fix: Add Control Tower 4.0 compatibility (#344)

* Add Control Tower 4.0 compatibility fixes

* Update sra-easy-setup template

* Add CT 4.0 Landing Zone API fallback for account discovery

* Auto-discover Config delivery bucket name from CT StackSet

* Auto-discover Config delivery bucket from CT StackSet and pass via dynamic reference

* Remove dynamic SSM reference from Easy Setup - let nested stack resolve its own SSM parameters

* Handle missing Config Aggregator gracefully in CT 4.0 environments

* Gate config delivery bucket SSM parameter to CT-only environments

* Fix linter issues: extract CT 4.0 helper, fix mypy type annotation, remove analysis docs

* Fix remaining flake8 plugin errors: docstrings, string concat, raise chaining, else-after-return

---------

Co-authored-by: Pavan Kumar Vooturi <pvooturi@amazon.com>

Author: pavanvooturi31

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -2365,6 +2365,7 @@ Resources:
                   - ssm:GetParameters
                   - ssm:PutParameter
                   - ssm:AddTagsToResource
+                  - ssm:ListTagsForResource
                 Resource:
                   - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*"
 

aws_sra_examples/solutions/common/common_prerequisites/lambda/src/app.py

@@ -280,6 +280,12 @@ Resources:
                   - cloudformation:DescribeStackSet
                   - cloudformation:ListStackInstances
                 Resource: '*'
+              - Sid: ControlTowerRead
+                Effect: Allow
+                Action:
+                  - controltower:ListLandingZones
+                  - controltower:GetLandingZone
+                Resource: '*'
               - Sid: SSMParameterRead
                 Effect: Allow
                 Action: ssm:DescribeParameters

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml

@@ -68,20 +68,26 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
     )
 
 
-def get_existing_account_aggregation_sources(config_client: ConfigServiceClient, aggregator: str) -> List[AccountAggregationSourceTypeDef]:
+def get_existing_account_aggregation_sources(
+    config_client: ConfigServiceClient, aggregator: str
+) -> Optional[List[AccountAggregationSourceTypeDef]]:
     """Get existing list of source accounts/regions being aggregated.
 
     Args:
         config_client: Boto3 client config
         aggregator: Name of the configuration aggregator
 
     Returns:
-        Existing list of source accounts/regions being aggregated
+        Existing list of source accounts/regions being aggregated, or None if aggregator doesn't exist
     """
-    response: Any = config_client.describe_configuration_aggregators(ConfigurationAggregatorNames=[aggregator])
-    api_call_details = {"API_Call": "config:DescribeConfigurationAggregators", "API_Response": response}
-    LOGGER.info(api_call_details)
-    return response["ConfigurationAggregators"][0]["AccountAggregationSources"]
+    try:
+        response: Any = config_client.describe_configuration_aggregators(ConfigurationAggregatorNames=[aggregator])
+        api_call_details = {"API_Call": "config:DescribeConfigurationAggregators", "API_Response": response}
+        LOGGER.info(api_call_details)
+        return response["ConfigurationAggregators"][0]["AccountAggregationSources"]
+    except config_client.exceptions.NoSuchConfigurationAggregatorException:
+        LOGGER.info(f"Configuration aggregator '{aggregator}' does not exist.")
+        return None
 
 
 def get_updated_account_aggregation_sources(aggregation_sources: list, account: str, action: str) -> List[Any]:
@@ -150,7 +156,7 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
     actions = {"Create": "Add", "Update": "Add", "Delete": "Remove"}
     params["action"] = actions[event["RequestType"]]
 
-    parameter_pattern_validator("AGGREGATOR_NAME", params.get("AGGREGATOR_NAME"), pattern=r"^aws-controltower-GuardrailsComplianceAggregator$")
+    parameter_pattern_validator("AGGREGATOR_NAME", params.get("AGGREGATOR_NAME"), pattern=r"^[\w-]{1,256}$")
     parameter_pattern_validator("AUDIT_ACCOUNT_ID", params.get("AUDIT_ACCOUNT_ID"), pattern=r"^\d{12}$")
     parameter_pattern_validator("ROLE_SESSION_NAME", params.get("ROLE_SESSION_NAME"), pattern=r"^[\w=,@.-]+$")
     parameter_pattern_validator("ROLE_TO_ASSUME", params.get("ROLE_TO_ASSUME"), pattern=r"^[\w+=,.@-]{1,64}$")
@@ -178,6 +184,12 @@ def process_event(event: CloudFormationCustomResourceEvent, context: Context) ->
     config_client: ConfigServiceClient = audit_account_session.client("config", config=BOTO3_CONFIG)
 
