fix(core): Peering connection role construct issue (#743)

* Fixing peerign connection role construct issue

- Creating only one role per account in default region with all targets in assume policy
- To make it work for existing installs didn't change name formation, it will still have source and target in role name but role belongs to a source with all targets defined in configuration.

* fixing staticRoutesOnly for vpnconnection

* Peering connection routes

* Fixing tgw and natgw routes for multiple routes defined in config

Author: naveenkoppula

src/deployments/cdk/src/apps/phase-1.ts

@@ -27,14 +27,15 @@ import * as ssm from '../deployments/ssm/session-manager';
 import * as macie from '../deployments/macie';
 import * as guardDutyDeployment from '../deployments/guardduty';
 import { PhaseInput } from './shared';
-import { getIamUserPasswordSecretValue } from '../deployments/iam';
+import { createIamRoleOutput, getIamUserPasswordSecretValue } from '../deployments/iam';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import * as vpcDeployment from '../deployments/vpc';
 import * as transitGateway from '../deployments/transit-gateway';
 import * as centralEndpoints from '../deployments/central-endpoints';
 import { CfnResourceStackCleanupOutput } from '../deployments/cleanup/outputs';
 import { VpcOutputFinder, VpcSubnetOutput } from '@aws-accelerator/common-outputs/src/vpc';
 import { TransitGatewayAttachmentOutputFinder } from '@aws-accelerator/common-outputs/src/transit-gateway';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 
 export interface IamPolicyArtifactsOutput {
   bucketArn: string;
@@ -82,7 +83,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     throw new Error(`Cannot find mandatory primary account ${masterAccountKey}`);
   }
 
-  const { acceleratorName, installerVersion } = context;
+  const { acceleratorName, installerVersion, defaultRegion, acceleratorExecutionRoleName } = context;
   // Find the central bucket in the outputs
   const centralBucket = CentralBucketOutput.getBucket({
     accountStacks,
@@ -110,25 +111,29 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
    * @param sourceAccount : Source Account Key, Role will be created in this
    * @param accountKey : Target Account Key, Access will be provided to this account
    */
-  const createIamRoleForPCXAcceptence = (
-    roleName: string,
-    sourceAccount: string,
-    sourceVpcConfig: VpcConfig,
-    targetAccount: string,
-  ) => {
-    const accountStack = accountStacks.tryGetOrCreateAccountStack(sourceAccount, sourceVpcConfig.region);
+  const createIamRoleForPCXAcceptence = (roleName: string, sourceAccount: string) => {
+    const accountStack = accountStacks.tryGetOrCreateAccountStack(sourceAccount, defaultRegion);
     if (!accountStack) {
       console.warn(`Cannot find account stack ${sourceAccount}`);
       return;
     }
-    const existing = accountStack.node.tryFindChild(roleName);
+    const existing = accountStack.node.tryFindChild('PeeringRole');
     if (existing) {
       return;
     }
+    const targetAccounts = acceleratorConfig
+      .getVpcConfigs()
+      .filter(rsv => PeeringConnectionConfig.is(rsv.vpcConfig.pcx) && rsv.vpcConfig.pcx.source === sourceAccount);
+    const targetAccountKeys = Array.from(new Set(targetAccounts.map(rsv => rsv.accountKey)));
     const peeringRole = new iam.Role(accountStack, 'PeeringRole', {
       roleName,
-      assumedBy: new iam.ArnPrincipal(
-        `arn:aws:iam::${getAccountId(accounts, targetAccount)}:role/${context.acceleratorExecutionRoleName}`,
+      assumedBy: new iam.CompositePrincipal(
+        ...targetAccountKeys.map(
+          targetAccountKey =>
+            new iam.ArnPrincipal(
+              `arn:aws:iam::${getAccountId(accounts, targetAccountKey)}:role/${acceleratorExecutionRoleName}`,
+            ),
+        ),
       ),
     });
 
@@ -138,6 +143,8 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
         actions: ['ec2:AcceptVpcPeeringConnection'],
       }),
     );
+
+    createIamRoleOutput(accountStack, peeringRole, 'PeeringConnectionAcceptRole');
   };
 
