Commit
Add /adf params prefix and other SSM Parameter improvements (#695)
* Fix missing deployment_account_id and initial deployment global IAM bootstrap

**Why?**

Issues: #659 and #594.

When installing ADF the first time, the global IAM bootstrap stack that gets deployed is sourced from the `adf-bootstrap/global-iam.yml`. The reason for this behaviour is the absence of the `global-iam.yml` file in the deployment OU bootstrap folder (`adf-bootstrap/deployment/global-iam.yml`). It iterates to the parent directory until it finds a `global-iam.yml` to deploy. Hence, when the `adf-bootstrap/global-iam.yml` gets deployed in the deployment account, it was looking for the `deployment_account_id` SSM parameter. That did not get deployed in the deployment account.

**What?**

* Add the creation of the `deployment_account_id` in the deployment account, so if the global IAM bootstrap stack failed to deploy before, it will work in the next release. This would be the case if the previous deployment failed but the same `aws-deployment-framework-bootstrap` repository is used in the upgrade.
* When installing the first time, it creates the bootstrap repository. At the time of creation, it will copy the `adf-bootstrap/deployment/example-global-iam.yml` to `adf-bootstrap/deployment/global-iam.yml`. The same logic as how ADF creates the initial `adf-bootstrap/global-iam.yml`.
* Add tests to verify `deployment_account_id` gets created

---

* Ensure tox fails at first pytest failure

**Why?**

At the moment, pytest failures were ignored due to a change in the Makefile used to execute tests. The ADF CI GitHub Workflow would result in a success, even when a test case failed.

**What?**

Fixed by exiting on the first failure using Makefile foreach instead.

---

* Add /adf/ prefix to parameters managed by ADF

**Why?**

At the moment, some of the parameters ADF created would be placed in the root of the SSM Parameter Store.

**What?**

Add a `/adf/` prefix to parameter names to ease access management and make it easier to distinguish ADF parameters from other solutions.

To enable upgrades, the account handler function that performs the lookup or creation of the deployment account is updated to rely on the AWS Organizations API to check if there are any deployment accounts in the `/deployment` organization unit path. Upon an update, it will use the AWS account if only one is in that specific OU. If there are more, it will error and instruct the user to move unnecessary accounts out of the `/deployment` organization unit first and try again.

* Refactor master references to management or main
* Create missing parameters on update where needed
* Allow ADF param access and fix concurrency of EnableCrossAccountAccess

**Why?**

ADF parameters should be accessed in multiple regions. EnableCrossAccountAccess changes IAM policies. However, the way it is executed might have multiple invocations attempt to update the same IAM policy. This could lead to overwriting a concurrent update.

---

* Allow generate_params.py to look up parameters outside of /adf

**Why?**

Pipelines that need to read SSM parameters at different locations would not be able to read outside of the /adf parameter path.

---

* Fix default_scm_codecommit_account_id and put/delete parameter paths
* Store parameters with consistent paths
* Ensure setting /adf in the name of the param does not lead to double /adf/adf

**Why?**

If an end-user defines a parameter to `/adf/something`, it would render to `/adf/adf/something`. This should autofix itself.