     existing_aggregation_sources = get_existing_account_aggregation_sources(config_client, params["AGGREGATOR_NAME"])
+    if existing_aggregation_sources is None:
+        LOGGER.info(
+            f"Config Aggregator '{params['AGGREGATOR_NAME']}' does not exist in account {params['AUDIT_ACCOUNT_ID']}. "
+            + "Skipping aggregator update. This is expected for Control Tower 4.0+ environments."
+        )
+        return f"{params['AUDIT_ACCOUNT_ID']}-{params['AGGREGATOR_NAME']}-skipped"
     updated_aggregation_sources = get_updated_account_aggregation_sources(existing_aggregation_sources, management_account, params["action"])
     if existing_aggregation_sources == updated_aggregation_sources:
         LOGGER.info(f"{params['action']} {management_account} account in Aggregator was not necessary, as it was already in that state.")

aws_sra_examples/solutions/config/config_management_account/lambda/src/app.py

@@ -30,6 +30,7 @@ Metadata:
         Parameters:
           - pStackSetAdminRole
           - pStackExecutionRole
+          - pCreateConfigServiceLinkedRole
       - Label:
           default: Config Recorder Properties
         Parameters:
@@ -42,6 +43,12 @@ Metadata:
         Parameters:
           - pFrequency
           - pKmsKeyArn
+          - pConfigDeliveryS3BucketName
+      - Label:
+          default: Config Aggregator Properties
+        Parameters:
+          - pUpdateConfigAggregator
+          - pConfigAggregatorName
       - Label:
           default: General Lambda Function Properties
         Parameters:
@@ -54,6 +61,8 @@ Metadata:
         default: Stack Set Role
       pStackExecutionRole:
         default: Stack execution role
+      pCreateConfigServiceLinkedRole:
+        default: Create Config Service-Linked Role
       pAllSupported:
         default: All Supported
       pAuditAccountId:
@@ -88,6 +97,12 @@ Metadata:
         default: SRA Solution Version
       pSRAStagingS3BucketName:
         default: SRA Staging S3 Bucket Name
+      pConfigDeliveryS3BucketName:
+        default: (Optional) Config Delivery S3 Bucket Name
+      pUpdateConfigAggregator:
+        default: Update Config Aggregator
+      pConfigAggregatorName:
+        default: Config Aggregator Name
 
 Parameters:
   pStackSetAdminRole:
@@ -100,6 +115,11 @@ Parameters:
     Default: sra-execution
     Description: The execution role name that is used in the stack.
     Type: String
+  pCreateConfigServiceLinkedRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Set to false if the Config service-linked role already exists in the account.
+    Type: String
   pAllSupported:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -209,6 +229,28 @@ Parameters:
       SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket
       name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
     Type: AWS::SSM::Parameter::Value<String>
+  pConfigDeliveryS3BucketName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription:
+      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: /sra/control-tower/config-delivery-bucket-name
+    Description:
+      SSM Parameter for the Config delivery S3 bucket name (auto-populated by Common Prerequisites).
+      For standalone deployment without Common Prerequisites, create this SSM parameter first with the bucket name value.
+    Type: AWS::SSM::Parameter::Value<String>
+  pUpdateConfigAggregator:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Set to false to skip updating the Config Aggregator in the Audit account. Set to false if using Control Tower 4.0+
+      with an org-level aggregator that already aggregates from all accounts.
+    Type: String
+  pConfigAggregatorName:
+    AllowedPattern: '^[\w-]{1,256}$'
+    Default: aws-controltower-GuardrailsComplianceAggregator
+    Description:
+      Name of the Config Aggregator in the Audit account. For Control Tower 4.0+, use aws-controltower-ConfigAggregatorForOrganization.
+    Type: String
 
 Rules:
   ResourceTypesValidation:
@@ -217,6 +259,9 @@ Rules:
       - AssertDescription: "'Resource Types' parameter is required if the 'All Supported' parameter is set to 'true'."
         Assert: !Equals [!Ref pAllSupported, 'true']
 
