>{let x={sourceListenerArn:u.rule.sourceListenerArn,priority:u.rule.condition.priority,paths:u.rule.condition.paths?.sort(),hosts:u.rule.condition.hosts?.sort()},m={sourceListenerArn:v.rule.sourceListenerArn,priority:v.rule.condition.priority,paths:v.rule.condition.paths?.sort(),hosts:v.rule.condition.hosts?.sort()};return!vt.isEqual(x,m)},Vd=(u,v)=>{let x=u.rule.condition.priority,m=v.rule.condition.priority;return x!==m},Si=async u=>{console.log(\"Record creation detected.\");try{if(!await Lo(u.rule.sourceListenerArn))throw new Error(`The ALB Listener ARN: ${u.rule.sourceListenerArn} 
does not exist. Exiting`);if(console.log(\"Checking if priority is valid\"),!await To(u.rule.condition.priority,u.rule.sourceListenerArn))throw new Error(`The priority ${u.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${u.rule.sourceListenerArn}. Priorities must not match. Exiting`);let x=(await $d(u.id,u.targetGroupDestinationPort,u.vpcId,u.targetGroupProtocol))?.TargetGroups?.[0].TargetGroupArn??\"\";await Hd(x);let I=(await Kd(u.rule.sourceListenerArn,u.rule.condition.paths,u.rule.condition.hosts,x,u.rule.condition.priority))?.Rules?.[0].RuleArn??\"\";if(!x||!I)throw new Error(`There was an error getting the target group arn or listener rule arn. \nTarget Group Arn: ${x}\nRule Arn: ${I}`);return u.metadata={targetGroupArn:x,ruleArn:I,targetGroupIpAddresses:[]},await Yd(Nd,u),console.log(\"Added metadata to table\"),u}catch(v){throw console.log(\"There was a problem creating resources for the following record\",JSON.stringify(u,null,4)),v}},Co=async u=>{try{console.log(`Deleting listener rule and target group for ${u.id}`),await zd(u.metadata.ruleArn),console.log(\"Deleted listener rule.\")}catch(v){console.log(v),console.log(\"Could not delete listener rule for record. Continuing...\",JSON.stringify(u,null,4))}try{await Zd(u.metadata.targetGroupArn),console.log(\"Deleted target group\");return}catch(v){console.log(\"Could not delete target group for record\",JSON.stringify(u,null,4)),console.log(v)}},kd=async(u,v)=>{try{if(console.log(`The record with id ${u.id} was updated. Performing comparison.`),!await Lo(u.rule.sourceListenerArn))throw new Error(`The ALB Listener ARN: ${u.rule.sourceListenerArn} does not exist. Exiting`);let x=vt.cloneDeep(u),m=vt.cloneDeep(v);if(delete x.metadata,delete m.metadata,vt.isEqual(x,m)){console.log(`Update Record handler found no changes made for record with Id ${u.id}`);return}if(!v.metadata){console.log(\"No previous metadata detected for record. 
Creating metadata based off of new entry\"),await Si(u);return}if(Qd(v,u)&&(console.log(`Detected a listener rule change. Modifying rule ${u.metadata.ruleArn}`),await qd(u.metadata.ruleArn,u.rule.condition.paths,u.rule.condition.hosts,u.metadata.targetGroupArn)),Vd(v,u)){if(!await To(u.rule.condition.priority,u.rule.sourceListenerArn))throw new Error(`The priority ${u.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${u.rule.sourceListenerArn}. Priorities must not match.`);await Jd(u.metadata.ruleArn,u.rule.condition.priority)}Xd(v,u)&&(console.log(`Detected a target group change. deleting target group ${u.metadata.targetGroupArn} and creating a new target group`),await Co(u),await Ud(1e4),await Si(u))}catch(x){throw console.log(\"There was a problem updating a target group or listener rule for the records:\"),console.log(\"Old Record: \",JSON.stringify(v,null,4)),console.log(\"New Record: \",JSON.stringify(u,null,4)),x}},Ro=async(u,v)=>{console.log(JSON.stringify(u,null,2));let x=u.Records.map(m=>(m.dynamodb.OldImage&&(m.dynamodb.OldImage=(0,Ei.unmarshall)(m.dynamodb.OldImage)),m.dynamodb.NewImage&&(m.dynamodb.NewImage=(0,Ei.unmarshall)(m.dynamodb.NewImage)),m));for(let m of x)m.eventName===\"INSERT\"&&await Si(m.dynamodb.NewImage),m.eventName===\"MODIFY\"&&await kd(m.dynamodb.NewImage,m.dynamodb.OldImage),m.eventName===\"REMOVE\"&&await Co(m.dynamodb.OldImage)};0&&(module.exports={albIpMonitor,albTargetRecordMonitor});\n/*! 
Bundled license information:\n\nlodash/lodash.js:\n (**\n * @license\n * Lodash \n * Copyright OpenJS Foundation and other contributors \n * Released under MIT license \n * Based on Underscore.js 1.8.3 \n * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors\n *)\n*/\n" + }, + "Environment": { + "Variables": { + "LOOKUP_TABLE": { + "Ref": "AlbIpForwardingddbDNSFirewallTableDE7BAC6C" + } + } + }, + "Handler": "index.albTargetRecordMonitor", + "MemorySize": 512, + "Role": { + "Fn::GetAtt": [ + "AlbIpForwardingddbDnsRecordMonitorServiceRoleBDC0C08F", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Timeout": 60 + }, + "DependsOn": [ + "AlbIpForwardingddbDnsRecordMonitorServiceRoleDefaultPolicyBB5ECA75", + "AlbIpForwardingddbDnsRecordMonitorServiceRoleBDC0C08F" + ], + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/ddbDnsRecordMonitor/Resource", + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" + }, + { + "id": "W89", + "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." + }, + { + "id": "W92", + "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." 
+ } + ] + } + } + }, + "AlbIpForwardingddbDnsRecordMonitorDynamoDBEventSourceAlbIpForwardingStackAlbIpForwardingddbDNSFirewallTable6FC8CBEEB4643A78": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 100, + "EventSourceArn": { + "Fn::GetAtt": [ + "AlbIpForwardingddbDNSFirewallTableDE7BAC6C", + "StreamArn" + ] + }, + "FunctionName": { + "Ref": "AlbIpForwardingddbDnsRecordMonitor551C6C2F" + }, + "MaximumRetryAttempts": 0, + "StartingPosition": "TRIM_HORIZON" + }, + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/ddbDnsRecordMonitor/DynamoDBEventSource:AlbIpForwardingStackAlbIpForwardingddbDNSFirewallTable6FC8CBEE/Resource" + } + }, + "AlbIpForwardingddbDnsRecordMonitorPolicyF716B7E4": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:SetRulePriorities" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AlbIpForwardingddbDnsRecordMonitorPolicyF716B7E4", + "Roles": [ + { + "Ref": "AlbIpForwardingddbDnsRecordMonitorServiceRoleBDC0C08F" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Lambda need to be able to work with any ELB in the account" + } + ] + } + } + }, + "AlbIpForwardingcwruleBF5444E5": { + "Type": "AWS::Events::Rule", + "Properties": { + "ScheduleExpression": "rate(1 minute)", + "State": "ENABLED", + "Targets": [ + { + "Arn": { + "Fn::GetAtt": [ + "AlbIpForwardingdnsFWLambdaCDFE4DA7", + "Arn" + ] + }, + "Id": "Target0" + } + ] + }, + "Metadata": { + 
"aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/cwrule/Resource" + } + }, + "AlbIpForwardingcwruleAllowEventRuleAlbIpForwardingStackAlbIpForwardingdnsFWLambda3E8E784BCF0ACCC6": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "AlbIpForwardingdnsFWLambdaCDFE4DA7", + "Arn" + ] + }, + "Principal": "events.amazonaws.com", + "SourceArn": { + "Fn::GetAtt": [ + "AlbIpForwardingcwruleBF5444E5", + "Arn" + ] + } + }, + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/AlbIpForwarding/cwrule/AllowEventRuleAlbIpForwardingStackAlbIpForwardingdnsFWLambda3E8E784B" + } + }, + "CDKMetadata": { + "Type": "AWS::CDK::Metadata", + "Properties": { + "Analytics": "v2:deflate64:H4sIAAAAAAAA/22OzWrDMBCEnyV3eev4kgco7SUUjJN7WEvbsrF+gn4SjNC7F8khp5zmY2aZnQH2wwH6HT5CJ9XSaZ4hnyLKRXz+2hE9GorkBT7CJS8mQD7SWqMjrUWo1aJxaoZ8xllT9RsUodHMCiF/JysjO1ujF3/dycaTS17SD95ubP9q/N4dyRsOgZ0tgtFAntz2qOnoNMu2Z6MiqLYEyFN6niVNpYiJQmtu1pOLsE4RXMPHfehh30O/uwbmzicb2RBMm/4DO1vN1iMBAAA=" + }, + "Metadata": { + "aws:cdk:path": "AlbIpForwardingStack/CDKMetadata/Default" + } + } + } +} \ No newline at end of file diff --git a/config/global-config.yaml b/config/global-config.yaml index 6e01a39..759f917 100644 --- a/config/global-config.yaml +++ b/config/global-config.yaml @@ -1,7 +1,9 @@ homeRegion: &HOME_REGION ca-central-1 -configVersion: 1.6.1-a +configVersion: 1.7.0-a enabledRegions: - *HOME_REGION + # It is recommended to enable additional regions once the initial installation is complete in the home region. + # See the post-deployment documentation for more information. # - "ap-northeast-1" # - "ap-northeast-2" # - "ap-northeast-3" 
@@ -28,23 +30,33 @@ cdkOptions: forceBootstrap: true snsTopics: deploymentTargets: - organizationalUnits: - - Root + accounts: + - Management + - Audit topics: - name: SecurityHigh emailAddresses: - - @example.com # <----- UPDATE EMAIL ADDRESS + - "{{ SecurityHigh }}" - name: SecurityMedium emailAddresses: - - @example.com # <----- UPDATE EMAIL ADDRESS + - "{{ SecurityMedium }}" - name: SecurityLow emailAddresses: - - @example.com # <----- UPDATE EMAIL ADDRESS + - "{{ SecurityLow }}" - name: SecurityIgnore emailAddresses: - - @example.com # <----- UPDATE EMAIL ADDRESS + - "{{ SecurityIgnore }}" controlTower: enable: false # UPDATE if using Control Tower, set to true + # UPDATE If using ControlTower, uncomment the following block and set the version to ControlTower latest available version + # landingZone: + # version: '3.3' + # logging: + # loggingBucketRetentionDays: 365 + # accessLoggingBucketRetentionDays: 3650 + # organizationTrail: true + # security: + # enableIdentityCenterAccess: true logging: account: LogArchive cloudtrail: @@ -62,7 +74,7 @@ logging: accountTrails: - name: AccountTrail regions: - - *HOME_REGION + - "{{ AcceleratorHomeRegion }}" deploymentTargets: accounts: [] organizationalUnits: [] 
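Review bot: The SNS security topics' deployment target is narrowed from the Root OU to the `Management` and `Audit` accounts, so the SecurityHigh/Medium/Low/Ignore topics will no longer be created in the other accounts; anything elsewhere in the configuration that publishes to these topics from workload accounts should be checked, though nothing in this hunk shows such a reference. The inline `# <----- UPDATE EMAIL ADDRESS` prompts are dropped with the move to `{{ SecurityHigh }}`-style replacements, leaving no hint in this file of where the addresses are actually set; a one-line comment above `topics:` such as `# Email addresses are supplied by the SecurityHigh/SecurityMedium/SecurityLow/SecurityIgnore replacement values` would preserve that guidance. In the commented Control Tower block, the literal `version: '3.3'` will go stale while the comment above it already says to use the latest available version, so a clearly marked placeholder like `version: '<latest-control-tower-version>'` would avoid a copied-in outdated value.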
@@ -85,9 +97,66 @@ logging: noncurrentVersionExpiration: 730 attachPolicyToIamRoles: - EC2-Default-SSM-AD-Role - - AWSAccelerator-RDGW-Role + - "{{ AcceleratorPrefix }}-RDGW-Role" + excludeRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + excludeAccounts: + - Management + - LogArchive + - Audit cloudwatchLogs: dynamicPartitioning: dynamic-partitioning/log-filters.json + exclusions: + - accounts: + - Management + logGroupNames: + - aws-accelerator-cloudtrail-logs + encryption: + useCMK: true + deploymentTargets: + organizationalUnits: + - Security + - Infrastructure + - Central + - Dev + - Test + - Prod + - UnClass + - Sandbox + accounts: + - Management + excludedRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 accessLogBucket: lifecycleRules: - enabled: true 
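Review bot: The new cloudwatchLogs exclusion names the log group as the literal `aws-accelerator-cloudtrail-logs`, while the same hunk parameterizes the RDGW role as `"{{ AcceleratorPrefix }}-RDGW-Role"`; if the organization CloudTrail log group name is derived from the accelerator prefix, a customized prefix presumably makes the exclusion silently stop matching, so this should be confirmed and the entry annotated, e.g. `# must match the organization CloudTrail log group name; revisit if the accelerator prefix is customized`. The exclusion also means events in that log group are no longer forwarded by the subscription filter from `Management`, which is likely intended (the trail already lands in S3) but is worth stating in a comment next to `exclusions:`. Separately, the 16-region list is pasted verbatim twice in this hunk (sessionManager `excludeRegions` and cloudwatchLogs `encryption.excludedRegions`) and twice more in the s3/lambda hunk at `@@ -106,6 +175,70 @@`; the file already uses a YAML anchor for the home region, so a single `&CMK_EXCLUDED_REGIONS` anchor referenced with `*CMK_EXCLUDED_REGIONS` would keep the four lists from drifting, provided the config parser accepts anchors in list positions. A short comment on that list saying why these regions are excluded from CMK deployment would also help, since resources there fall back to whatever default encryption applies.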
@@ -106,6 +175,70 @@ logging: abortIncompleteMultipartUpload: 7 expiration: 730 noncurrentVersionExpiration: 730 +s3: + encryption: + createCMK: true + deploymentTargets: + organizationalUnits: + - Security + - Infrastructure + - Central + - Dev + - Test + - Prod + - UnClass + - Sandbox + accounts: + - Management + excludedRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 +lambda: + encryption: + useCMK: true + deploymentTargets: + organizationalUnits: + - Security + - Infrastructure + - Central + - Dev + - Test + - Prod + - UnClass + - Sandbox + accounts: + - Management + excludedRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 ssmInventory: enable: true deploymentTargets: @@ -162,25 +295,25 @@ reports: threshold: 100 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 90 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 75 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 50 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - deploymentTargets: accounts: - Perimeter 
@@ -206,31 +339,31 @@ reports: threshold: 100 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 90 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 80 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 75 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 50 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - deploymentTargets: accounts: - Management 
@@ -256,31 +389,31 @@ reports: threshold: 100 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 90 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 80 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 75 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 50 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - deploymentTargets: organizationalUnits: - Security 
@@ -313,31 +446,31 @@ reports: threshold: 100 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 90 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 80 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 75 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" - type: ACTUAL thresholdType: PERCENTAGE threshold: 50 comparisonOperator: GREATER_THAN subscriptionType: EMAIL - address: @example.com # <----- UPDATE EMAIL ADDRESS + address: "{{ BudgetEmail }}" limits: - serviceCode: vpc quotaCode: L-29B6F2EB diff --git a/config/iam-config.yaml b/config/iam-config.yaml index 32855ce..336ee4f 100644 --- a/config/iam-config.yaml +++ b/config/iam-config.yaml @@ -1,4 +1,4 @@ -homeRegion: &HOME_REGION ca-central-1 +homeRegion: {{ AcceleratorHomeRegion }} ###### # Version 1.6.1-a of the configuration introduced this change. If you are upgrading from a previous version, # review the Identity Center section of the FAQ in this repository before applying this change. @@ -11,13 +11,13 @@ policySets: organizationalUnits: - Root policies: - - name: AWSAccelerator-Default-Boundary-Policy + - name: "{{ AcceleratorPrefix }}-Default-Boundary-Policy" policy: iam-policies/boundary-policy.json - deploymentTargets: accounts: - Management policies: - - name: AWSAccelerator-IAM-User-Boundary-Policy + - name: "{{ AcceleratorPrefix }}-IAM-User-Boundary-Policy" policy: iam-policies/iam-user-boundary-policy.json roleSets: - deploymentTargets: 
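Review bot: iam-config.yaml keeps a top-level `homeRegion: {{ AcceleratorHomeRegion }}` after the `&HOME_REGION` anchor is removed, while the same commit deletes the `homeRegion` line outright from network-config.yaml and security-config.yaml; the key existed here only to host the anchor, so unless iam-config's schema actually defines `homeRegion`, it is now either an unknown key or a stale duplicate of the value global-config owns. Remove it for consistency with the other two files, or add a comment on that line explaining why iam-config needs its own copy.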
@@ -34,8 +34,8 @@ roleSets: - AmazonSSMManagedInstanceCore - AmazonSSMDirectoryServiceAccess - CloudWatchAgentServerPolicy - boundaryPolicy: AWSAccelerator-Default-Boundary-Policy - - name: AWSAccelerator-RDGW-Role + boundaryPolicy: "{{ AcceleratorPrefix }}-Default-Boundary-Policy" + - name: "{{ AcceleratorPrefix }}-RDGW-Role" instanceProfile: true assumedBy: - type: service @@ -45,8 +45,8 @@ roleSets: - AmazonSSMManagedInstanceCore - AmazonSSMDirectoryServiceAccess - CloudWatchAgentServerPolicy - boundaryPolicy: AWSAccelerator-Default-Boundary-Policy - - name: AWSAccelerator-Rsyslog-Role + boundaryPolicy: "{{ AcceleratorPrefix }}-Default-Boundary-Policy" + - name: "{{ AcceleratorPrefix }}-Rsyslog-Role" instanceProfile: true assumedBy: - type: service @@ -56,7 +56,7 @@ roleSets: - AmazonSSMManagedInstanceCore - CloudWatchAgentServerPolicy - AmazonS3ReadOnlyAccess - boundaryPolicy: AWSAccelerator-Default-Boundary-Policy + boundaryPolicy: "{{ AcceleratorPrefix }}-Default-Boundary-Policy" groupSets: - deploymentTargets: accounts: 
@@ -77,15 +77,15 @@ userSets: users: - username: breakGlassUser01 group: BreakGlassAdmins - boundaryPolicy: AWSAccelerator-IAM-User-Boundary-Policy + boundaryPolicy: "{{ AcceleratorPrefix }}-IAM-User-Boundary-Policy" - username: breakGlassUser02 group: BreakGlassAdmins - boundaryPolicy: AWSAccelerator-IAM-User-Boundary-Policy + boundaryPolicy: "{{ AcceleratorPrefix }}-IAM-User-Boundary-Policy" managedActiveDirectories: - - name: AWSAcceleratorManagedActiveDirectory + - name: "{{ AcceleratorPrefix }}ManagedActiveDirectory" type: AWS Managed Microsoft AD account: Operations - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} dnsName: {{ MadDnsName }} netBiosDomainName: {{ MadNetbiosDomainName }} description: This directory is a) shared to most accounts in the organization to provide centralized Windows and Linux authentication for cloud workloads, b) used as an identity source for AWS SSO, c) used to inter-connect with on-premises directory services, and d) provides a single identities source for instance and AWS console access. @@ -95,10 +95,10 @@ managedActiveDirectories: subnets: - Central-App-A - Central-App-B - resolverRuleName: AWSAccelerator-Endpoint-mad-example-local + resolverRuleName: "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" secretConfig: account: Operations - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} adminSecretName: my-admin-001 sharedOrganizationalUnits: organizationalUnits: @@ -117,7 +117,7 @@ managedActiveDirectories: imagePath: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base securityGroupInboundSources: - 10.1.0.0/16 - instanceRole: AWSAccelerator-RDGW-Role + instanceRole: "{{ AcceleratorPrefix }}-RDGW-Role" userDataScripts: - scriptName: JoinDomain scriptFilePath: ad-config-scripts/Join-Domain.ps1 
@@ -155,11 +155,11 @@ managedActiveDirectories: lockoutAttemptsReset: 30 adUsers: - name: adconnector-user - email: example-adconnector-user@example.com # <----- UPDATE EMAIL ADDRESS + email: {{ ActiveDirectoryConnectorEmail }} groups: - ADConnector-grp - name: User1 - email: example-user1@example.com # <----- UPDATE EMAIL ADDRESS + email: {{ ActiveDirectoryUserEmail }} groups: - aws-Provisioning - "*-View" @@ -167,6 +167,6 @@ managedActiveDirectories: - "*-PowerUser" - AWS Delegated Administrators - name: User2 - email: example-user2@example.com # <----- UPDATE EMAIL ADDRESS + email: {{ ActiveDirectoryReadonlyUserEmail }} groups: - "*-View" diff --git a/config/network-config.yaml b/config/network-config.yaml index 66e203a..3fbfeb6 100644 --- a/config/network-config.yaml +++ b/config/network-config.yaml @@ -1,11 +1,10 @@ -homeRegion: &HOME_REGION ca-central-1 defaultVpc: delete: true excludeAccounts: [] transitGateways: - name: Network-Main account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} shareTargets: organizationalUnits: - Infrastructure @@ -42,14 +41,14 @@ centralNetworkServices: delegatedAdminAccount: Network ipams: - name: accelerator-ipam - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} description: Accelerator IPAM operatingRegions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} pools: - name: home-region-sandbox-pool description: Pool for sandbox environment - locale: *HOME_REGION + locale: {{ AcceleratorHomeRegion }} provisionedCidrs: - 10.0.0.0/8 shareTargets: @@ -57,9 +56,9 @@ centralNetworkServices: - Sandbox networkFirewall: firewalls: - - name: AWSAccelerator-firewall - region: *HOME_REGION - firewallPolicy: AWSAccelerator-policy + - name: "{{ AcceleratorPrefix }}-firewall" + region: {{ AcceleratorHomeRegion }} + firewallPolicy: "{{ AcceleratorPrefix }}-policy" subnets: - Perimeter-A - Perimeter-B 
@@ -70,22 +69,22 @@ centralNetworkServices: - destination: cloud-watch-logs type: FLOW policies: - - name: AWSAccelerator-policy + - name: "{{ AcceleratorPrefix }}-policy" regions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} firewallPolicy: statelessDefaultActions: ["aws:forward_to_sfe"] statelessFragmentDefaultActions: ["aws:forward_to_sfe"] statefulRuleGroups: - - name: AWSAccelerator-rule-group - - name: AWSAccelerator-domain-list-group + - name: "{{ AcceleratorPrefix }}-rule-group" + - name: "{{ AcceleratorPrefix }}-domain-list-group" shareTargets: accounts: - Perimeter rules: - - name: AWSAccelerator-rule-group + - name: "{{ AcceleratorPrefix }}-rule-group" regions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} capacity: 100 type: STATEFUL ruleGroup: @@ -114,9 +113,9 @@ centralNetworkServices: ruleOptions: - keyword: sid settings: ["200"] - - name: AWSAccelerator-domain-list-group + - name: "{{ AcceleratorPrefix }}-domain-list-group" regions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} capacity: 10 type: STATEFUL ruleGroup: @@ -150,7 +149,7 @@ centralNetworkServices: - Endpoint-A - Endpoint-B rules: - - name: AWSAccelerator-Endpoint-mad-example-local + - name: "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" domainName: {{ MadDnsName }} targetIps: - ip: 1.1.1.1 @@ -170,7 +169,7 @@ centralNetworkServices: firewallRuleGroups: - name: accelerator-block-group regions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} rules: - name: managed-rule action: BLOCK 
@@ -193,6 +192,28 @@ prefixLists: maxEntries: 1 entries: - 10.1.0.1/32 +################################################################################### +# Self signed certificates are deployed as an example. # +# Replace by your own certificate or request them with Amazon Certificate Manager # +################################################################################### +certificates: + - name: PerimSelf-SignedCert + type: import + privKey: certs/example1-cert.key + cert: certs/example1-cert.crt + deploymentTargets: + accounts: + - Perimeter + - name: DevSelf-SignedCert + type: import + privKey: certs/example1-cert.key + cert: certs/example1-cert.crt + deploymentTargets: + organizationalUnits: + - Dev + accounts: + - Network +################################################################################### endpointPolicies: - name: Default document: vpc-endpoint-policies/default.json @@ -204,7 +225,7 @@ vpcs: - key: Name value: Endpoint account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcEndpointCidr }} defaultSecurityGroupRulesDeletion: true @@ -331,13 +352,13 @@ vpcs: # - service: transfer.server # - service: workspaces resolverRules: - - AWSAccelerator-Endpoint-mad-example-local + - "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" - name: Perimeter tags: - key: Name value: Perimeter account: Perimeter - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcPerimeterCidr }} defaultSecurityGroupRulesDeletion: true 
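Review bot: Both `PerimSelf-SignedCert` and `DevSelf-SignedCert` import the same `certs/example1-cert.key`, so a single private key is shared between the internet-facing Perimeter ALB and every account in the Dev OU plus Network, and it is expected to sit inside the configuration directory that the accelerator reads from the config repository; anyone with read access to that repository holds the key that fronts the production edge. The header comment does say to replace it, but the sample should at least reference distinct key files per environment and the repository should ignore `certs/*.key` so a generated key is never committed; a comment such as `# <KEY_FILE> must be generated locally and never committed; see assets/certs` (placeholder name) next to each `privKey:` would make that explicit. The comment's "Amazon Certificate Manager" should read `AWS Certificate Manager`.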
@@ -348,34 +369,34 @@ vpcs: - name: NfwRoute destination: 0.0.0.0/0 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: a - name: NfwRouteToNatA destination: 10.7.7.176/28 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: a - name: NfwRouteToNatB destination: 10.7.7.192/28 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: b - name: Perimeter-Tgw-B routes: - name: NfwRoute destination: 0.0.0.0/0 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: b - name: NfwRouteToNatA destination: 10.7.7.176/28 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: a - name: NfwRouteToNatB destination: 10.7.7.192/28 type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: b - name: Perimeter-A routes: @@ -414,7 +435,7 @@ vpcs: - name: NfwNatRoute destination: {{ AwsRangeCidr }} type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: a - name: IgwRoute destination: 0.0.0.0/0 @@ -425,7 +446,7 @@ vpcs: - name: NfwNatRoute destination: {{ AwsRangeCidr }} type: networkFirewall - target: AWSAccelerator-firewall + target: "{{ AcceleratorPrefix }}-firewall" targetAvailabilityZone: b - name: IgwRoute destination: 0.0.0.0/0 
@@ -461,6 +482,35 @@ vpcs: subnet: PerimeterNat-A - name: Nat-Perimeter-B subnet: PerimeterNat-B + securityGroups: + - name: "Public-Prod-ALB" + description: "Perimeter ALB Security Group for prod" + inboundRules: + - description: "HTTPS Traffic Inbound" + types: + - HTTPS + sources: + - 0.0.0.0/0 + outboundRules: + - description: "All Outbound" + types: + - ALL + sources: + - 0.0.0.0/0 + - name: "Public-DevTest-ALB" + description: "Perimeter ALB Security Group for dev-test" + inboundRules: + - description: "HTTPS Traffic Inbound" + types: + - HTTPS + sources: + - 0.0.0.0/0 + outboundRules: + - description: "All Outbound" + types: + - ALL + sources: + - 0.0.0.0/0 transitGatewayAttachments: - name: Perimeter transitGateway: 
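Review bot: Both new security groups allow `ALL` outbound to `0.0.0.0/0`, which is wider than an ALB needs; the listeners in this file forward only to target groups on HTTPS/443, so the outbound rule can be limited to `types: - HTTPS` with `sources:` set to the CIDRs the targets live in, which keeps the ALB's group from being usable to reach anything other than the target port. Inbound HTTPS from `0.0.0.0/0` is expected for an internet-facing listener, but the description should say so, e.g. `description: "Perimeter prod ALB: internet HTTPS in, HTTPS to targets out"`. `Public-DevTest-ALB` is identical to the prod group apart from its name, so a comment noting that they are deliberately separate (so their rules can diverge later) would explain the duplication.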
@@ -480,12 +530,59 @@ vpcs: - service: s3 - service: dynamodb useCentralEndpoints: true + loadBalancers: + applicationLoadBalancers: + - name: Public-Prod + scheme: internet-facing + subnets: + - PerimeterNat-A + - PerimeterNat-B + securityGroups: + - Public-Prod-ALB + listeners: + - name: alb-listener + port: 443 + protocol: HTTPS + targetGroup: Public-Prod-tg + type: forward + certificate: PerimSelf-SignedCert + sslPolicy: ELBSecurityPolicy-FS-1-2-Res-2019-08 + - name: Public-DevTest + scheme: internet-facing + subnets: + - PerimeterNat-A + - PerimeterNat-B + securityGroups: + - Public-DevTest-ALB + listeners: + - name: alb-listener + port: 443 + protocol: HTTPS + targetGroup: Public-DevTest-tg + type: forward + certificate: PerimSelf-SignedCert + sslPolicy: ELBSecurityPolicy-FS-1-2-Res-2019-08 + targetGroups: + - name: Public-Prod-tg + port: 443 + protocol: HTTPS + type: instance + connectionTermination: true + preserveClientIp: true + proxyProtocolV2: true + - name: Public-DevTest-tg + port: 443 + protocol: HTTPS + type: instance + connectionTermination: true + preserveClientIp: true + proxyProtocolV2: true - name: Dev tags: - key: Name value: Dev account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcDevCidr }} defaultSecurityGroupRulesDeletion: true 
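Review bot: The target group attributes `connectionTermination`, `preserveClientIp` and `proxyProtocolV2` are Network Load Balancer target-group settings; on target groups attached to an Application Load Balancer (HTTPS/443, `type: instance`) they are at best ignored and at worst rejected at deploy time, and PROXY protocol v2 is not something an ALB emits, so these three lines on both `Public-Prod-tg` and `Public-DevTest-tg` should be checked against the schema and dropped if they are NLB-only. Nothing in the two ALB definitions associates a web ACL or enables access logging, while this same configuration enables the `alb-waf-enabled` Config rule, so `Public-Prod` and `Public-DevTest` will be reported noncompliant until a WAF web ACL is attached out of band; a comment on each ALB stating where that is expected to happen (and, if the ALB schema supports an access-log attribute, turning it on) would avoid the surprise. `sslPolicy: ELBSecurityPolicy-FS-1-2-Res-2019-08` is a sound choice for an internet-facing listener.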
@@ -794,13 +891,49 @@ vpcs: - service: dynamodb useCentralEndpoints: true resolverRules: - - AWSAccelerator-Endpoint-mad-example-local + - "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" + ####################################################################### + # Example config to deploy backend ALB to multiple workload accounts # + ####################################################################### + # loadBalancers: + # applicationLoadBalancers: + # - name: core-dev-alb + # scheme: internal + # subnets: + # - Dev-Web-A + # - Dev-Web-B + # securityGroups: + # - Web + # listeners: + # - name: appA-listener-1 + # port: 443 + # protocol: HTTPS + # order: 1 + # type: forward + # targetGroup: core-dev-tg + # certificate: DevSelf-SignedCert + # sslPolicy: ELBSecurityPolicy-FS-1-2-Res-2019-08 + # shareTargets: + # organizationalUnits: + # - Dev + # targetGroups: + # - name: core-dev-tg + # port: 443 + # protocol: HTTPS + # type: instance + # connectionTermination: true + # preserveClientIp: true + # proxyProtocolV2: true + # shareTargets: + # organizationalUnits: + # - Dev + ########################################### - name: Central tags: - key: Name value: Central account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcCentralCidr }} defaultSecurityGroupRulesDeletion: true 
@@ -1060,29 +1193,6 @@ vpcs: availabilityZone: b routeTable: Central ipv4CidrBlock: 10.1.208.0/21 - - ## App2 subnets are shared only with Operations account. These are used - ## to deploy Managed AD instances, or other centrally managed, routable, resources. - - name: Central-App2-A - tags: - - key: Name - value: Central-App2-A - availabilityZone: a - routeTable: Central - ipv4CidrBlock: 10.1.0.128/25 - shareTargets: - accounts: - - Operations - - name: Central-App2-B - tags: - - key: Name - value: Central-App2-B - availabilityZone: b - routeTable: Central - ipv4CidrBlock: 10.1.1.0/25 - shareTargets: - accounts: - - Operations transitGatewayAttachments: - name: Central-Main transitGateway: @@ -1104,13 +1214,13 @@ vpcs: - service: dynamodb useCentralEndpoints: true resolverRules: - - AWSAccelerator-Endpoint-mad-example-local + - "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" - name: Test tags: - key: Name value: Test account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcTestCidr }} defaultSecurityGroupRulesDeletion: true @@ -1417,13 +1527,13 @@ vpcs: - service: dynamodb useCentralEndpoints: true resolverRules: - - AWSAccelerator-Endpoint-mad-example-local + - "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" - name: Prod tags: - key: Name value: Prod account: Network - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} cidrs: - {{ VpcProdCidr }} defaultSecurityGroupRulesDeletion: true @@ -1730,10 +1840,10 @@ vpcs: - service: dynamodb useCentralEndpoints: true resolverRules: - - AWSAccelerator-Endpoint-mad-example-local + - "{{ AcceleratorPrefix }}-Endpoint-mad-example-local" vpcTemplates: - name: Sandbox-Template - region: *HOME_REGION + region: {{ AcceleratorHomeRegion }} deploymentTargets: organizationalUnits: - Sandbox diff --git a/config/organization-config.yaml b/config/organization-config.yaml index 0ffe8a0..a3a78f2 100644 --- a/config/organization-config.yaml +++ b/config/organization-config.yaml 
@@ -77,7 +77,7 @@ serviceControlPolicies: # - Audit # - LogArchive ## END - - name: AWSAccelerator-Guardrails-Unclass + - name: "{{ AcceleratorPrefix }}-Guardrails-Unclass" description: > LZA Guardrails Unclassified Environment Specific policy: service-control-policies/LZA-Guardrails-Unclass.json @@ -85,7 +85,7 @@ serviceControlPolicies: deploymentTargets: organizationalUnits: - UnClass - - name: AWSAccelerator-Guardrails-Sandbox + - name: "{{ AcceleratorPrefix }}-Guardrails-Sandbox" description: > LZA Guardrails Sandbox Environment Specific policy: service-control-policies/LZA-Guardrails-Sandbox.json @@ -93,14 +93,14 @@ serviceControlPolicies: deploymentTargets: organizationalUnits: - Sandbox - - name: AWSAccelerator-Quarantine-New-Object + - name: "{{ AcceleratorPrefix }}-Quarantine-New-Object" description: > LZA Quarantine policy - Apply to ACCOUNTS that need to be quarantined policy: service-control-policies/Quarantine-New-Object.json type: customerManaged deploymentTargets: organizationalUnits: [] - - name: AWSAccelerator-Guardrails-Part-0-Core + - name: "{{ AcceleratorPrefix }}-Guardrails-Part-0-Core" description: > LZA Guardrails Part 0 Core Accounts policy: service-control-policies/LZA-Guardrails-Part0-CoreOUs.json diff --git a/config/replacements-config.yaml b/config/replacements-config.yaml index 347ddc8..fd87eae 100644 --- a/config/replacements-config.yaml +++ b/config/replacements-config.yaml 
@@ -6,19 +6,53 @@ ## https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/latest/classes/_aws_accelerator_config.ParameterReplacementConfigV2.html ###### globalReplacements: -# Name of CloudWatch log group that centralizes CloudTrail logs. Referenced by CloudWatch metrics and alarms + # Accelerator Prefix + - key: AcceleratorPrefix + type: String + value: AWSAccelerator + # Home Region + - key: AcceleratorHomeRegion + type: String + value: ca-central-1 + # Security notification emails + - key: SecurityHigh + type: String + value: @example.com + - key: SecurityMedium + type: String + value: @example.com + - key: SecurityLow + type: String + value: @example.com + - key: SecurityIgnore + type: String + value: @example.com + # Budget notification emails + - key: BudgetEmail + type: String + value: @example.com + # Name of CloudWatch log group that centralizes CloudTrail logs. Referenced by CloudWatch metrics and alarms - key: CloudTrailLogGroup type: String value: aws-accelerator-cloudtrail-logs # UPDATE If using ControlTower change this to 'aws-controltower/CloudTrailLogs' -# Domain name for Managed Active Directory + # Managed Active Directory settings - key: MadDnsName type: String value: example.local - key: MadNetbiosDomainName type: String value: example -###### -# VPC CIDR definition. If you change these values you also need to update individual subnets range in network-config.yaml + - key: ActiveDirectoryConnectorEmail + type: String + value: example-adconnector-user@example.com + - key: ActiveDirectoryUserEmail + type: String + value: example-user1@example.com + - key: ActiveDirectoryReadonlyUserEmail + type: String + value: example-user2@example.com + ###### + # VPC CIDR definition. If you change these values you also need to update individual subnets range in network-config.yaml - key: VpcCentralCidr type: String value: 10.1.0.0/16 diff --git a/config/security-config.yaml b/config/security-config.yaml index 4f17eee..7eee24c 100644 
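Review bot: The five email replacements default to the bare value `@example.com`, and the per-line `# <----- UPDATE EMAIL ADDRESS` markers that used to sit beside every budget and AD user address in global-config and iam-config are removed in this commit without being carried over, so the only hint that these must be edited is now a comment reading "Security notification emails". `@` is also a reserved indicator in YAML that cannot begin a plain scalar, so unquoted `@example.com` will not parse until edited, which works as a forcing function only if the marker says so. Put the marker back on each value that must change, e.g. `value: "@example.com" # <----- UPDATE EMAIL ADDRESS`, and add it to the three `example-*@example.com` AD user addresses too, since those look real enough to be deployed by mistake. `AcceleratorPrefix` and `AcceleratorHomeRegion` would also benefit from a one-line comment warning that changing them on an existing deployment renames every prefixed SCP, role, boundary policy, firewall and Config rule in the other files, which for IAM and Organizations resources is likely to mean replacement rather than an in-place update.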
--- a/config/security-config.yaml +++ b/config/security-config.yaml @@ -1,9 +1,24 @@ -homeRegion: &HOME_REGION ca-central-1 centralSecurityServices: delegatedAdminAccount: Audit ebsDefaultVolumeEncryption: enable: true - excludeRegions: [] + excludeRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 scpRevertChangesConfig: enable: true snsTopicName: SecurityHigh @@ -12,7 +27,8 @@ centralSecurityServices: excludeAccounts: [] macie: enable: true - excludeRegions: [] + excludeRegions: + - ca-west-1 # does not support macie policyFindingsPublishingFrequency: FIFTEEN_MINUTES publishSensitiveDataFindings: true guardduty: @@ -30,7 +46,8 @@ centralSecurityServices: exportFrequency: FIFTEEN_MINUTES auditManager: enable: false - excludeRegions: [] + excludeRegions: + - ca-west-1 # Does not support Audit Manager defaultReportsConfiguration: enable: true destinationType: S3 @@ -67,6 +84,23 @@ centralSecurityServices: cloudWatch: enable: true ssmAutomation: + excludeRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 documentSets: - shareTargets: organizationalUnits: 
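Review bot: `ebsDefaultVolumeEncryption.excludeRegions` now lists 16 regions, which stops the accelerator from enabling the account-level EBS default-encryption setting there rather than merely avoiding a customer managed key; any volume a workload creates in, say, us-east-1 without an explicit key would then be unencrypted, which is a different outcome from the CMK cost saving the rest of the commit is about. If the goal is only to avoid per-region CMKs, check whether the schema allows default encryption to stay on with the AWS-managed key in those regions, and otherwise add a comment above the list such as `# NOTE: EBS default encryption is not enabled in these regions at all, not just CMK-backed` so the trade-off is explicit. The identical list under `ssmAutomation.excludeRegions` later in this hunk, and in global-config and the awsConfig rule set, is kept in sync by hand today.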
@@ -82,19 +116,19 @@ centralSecurityServices: - Management documents: # Calls the AWS CLI to enable access logs on a specified ELB - - name: AWSAccelerator-SSM-ELB-Enable-Logging + - name: "{{ AcceleratorPrefix }}-SSM-ELB-Enable-Logging" template: ssm-documents/ssm-elb-enable-logging.yaml # Enables S3 encryption using KMS - - name: AWSAccelerator-Put-S3-Encryption + - name: "{{ AcceleratorPrefix }}-Put-S3-Encryption" template: ssm-documents/s3-encryption.yaml # Attaches instance profiles to an EC2 instance - - name: AWSAccelerator-Attach-IAM-Instance-Profile + - name: "{{ AcceleratorPrefix }}-Attach-IAM-Instance-Profile" template: ssm-documents/attach-iam-instance-profile.yaml # Attaches Aws IAM Managed Policy to IAM Role - - name: AWSAccelerator-Attach-IAM-Role-Policy + - name: "{{ AcceleratorPrefix }}-Attach-IAM-Role-Policy" template: ssm-documents/attach-iam-role-policy.yaml # Enforces HTTPS on S3 Buckets - - name: AWSAccelerator-S3-Enforce-HTTPS + - name: "{{ AcceleratorPrefix }}-S3-Enforce-HTTPS" template: ssm-documents/s3-enforce-https.yaml accessAnalyzer: enable: true @@ -119,7 +153,8 @@ awsConfig: ## END ruleSets: - deploymentTargets: - ## GLOBAL Section for config rules across all OUs + Management Account + ## GLOBAL Section for config rules across all OUs + Management Account. + ## Applicable to all regions with workloads organizationalUnits: - Security - Infrastructure 
@@ -131,15 +166,32 @@ awsConfig: - Sandbox accounts: - Management + excludedRegions: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 rules: - - name: AWSAccelerator-s3-bucket-server-side-encryption-enabled + - name: "{{ AcceleratorPrefix }}-s3-bucket-server-side-encryption-enabled" identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED complianceResourceTypes: - AWS::S3::Bucket remediation: rolePolicyFile: custom-config-rules/bucket-sse-enabled-remediation-role.json automatic: true - targetId: AWSAccelerator-Put-S3-Encryption + targetId: "{{ AcceleratorPrefix }}-Put-S3-Encryption" retryAttemptSeconds: 60 maximumAutomaticAttempts: 5 parameters: @@ -149,34 +201,21 @@ awsConfig: - name: KMSMasterKey value: ${ACCEL_LOOKUP::KMS} type: StringList - - name: AWSAccelerator-s3-bucket-enforce-https + - name: "{{ AcceleratorPrefix }}-s3-bucket-enforce-https" identifier: S3_BUCKET_SSL_REQUESTS_ONLY complianceResourceTypes: - AWS::S3::Bucket remediation: rolePolicyFile: custom-config-rules/bucket-enforce-https-remediation-role.json automatic: true - targetId: AWSAccelerator-S3-Enforce-HTTPS + targetId: "{{ AcceleratorPrefix }}-S3-Enforce-HTTPS" retryAttemptSeconds: 60 maximumAutomaticAttempts: 5 parameters: - name: BucketName value: RESOURCE_ID type: String - - deploymentTargets: - ## Section for config rules across all OUs except Sandbox + Management Account - organizationalUnits: - - Security - - Infrastructure - - Central - - Dev - - Test - - Prod - - UnClass - accounts: - - Management - rules: - - name: AWSAccelerator-attach-ec2-instance-profile + - name: "{{ AcceleratorPrefix }}-attach-ec2-instance-profile" type: Custom description: Custom rule for checking EC2 instance IAM profile attachment inputParameters: 
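Review bot: Adding `excludedRegions` to the global rule set means the S3 encryption and enforce-HTTPS rules (with their automatic remediation) and the two EC2 instance-profile custom rules no longer evaluate in 16 regions, while the new rule sets later in this file (`securityhub-enabled`, `cloudtrail-enabled`, `internet-gateway-authorized-vpc-only` and the rest) exclude only ap-northeast-3 and ca-west-1 and so still run in those regions; if the intent is that the 16 regions carry no workloads, the detective rules that cost nothing to run are the ones worth keeping there, so the asymmetry deserves a comment, e.g. `## Rules with remediation Lambdas are limited to workload regions; detective-only rules run in every enabled region`. This hunk also folds the former "all OUs except Sandbox" section into the global one, so `attach-ec2-instance-profile` and `ec2-instance-profile-permission` now run, with `automatic: true` remediation, in Sandbox accounts as well; if that widening is intentional, say so in the section comment, since the original split looked deliberate.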
@@ -184,7 +223,7 @@ awsConfig: lambda: sourceFilePath: custom-config-rules/attach-ec2-instance-profile.zip handler: index.handler - runtime: nodejs16.x + runtime: nodejs18.x rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-detection-role.json periodic: true maximumExecutionFrequency: Six_Hours @@ -197,7 +236,7 @@ awsConfig: remediation: rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-remediation-role.json automatic: true - targetId: AWSAccelerator-Attach-IAM-Instance-Profile + targetId: "{{ AcceleratorPrefix }}-Attach-IAM-Instance-Profile" retryAttemptSeconds: 60 maximumAutomaticAttempts: 5 parameters: @@ -207,7 +246,7 @@ awsConfig: - name: IamInstanceProfile value: ${ACCEL_LOOKUP::InstanceProfile:EC2-Default-SSM-AD-Role} type: StringList - - name: AWSAccelerator-ec2-instance-profile-permission + - name: "{{ AcceleratorPrefix }}-ec2-instance-profile-permission" type: Custom description: Custom role to remediate EC2 instance profile permission inputParameters: @@ -217,7 +256,7 @@ awsConfig: lambda: sourceFilePath: custom-config-rules/ec2-instance-profile-permissions.zip handler: index.handler - runtime: nodejs16.x + runtime: nodejs18.x rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-detection-role.json periodic: true maximumExecutionFrequency: Six_Hours @@ -230,7 +269,7 @@ awsConfig: remediation: rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-remediation-role.json automatic: true - targetId: AWSAccelerator-Attach-IAM-Role-Policy + targetId: "{{ AcceleratorPrefix }}-Attach-IAM-Role-Policy" targetAccountName: Audit retryAttemptSeconds: 60 maximumAutomaticAttempts: 5 
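Review bot: `runtime: nodejs18.x` for both custom-rule Lambdas (this hunk and the `-217` hunk below) targets a Node release that is already maintenance-only, with the Lambda runtime deprecation announced for 2025, so a further bump will be needed within roughly a year; if the bundled handler code runs on it, `runtime: nodejs20.x` would be the better choice now. Whichever runtime is kept, a comment next to each line stating whether the zip bundles its own AWS SDK or relies on the one shipped with the runtime, e.g. `runtime: nodejs18.x # zip bundles its own SDK: <VERSION>` (placeholder), would tell the next maintainer what actually has to be rebuilt on the next runtime change.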
@@ -241,7 +280,7 @@ awsConfig: - name: AWSManagedPolicies value: AmazonSSMManagedInstanceCore,AmazonSSMDirectoryServiceAccess,CloudWatchAgentServerPolicy type: StringList - - name: AWSAccelerator-elb-logging-enabled + - name: "{{ AcceleratorPrefix }}-elb-logging-enabled" identifier: ELB_LOGGING_ENABLED complianceResourceTypes: - AWS::ElasticLoadBalancing::LoadBalancer @@ -251,7 +290,7 @@ awsConfig: remediation: rolePolicyFile: custom-config-rules/elb-logging-enabled-remediation-role.json automatic: true - targetId: AWSAccelerator-SSM-ELB-Enable-Logging + targetId: "{{ AcceleratorPrefix }}-SSM-ELB-Enable-Logging" retryAttemptSeconds: 60 maximumAutomaticAttempts: 5 parameters: 
@@ -261,23 +300,78 @@ awsConfig: - name: LogDestination value: ${ACCEL_LOOKUP::Bucket:elbLogs} type: StringList - - name: AWSAccelerator-acm-certificate-expiration-check + - deploymentTargets: + ## Section for config rules across all OUs except Sandbox + Management Account + ## Rules not supported in ap-northeast-3 AND ca-west-1 + organizationalUnits: + - Security + - Infrastructure + - Central + - Dev + - Test + - Prod + - UnClass + accounts: + - Management + excludedRegions: + - ap-northeast-3 + - ca-west-1 + rules: + - name: "{{ AcceleratorPrefix }}-sagemaker-notebook-instance-kms-key-configured" + identifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED + - name: "{{ AcceleratorPrefix }}-wafv2-logging-enabled" + identifier: WAFV2_LOGGING_ENABLED + - name: "{{ AcceleratorPrefix }}-dynamodb-in-backup-plan" + identifier: DYNAMODB_IN_BACKUP_PLAN + - name: "{{ AcceleratorPrefix }}-sagemaker-endpoint-configuration-kms-key-configured" + identifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED + - name: "{{ AcceleratorPrefix }}-ebs-in-backup-plan" + identifier: EBS_IN_BACKUP_PLAN + - name: "{{ AcceleratorPrefix }}-rds-in-backup-plan" + identifier: RDS_IN_BACKUP_PLAN + - name: "{{ AcceleratorPrefix }}-elb-acm-certificate-required" + complianceResourceTypes: + - AWS::ElasticLoadBalancing::LoadBalancer + identifier: ELB_ACM_CERTIFICATE_REQUIRED + - name: "{{ AcceleratorPrefix }}-securityhub-enabled" + identifier: SECURITYHUB_ENABLED + - name: "{{ AcceleratorPrefix }}-ec2-managedinstance-patch-compliance-status-check" + identifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK + - name: "{{ AcceleratorPrefix }}-internet-gateway-authorized-vpc-only" + complianceResourceTypes: + - AWS::EC2::InternetGateway + identifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY + - name: "{{ AcceleratorPrefix }}-dynamodb-table-encrypted-kms" + complianceResourceTypes: + - AWS::DynamoDB::Table + identifier: DYNAMODB_TABLE_ENCRYPTED_KMS + - name: "{{ AcceleratorPrefix 
}}-acm-certificate-expiration-check" inputParameters: daysToExpiration: "90" identifier: ACM_CERTIFICATE_EXPIRATION_CHECK - - name: AWSAccelerator-alb-waf-enabled + - name: "{{ AcceleratorPrefix }}-alb-waf-enabled" identifier: ALB_WAF_ENABLED - - name: AWSAccelerator-api-gw-cache-enabled-and-encrypted - complianceResourceTypes: - - AWS::ApiGateway::Stage - identifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED - - name: AWSAccelerator-cloudtrail-enabled + - deploymentTargets: + ## Section for config rules across all OUs except Sandbox + Management Account + ## Rules not supported in ap-northeast-3 ONLY + organizationalUnits: + - Security + - Infrastructure + - Central + - Dev + - Test + - Prod + - UnClass + accounts: + - Management + excludedRegions: + - ap-northeast-3 + rules: + - name: "{{ AcceleratorPrefix }}-cloudtrail-enabled" identifier: CLOUD_TRAIL_ENABLED - - name: AWSAccelerator-cloudtrail-s3-dataevents-enabled - identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED - - name: AWSAccelerator-cloudtrail-security-trail-enabled + - name: "{{ AcceleratorPrefix }}-cloudtrail-security-trail-enabled" identifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED - - name: AWSAccelerator-cloudwatch-alarm-action-check + - name: "{{ AcceleratorPrefix }}-cloudwatch-alarm-action-check" complianceResourceTypes: - AWS::CloudWatch::Alarm inputParameters: 
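Review bot: `cloudtrail-s3-dataevents-enabled` and `api-gw-cache-enabled-and-encrypted` are deleted from the rule set in this hunk and not re-added in either of the two new `deploymentTargets` sections, so unless they reappear further down the file the commit silently drops two detective controls, one of which (CLOUDTRAIL_S3_DATAEVENTS_ENABLED) is the only check in this configuration that S3 data events are being logged. If the removal is deliberate, record it in the changelog and in a comment at the point of removal, e.g. `## CLOUDTRAIL_S3_DATAEVENTS_ENABLED removed on purpose: <reason>`; otherwise move them into the "ap-northeast-3 ONLY" section with the other CloudTrail rules. The hunk's opening `- deploymentTargets:` entry begins a new rule set whose first rules are listed before the `acm-certificate-expiration-check` entry that was split across the collapsed line, so the section is easier to read if the moved rules keep the original alphabetical order.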
@@ -285,76 +379,31 @@ awsConfig: insufficientDataActionRequired: "TRUE" okActionRequired: "FALSE" identifier: CLOUDWATCH_ALARM_ACTION_CHECK - - name: AWSAccelerator-cw-loggroup-retention-period-check + - name: "{{ AcceleratorPrefix }}-cw-loggroup-retention-period-check" identifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK - - name: AWSAccelerator-db-instance-backup-enabled + - name: "{{ AcceleratorPrefix }}-db-instance-backup-enabled" identifier: DB_INSTANCE_BACKUP_ENABLED - - name: AWSAccelerator-dynamodb-in-backup-plan - identifier: DYNAMODB_IN_BACKUP_PLAN - - name: AWSAccelerator-dynamodb-table-encrypted-kms - complianceResourceTypes: - - AWS::DynamoDB::Table - identifier: DYNAMODB_TABLE_ENCRYPTED_KMS - - name: AWSAccelerator-ebs-in-backup-plan - identifier: EBS_IN_BACKUP_PLAN - - name: AWSAccelerator-ec2-instance-detailed-monitoring-enabled + - name: "{{ AcceleratorPrefix }}-ec2-instance-detailed-monitoring-enabled" complianceResourceTypes: - AWS::EC2::Instance identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED - - name: AWSAccelerator-ec2-managedinstance-patch-compliance-status-check - identifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK - - name: AWSAccelerator-ec2-volume-inuse-check - inputParameters: - deleteOnTermination: "TRUE" - complianceResourceTypes: - - AWS::EC2::Volume - identifier: EC2_VOLUME_INUSE_CHECK - - name: AWSAccelerator-elasticache-redis-cluster-automatic-backup-check - identifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK - - name: AWSAccelerator-elb-acm-certificate-required - complianceResourceTypes: - - AWS::ElasticLoadBalancing::LoadBalancer - identifier: ELB_ACM_CERTIFICATE_REQUIRED - - name: AWSAccelerator-elb-cross-zone-load-balancing-enabled + - name: "{{ AcceleratorPrefix }}-elb-cross-zone-load-balancing-enabled" complianceResourceTypes: - AWS::ElasticLoadBalancing::LoadBalancer identifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED - - name: AWSAccelerator-emr-kerberos-enabled - identifier: EMR_KERBEROS_ENABLED - - name: 
AWSAccelerator-guardduty-non-archived-findings + - name: "{{ AcceleratorPrefix }}-guardduty-non-archived-findings" inputParameters: daysHighSev: "1" daysLowSev: "30" daysMediumSev: "7" identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS - - name: AWSAccelerator-iam-group-has-users-check - complianceResourceTypes: - - AWS::IAM::Group - identifier: IAM_GROUP_HAS_USERS_CHECK - - name: AWSAccelerator-iam-user-group-membership-check - complianceResourceTypes: - - AWS::IAM::User - identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK - - name: AWSAccelerator-incoming-ssh-disabled + - name: "{{ AcceleratorPrefix }}-incoming-ssh-disabled" identifier: INCOMING_SSH_DISABLED - - name: AWSAccelerator-ec2-instances-in-vpc + - name: "{{ AcceleratorPrefix }}-ec2-instances-in-vpc" complianceResourceTypes: - AWS::EC2::Instance identifier: INSTANCES_IN_VPC - - name: AWSAccelerator-internet-gateway-authorized-vpc-only - complianceResourceTypes: - - AWS::EC2::InternetGateway - identifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY - - name: AWSAccelerator-rds-in-backup-plan - identifier: RDS_IN_BACKUP_PLAN - - name: AWSAccelerator-redshift-cluster-configuration-check - inputParameters: - clusterDbEncrypted: "TRUE" - loggingEnabled: "TRUE" - complianceResourceTypes: - - AWS::Redshift::Cluster - identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK - - name: AWSAccelerator-restricted-incoming-traffic + - name: "{{ AcceleratorPrefix }}-restricted-incoming-traffic" inputParameters: blockedPort1: "20" blockedPort2: "21" 
@@ -362,179 +411,218 @@ awsConfig: blockedPort4: "3306" blockedPort5: "4333" identifier: RESTRICTED_INCOMING_TRAFFIC - - name: AWSAccelerator-s3-bucket-policy-grantee-check - complianceResourceTypes: - - AWS::S3::Bucket - identifier: S3_BUCKET_POLICY_GRANTEE_CHECK - - name: AWSAccelerator-s3-bucket-versioning-enabled + - name: "{{ AcceleratorPrefix }}-s3-bucket-versioning-enabled" complianceResourceTypes: - AWS::S3::Bucket identifier: S3_BUCKET_VERSIONING_ENABLED - - name: AWSAccelerator-sagemaker-endpoint-configuration-kms-key-configured - identifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED - - name: AWSAccelerator-sagemaker-notebook-instance-kms-key-configured - identifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED - - name: AWSAccelerator-securityhub-enabled - identifier: SECURITYHUB_ENABLED - - name: AWSAccelerator-vpc-sg-open-only-to-authorized-ports + - name: "{{ AcceleratorPrefix }}-vpc-sg-open-only-to-authorized-ports" inputParameters: authorizedTcpPorts: "443" authorizedUdpPorts: "1020-1025" complianceResourceTypes: - AWS::EC2::SecurityGroup identifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS - - name: AWSAccelerator-wafv2-logging-enabled - identifier: WAFV2_LOGGING_ENABLED + - deploymentTargets: + ## Section for config rules across all OUs except Sandbox + Management Account + ## Rules not supported in ca-west-1 ONLY + organizationalUnits: + - UnClass + - Security + - Prod + - Dev + - Test + - Central + - Infrastructure + accounts: + - Management + excludedRegions: + - ca-west-1 + rules: + - name: "{{ AcceleratorPrefix }}-redshift-cluster-configuration-check" + inputParameters: + clusterDbEncrypted: "TRUE" + loggingEnabled: "TRUE" + complianceResourceTypes: + - AWS::Redshift::Cluster + identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK + - name: "{{ AcceleratorPrefix }}-s3-bucket-policy-grantee-check" + complianceResourceTypes: + - AWS::S3::Bucket + identifier: S3_BUCKET_POLICY_GRANTEE_CHECK + - name: "{{ AcceleratorPrefix 
}}-iam-user-group-membership-check" + complianceResourceTypes: + - AWS::IAM::User + identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK + - name: "{{ AcceleratorPrefix }}-cloudtrail-s3-dataevents-enabled" + identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED + - name: "{{ AcceleratorPrefix }}-iam-group-has-users-check" + complianceResourceTypes: + - AWS::IAM::Group + identifier: IAM_GROUP_HAS_USERS_CHECK + - name: "{{ AcceleratorPrefix }}-api-gw-cache-enabled-and-encrypted" + complianceResourceTypes: + - AWS::ApiGateway::Stage + identifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED + - name: "{{ AcceleratorPrefix }}-ec2-volume-inuse-check" + inputParameters: + deleteOnTermination: "TRUE" + complianceResourceTypes: + - AWS::EC2::Volume + identifier: EC2_VOLUME_INUSE_CHECK + - name: "{{ AcceleratorPrefix }}-elasticache-redis-cluster-automatic-backup-check" + identifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK + - name: "{{ AcceleratorPrefix }}-emr-kerberos-enabled" + identifier: EMR_KERBEROS_ENABLED cloudWatch: metricSets: - regions: - - *HOME_REGION + - "{{AcceleratorHomeRegion}}" deploymentTargets: accounts: - Management metrics: # CIS 1.1 – Avoid the use of the "root" account - - filterName: AWSAccelerator-RootAccountMetricFilter + - filterName: "{{ AcceleratorPrefix }}-RootAccountMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}' metricNamespace: CloudTrailMetrics metricName: RootAccount metricValue: "1" # CIS 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls - - filterName: AWSAccelerator-UnauthorizedAPICallsMetricFilter + - filterName: "{{ AcceleratorPrefix }}-UnauthorizedAPICallsMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: '{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}' metricNamespace: CloudTrailMetrics metricName: UnauthorizedAPICalls metricValue: "1" # CIS 3.2 – Ensure a log 
metric filter and alarm exist for AWS Management Console sign-in without MFA - - filterName: AWSAccelerator-ConsoleSigninWithoutMFAMetricFilter + - filterName: "{{ AcceleratorPrefix }}-ConsoleSigninWithoutMFAMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: '{($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success")}' metricNamespace: CloudTrailMetrics metricName: ConsoleSigninWithoutMFA metricValue: "1" # CIS 3.3 – Ensure a log metric filter and alarm exist for usage of "root" account - # - filterName: AWSAccelerator-MetricFilter + # - filterName: {{ AcceleratorPrefix }}-MetricFilter # logGroupName: {{ CloudTrailLogGroup }} # filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}' # metricNamespace: CloudTrailMetrics # metricName: RootAccountUsage # metricValue: "1" # CIS 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes - - filterName: AWSAccelerator-IAMPolicyChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-IAMPolicyChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}" metricNamespace: CloudTrailMetrics metricName: IAMPolicyChanges metricValue: "1" # CIS 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes - - filterName: AWSAccelerator-CloudTrailChangesMetricFilter + 
- filterName: "{{ AcceleratorPrefix }}-CloudTrailChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}" metricNamespace: CloudTrailMetrics metricName: CloudTrailChanges metricValue: "1" # CIS 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - - filterName: AWSAccelerator-ConsoleAuthenticationFailureMetricFilter + - filterName: "{{ AcceleratorPrefix }}-ConsoleAuthenticationFailureMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: '{($.eventName=ConsoleLogin) && ($.errorMessage="Failed authentication")}' metricNamespace: CloudTrailMetrics metricName: ConsoleAuthenticationFailure metricValue: "1" # CIS 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - - filterName: AWSAccelerator-DisableOrDeleteCMKMetricFilter + - filterName: "{{ AcceleratorPrefix }}-DisableOrDeleteCMKMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}" metricNamespace: CloudTrailMetrics metricName: DisableOrDeleteCMK metricValue: "1" # CIS 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes - - filterName: AWSAccelerator-S3BucketPolicyChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-S3BucketPolicyChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}" metricNamespace: CloudTrailMetrics 
metricName: S3BucketPolicyChanges metricValue: "1" # CIS 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes - - filterName: AWSAccelerator-AWSConfigChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-AWSConfigChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}" metricNamespace: CloudTrailMetrics metricName: AWSConfigChanges metricValue: "1" # CIS 3.10 – Ensure a log metric filter and alarm exist for security group changes - - filterName: AWSAccelerator-SecurityGroupChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-SecurityGroupChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}" metricNamespace: CloudTrailMetrics metricName: SecurityGroupChanges metricValue: "1" # CIS 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - - filterName: AWSAccelerator-NetworkACLChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-NetworkACLChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}" metricNamespace: CloudTrailMetrics metricName: NetworkACLChanges metricValue: "1" # CIS 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways - - filterName: AWSAccelerator-NetworkGatewayChangesMetricFilter + - 
filterName: "{{ AcceleratorPrefix }}-NetworkGatewayChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}" metricNamespace: CloudTrailMetrics metricName: NetworkGatewayChanges metricValue: "1" # CIS 3.13 – Ensure a log metric filter and alarm exist for route table changes - - filterName: AWSAccelerator-RouteTableChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-RouteTableChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}" metricNamespace: CloudTrailMetrics metricName: RouteTableChanges metricValue: "1" # CIS 3.14 – Ensure a log metric filter and alarm exist for VPC changes - - filterName: AWSAccelerator-VPCChangesMetricFilter + - filterName: "{{ AcceleratorPrefix }}-VPCChangesMetricFilter" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}" metricNamespace: CloudTrailMetrics metricName: VPCChanges metricValue: "1" - - filterName: AWSAccelerator-Ec2InstanceChangeMetric + - filterName: "{{ AcceleratorPrefix }}-Ec2InstanceChangeMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{ ($.eventName = RunInstances) || 
($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances) }" metricNamespace: CloudTrailMetrics metricName: EC2InstanceEventCount metricValue: "1" - - filterName: AWSAccelerator-Ec2LargeInstanceChangeMetric + - filterName: "{{ AcceleratorPrefix }}-Ec2LargeInstanceChangeMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances)) && (($.requestParameters.instanceType= *.32xlarge) || ($.requestParameters.instanceType= *.24xlarge) || ($.requestParameters.instanceType= *.18xlarge) || ($.requestParameters.instanceType= *.16xlarge) || ($.requestParameters.instanceType= *.12xlarge) || ($.requestParameters.instanceType= *.10xlarge) || ($.requestParameters.instanceType= *.9xlarge) || ($.requestParameters.instanceType= *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }" metricNamespace: CloudTrailMetrics metricName: EC2LargeInstanceEventCount metricValue: "1" - - filterName: AWSAccelerator-SSOAuthUnapprovedIPMetric + - filterName: "{{ AcceleratorPrefix }}-SSOAuthUnapprovedIPMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }" # Needs Updating metricNamespace: CloudTrailMetrics metricName: SSOAuthUnapprovedIPCount metricValue: "1" - - filterName: AWSAccelerator-IAMAuthUnapprovedIPMetric + - filterName: "{{ AcceleratorPrefix }}-IAMAuthUnapprovedIPMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }" # Needs Updating metricNamespace: CloudTrailMetrics metricName: IAMAuthUnapprovedIPCount metricValue: "1" - - filterName: AWSAccelerator-UnencryptedFilesystemCreatedMetric + - filterName: "{{ 
AcceleratorPrefix }}-UnencryptedFilesystemCreatedMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{ ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) }" metricNamespace: CloudTrailMetrics metricName: UnencryptedFilesystemCreatedCount metricValue: "1" - - filterName: AWSAccelerator-IgnoreAuthorizationFailureMetric + - filterName: "{{ AcceleratorPrefix }}-IgnoreAuthorizationFailureMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}" metricNamespace: CloudTrailMetrics metricName: IgnoreAuthorizationFailureCount metricValue: "1" - - filterName: AWSAccelerator-IgnoreConsoleSignInWithoutMfaMetric + - filterName: "{{ AcceleratorPrefix }}-IgnoreConsoleSignInWithoutMfaMetric" logGroupName: {{ CloudTrailLogGroup }} filterPattern: "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}" metricNamespace: CloudTrailMetrics @@ -542,13 +630,13 @@ cloudWatch: metricValue: "1" alarmSets: - regions: - - *HOME_REGION + - {{ AcceleratorHomeRegion }} deploymentTargets: accounts: - Management alarms: # CIS 1.1 – Avoid the use of the "root" account - - alarmName: AWSAccelerator-CIS-1.1-RootAccountUsage + - alarmName: "{{ AcceleratorPrefix }}-CIS-1.1-RootAccountUsage" alarmDescription: Alarm for usage of "root" account snsTopicName: SecurityLow metricName: RootAccountUsage @@ -560,7 +648,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls - - alarmName: AWSAccelerator-CIS-3.1-UnauthorizedAPICalls + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.1-UnauthorizedAPICalls" alarmDescription: Alarm for unauthorized API calls snsTopicName: SecurityLow metricName: UnauthorizedAPICalls 
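Review bot: The home-region replacement token is written two different ways in the new code: `- "{{AcceleratorHomeRegion}}"` (quoted, no inner spaces) under `metricSets` in this hunk and `- {{ AcceleratorHomeRegion }}` (unquoted, spaced) under `alarmSets` in the `@@ -542` hunk, while every other new token in the file is spelled `"{{ AcceleratorPrefix }}-…"`. The existing `logGroupName: {{ CloudTrailLogGroup }}` context lines show the tooling tolerates the unquoted form, so this is consistency rather than a functional defect, but unquoted `{{ … }}` reads as a YAML flow mapping to any linter run before substitution; `- "{{ AcceleratorHomeRegion }}"` in both places keeps one spelling, and the commented-out `# - filterName: {{ AcceleratorPrefix }}-MetricFilter` should get the same quotes so it matches its siblings if re-enabled. Also, the third `deploymentTargets` group lists the same seven OUs as the two earlier groups but in a different order (`UnClass, Security, Prod, …` versus `Security, Infrastructure, Central, …`), which makes it harder to confirm by eye that the three target lists are identical; align the order with the first group.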
@@ -572,7 +660,7 @@ cloudWatch: threshold: 5 treatMissingData: notBreaching # CIS 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA - - alarmName: AWSAccelerator-CIS-3.2-ConsoleSigninWithoutMFA + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.2-ConsoleSigninWithoutMFA" alarmDescription: Alarm for AWS Management Console sign-in without MFA snsTopicName: SecurityHigh metricName: ConsoleSigninWithoutMFA @@ -597,7 +685,7 @@ cloudWatch: # threshold: 1 # treatMissingData: notBreaching # CIS 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes - - alarmName: AWSAccelerator-CIS-3.4-IAMPolicyChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.4-IAMPolicyChanges" alarmDescription: Alarm for IAM policy changes snsTopicName: SecurityMedium metricName: IAMPolicyChanges @@ -609,7 +697,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes - - alarmName: AWSAccelerator-CIS-3.5-CloudTrailChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.5-CloudTrailChanges" alarmDescription: Alarm for CloudTrail configuration changes snsTopicName: SecurityHigh metricName: CloudTrailChanges @@ -621,7 +709,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - - alarmName: AWSAccelerator-CIS-3.6-ConsoleAuthenticationFailure + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.6-ConsoleAuthenticationFailure" alarmDescription: Alarm exist for AWS Management Console authentication failures snsTopicName: SecurityLow metricName: ConsoleAuthenticationFailure 
@@ -633,7 +721,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - - alarmName: AWSAccelerator-CIS-3.7-DisableOrDeleteCMK + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.7-DisableOrDeleteCMK" alarmDescription: Alarm for disabling or scheduled deletion of customer created CMKs snsTopicName: SecurityHigh metricName: DisableOrDeleteCMK @@ -645,7 +733,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes - - alarmName: AWSAccelerator-CIS-3.8-S3BucketPolicyChanges. + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.8-S3BucketPolicyChanges" alarmDescription: Alarm for S3 bucket policy changes snsTopicName: SecurityMedium metricName: S3BucketPolicyChanges @@ -657,7 +745,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes - - alarmName: AWSAccelerator-CIS-3.9-AWSConfigChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.9-AWSConfigChanges" alarmDescription: Alarm for AWS Config configuration changes snsTopicName: SecurityHigh metricName: AWSConfigChanges @@ -669,7 +757,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.10 – Ensure a log metric filter and alarm exist for security group changes - - alarmName: AWSAccelerator-CIS-3.10-SecurityGroupChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.10-SecurityGroupChanges" alarmDescription: Alarm for security group changes snsTopicName: SecurityLow metricName: SecurityGroupChanges 
@@ -681,7 +769,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - - alarmName: AWSAccelerator-CIS-3.11-NetworkACLChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.11-NetworkACLChanges" alarmDescription: Alarm for changes to Network Access Control Lists (NACL) snsTopicName: SecurityMedium metricName: NetworkACLChanges @@ -693,7 +781,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways - - alarmName: AWSAccelerator-CIS-3.12-NetworkGatewayChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.12-NetworkGatewayChanges" alarmDescription: Alarm for changes to network gateways snsTopicName: SecurityMedium metricName: NetworkGatewayChanges @@ -705,7 +793,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.13 – Ensure a log metric filter and alarm exist for route table changes - - alarmName: AWSAccelerator-CIS-3.13-RouteTableChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.13-RouteTableChanges" alarmDescription: Alarm for route table changes snsTopicName: SecurityMedium metricName: RouteTableChanges @@ -717,7 +805,7 @@ cloudWatch: threshold: 1 treatMissingData: notBreaching # CIS 3.14 – Ensure a log metric filter and alarm exist for VPC changes - - alarmName: AWSAccelerator-CIS-3.14-VPCChanges + - alarmName: "{{ AcceleratorPrefix }}-CIS-3.14-VPCChanges" alarmDescription: Alarm for VPC changes snsTopicName: SecurityMedium metricName: VPCChanges 
@@ -728,7 +816,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-EC2-Instances-Changed + - alarmName: "{{ AcceleratorPrefix }}-AWS-EC2-Instances-Changed" alarmDescription: Alarms when one or more API calls are made to create, terminate, start, stop or reboot any EC2 instance (in any account, any region of your AWS Organization). snsTopicName: SecurityLow metricName: EC2InstanceEventCount @@ -739,7 +827,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-EC2-Large-Instance-Changed + - alarmName: "{{ AcceleratorPrefix }}-AWS-EC2-Large-Instance-Changed" alarmDescription: Alarms when one or more API calls are made to create, terminate, start, stop or reboot a 4x, 8x, 9x, 10x, 12x, 16x, 18x, 24x, 32x-large EC2 instance (in any account, any region of your AWS Organization). snsTopicName: SecurityMedium metricName: EC2LargeInstanceEventCount @@ -750,7 +838,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-SSO-Authentication-From-Unapproved-IP + - alarmName: "{{ AcceleratorPrefix }}-AWS-SSO-Authentication-From-Unapproved-IP" alarmDescription: Alarms when someone authenticates using AWS SSO from an unauthorized IP address range. snsTopicName: SecurityHigh metricName: SSOAuthUnapprovedIPCount @@ -761,7 +849,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-IAM-Authentication-From-Unapproved-IP + - alarmName: "{{ AcceleratorPrefix }}-AWS-IAM-Authentication-From-Unapproved-IP" alarmDescription: Alarms when someone authenticates using AWS IAM from an unauthorized IP address range. snsTopicName: SecurityHigh metricName: IAMAuthUnapprovedIPCount 
@@ -772,7 +860,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-Unencrypted-Filesystem-Created + - alarmName: "{{ AcceleratorPrefix }}-AWS-Unencrypted-Filesystem-Created" alarmDescription: Alarms when one or more API calls are made to create an Unencrypted filesystem (i.e. EFS) (in any account, any region of your AWS Organization). snsTopicName: SecurityHigh metricName: UnencryptedFilesystemCreatedCount @@ -783,7 +871,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-IGNORE-AWS-Authorization-Failure + - alarmName: "{{ AcceleratorPrefix }}-IGNORE-AWS-Authorization-Failure" alarmDescription: Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization). snsTopicName: SecurityIgnore metricName: IgnoreAuthorizationFailureCount @@ -794,7 +882,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-IGNORE-AWS-Console-SignIn-Without-MFA + - alarmName: "{{ AcceleratorPrefix }}-IGNORE-AWS-Console-SignIn-Without-MFA" alarmDescription: Alarms when MFA is NOT used to sign into the console with IAM (in any account, any region of your AWS Organization). snsTopicName: SecurityIgnore metricName: IgnoreConsoleSignInWithoutMfaCount @@ -805,7 +893,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-Console-SignIn-Failure + - alarmName: "{{ AcceleratorPrefix }}-AWS-Console-SignIn-Failure" alarmDescription: Alarms when one or more unauthenticated API calls are made to sign into the console (in any account, any region of your AWS Organization). snsTopicName: SecurityHigh metricName: ConsoleSignInFailureCount 
@@ -816,7 +904,7 @@ cloudWatch: statistic: Sum threshold: 3 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-Authorization-Failure + - alarmName: "{{ AcceleratorPrefix }}-AWS-Authorization-Failure" alarmDescription: Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization). snsTopicName: SecurityLow metricName: AuthorizationFailureCount @@ -827,7 +915,7 @@ cloudWatch: statistic: Sum threshold: 1 treatMissingData: notBreaching - - alarmName: AWSAccelerator-AWS-Root-Login + - alarmName: "{{ AcceleratorPrefix }}-AWS-Root-Login" alarmDescription: Alarms when the root user successfully logs in one or more times (in any account, any region of your AWS Organization). snsTopicName: SecurityHigh metricName: RootLoginEventCount diff --git a/config/ssm-documents/s3-enforce-https.yaml b/config/ssm-documents/s3-enforce-https.yaml index 564f014..40ccc7c 100644 --- a/config/ssm-documents/s3-enforce-https.yaml +++ b/config/ssm-documents/s3-enforce-https.yaml @@ -97,7 +97,7 @@ mainSteps: s3_client = boto3.client("s3") bucket_name = event["BucketName"] region = os.environ['AWS_REGION'] - + bucket_policy = get_bucket_policy(s3_client, bucket_name) policy_sid = generate_random_policy_statement_id() partition = get_partition(region) diff --git a/documentation/FAQ.md b/documentation/FAQ.md index b0adc60..f88c186 100644 --- a/documentation/FAQ.md +++ b/documentation/FAQ.md 
@@ -28,9 +28,64 @@ For existing deployments, before making this change in your configuration and ru If you didn't previously used or enabled Identity Center, you need to enable it in your management account before running the LZA pipeline. -**If you are already operating Identity Center from the Audit account with provisionned permission sets and assignements you should carefully review the impact of this change. Making this change can remove all existing Identity Center configurations**. To continue using the Audit Account as the delegated adminstrator for Identity Center you can use the following configuration instead: +**If you are already operating Identity Center from the Audit account with provisionned permission sets and assignements you should carefully review the impact of this change. Making this change can remove all existing Identity Center configurations**. To continue using the Audit Account as the delegated administrator for Identity Center you can use the following configuration instead: ``` identityCenter: name: OrgIdentityCenter delegatedAdminAccount: Audit ``` + +## AWS Regions + +### What is the Home Region? + +The [homeRegion](https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.0/classes/_aws_accelerator_config.GlobalConfig.html#homeRegion) is where the accelerator pipeline is deployed and the region in which you will most often operate in. This reference architecture deploys the networking resources in that region by default. + +### What are Enabled Regions? +[enabledRegions](https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.0/classes/_aws_accelerator_config.GlobalConfig.html#enabledRegions) is the list of regions where accelerator resources will be deployed. Home region must be part of this list. + +### Why should all regions be enabled in my configuration even if I don't intend to deploy workloads outside the Home Region? 
+ +We highly recommend to add all AWS regions that are enabled by default to the list of `enabledRegions` in LZA to deploy all the guardrails and detective controls configured by this reference architecture. Service Control Policies are in place to prevent users to deploy resources outside of the home region, the deployment of detective controls in every region serves as a defense in depth measure. Multiple `excludeRegions:` statements are included in the reference configuration to avoid deploying unnecessary resources to all enabled regions and limit cost. + +### What if I want to deploy workloads in another region than the home region? + +The exact steps required to enable an additional region within the reference architecture may vary based on the type of workload and use of the region (e.g. used for disaster recovery only are as the main region for specific applications). The high-level steps are: + +1. Update the accelerator Service Control Policies to allow the use of the additional region. More precisely the `GBL1` and `GBL2` statements that denies the use of most services outside the Home Region. +2. Remove the additional region from the `excludeRegions:` directives throughout the configuration files. +3. Deploy the appropriate networking and other supporting resources in the additional region. + +### What about deploying workloads to an opt-in region? + +AWS Regions added after March 20, 2019 are disabled by default and need to be enabled before resources can be created in those regions. In addition to the steps from the previous section you will need to enable the opt-in region by following the steps in [Enable or disable a Region in your organization](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization) + +## Application Load Balancers Forwarding + +Since the `1.7.0-a` release of the configuration, Application Load Balancers are deployed in the Perimeter VPC. 
Sample configuration is also provided to automate the deployment of Application Load Balancers in workload accounts. AWS ALBs are published using DNS names which resolve to backing IPs which could silently change at any time due to a scaling event, maintenance, or a hardware failure. While published as a DNS name, ALBs can only target IP addresses. This presents a challenge as we need the ALBs in the perimeter account to target ALB's in the various back-end workload accounts. + +ALB Forwarding solves this problem by executing a small snippet of code every 60 seconds which updates managed ALB listeners with any IP changes, ensuring any managed flows do not go offline. This removes the requirement to leverage a 3rd party appliance to perform NAT to a DNS name. + +See the [post-deployment](../post-deployment.md) instructions for more details on how to configure the ALB forwarding rules + +### Why was a target group not created for an ALB Forwarding entry? + +When an entry is added to the ALB Forwarding table, a lookup is performed to validate and configure the target group. Additional information is then inserted to the DynamoDB table, specifically to the newly added entry with the key `metadata`. If this `metadata` key is not added and populated and/or a target group is not added, this could indicate an error in the parameters provided for the entry. + +To troubleshoot ALB Forwarding target group creation, consult the CloudWatch logs for the ALB Forwarding Lambda functions. The CloudWatch Log Groups are named `-AlbIPForwa-*`. If necessary, remove the affected entry from the DynamoDB table and re-add, ensuring that any information provided is correct. + +### Why can I not reach resources behind my workload ALB through the external ALB? + +The reachability of resources in workload accounts relies on several factors: + +1. The ALB targets in the workload account are healthy. 
+ +Since the external ALB in the Perimeter account relies on health checks against the internal ALB in workload accounts, verify that the targets attached to the workload internal ALB are healthy. + +2. Routing from the Perimeter ALBs to the workload ALBs, and return traffic, through the Transit Gateway. + +Verify that the Transit Gateway is configured in the Landing Zone Accelerator to route traffic between the Perimeter and workload VPCs, and that the corresponding Transit Gateway attachments are present in the Network account. + +3. Network security configuration permitting the required traffic to the workload ALBs and resources. + +Verify that any Network ACLs (NACLS) and security groups are configured to permit the required traffic from the ALB Forwarding resources in the Perimeter account. \ No newline at end of file diff --git a/install-controltower.md b/install-controltower.md index 487a99e..2e329b2 100644 --- a/install-controltower.md +++ b/install-controltower.md 
@@ -5,22 +5,9 @@ _Note: Government of Canada customers are required to skip this step and [deploy ## 2.1 Configure AWS Control Tower -You should first configure AWS Control Tower in your home region using the documentation from [Getting started with AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) - -- Be sure you've correctly designated the AWS Region that you select for your home Region. After you've deployed AWS Control Tower, you can't change the home Region. -- Leave the Region deny setting set to Not enabled - the Accelerator needs a customized region deny policy. -- Select all regions for Additional AWS Regions for governance -- For the Foundational OU, leave the default value Security -- For the Additional OU provide the value Infrastructure, click Next -- When configuring the shared accounts, keep the default names, use the email addresses defined in the prerequisites: - * **Management Account:** Use the "Management Account" email defined in the prerequisites - * **Log Archive Account:** Use the "Log Archive Account" email defined in the prerequisites - * **Audit Account:** Use the "Security Account" email defined in the prerequisites -- Select Enabled for AWS CloudTrail configuration - -After Control Tower deployment you should have a Security and Infrastructure OU as well as the three mandatory accounts. Go to Control Tower Account Factory and edit the Network configuration - - Set the Maximum number of private subnets to 0 - - Uncheck all regions for VPC creations (VPC creation will be handled by the accelerator) +Starting with version v1.7.0 of Landing Zone Accelerator, Control Tower can be setup as part of the LZA installation by setting the appropriate parameters when deploying the CloudFormation stack in the next step. 
+ +You first need to [enable AWS Organizations in your home Region](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) by going to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) and choosing **Create an organization**. ## 2.2 Deploy the installer CloudFormation stack Click the **Launch Solution** button on [Step 1. Launch the stack](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html) page. **Ensure the Region is set to your desired home Region, as it typically defaults to US East (N. Virginia)** 
@@ -42,9 +29,18 @@ Leave all other values as default, unless you have specific reasons to customize - Wait for the successful completion of the `AWSAccelerator-Pipeline` pipeline. +## 2.4 Verify Control Tower deployment and update configuration + +After Control Tower deployment you should have a Security and Infrastructure OU as well as the three mandatory accounts. + +### 2.4.1 Disable Control Tower VPC creation +Go to Control Tower Account Factory and edit the Network configuration + - Set the Maximum number of private subnets to 0 + - Uncheck all regions for VPC creations (VPC creation will be handled by the accelerator) + # 3. Deploy the reference architecture -The Landing Zone Accelerator on AWS solution deploys an AWS CodeCommit repository called `aws-accelerator-config`, along with six customizable YAML configuration files. The YAML files are pre-populated with a minimal configuration for the solution. The configuration files found in this directory should replace the files in the default AWS CodeCommit repository after adjusting environment specific configurations. +The Landing Zone Accelerator on AWS solution deploys an AWS CodeCommit repository called `aws-accelerator-config`, along with six customizable YAML configuration files. The YAML files are pre-populated with a minimal configuration for the solution. The configuration files found in this repo's '[config](./config/)' should replace the files in the default AWS CodeCommit repository after adjusting environment specific configurations. We recommend you read the LZA guidance on [using the configuration files](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html), before continuing with the deployment of the reference architecture. 
@@ -56,30 +52,38 @@ We recommend you go through every configuration file and confirm the default val 2. Clone this repository (`landing-zone-accelerator-on-aws-for-cccs-medium`) 3. Copy the contents from the `config` folder in the repository `landing-zone-accelerator-on-aws-for-cccs-medium` to your local `aws-accelerator-config` repo. You may be prompted to overwrite duplicate configs, such as accounts-config.yaml. -## 3.2 Create and register additional organizational units +## 3.2 Mandatory customization + +Using the IDE of your choice, in your local `aws-accelerator-config` repo, update the following values: +- replacements-config.yaml - This file contains global variables that can be referenced from all other configuration files. Review the value of each variable to confirm it is appropriate to your deployment. **Note: ** the passwords for the active directory accounts will be available via [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). +- accounts-config.yaml - Update the config email addresses to match the email addresses you assigned in the prerequisites section. -Every Organization Unit defined in the `organization-config.yaml` file needs to be registered in Control Tower. Follow the steps to [create a new OU](https://docs.aws.amazon.com/controltower/latest/userguide/create-new-ou.html) for each OU defined in your configuration. +### 3.2.1 Changing the home Region -When using this reference architecture, the OUs are: -- Security: Already created when you setup Control Tower -- Infrastructure: Already created when you setup Control Tower -- Central -- Dev -- Test -- Prod -- UnClass -- Sandbox +If you are changing the home region from *ca-central-1* to different region, you need to make the following configuration file modifications. -## 3.3 Mandatory customization +- global-config.yaml - **homeRegion: &HOME_REGION ca-central-1** must be updated from *ca-central-1* to the region you are using as your home region, e.g. 
*homeRegion: &HOME_REGION eu-west-2* +- global-config.yaml - all references to your home region in any **excludeRegions** blocks must be deleted and *ca-central-1* must be added. -Using the IDE of your choice, in your local `aws-accelerator-config` repo, update the following values: -- replacements-config.yaml - This file contains global variables that can be referenced from all other configuration files. Review the value of each variable to confirm it is appropriate to your deployment. -- accounts-config.yaml - Replace all the AWS Account email addresses with valid emails for the deployment. These are used to create AWS Accounts. -- global-config.yaml - Replace all emails used for AWS Budgets and security notifications to match the email you allocated in the prerequisites. -- iam-config.yaml - Replace the groupName and Active Directory user account details with those specified in the prerequisites. **Note: ** the passwords for these accounts will be available via [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). -- This sample configuration is built using the **ca-central-1** AWS Region as the home or installation Region. If installing to a different home Region, then the five references to **ca-central-1** must be updated to reference your desired home Region in the following four configuration files (global-config, iam-config, network-config, security-config). +### 3.2.2 Changing the accelerator prefix + +If you changed the [accelerator prefix](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html) from **AWSAccelerator** during the LZA deployment, you need to make the following configuration file modifications. -### 3.3.1 Customizations specific to ControlTower +- global-config.yaml - update the **cdkOptions/customDeploymentRole** to *-PipelineRole* e.g. *ExamplePrefix-PipelineRole*. +- iam-config.yaml - update the **managedActiveDirectories/logs/groupName** to *-/MAD/{{MadDnsName}}* e.g. 
*/ExamplePrefix/MAD/{{MadDnsName}}*. +- **dynamic-partitioning/log-filters.json** - update the acceleratorPrefix to **. For example if your prefix is *TSEProd*, the config file should look like the following: +``` +[ + { "logGroupPattern": "/TSEProd/MAD", "s3Prefix": "managed-ad" }, + { "logGroupPattern": "/TSEProd/rql", "s3Prefix": "rql" }, + { "logGroupPattern": "/TSEProd-SecurityHub", "s3Prefix": "security-hub" }, + { "logGroupPattern": "TSEProdFirewallFlowLogGroup", "s3Prefix": "nfw" }, + { "logGroupPattern": "/TSEProd/rsyslog", "s3Prefix": "rsyslog" }, + { "logGroupPattern": "TSEProd-sessionmanager-logs", "s3Prefix": "ssm" } +] +``` + +### 3.2.3 Customizations specific to ControlTower Some configuration elements need to be updated when using ControlTower @@ -88,6 +92,7 @@ Some configuration elements need to be updated when using ControlTower - global-config.yaml * Update `managementAccountAccessRole` value to `AWSControlTowerExecution * Update `controlTower` to `enable: true` + * Uncomment the `landingZone` block * Under `logging/cloudtrail/organizationTrailSettings` set `managementEvents` to `false`, an Organizational Trail was already setup by CloudTrail. - organization-config.yaml * Uncomment the proper configuration block under the `AWSAccelerator-Guardrails-Sensitive-Part-1` configuration to have the following configuration 
@@ -113,13 +118,13 @@ Some configuration elements need to be updated when using ControlTower If you are deploying a demo environment for experimentation purposes, and don't need to perform any specific customization such as defining specific CIDR ranges that don't overlap with on-premises networks, you may wish to skip to the section on running the pipeline. -## 3.4 Network customization +## 3.3 Network customization It is common for customers to want to assert control over their networking, based on existing on-premises requirements, such as CIDR ranges and the specific workload requirements, e.g. a VPN to integrate with on-premises services. By default reference architecture deploys a fully working shared network, isolated between development, test and production environments. The following section describes how to modify the CIDR ranges for the shared networking if necessary. -### 3.4.1 Customizing the shared network +### 3.3.1 Customizing the shared network The shared network makes use of a contiguous CIDR. The is currently specified as `10.0.0.0/8`. This is subdivided into 
@@ -135,6 +140,20 @@ The shared network makes use of a contiguous CIDR. The is currently specified as You can choose to customize these ranges in the `replacements-config.yaml`, however take careful note when updating the config to also update subnet range, NACLs, Security Groups, Firewall rules and routing appropriately in `network-config.yaml`. +## 3.4 Copy assets to assets buckets + +The sample configuration file uses self-signed certificates to attach to Application Load Balancers. Valid certificates need to be copied to the S3 assets bucket of your management account. (e.g. `aws-accelerator-assets--`) + +The `network-config.yaml` references certificates used by the Application Load Balancers (ALB), but the sample certificates must be generated locally. Follow these instructions to generate sample certificates for the initial deployment and demonstration purposes. Ideally you would generate real certificates using your existing certificate authority. Note that the config references the sample certs in a `certs` folder, therefore, the sample certs must be in uploaded into a `certs` folder in the S3 bucket. + +``` +Example1: +openssl req -newkey rsa:2048 -nodes -keyout example1-cert.key -out example1-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.ca" +openssl x509 -signkey example1-cert.key -in example1-cert.csr -req -days 1095 -out example1-cert.crt +``` + +You can also update the configuration to automatically request certificates from Amazon Certificate Manager (ACM). See the [CertificateConfig](https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.2/classes/_aws_accelerator_config.CertificateConfig.html) documentation from LZA. + ## 3.5 Running the pipeline - Commit and push all your change to the `aws-accelerator-config` AWS CodeCommit repository. diff --git a/install-organizations.md b/install-organizations.md index c518480..d80e4b3 100644 --- a/install-organizations.md +++ b/install-organizations.md 
@@ -36,13 +36,22 @@ Leave all other values as default, unless you have specific reasons to customize - Wait for the successful completion of the `AWSAccelerator-Pipeline` pipeline. +## 2.4 Enable IAM Identity Center in the management account + +1. Login into the management account +2. Make sure the region in the console is set to your home AWS Region +3. Follow the guidance on [enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) + +> **Note:** +> Don't configure delegated administration, this will be done by the LZA pipeline in the next steps. + # 3. Deploy the reference architecture -The Landing Zone Accelerator on AWS solution deploys an AWS CodeCommit repository called `aws-accelerator-config`, along with six customizable YAML configuration files. The YAML files are pre-populated with a minimal configuration for the solution. The configuration files found in this directory should replace the files in the default AWS CodeCommit repository after adjusting environment specific configurations. +The Landing Zone Accelerator on AWS solution deploys an AWS CodeCommit repository called `aws-accelerator-config`, along with six customizable YAML configuration files. The YAML files are pre-populated with a minimal configuration for the solution. The configuration files found in this repo's '[config](./config/)' should replace the files in the default AWS CodeCommit repository after adjusting environment specific configurations. We recommend you read the LZA guidance on [using the configuration files](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html), before continuing with the deployment of the reference architecture. -We recommend you go through every configuration file and confirm the default values correspond to your needs. Pay careful attention to any comments provided in the configuration files. 
To facilitate futur updates of the reference configuration, we suggest you keep the same file structure and comment out parts that you don't need instead of removing them. +We recommend you go through every configuration file and confirm the default values correspond to your needs. Pay careful attention to any comments provided in the configuration files. To facilitate future updates of the reference configuration, we suggest you keep the same file structure and comment out parts that you don't need instead of removing them. ## 3.1 Prepare the reference architecture configuration files 
@@ -63,11 +72,33 @@ You can run the [`setup-organizational-units`](./reference-artifacts/organizatio ## 3.3 Mandatory customization Using the IDE of your choice, in your local `aws-accelerator-config` repo, update the following values: -- replacements-config.yaml - This file contains global variables that can be referenced from all other configuration files. Review the value of each variable to confirm it is appropriate to your deployment. -- accounts-config.yaml - Replace all the AWS Account email addresses with valid emails for the deployment. These are used to create AWS Accounts. -- global-config.yaml - Replace all emails used for AWS Budgets and security notifications to match the email you allocated in the prerequisites. -- iam-config.yaml - Replace the groupName and Active Directory user account details with those specified in the prerequisites. **Note: ** the passwords for these accounts will be available via [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). -- This sample configuration is built using the **ca-central-1** AWS Region as the home or installation Region. If installing to a different home Region, then the five references to **ca-central-1** must be updated to reference your desired home Region in the following four configuration files (global-config, iam-config, network-config, security-config). +- replacements-config.yaml - This file contains global variables that can be referenced from all other configuration files. Review the value of each variable to confirm it is appropriate to your deployment. **Note: ** the passwords for the active directory accounts will be available via [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). +- accounts-config.yaml - Update the config email addresses to match the email addresses you assigned in the prerequisites section. 
+ +### 3.3.1 Changing the home Region + +If you are changing the home region from *ca-central-1* to different region, you need to make the following configuration file modifications. + +- global-config.yaml - **homeRegion: &HOME_REGION ca-central-1** must be updated from *ca-central-1* to the region you are using as your home region, e.g. *homeRegion: &HOME_REGION eu-west-2* +- global-config.yaml - all references to your home region in any **excludeRegions** blocks must be deleted and *ca-central-1* must be added. + +### 3.3.2 Changing the accelerator prefix + +If you changed the [accelerator prefix](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html) from **AWSAccelerator** during the LZA deployment, you need to make the following configuration file modifications. + +- global-config.yaml - update the **cdkOptions/customDeploymentRole** to *-PipelineRole* e.g. *ExamplePrefix-PipelineRole*. +- iam-config.yaml - update the **managedActiveDirectories/logs/groupName** to *-/MAD/{{MadDnsName}}* e.g. */ExamplePrefix/MAD/{{MadDnsName}}*. +- **dynamic-partitioning/log-filters.json** - update the acceleratorPrefix to **. For example if your prefix is *TSEProd*, the config file should look like the following: +``` +[ + { "logGroupPattern": "/TSEProd/MAD", "s3Prefix": "managed-ad" }, + { "logGroupPattern": "/TSEProd/rql", "s3Prefix": "rql" }, + { "logGroupPattern": "/TSEProd-SecurityHub", "s3Prefix": "security-hub" }, + { "logGroupPattern": "TSEProdFirewallFlowLogGroup", "s3Prefix": "nfw" }, + { "logGroupPattern": "/TSEProd/rsyslog", "s3Prefix": "rsyslog" }, + { "logGroupPattern": "TSEProd-sessionmanager-logs", "s3Prefix": "ssm" } +] +``` If you are deploying a demo environment for experimentation purposes, and don't need to perform any specific customization such as defining specific CIDR ranges that don't overlap with on-premises networks, you may wish to skip to the section on running the pipeline. 
@@ -93,7 +124,21 @@ The shared network makes use of a contiguous CIDR. The is currently specified as You can choose to customize these ranges in the `replacements-config.yaml`, however take careful note when updating the config to also update subnet range, NACLs, Security Groups, Firewall rules and routing appropriately in `network-config.yaml`. -## 3.5 Running the pipeline +## 3.5 Copy assets to assets buckets + +The sample configuration file uses self-signed certificates to attach to Application Load Balancers. Valid certificates need to be copied to the S3 assets bucket of your management account. (e.g. `aws-accelerator-assets--`) + +The `network-config.yaml` references certificates used by the Application Load Balancers (ALB), but the sample certificates must be generated locally. Follow these instructions to generate sample certificates for the initial deployment and demonstration purposes. Ideally you would generate real certificates using your existing certificate authority. Note that the config references the sample certs in a `certs` folder, therefore, the sample certs must be in uploaded into a `certs` folder in the S3 bucket. + +``` +Example1: +openssl req -newkey rsa:2048 -nodes -keyout example1-cert.key -out example1-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.ca" +openssl x509 -signkey example1-cert.key -in example1-cert.csr -req -days 1095 -out example1-cert.crt +``` + +You can also update the configuration to automatically request certificates from Amazon Certificate Manager (ACM). See the [CertificateConfig](https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.2/classes/_aws_accelerator_config.CertificateConfig.html) documentation from LZA. + +## 3.6 Running the pipeline - Commit and push all your change to the `aws-accelerator-config` AWS CodeCommit repository. - Release a change manually to the `AWSAccelerator-Pipeline` pipeline. diff --git a/install.md b/install.md index ed070b5..c10b900 100644 
--- a/install.md +++ b/install.md @@ -98,12 +98,6 @@ Following the guidance on [enabling AWS Cost Explorer](https://docs.aws.amazon.c If you are using the GitHub source for the LZA code, you will need to follow the prerequisite step to [store a github token in secrets manager](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#create-a-github-personal-access-token-and-store-in-secrets-manager) -### 1.5.12 Enable IAM Identity Center in the management account - -1. Login into the management account -2. Make sure the region in the console is set to your home AWS Region -3. Follow the guidance on [enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) - # 2. Deploy LZA We recommend you first read the [LZA guidance on troubleshooting and known issues](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/troubleshooting.html) prior to running the installation. diff --git a/post-deployment.md b/post-deployment.md index 1116790..f988788 100644 --- a/post-deployment.md +++ b/post-deployment.md 
@@ -2,8 +2,8 @@ ## 4.1 Access AWS IAM Identity Centre and configure your identity source -1. Log into the Operations account that is the delegated adminisration account for AWS IAM Identity Center. -2. If you plan to use the AWS Directory that the reference architecture deploys follow the [IAM Identity centre guidance to configure AD](https://docs.aws.amazon.com/singlesignon/latest/userguide/connectawsad.html). If you plan to use an external IDP follow the IAM Identity centre guidance to configure an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html). +1. Log into the Operations account that is the delegated administration account for AWS IAM Identity Center. +2. If you plan to use the AWS Directory that the reference architecture deploys follow the [IAM Identity centre guidance to configure AD](https://docs.aws.amazon.com/singlesignon/latest/userguide/connectawsad.html). If you plan to use an external IDP follow the [IAM Identity centre guidance to configure an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html). ## 4.2 Configure Multi-factor authentication for IAM Identity Centre: 
@@ -20,3 +20,82 @@ We recommend the following minimum settings: The breakglass users are highly privileged user accounts. Login to the management and follow the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) to configure MFA on both breakglass accounts. We recommend that you use hardware MFA for these accounts. + +## 4.4 Configure Application Load Balancer forwarding + +Since the `1.7.0-a` release of the configuration, Application Load Balancers are deployed in the Perimeter VPC. Sample configuration is also provided to automate the deployment of Application Load Balancers in workload accounts. AWS ALBs are published using DNS names which resolve to backing IPs which could silently change at any time due to a scaling event, maintenance, or a hardware failure. While published as a DNS name, ALBs can only target IP addresses. This presents a challenge as we need the ALBs in the perimeter account to target ALB's in the various back-end workload accounts. + +ALB Forwarding solves this problem by executing a small snippet of code every 60 seconds which updates managed ALB listeners with any IP changes, ensuring any managed flows do not go offline. This removes the requirement to leverage a 3rd party appliance to perform NAT to a DNS name. + +### Architecture Overview + +![ALB Forwarding Architecture](./architecture-doc/images/alb-forwarding-architecture.png "ALB Forwarding Architecture") + +### Deploying ALB Forwarding + +The CloudFormation stack to deploy the ALB forwarding is provided in `customizations/AlbIpForwardingStack.template.json`. The configuration to deploy this stack to the Perimeter account is provided in `customizations-config.yaml`. This stack creates a new DynamoDB table named `-Alb-Ip-Forwarding-vpc-*` in the Perimeter account. + +### How do I configure an ALB Forwarding Rule? 
+ +When using the default configuration file, an external ALB is already provisioned in the Perimeter account with a listener on port 443. For each application that needs to be published, a record needs to be added to the DynamoDB table, see sample below. + +Records can be added to the table for any ALB in the account running the ALB Forwarding component (by default, the Perimeter account). Records can be added at any time. DynamoDB change logs will trigger the initial creation of the appropriate target group(s) and IP addresses will be verified and updated every 60 seconds thereafter. + +#### Sample JSON to add an entry to the ALB Forwarding table + +__Note__: The sample below is in standard JSON format, not DynamoDB JSON. When adding an entry via the console, ensure that __JSON view__ is selected and that __View DynamoDB JSON__ is disabled. + +```json +{ + "id": "App1", + "targetAlbDnsName": "internal-Core-mydevacct1-alb-123456789.ca-central-1.elb.amazonaws.com", + "targetGroupDestinationPort": 443, + "targetGroupProtocol": "HTTPS", + "vpcId": "vpc-0a6f44a80514daaaf", + "rule": { + "sourceListenerArn": "arn:aws:elasticloadbalancing:ca-central-1:123456789012:listener/app/Public-DevTest/b1b12e7a0c412bf3/ef9b022a4fdd8bdf", + "condition": { + "paths": ["/img/*", "/myApp2"], + "hosts": ["aws.amazon.com"], + "priority": 30 + } + } +} +``` + +- `id` is any unique text +- `targetAlbDnsName` is the DNS address for the internal ALB for this application (in workload account) +- `vpcId` is the vpc ID containing the external ALB (in perimeter account) +- `sourceListenerArn` is the ARN of the listener of the external ALB (in Perimeter account) +- `paths` and `hosts` are both optional, but one of the two must be supplied +- `priority` must be unique and is used to order the listener rules. Priorities should be spaced at least 40 apart to allow for easy insertion of new applications and forwarder rules. 
+- the provided `targetAlbDnsName` must resolve to addresses within a [supported](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html) IP address space. + +### Troubleshooting ALB forwarding +For tips on troubleshooting issues with ALB forwarding rules see the [FAQ about Application Load Balancers Forwarding](./documentation/FAQ.md#Application-Load-Balancers-Forwarding) + +## 4.5 Enable security controls in every region + +During the initial installation only the home region was enabled. We highly recommend guardrail deployment for all AWS regions that are enabled by default. For more details see the [FAQ about AWS Regions](./documentation/FAQ.md#aws-regions). + +Edit the `global-config.yaml` file and un-comment all regions under the `enabledRegions` property. Commit and push your change to your CodeCommit repository and release the Accelerator pipeline. +``` +enabledRegions: + - *HOME_REGION + - "ap-northeast-1" + - "ap-northeast-2" + - "ap-northeast-3" + - "ap-south-1" + - "ap-southeast-1" + - "ap-southeast-2" + - "eu-central-1" + - "eu-north-1" + - "eu-west-1" + - "eu-west-2" + - "eu-west-3" + - "sa-east-1" + - "us-east-1" + - "us-east-2" + - "us-west-1" + - "us-west-2" +``` diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..7221a80 --- /dev/null +++ b/readme.md 
@@ -0,0 +1,24 @@ +# Canadian Centre for Cyber Security (CCCS) Cloud Medium (CCCS Medium) + +## Overview +**The Landing Zone Accelerator on AWS (LZA)** for _Canadian Centre for Cyber Security (CCCS) Cloud Medium_ is an industry specific deployment of the [Landing Zone Accelerator on AWS](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/) solution designed in collaboration with our national security; defence; national law enforcement; and federal, provincial, and municipal government customers to accelerate compliance with their strict and unique security and compliance requirements. The _Canadian Centre for Cyber Security Cloud Medium (CCCS Medium) Reference Architecture_ is a comprehensive, multi-account AWS cloud architecture targeting sensitive level workloads. It was designed to help customers address central identity and access management, governance, data security, comprehensive logging, and network design/segmentation in alignment with security frameworks such as NIST 800-53, ITSG-33, FEDRAMP Moderate, CCCS-Medium, IRAP, and other [sensitive][sensitive] or medium level security profiles. + +Please refer to the CCCS Medium [Reference Architecture document](./architecture-doc/readme.md) for the full detailed design. + +## Deployment overview +AWS developed the sample config files herein for use with the Landing Zone Accelerator on AWS (LZA) solution. Using these sample config files with LZA will automate the deployment of [CCCS Medium](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html) (formerly PBMM) security controls. + +LZA will deploy an opinionated architecture that has been designed in consultation with CCCS and Government of Canada’s Treasury Board Secretariat. 
Inheriting the controls from the [CCCS assessment of AWS](https://aws.amazon.com/compliance/services-in-scope/CCCS/) and deploying additional controls using LZA with the sample config files allow customers to meet up to 70% of the controls that have a technical element. This reduces security control implementation time, allowing customers to focus on operational capabilities and the evidentiary exercise in a [Security Assessment and Authorization](https://www.cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105) (SA&A) process like that used by the Government of Canada. + +The sample config files define a log retention period of 2 years based on [guidance](https://www.canada.ca/en/government/system/digital-government/online-security-privacy/event-logging-guidance.html) provided by the Treasury Board Secretariat. Customers are encouraged to consider defining longer retention periods, such as 10 years, so that you'll have the data you need to investigate and reconstruct events long after they occur. + +Customers are encouraged to work with their local AWS Account Teams to learn more about customizing this configuration, to learn more about the CCCS-Medium reference architecture, and the Landing Zone Accelerator on AWS solution. + +**NOTE: The initial release of the CCCS-Medium LZA sample configuration files included as part of LZA v1.3 do not yet fully automate the delivery of this architecture. This will be resolved in subsequent LZA releases.** + +- [Configuration files and installation instructions](./install.md) +- [Instructions for version updates](./update-instructions.md) +- [FAQ](./documentation/FAQ.md) + + +[sensitive]: https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html#toc4 \ No newline at end of file 
diff --git a/reference-artifacts/organizations-setup/setup-prerequisites.yaml b/reference-artifacts/organizations-setup/setup-prerequisites.yaml index c3c31ca..7681923 100644 --- a/reference-artifacts/organizations-setup/setup-prerequisites.yaml +++ b/reference-artifacts/organizations-setup/setup-prerequisites.yaml @@ -47,7 +47,7 @@ Resources: Properties: AccountName: Audit Email: !Ref SecurityAccountEmail - ParentIds: + ParentIds: - !Ref SecurityOU RoleName: OrganizationAccountAccessRole @@ -57,7 +57,7 @@ Resources: Properties: AccountName: LogArchive Email: !Ref LogArchiveAccountEmail - ParentIds: + ParentIds: - !Ref SecurityOU RoleName: OrganizationAccountAccessRole @@ -67,7 +67,7 @@ Resources: # Properties: # AccountName: LandingZoneDeployment # Email: !Ref LandingZoneDeploymentAccountEmail - # ParentIds: + # ParentIds: # - !Ref LandingZoneDeploymentOU # RoleName: OrganizationAccountAccessRole @@ -75,10 +75,10 @@ Outputs: OrgId: Description: Organisation ID Value: !Ref AWSOrganization - Export: + Export: Name: OrgId OrgRootId: Description: Organisation ID Value: !GetAtt AWSOrganization.RootId - Export: + Export: Name: OrgRootId \ No newline at end of file diff --git a/source/alb-forwarder/alb-ip-monitor.ts b/source/alb-forwarder/alb-ip-monitor.ts new file mode 100644 index 0000000..d87b6f7 --- /dev/null +++ b/source/alb-forwarder/alb-ip-monitor.ts 
@@ -0,0 +1,211 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import * as dns from 'dns'; + +import { DynamoDBDocument, PutCommandInput, ScanCommandInput } from '@aws-sdk/lib-dynamodb'; +import { DynamoDB } from '@aws-sdk/client-dynamodb'; + +import { + DeregisterTargetsCommandInput, + DeregisterTargetsCommandOutput, + ElasticLoadBalancingV2, + RegisterTargetsCommandInput, + RegisterTargetsCommandOutput, +} from '@aws-sdk/client-elastic-load-balancing-v2'; + + +const routeLookupTable = process.env['LOOKUP_TABLE'] ?? 
''; + +const docClient = DynamoDBDocument.from(new DynamoDB()); +const elbv2 = new ElasticLoadBalancingV2({ + logger: console, +}); + +export interface dnsForwardItem { + id: string; + ipAddList?: string[]; + ipRemoveList?: string[]; + dnsLookupIps?: string[]; + targetAlbDnsName: string; + targetGroupDestinationPort: number; + metadata: { + targetGroupArn: string; + targetGroupIpAddresses: string[]; + }; +} + +const scanTable = async (tableName: string): Promise => { + console.log(`Scanning route lookup table ${routeLookupTable}`); + const scanParams: ScanCommandInput = { + TableName: tableName, + }; + const scanResults: Record[] = []; + let results; + do { + results = await docClient.scan(scanParams); + results.Items?.forEach(item => scanResults.push(item)); + scanParams.ExclusiveStartKey = results.LastEvaluatedKey; + } while (typeof results.LastEvaluatedKey != 'undefined'); + + return scanResults as dnsForwardItem[]; +}; + +const registerTargets = async ( + targetGroupArn: string, + ips: string[], + port: number, +): Promise => { + const targets = ips.map(ip => { + return { + Id: ip, + Port: port, + AvailabilityZone: 'all', + }; + }); + + const registerTargetsParams: RegisterTargetsCommandInput = { + TargetGroupArn: targetGroupArn, + Targets: targets, + }; + + return elbv2.registerTargets(registerTargetsParams); +}; + +const deregisterTargets = async (targetGroupArn: string, ips: string[]): Promise => { + console.log(`Deregistering IP addresses ${JSON.stringify(ips)} from target group ${targetGroupArn}`); + const targets = ips.map(ip => { + return { + Id: ip, + }; + }); + + const deregisterTargetsParams: DeregisterTargetsCommandInput = { + TargetGroupArn: targetGroupArn, + Targets: targets, + }; + + return elbv2.deregisterTargets(deregisterTargetsParams); +}; + +const dnslookup = async (host: string): Promise => { + return new Promise((resolve, reject) => { + dns.lookup(host, { all: true, family: 4 }, (err, addresses) => { + if (err) { + reject(err); + } else { + 
resolve( + addresses + .map(item => { + return item.address; + }) + .sort(), + ); + } + }); + }); +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const removeItem = (arr: any[], item: any) => { + const index = arr.indexOf(item); + if (index > -1) { + arr.splice(index, 1); + } + return arr; +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const putRecord = async (record: any) => { + const putParams: PutCommandInput = { + TableName: routeLookupTable, + Item: record, + }; + return docClient.put(putParams); +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unused-vars +export const handler = async (_event: any, _context: any) => { + const targetGroupRecords = (await scanTable(routeLookupTable)) ?? []; + + for (const targetGroupRecord of targetGroupRecords) { + try { + // Get Hostname Lookup + targetGroupRecord.dnsLookupIps = []; + try { + targetGroupRecord.dnsLookupIps = await dnslookup(targetGroupRecord.targetAlbDnsName); + } catch (err) { + console.log(err); + } + // Get Ip Addresses to add to current IP List + targetGroupRecord.ipAddList = + targetGroupRecord.dnsLookupIps?.filter(ip => { + return !targetGroupRecord.metadata?.targetGroupIpAddresses?.includes(ip); + }) ?? []; + // Get Ip addresses to remove from current list + targetGroupRecord.ipRemoveList = + targetGroupRecord.metadata?.targetGroupIpAddresses?.filter(ip => { + return !targetGroupRecord.dnsLookupIps?.includes(ip); + }) ?? 
[]; + + if (targetGroupRecord.ipAddList?.length > 0) { + // Register new ips + console.log( + `Registering new ips ${JSON.stringify(targetGroupRecord.ipAddList)} to target ${ + targetGroupRecord.metadata.targetGroupArn + } with port ${targetGroupRecord.targetGroupDestinationPort}`, + ); + await registerTargets( + targetGroupRecord.metadata.targetGroupArn, + targetGroupRecord.ipAddList, + targetGroupRecord.targetGroupDestinationPort, + ); + // Add new ips to record + targetGroupRecord.metadata.targetGroupIpAddresses.push(...targetGroupRecord.ipAddList); + } else { + console.log('No new Ip addresses to register'); + } + if (targetGroupRecord.ipRemoveList?.length > 0) { + // Deregister old ips + console.log( + `Deregistering old ip addresses ${JSON.stringify( + targetGroupRecord.ipRemoveList, + )} from target group targetGroupRecord.metadata.targetGroupArn`, + ); + await deregisterTargets(targetGroupRecord.metadata.targetGroupArn, targetGroupRecord.ipRemoveList); + // Remove old ips from record + targetGroupRecord.ipRemoveList?.forEach(ip => { + console.log(targetGroupRecord.metadata.targetGroupIpAddresses, ip); + targetGroupRecord.metadata.targetGroupIpAddresses = removeItem( + targetGroupRecord.metadata.targetGroupIpAddresses, + ip, + ); + }); + } else { + console.log('No old ip addresses to deregister'); + } + + // Delete add, remove, and dnslookup list before writing to table + delete targetGroupRecord.ipAddList; + delete targetGroupRecord.ipRemoveList; + delete targetGroupRecord.dnsLookupIps; + console.log('Writing record to DDB table ', JSON.stringify(targetGroupRecord, null, 4)); + await putRecord(targetGroupRecord); + } catch (err) { + console.log('There was a problem updating the record ', JSON.stringify(targetGroupRecord, null, 4)); + + console.log(err); + } + } + return 'Done'; +}; diff --git a/source/alb-forwarder/alb-target-record-monitor.ts b/source/alb-forwarder/alb-target-record-monitor.ts new file mode 100644 index 0000000..0c19725 --- /dev/null 
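Review bot: A transient DNS failure deregisters every healthy target: when `dnslookup` throws, the inner catch only logs and leaves `dnsLookupIps` as `[]`, so `ipRemoveList` becomes the whole `targetGroupIpAddresses` list and the deregister branch empties the target group, taking the published application offline until a later run resolves the name again. The catch should skip the record rather than treat the failure as "no addresses" — `} catch (err) { console.log(err); continue; }` — or at minimum bail out when the lookup returns an empty list. The deregister log message on the new side also never interpolates the ARN; `)} from target group targetGroupRecord.metadata.targetGroupArn` should read `)} from target group ${targetGroupRecord.metadata.targetGroupArn}`. Since the post-deployment docs in this commit state that `targetAlbDnsName` must resolve into the supported IP address space, consider checking each resolved address against that space before `registerTargets` and logging a clear error for any that fall outside it, instead of relying on the API call failing.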
+++ b/source/alb-forwarder/alb-target-record-monitor.ts 
@@ -0,0 +1,396 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + + +import { DynamoDBDocument } from '@aws-sdk/lib-dynamodb'; +import { DynamoDB } from '@aws-sdk/client-dynamodb'; +import { unmarshall } from '@aws-sdk/util-dynamodb'; + +import { + CreateRuleCommandInput, + DescribeListenersCommandInput, + ElasticLoadBalancingV2, + ModifyRuleCommandInput, + ProtocolEnum, + TargetTypeEnum, +} from '@aws-sdk/client-elastic-load-balancing-v2'; + +import * as _ from 'lodash'; + +const elbv2 = new ElasticLoadBalancingV2(); +const docClient = DynamoDBDocument.from(new DynamoDB()); +const ddbTable = process.env['LOOKUP_TABLE'] || ''; + +const sleep = (ms: number) => { + return new Promise(resolve => { + setTimeout(resolve, ms); + }); +}; + +const createTargetGroup = async (name: string, port: number, vpcId: string, protocol: ProtocolEnum) => { + const targetGroupParams = { + Name: name, + Port: port, + Protocol: protocol, + VpcId: vpcId, + TargetType: TargetTypeEnum.IP, + }; + + return elbv2.createTargetGroup(targetGroupParams); +}; + +const enableTargetStickyness = async (targetGroupArn: string) => { + const targetGroupAttributesParams = { + Attributes: [{ Key: 'stickiness.enabled', Value: 'true' }], + TargetGroupArn: targetGroupArn, + }; + + return elbv2.modifyTargetGroupAttributes(targetGroupAttributesParams); +}; + +const isValidPriority = async (priority: number, listenerArn: string) => { + const ruleParams = { + ListenerArn: 
listenerArn, + }; + + const ruleList = await elbv2.describeRules(ruleParams); + const priorityExists = + ruleList.Rules?.filter(rule => { + return rule.Priority === priority.toString(); + }) || []; + return priorityExists.length === 0; +}; + +const listenerExists = async (listenerArn: string): Promise => { + try { + const listenerParams: DescribeListenersCommandInput = { + ListenerArns: [listenerArn], + }; + await elbv2.describeListeners(listenerParams); + return Promise.resolve(true); + } catch (err) { + console.log(err); + return Promise.resolve(false); + } +}; + +const createListenerRule = async ( + listenerArn: string, + paths: string[], + hosts: string[], + targetGroupArn: string, + priority: number, +) => { + console.log('trying to create listener rule'); + console.log(hosts, paths, listenerArn, targetGroupArn, priority); + const ruleParams: CreateRuleCommandInput = { + Actions: [ + { + TargetGroupArn: targetGroupArn, + Type: 'forward', + }, + ], + ListenerArn: listenerArn, + Priority: priority, + Conditions: [], + }; + + if (paths?.length > 0) { + const pathConfig = { + Field: 'path-pattern', + Values: paths, + }; + ruleParams.Conditions?.push(pathConfig); + } + + if (hosts?.length > 0) { + const hostConfig = { + Field: 'host-header', + Values: hosts, + }; + ruleParams.Conditions?.push(hostConfig); + } + + return elbv2.createRule(ruleParams); +}; + +const updateListenerRule = async (ruleArn: string, paths: string[], hosts: string[], targetGroupArn: string) => { + const ruleParams: ModifyRuleCommandInput = { + Actions: [ + { + TargetGroupArn: targetGroupArn, + Type: 'forward', + }, + ], + RuleArn: ruleArn, + Conditions: [], + }; + + if (paths?.length > 0) { + const pathConfig = { + Field: 'path-pattern', + Values: paths, + }; + ruleParams?.Conditions?.push(pathConfig); + } + + if (hosts?.length > 0) { + const hostConfig = { + Field: 'host-header', + Values: hosts, + }; + ruleParams?.Conditions?.push(hostConfig); + } + + return elbv2.modifyRule(ruleParams); 
+}; + +const deleteListenerRule = async (ruleArn: string) => { + const ruleParams = { + RuleArn: ruleArn, + }; + + return elbv2.deleteRule(ruleParams); +}; + +const deleteTargetGroup = async (targetGroupArn: string) => { + const targetGroupParams = { + TargetGroupArn: targetGroupArn, + }; + + return elbv2.deleteTargetGroup(targetGroupParams); +}; + +const updateRulePriority = async (ruleArn: string, priority: number) => { + const rulePriorityParams = { + RulePriorities: [ + { + Priority: priority, + RuleArn: ruleArn, + }, + ], + }; + return elbv2.setRulePriorities(rulePriorityParams); +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const putRecord = async (table: string, record: any) => { + const putParams = { + TableName: table, + Item: record, + }; + return docClient.put(putParams); +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const targetGroupChange = (oldRecord: any, newRecord: any) => { + const oldTargetGroupAttributes = { + vpcId: oldRecord.vpcId, + destinationPort: oldRecord.targetGroupDestinationPort, + protocol: oldRecord.targetGroupProtocol, + }; + + const newTargetGroupAttributes = { + vpcId: newRecord.vpcId, + destinationPort: newRecord.targetGroupDestinationPort, + protocol: newRecord.targetGroupProtocol, + }; + return !_.isEqual(oldTargetGroupAttributes, newTargetGroupAttributes); +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const listenerRulesChange = (oldRecord: any, newRecord: any) => { + const oldListenerRules = { + sourceListenerArn: oldRecord.rule.sourceListenerArn, + priority: oldRecord.rule.condition.priority, + paths: oldRecord.rule.condition.paths?.sort(), + hosts: oldRecord.rule.condition.hosts?.sort(), + }; + + const newListenerRules = { + sourceListenerArn: newRecord.rule.sourceListenerArn, + priority: newRecord.rule.condition.priority, + paths: newRecord.rule.condition.paths?.sort(), + hosts: newRecord.rule.condition.hosts?.sort(), + }; + + return 
!_.isEqual(oldListenerRules, newListenerRules); +}; +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const priorityChange = (oldRecord: any, newRecord: any) => { + const oldPriority = oldRecord.rule.condition.priority; + const newPriority = newRecord.rule.condition.priority; + + return !(oldPriority === newPriority); +}; +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const createRecordHandler = async (record: any) => { + console.log('Record creation detected.'); + try { + if (!(await listenerExists(record.rule.sourceListenerArn))) { + throw new Error(`The ALB Listener ARN: ${record.rule.sourceListenerArn} does not exist. Exiting`); + } + + console.log('Checking if priority is valid'); + if (!(await isValidPriority(record.rule.condition.priority, record.rule.sourceListenerArn))) { + throw new Error( + `The priority ${record.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${ + record.rule.sourceListenerArn + }. Priorities must not match. Exiting`, + ); + } + const targetGroup = await createTargetGroup( + record.id, + record.targetGroupDestinationPort, + record.vpcId, + record.targetGroupProtocol, + ); + + const targetGroupArn = targetGroup?.TargetGroups?.[0].TargetGroupArn ?? ''; + + await enableTargetStickyness(targetGroupArn); + + const rule = await createListenerRule( + record.rule.sourceListenerArn, + record.rule.condition.paths, + record.rule.condition.hosts, + targetGroupArn, + record.rule.condition.priority, + ); + const ruleArn = rule?.Rules?.[0].RuleArn ?? ''; + if (!targetGroupArn || !ruleArn) { + throw new Error( + `There was an error getting the target group arn or listener rule arn. 
\nTarget Group Arn: ${targetGroupArn}\nRule Arn: ${ruleArn}`, + ); + } + record.metadata = { + targetGroupArn, + ruleArn, + targetGroupIpAddresses: [], + }; + await putRecord(ddbTable, record); + console.log('Added metadata to table'); + return record; + } catch (err) { + console.log('There was a problem creating resources for the following record', JSON.stringify(record, null, 4)); + throw err; + } +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const deleteRecordHandler = async (record: any) => { + try { + console.log(`Deleting listener rule and target group for ${record.id}`); + + await deleteListenerRule(record.metadata.ruleArn); + console.log('Deleted listener rule.'); + } catch (err) { + console.log(err); + console.log('Could not delete listener rule for record. Continuing...', JSON.stringify(record, null, 4)); + } + try { + await deleteTargetGroup(record.metadata.targetGroupArn); + console.log('Deleted target group'); + return; + } catch (err) { + console.log('Could not delete target group for record', JSON.stringify(record, null, 4)); + console.log(err); + } +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const updateRecordHandler = async (newRecord: any, oldRecord: any) => { + try { + console.log(`The record with id ${newRecord.id} was updated. Performing comparison.`); + if (!(await listenerExists(newRecord.rule.sourceListenerArn))) { + throw new Error(`The ALB Listener ARN: ${newRecord.rule.sourceListenerArn} does not exist. Exiting`); + } + + const newRecordClone = _.cloneDeep(newRecord); + const oldRecordClone = _.cloneDeep(oldRecord); + delete newRecordClone.metadata; + delete oldRecordClone.metadata; + + if (_.isEqual(newRecordClone, oldRecordClone)) { + console.log(`Update Record handler found no changes made for record with Id ${newRecord.id}`); + return; + } + + if (!oldRecord.metadata) { + console.log('No previous metadata detected for record. 
Creating metadata based off of new entry'); + await createRecordHandler(newRecord); + return; + } + + if (listenerRulesChange(oldRecord, newRecord)) { + console.log(`Detected a listener rule change. Modifying rule ${newRecord.metadata.ruleArn}`); + await updateListenerRule( + newRecord.metadata.ruleArn, + newRecord.rule.condition.paths, + newRecord.rule.condition.hosts, + newRecord.metadata.targetGroupArn, + ); + } + if (priorityChange(oldRecord, newRecord)) { + if (!(await isValidPriority(newRecord.rule.condition.priority, newRecord.rule.sourceListenerArn))) { + throw new Error( + `The priority ${newRecord.rule.condition.priority.toString()} matches an existing rule priority on the listener arn ${ + newRecord.rule.sourceListenerArn + }. Priorities must not match.`, + ); + } + await updateRulePriority(newRecord.metadata.ruleArn, newRecord.rule.condition.priority); + } + if (targetGroupChange(oldRecord, newRecord)) { + console.log( + `Detected a target group change. deleting target group ${newRecord.metadata.targetGroupArn} and creating a new target group`, + ); + await deleteRecordHandler(newRecord); + await sleep(10000); + await createRecordHandler(newRecord); + } + } catch (err) { + console.log('There was a problem updating a target group or listener rule for the records:'); + console.log('Old Record: ', JSON.stringify(oldRecord, null, 4)); + console.log('New Record: ', JSON.stringify(newRecord, null, 4)); + throw err; + } +}; + +// eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unused-vars +export const handler = async (event: any, _context: any) => { + console.log(JSON.stringify(event, null, 2)); + // eslint-disable-next-line @typescript-eslint/no-explicit-any + const records = event.Records.map((record: any) => { + if (record.dynamodb.OldImage) { + record.dynamodb.OldImage = unmarshall(record.dynamodb.OldImage); + } + if (record.dynamodb.NewImage) { + record.dynamodb.NewImage = unmarshall(record.dynamodb.NewImage); + } + 
return record; + }); + + for (const record of records) { + if (record.eventName === 'INSERT') { + await createRecordHandler(record.dynamodb.NewImage); + } + if (record.eventName === 'MODIFY') { + await updateRecordHandler(record.dynamodb.NewImage, record.dynamodb.OldImage); + } + + if (record.eventName === 'REMOVE') { + await deleteRecordHandler(record.dynamodb.OldImage); + } + } +}; diff --git a/source/alb-forwarder/index.ts b/source/alb-forwarder/index.ts new file mode 100644 index 0000000..da8eb92 --- /dev/null +++ b/source/alb-forwarder/index.ts @@ -0,0 +1,15 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +export { handler as albIpMonitor } from './alb-ip-monitor'; +export { handler as albTargetRecordMonitor } from './alb-target-record-monitor'; diff --git a/source/custom-config-rules/attach-ec2-instance-profile/index.js b/source/custom-config-rules/attach-ec2-instance-profile/index.js index 1955774..2075d4b 100644 --- a/source/custom-config-rules/attach-ec2-instance-profile/index.js +++ b/source/custom-config-rules/attach-ec2-instance-profile/index.js @@ -1,7 +1,5 @@ -const AWS = require('aws-sdk'); -AWS.config.logger = console; - -const config = new AWS.ConfigService(); +const { ConfigServiceClient, PutEvaluationsCommand } = require("@aws-sdk/client-config-service"); +const client = new ConfigServiceClient(); const APPLICABLE_RESOURCES = ['AWS::EC2::Instance']; 
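Review bot: `createRecordHandler` leaks resources on partial failure: once `createTargetGroup` has succeeded, a throw from `enableTargetStickyness`, `createListenerRule` or `putRecord` leaves the target group (and, if the rule was already created, the listener rule) orphaned with no `metadata` written, so a later `REMOVE` event cannot clean it up and a retried `INSERT` would presumably fail in `isValidPriority` because the rule already occupies the priority. The steps after `createTargetGroup` should be wrapped in their own try/catch that deletes whatever was created before rethrowing, as sketched below. Separately, `record.id` is passed straight through as the target group `Name`, which ELBv2 restricts to at most 32 alphanumeric/hyphen characters, while the post-deployment docs in this commit describe `id` as "any unique text"; either validate the name here with an explicit error or tighten the documentation. The `.sort()` calls in `listenerRulesChange` also sort the records' `paths`/`hosts` arrays in place; `[...arr].sort()` avoids mutating the input.
```typescript
  const targetGroupArn = targetGroup?.TargetGroups?.[0].TargetGroupArn ?? '';
  let ruleArn = '';
  try {
    await enableTargetStickyness(targetGroupArn);
    // … unchanged: createListenerRule call …
    ruleArn = rule?.Rules?.[0].RuleArn ?? '';
    // … unchanged: empty-ARN check, record.metadata assignment, putRecord …
  } catch (err) {
    // Roll back partially created resources so a retried INSERT starts clean
    if (ruleArn) {
      await deleteListenerRule(ruleArn).catch(e => console.log(e));
    }
    if (targetGroupArn) {
      await deleteTargetGroup(targetGroupArn).catch(e => console.log(e));
    }
    throw err;
  }
```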
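Review bot: The SDK v3 migration drops `AWS.config.logger = console` without a replacement, so the Config service calls that were previously logged to the function's CloudWatch log group now leave no trace there; pass the logger to the client instead, `const client = new ConfigServiceClient({ logger: console });`. The same applies to the first hunk of `source/custom-config-rules/ec2-instance-profile-permissions/index.js` in this commit. The new `source/alb-forwarder/alb-ip-monitor.ts` already constructs its ELBv2 client with `logger: console`, so this would also keep the Lambdas consistent with each other.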
@@ -23,18 +21,20 @@ exports.handler = async function(event, context) { console.debug(`Evaluation`); console.debug(JSON.stringify(evaluation, null, 2)); - await config.putEvaluations({ + const payload = { ResultToken: event.resultToken, Evaluations: [ { ComplianceResourceId: configurationItem.resourceId, ComplianceResourceType: configurationItem.resourceType, ComplianceType: evaluation.complianceType, - OrderingTimestamp: configurationItem.configurationItemCaptureTime, + OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime), Annotation: evaluation.annotation, }, ], - }).promise(); + }; + const putEvaluationsCommand = new PutEvaluationsCommand(payload); + await client.send(putEvaluationsCommand); }; async function evaluateCompliance(props) { diff --git a/source/custom-config-rules/ec2-instance-profile-permissions/index.js b/source/custom-config-rules/ec2-instance-profile-permissions/index.js index fd88ba2..a143e89 100644 --- a/source/custom-config-rules/ec2-instance-profile-permissions/index.js +++ b/source/custom-config-rules/ec2-instance-profile-permissions/index.js @@ -1,12 +1,10 @@ -const AWS = require('aws-sdk'); -AWS.config.logger = console; - -const config = new AWS.ConfigService(); +const { ConfigServiceClient, PutEvaluationsCommand } = require("@aws-sdk/client-config-service"); +const client = new ConfigServiceClient(); const APPLICABLE_RESOURCES = ['AWS::IAM::Role']; exports.handler = async function (event, context) { - console.log(`Custom Rule for checking policies attached to IAM role used under Instance Profile...`); + console.log(`Custom Rule for checking Policies attached to IAM role used under Instance Profile...`); console.log(JSON.stringify(event, null, 2)); const invokingEvent = JSON.parse(event.invokingEvent); 
@@ -28,25 +26,24 @@ exports.handler = async function (event, context) { console.debug(`Evaluation`); console.debug(JSON.stringify(evaluation, null, 2)); - await config - .putEvaluations({ - ResultToken: event.resultToken, - Evaluations: [ - { - ComplianceResourceId: configurationItem.resourceId, - ComplianceResourceType: configurationItem.resourceType, - ComplianceType: evaluation.complianceType, - OrderingTimestamp: configurationItem.configurationItemCaptureTime, - Annotation: evaluation.annotation, - }, - ], - }) - .promise(); + const payload = { + ResultToken: event.resultToken, + Evaluations: [ + { + ComplianceResourceId: configurationItem.resourceId, + ComplianceResourceType: configurationItem.resourceType, + ComplianceType: evaluation.complianceType, + OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime), + Annotation: evaluation.annotation, + }, + ], + }; + const putEvaluationsCommand = new PutEvaluationsCommand(payload); + await client.send(putEvaluationsCommand); }; async function evaluateCompliance(props) { const { configurationItem, ruleParams } = props; - if (!APPLICABLE_RESOURCES.includes(configurationItem.resourceType)) { return { complianceType: 'NOT_APPLICABLE', @@ -57,6 +54,11 @@ async function evaluateCompliance(props) { complianceType: 'NOT_APPLICABLE', annotation: 'The configuration item was deleted and could not be validated', }; + } else if (configurationItem.configurationItemStatus === 'ResourceNotRecorded' || configurationItem.configurationItemStatus === 'ResourceDeletedNotRecorded') { + return { + complianceType: 'NOT_APPLICABLE', + annotation: 'The configuration item is not recorded in this region and need not be validated', + }; } if (configurationItem.configuration && !configurationItem.configuration.instanceProfileList) { @@ -112,4 +114,4 @@ async function evaluateCompliance(props) { complianceType: 'NON_COMPLIANT', annotation: 'The resource logging destination is incorrect', }; -} +} \ No newline at end of file 
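Review bot: The added `else if` in the `@@ -57,6 +54,11 @@` hunk packs both status strings into one long condition; lifting them next to `APPLICABLE_RESOURCES` as `const NOT_RECORDED_STATUSES = ['ResourceNotRecorded', 'ResourceDeletedNotRecorded'];` and testing `NOT_RECORDED_STATUSES.includes(configurationItem.configurationItemStatus)` matches the style the file already uses for resource types. This diff shows no matching change in attach-ec2-instance-profile's `evaluateCompliance`; if that rule still lacks the not-recorded branch it presumably needs the same one so both rules classify unrecorded items as NOT_APPLICABLE consistently. The `@@ -112,4 +114,4 @@` hunk also removes the file's trailing newline (`\ No newline at end of file`), which looks accidental and is worth restoring. `evaluateCompliance` continues outside the hunk.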
diff --git a/update-instructions.md b/update-instructions.md
index 51db77f..d12d517 100644
--- a/update-instructions.md
+++ b/update-instructions.md
@@ -2,23 +2,30 @@ To upgrade your LZA to the latest version you should follow the [update instructions from the LZA implementation guide](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/update-the-solution.html). The current page contains additional instructions specific to this reference configuration. +Landing Zone Accelerator and reference configurations have their own release cycle and versioning scheme. +- Versions of the configuration files (this repository) aligns with the Landing Zone Accelerator semantic version scheme +- An alphabetic suffix is added to the configuration version when more than one release aligns with the same LZA version (i.e. 1.6.1-a, 1.6.1-b) +- Git Tags are used to track the versions of the configuration files +- Only the main branch is maintained and customers should always install the latest version of LZA and configurations +- For example `1.6.0-a` is the first release of the configuration after the LZA v1.6.0 release. It has been tested with LZA v1.6.0 and must be applied on a LZA environment with v1.6.0 as a minimum + ### Update Preparation Before proceeding with the update you should carefully review the release notes for every version and identify any configuration changes that are mandatory or recommended. - Review the [LZA release notes](https://github.com/awslabs/landing-zone-accelerator-on-aws/releases) -- Review new configuration items from the LZA release notes, assess the new defaults and integrate them into your configuration - Review configuration changes to the [default configuration files](./config/) and determine which change you need to apply to your configuration - Review this configuration [CHANGELOG](CHANGELOG.md) +**Tip** To facilitate the identification of configuration changes between two releases of the configuration files, you can use the built-in comparison of GitHub. e.g. 
This link will show differences between the `v1.6.0-a` and `v1.6.1-a` tags: https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/compare/release/v1.6.0-a...release/v1.6.1-a + ### General update steps 1. Login to your Organization Management (root) AWS account with administrative privileges 2. Either: a) Ensure a valid Github token is stored in secrets manager ([per the installation guide](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#create-a-github-personal-access-token-and-store-in-secrets-manager)), or b) Ensure the latest release is in a valid branch of CodeCommit in the Organization Management account -3. Before updating: Run the pipeline with the current version and confirm a sucessful execution +3. Before updating: Run the pipeline with the current version and confirm a successful execution 4. Review and implement any relevant tasks noted in the **Update Preparation** section above 5. Update the configuration files in the `aws-accelerator-config` **CodeCommit** repository as outlined in the **Update Preparation** section above 6. Sign in to the AWS CloudFormation console, select your existing Landing Zone Accelerator on AWS CloudFormation stack and Update the stack with the latest template available from the release page. ([refer to the LZA implementation guide for detailed steps](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/update-the-solution.html)) 7. When reviewing the Stack Parameters, make sure to update the `RepositoryBranchName` value to point to the branch of the latest release (i.e. release/v.X.Y.Z) 8. Wait for successful execution of the Landing Zone Accelerator stack update and the `AWSAccelerator-Installer` and `AWSAccelerator-Pipeline` pipelines -