Release 3.3.16 (#151)

Author: gsingh04

CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.16] - 2025-05-30
+
+### Security
+
+- Bump http-proxy-middleware to `2.0.9` to mitigate [CVE-2025-32997](https://github.com/advisories/GHSA-9gqv-wp59-fq42)
+
+### Fixed
+
+- Remove setuptools and pkg_resources from lambda packaging
+- Remove event verbose log at `INFO` level
+- Respect tag case when copying vpc tags on TGW attachments
+- Add dependency for CSP resource on `DeployWebUiCondition`
+
 ## [3.3.15] - 2025-04-05
 
 ### Security
@@ -66,7 +79,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
-- Bumped micromatch to `4.0.8` to mitigate [CVE-2024-4067](https://github.com/advisories/GHSA-952p-6rrq-rcjv) 
+- Bumped micromatch to `4.0.8` to mitigate [CVE-2024-4067](https://github.com/advisories/GHSA-952p-6rrq-rcjv)
 - Bumped webpack to `5.94.0` to mitigate [CVE-2024-43788](https://github.com/advisories/GHSA-4vvj-4cpr-p986)
 - Bumped express to `4.21.0` to mitigate CVEs in sub-dependencies
 - Bump path-to-regexp to `6.3.0` to address [CVE-2024-45296](https://github.com/advisories/GHSA-9wv6-86v2-598j)
@@ -81,8 +94,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- `resource_exception_handler` decorator does not catch `IncorrectState` 
-  exception, allowing the exception to be raised as `ResourceBusyException ` 
+- `resource_exception_handler` decorator does not catch `IncorrectState`
+  exception, allowing the exception to be raised as `ResourceBusyException `
   by `service_exception_handler` decorator
 
 ### Security
@@ -107,9 +120,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
 
 - Bumped ejs to `3.1.10` to mitigate [CVE-2024-33883](https://avd.aquasec.com/nvd/cve-2024-33883)
-- Bumped `ws` to resolve [CVE-2024-37890] 
+- Bumped `ws` to resolve [CVE-2024-37890]
 
-## [3.3.5] - 2024-04
+## [3.3.5] - 2024-04-24
 
 ### Added
 
@@ -119,39 +132,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Removed dependency on 'requests' library to mitigate CVE-2024-3651
 
-## [3.3.4] - 2024-04
+## [3.3.4] - 2024-04-03
 
 ### Fixed
+
 - Upgrade webpack-dev-middleware to mitigate CVE-2024-29180
 
-## [3.3.3] - 2023-10
+## [3.3.3] - 2023-10-25
 
 ### Changed
+
 - Updated Lambda Function runtime to Python 3.11 and Node.js 18
 - Tags for Application in AppRegistry
 
 ### Fixed
+
 - Upgrade @babel/traverse to mitigate CVE-2023-45133
 - Upgrade urllib3 to mitigate CVE-2023-45803
 
-## [3.3.2] - 2023-10
+## [3.3.2] - 2023-10-03
 
 ### Added
-New CloudFormation parameter to allow users to skip transit gateway registration with the global network. 
+
+- New CloudFormation parameter to allow users to skip transit gateway
+  registration with the global network.
 
 ### Fixed
-Updated package versions to resolve security vulnerabilities. 
+
+- Updated package versions to resolve security vulnerabilities.
 
 ## [3.3.1] - 2023-07-21
 
 ### Changed
-- Move the service linked roles from hub and spoke stacks to separate stacks to allow 
-  multi-region deployments and avoid 'AlreadyExists' error. 
 
-## [3.3] - 2023-06-28
+- Move the service linked roles from hub and spoke stacks to separate stacks to allow
+  multi-region deployments and avoid 'AlreadyExists' error.
+
+## [3.3.0] - 2023-06-28
 
 ### Added
-- Support for new routing tag (route-to-tgw) that allows users to update route table for secondary subnets in the 
+
+- Support for new routing tag (route-to-tgw) that allows users to update route table for secondary subnets in the
   same availability zone.
 - Support to update main route table associated with the subnets in the VPC.
 - Support for new regions - Beijing, Ningxia and Stockholm.
@@ -161,6 +182,7 @@ Updated package versions to resolve security vulnerabilities.
 - Ability to enable MFA for Cognito User Pool
 
 ### Changed
+
 - Updated Web UI console using CloudScape design system.
 - Step Function execution name to reflect create or delete tagging action.
 - Enabled X-Ray for Step Functions and AppSync GraphQL API
@@ -170,6 +192,7 @@ Updated package versions to resolve security vulnerabilities.
 - AppRegistry Attribute Group name with a unique string.
 
 ### Fixed
+
 - Allow spaces in CloudFormation parameters - CIDR blocks and Prefix Lists.
 - Ability to register new and existing transit gateways with existing global network.
 - GitHub Issues: #38, #39, #49, #50, #56, #60, #73, #77, #78, #81
@@ -184,7 +207,10 @@ Updated package versions to resolve security vulnerabilities.
 