+Conditions:
+  cUpdateConfigAggregator: !Equals [!Ref pUpdateConfigAggregator, 'true']
+
 Resources:
   rConfigRoleStack:
     Type: AWS::CloudFormation::Stack
@@ -227,6 +272,8 @@ Resources:
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
+      Parameters:
+        pCreateConfigServiceLinkedRole: !Ref pCreateConfigServiceLinkedRole
 
   rConfigStackSet:
     DependsOn: rConfigRoleStack
@@ -272,9 +319,12 @@ Resources:
           ParameterValue: !Ref pOrganizationId
         - ParameterKey: pResourceTypes
           ParameterValue: !Ref pResourceTypes
+        - ParameterKey: pConfigDeliveryS3BucketName
+          ParameterValue: !Ref pConfigDeliveryS3BucketName
 
   rConfigAggregatorStack:
     Type: AWS::CloudFormation::Stack
+    Condition: cUpdateConfigAggregator
     DeletionPolicy: Delete
     DependsOn: rConfigStackSet
     UpdateReplacePolicy: Delete
@@ -285,6 +335,7 @@ Resources:
           Value: !Ref pSRASolutionName
       Parameters:
         pAuditAccountId: !Ref pAuditAccountId
+        pConfigAggregatorName: !Ref pConfigAggregatorName
         pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
         pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
         pLambdaLogLevel: !Ref pLambdaLogLevel

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml

@@ -42,10 +42,19 @@ Parameters:
     Default: sra-solution
     Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
     Type: String
+  pCreateConfigServiceLinkedRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Set to false if the Config service-linked role already exists in the account.
+    Type: String
+
+Conditions:
+  cCreateConfigServiceLinkedRole: !Equals [!Ref pCreateConfigServiceLinkedRole, 'true']
 
 Resources:
   rConfigServiceLinkedRole:
     Type: AWS::IAM::ServiceLinkedRole
+    Condition: cCreateConfigServiceLinkedRole
     Properties:
       AWSServiceName: config.amazonaws.com
       Description: A service-linked role for the ConfigRecorder.

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml

@@ -72,9 +72,9 @@ Parameters:
     Description: AWS Account ID of the Control Tower Audit account.
     Type: String
   pConfigAggregatorName:
-    AllowedValues: [aws-controltower-GuardrailsComplianceAggregator]
+    AllowedPattern: '^[\w-]{1,256}$'
     Default: aws-controltower-GuardrailsComplianceAggregator
-    Description: AWS Config Aggregator Name in the Control Tower Audit Account
+    Description: AWS Config Aggregator Name in the Control Tower Audit Account. For CT 4.0+, use aws-controltower-ConfigAggregatorForOrganization.
     Type: String
   pConfigUpdateAggregatorLambdaFunctionName:
     AllowedPattern: '^[\w-]{1,64}$'

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml

@@ -55,12 +55,16 @@ Metadata:
         default: Organization ID
       pResourceTypes:
         default: (Optional) Resource Types
+      pConfigDeliveryS3BucketName:
+        default: (Optional) Config Delivery S3 Bucket Name
 
 Parameters:
   pAllConfigTopicName:
-    AllowedValues: [aws-controltower-AllConfigNotifications]
+    AllowedPattern: '^[a-zA-Z0-9_-]{1,256}$'
     Default: aws-controltower-AllConfigNotifications
-    Description: All Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
+    Description:
+      All Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
+      For Control Tower 4.0+, verify the topic name in your Audit account.
     Type: String
   pAllSupported:
     AllowedValues: ['true', 'false']
@@ -115,6 +119,10 @@ Parameters:
       (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is
       set to 'false', then this parameter becomes required.
     Type: String
+  pConfigDeliveryS3BucketName:
+    AllowedPattern: '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
+    Description: S3 bucket name for Config delivery.
+    Type: String
 
 Rules:
   ResourceTypesValidation:
@@ -153,7 +161,7 @@ Resources:
           - mSettings
           - FrequencyMap
           - !Ref pFrequency
-      S3BucketName: !Sub aws-controltower-logs-${pLogArchiveAccountId}-${pHomeRegion}
+      S3BucketName: !Ref pConfigDeliveryS3BucketName
       S3KeyPrefix: !Ref pOrganizationId
       S3KmsKeyArn: !If
         - cIsUsingKmsKey

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml

@@ -553,7 +553,7 @@ Resources:
         pRecorderName: !Ref pRecorderName
         pKMSKeyArnSecretName: !Ref pKMSKeyArnSecretName
         pDeliveryChannelName: !Ref pDeliveryChannelName
-        pPublishingDestinationBucketName: !Sub ${pConfigOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region}	
+        pPublishingDestinationBucketName: !Sub ${pConfigOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region}
         pKMSKeyArn: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/config_org_delivery_key_arn:SecretString:ConfigDeliveryKeyArn:AWSCURRENT}}'
       Tags:
         - Key: sra-solution