Merge pull request #90 from aws-samples/bugfix/graviton-region-support

Bugfix/graviton region support

Author: andywick-aws

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-04-04](#2022-04-04)
 - [2022-03-29](#2022-03-29)
 - [2022-03-16](#2022-03-16)
 - [2022-03-14](#2022-03-14)
@@ -23,6 +24,16 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-04-04
+
+### Changed<!-- omit in toc -->
+
+- Updated the [DOWNLOAD-AND-STAGE-SOLUTIONS.md](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md) document to change the order of the steps to have the authenticate step before deploying the staging S3 bucket.
+
+### Fixed<!-- omit in toc -->
+
+- Fixed all solution templates that deploy Lambda functions to include a condition that determines if the region supports Graviton (arm64) architecture.
+
 ## 2022-03-29
 
 ### Changed<!-- omit in toc -->

aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md

@@ -14,14 +14,14 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    cd $HOME/aws-sra-examples
    ```
 
-3. In the `management account (home region)`, launch an AWS CloudFormation **Stack** using the [sra-common-prerequisites-staging-s3-bucket.yaml](../solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml)
+3. [Authenticate to the AWS management account](#authenticate-to-the-aws-management-account).
+4. In the `management account (home region)`, launch an AWS CloudFormation **Stack** using the [sra-common-prerequisites-staging-s3-bucket.yaml](../solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml)
    template file as the source.
 
    ```bash
    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name sra-common-prerequisites-staging-s3-bucket --capabilities CAPABILITY_NAMED_IAM
    ```
 
-4. [Authenticate to the AWS management account](#authenticate-to-the-aws-management-account).
 5. Package and stage all the AWS SRA example solutions. For more information see [Staging script details](#staging-script-details).
    <!-- markdownlint-disable-next-line MD031 -->
 

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml

@@ -195,6 +195,17 @@ Conditions:
   cCreateCloudTrailLogGroup: !Equals [!Ref pCreateCloudTrailLogGroup, true]
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
   cLambdaCloudWatchLogsUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rCloudTrailCloudWatchLogGroupRole:
@@ -378,7 +389,10 @@ Resources:
             comment: Environment variables are not sensitive
     Properties:
       Description: Creates an Organization CloudTrail
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       FunctionName: !Ref pCloudTrailLambdaFunctionName
       Handler: app.lambda_handler
       Role: !GetAtt rCloudTrailLambdaRole.Arn

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml

@@ -112,6 +112,17 @@ Conditions:
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
   cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cUseSRAStagingS3BucketNameSSMParameter: !Equals [!Ref pSRAStagingS3BucketName, '']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rManagementAccountParametersLambdaCustomResource:
@@ -142,7 +153,10 @@ Resources:
     Properties:
       FunctionName: !Ref pManagementAccountParametersLambdaFunctionName
       Description: Creates Control Tower account SSM Parameters in the Management Account
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Role: !GetAtt rManagementAccountParametersLambdaRole.Arn
       Runtime: python3.9

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml

@@ -128,6 +128,17 @@ Conditions:
     - !Condition cCreateCustomResource
     - !Condition cCreateLambdaLogGroup
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rOrgIdLambdaCustomResource:
@@ -158,7 +169,10 @@ Resources:
     Properties:
       FunctionName: !Ref pOrgIdLambdaFunctionName
       Description: Get AWS Organization ID
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: index.lambda_handler
       Role: !GetAtt rOrgIdLambdaRole.Arn
       Runtime: python3.9

aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml

@@ -131,6 +131,17 @@ Parameters:
 Conditions:
   cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rRegisterDelegatedAdminLambdaLogGroup:
@@ -223,7 +234,10 @@ Resources:
       FunctionName: !Ref pRegisterDelegatedAdminLambdaFunctionName
       Description: Enable service access and register delegated admin account
       Role: !GetAtt rRegisterDelegatedAdminLambdaRole.Arn
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Runtime: python3.9
       Timeout: 300

aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml

@@ -128,6 +128,17 @@ Parameters:
 Conditions:
   cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rRegisterDelegatedAdminLambdaLogGroup:
@@ -220,7 +231,10 @@ Resources:
       FunctionName: !Ref pRegisterDelegatedAdminLambdaFunctionName
       Description: Enable service access and register delegated admin account
       Role: !GetAtt rRegisterDelegatedAdminLambdaRole.Arn
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Runtime: python3.9
       Timeout: 300

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml

@@ -144,6 +144,17 @@ Parameters:
 Conditions:
   cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rConfigUpdateAggregatorLambdaCustomResource:
@@ -176,7 +187,10 @@ Resources:
     Properties:
       FunctionName: !Ref pConfigUpdateAggregatorLambdaFunctionName
       Description: Update Config Aggregator Accounts in the Control Tower audit account.
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Role: !GetAtt rConfigUpdateAggregatorLambdaRole.Arn
       Runtime: python3.9

aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml

@@ -169,6 +169,17 @@ Parameters:
 Conditions:
   cIsUsingKmsKey: !Not [!Equals [!Ref pEC2DefaultEBSEncryptionLambdaLogGroupKmsKey, '']]
   cIsCreateEC2DefaultEBSEncryptionLambdaLogGroup: !Equals [!Ref pCreateEC2DefaultEBSEncryptionLambdaLogGroup, 'true']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   # Trigger Lambda after account is vended by AWS Control Tower
@@ -296,7 +307,10 @@ Resources:
     Properties:
       FunctionName: !Ref pEC2DefaultEBSEncryptionLambdaFunctionName
       Description: SRA Set the EC2 Default EBS encryption account setting
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Role: !GetAtt rEC2DefaultEBSEncryptionLambdaRole.Arn
       MemorySize: 2048

aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml

@@ -124,6 +124,17 @@ Parameters:
 Conditions:
   cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
+  cUseGraviton: !Or
+    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-south-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
+    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
+    - !Equals [!Ref 'AWS::Region', eu-central-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-1]
+    - !Equals [!Ref 'AWS::Region', eu-west-2]
+    - !Equals [!Ref 'AWS::Region', us-east-1]
+    - !Equals [!Ref 'AWS::Region', us-east-2]
+    - !Equals [!Ref 'AWS::Region', us-west-2]
 
 Resources:
   rFirewallManagerDelegateAdminLambdaLogGroup:
@@ -148,6 +159,12 @@ Resources:
             reason: Actions require wildcard in resource
           - id: W28
             reason: The role name is defined
+      checkov:
+        skip:
+          - id: CKV_AWS_109
+            comment: Actions require wildcard in resource or condition provides constraints.
+          - id: CKV_AWS_111
+            comment: Actions require wildcard in resource or condition provides constraints.
     Properties:
       RoleName: !Ref pFirewallManagerDelegateAdminLambdaRoleName
       AssumeRolePolicyDocument:
@@ -258,7 +275,10 @@ Resources:
     Properties:
       FunctionName: !Ref pFirewallManagerDelegateAdminLambdaFunctionName
       Description: Delegates an administrator account for Firewall Manager
-      Architectures: [arm64]
+      Architectures: !If
+        - cUseGraviton
+        - [arm64]
+        - !Ref AWS::NoValue
       Handler: app.lambda_handler
       Role: !GetAtt rFirewallManagerDelegateAdminLambdaRole.Arn
       Runtime: python3.9