 ### Changed
 
-- Updated python requests to 2.28.1 due to security patch required for certifi module which is a dependency. Using the latest requests version 2.28.1 installs the latest patched version of certifi v2022.12.07. For details please refer to https://nvd.nist.gov/vuln/detail/cve-2022-23491.
+- Updated python requests to 2.28.1 due to security patch required for
+  certifi module which is a dependency. Using the latest requests version 2.
+  28.1 installs the latest patched version of certifi v2022.12.07. For
+  details please refer to [CVE-2022-23491](https://nvd.nist.gov/vuln/detail/cve-2022-23491).
 - package-lock.json to address dependabot identified vulnerabilities
 
 ## [3.2.0] - 2022-11-25
@@ -209,12 +235,14 @@ Updated package versions to resolve security vulnerabilities.
 ## [3.1.0] - 2022-06-17
 
 ### Added
+
 - CF template allows to connect external SAML identity provider to cognito user pool
 - If SAML IdP is used, cognito-trigger function will add any federated user to ReadOnlyUserGroup after first login
 - Added WAF protection to the CloudFront distribution
 - Added Security relevant http headers in CloudFront responses
 
 ### Changed
+
 - Creation of ServiceLinkedRole can be skipped if it exists in spoke account
 - Web UI will utilize Cognito Hosted UI instead of Amplify Authenticator component
 

CODE_OF_CONDUCT.md

@@ -1,4 +1,4 @@
-## Code of Conduct 
-This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
-For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
-opensource-codeofconduct@amazon.com with any additional questions or comments. 
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
+opensource-codeofconduct@amazon.com with any additional questions or comments.

CONTRIBUTING.md

@@ -10,33 +10,35 @@ information to effectively respond to your bug report or contribution.
 
 We welcome you to use the GitHub issue tracker to report bugs or suggest features.
 
-When filing an issue, please check [existing open](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues), or [recently closed](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues?q=is%3Aissue+is%3Aclosed), issues to make sure somebody else hasn't already
-reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
+When filing an issue, please check [existing open](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues), or [recently closed](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues?q=is%3Aissue%20state%3Aclosed), issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
 
 - A reproducible test case or series of steps
 - The version of our code being used
+- The region being used
 - Any modifications you've made relevant to the bug
 - Anything unusual about your environment or deployment
 
 ## Contributing via Pull Requests
 
 Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
 
-1. You are working against the latest source on the _master_ branch.
-2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
-3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
+1. You are working against the latest source on the _main_ branch.
+1. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
+1. You open an issue to discuss any significant work - we would hate for your time to be wasted.
 
 To send us a pull request, please:
 
 1. Fork the repository.
-2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
-3. Ensure local tests pass.
-4. Commit to your fork using clear commit messages.
-5. Send us a pull request, answering any default questions in the pull request interface.
-6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
+1. Modify the source; please focus on the specific change you are contributing.
+1. Add new unit tests for the new code.
+1. Run _npx npm run prettier-format_ in _source_ to ensure that code format standards are maintained.
+1. If your changes include new capabilities, include in the PR description text that can be folded into the solution documentation.
+1. Commit to your fork using clear commit messages.
+1. In your repository _Security_ section, ensure that security advisories are enabled and address any Dependabot issues that appear.
+1. Send us a pull request, answering any default questions in the pull request interface.
+1. If the changes are complex or may involve additional communication, we may create a feature branch specific to your PR and ask you to rebase using that branch.
 
-GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
-[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
+GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
 
 ## Finding contributions to work on
 
@@ -45,8 +47,7 @@ Looking at the existing issues is a great way to find something to contribute on
 ## Code of Conduct
 
 This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
-For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
-opensource-codeofconduct@amazon.com with any additional questions or comments.
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments.
 
 ## Security issue notifications
 

NOTICE.txt

@@ -1550,6 +1550,7 @@ decode-uri-component under the MIT license.
 ts-node under the MIT license.
 ts-jest under the MIT license.
 aws-sdk-client-mock under the MIT license.
+typing_extensions
 
 ********************
 OPEN SOURCE LICENSES

SECURITY.md

@@ -1,11 +1,5 @@
 # Reporting Security Issues
 
-We take all security reports seriously.
-When we receive such reports,
-we will investigate and subsequently address
-any potential vulnerabilities as quickly as possible.
-If you discover a potential security issue in this project,
-please notify AWS/Amazon Security via our
-[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/)
-or directly via email to [AWS Security](mailto:aws-security@amazon.com).
-Please do *not* create a public GitHub issue in this project.
+We take all security reports seriously. When we receive such reports, we will investigate and subsequently address any potential vulnerabilities as quickly as possible.
+If you discover a potential security issue in this project, please notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/)
+or directly via email to [AWS Security](mailto:aws-security@amazon.com). Please do *not* create a public GitHub issue in this project.

deployment/build-s3-dist.sh

@@ -72,7 +72,7 @@ for microservices in */ ; do
   microservice_name=$(basename $microservices)
   cd $lambda_dir/$microservice_name
   mkdir -p dist/$microservice_name
-  rsync -aq $lambda_dir/.venv/lib/python3.11/site-packages/ ./dist/
+  rsync -aq --exclude 'setuptools/' --exclude 'setuptools-*.dist-info/' --exclude 'pkg_resources/' $lambda_dir/.venv/lib/python3.11/site-packages/ ./dist/
   cp -R lib __init__.py main.py ./dist/$microservice_name/
   cd dist
   zip -rq "$microservice_name.zip" .

deployment/manifest-generator/package.json

@@ -13,4 +13,4 @@
     "dependencies": {
         "minimist": "*"
     }
-}
+}

deployment/network-orchestration-hub.template

@@ -3071,6 +3071,7 @@ Resources:
 
   CloudFrontResponseHeadersPolicy:
     Type: AWS::CloudFront::ResponseHeadersPolicy
+    Condition: DeployWebUiCondition
     Properties:
       ResponseHeadersPolicyConfig:
         Name: !Sub CSP-for-Network-Orchestrator-${AWS::Region}

source/cognito-trigger/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "cognito-trigger",
-  "version": "3.3.15",
+  "version": "3.3.16",
   "description": "Triggered when a new user is confirmed in the user pool to allow for custom actions to be taken",
   "author": {
     "name": "Amazon Web Services",