   // Auxiliary method to create a VPC in the account with given account key
@@ -246,9 +253,16 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
         console.warn(`Cannot find PCX source VPC ${pcxConfig['source-vpc']} in account ${pcxConfig.source}`);
       } else {
         // Create Accepter Role for Peering Connection **WITHOUT** random suffix
-        // TODO Region support
-        const roleName = createRoleName(`VPC-PCX-${pascalCase(accountKey)}To${pascalCase(pcxConfig.source)}`, 0);
-        createIamRoleForPCXAcceptence(roleName, pcxConfig.source, sourceVpcConfig.vpcConfig, accountKey);
+        const pcxAcceptRole = IamRoleOutputFinder.tryFindOneByName({
+          outputs,
+          accountKey: pcxConfig.source,
+          roleKey: 'PeeringConnectionAcceptRole',
+        });
+        let roleName = createRoleName(`VPC-PCX-${pascalCase(accountKey)}To${pascalCase(pcxConfig.source)}`, 0);
+        if (pcxAcceptRole) {
+          roleName = pcxAcceptRole.roleName;
+        }
+        createIamRoleForPCXAcceptence(roleName, pcxConfig.source);
       }
     }
 

src/deployments/cdk/src/apps/phase-2.ts

@@ -28,6 +28,7 @@ import * as snsDeployment from '../deployments/sns';
 import * as ssmDeployment from '../deployments/ssm';
 import { getStackJsonOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 import { logArchiveReadOnlyAccess } from '../deployments/s3/log-archive-read-access';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 
 /**
  * This is the main entry point to deploy phase 2
@@ -86,10 +87,18 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       continue;
     }
 
-    // TODO store role name in outputs
-    // Get the exact same role name as in phase 1
-    const roleName = createRoleName(`VPC-PCX-${pascalCase(accountKey)}To${pascalCase(pcxConfig.source)}`, 0);
-    const peerRoleArn = `arn:aws:iam::${getAccountId(accounts, pcxConfig.source)}:role/${roleName}`;
+    const pcxAcceptRole = IamRoleOutputFinder.tryFindOneByName({
+      outputs,
+      accountKey: pcxConfig.source,
+      roleKey: 'PeeringConnectionAcceptRole',
+    });
+    let peerRoleArn = '';
+    if (pcxAcceptRole) {
+      peerRoleArn = pcxAcceptRole.roleArn;
+    } else {
+      const roleName = createRoleName(`VPC-PCX-${pascalCase(accountKey)}To${pascalCase(pcxConfig.source)}`, 0);
+      peerRoleArn = `arn:aws:iam::${getAccountId(accounts, pcxConfig.source)}:role/${roleName}`;
+    }
 
     // Get Peer VPC Configuration
     const pcxSourceVpc = pcxConfig['source-vpc'];

src/deployments/cdk/src/common/peering-connection.ts

@@ -73,8 +73,13 @@ export namespace PeeringConnection {
         });
         // Find the PCX output that contains the PCX route's VPC
         const peerVpcOutput = peerVpcOutputs.find(output => {
-          const pcxVpc = output.vpcs.find(vpc => vpc.accountKey === pcxRoute.account && vpc.vpcName === pcxRoute.vpc);
-          return !!pcxVpc;
+          const sourcePcxVpc = output.vpcs.find(
+            vpc => vpc.accountKey === pcxRoute.account && vpc.vpcName === pcxRoute.vpc,
+          );
+          const targetPcxVpc = output.vpcs.find(
+            vpc => vpc.accountKey === accountKey && vpc.vpcName === vpcConfig?.name!,
+          );
+          return !!sourcePcxVpc && !!targetPcxVpc;
         });
         const pcxId = peerVpcOutput?.pcxId;
         if (!pcxId) {

src/deployments/cdk/src/common/vpc.ts

@@ -526,20 +526,36 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
             dynamoRoutes.push(routeTableObj);
             continue;
           } else if (route.target === 'TGW' && tgw && tgwAttachment) {
-            const tgwRoute = new ec2.CfnRoute(this, `${routeTableName}_${route.target}`, {
+            let constructName = `${routeTableName}_${route.target}`;
+            if (typeof route.destination !== 'string') {
+              console.warn(`Route for TGW only supports cidr as destination`);
+              continue;
+            }
+            if (route.destination !== '0.0.0.0/0') {
+              constructName = `${routeTableName}_${route.target}_${route.destination}`;
+            }
+            const tgwRoute = new ec2.CfnRoute(this, constructName, {
               routeTableId: routeTableObj,
-              destinationCidrBlock: route.destination as string,
+              destinationCidrBlock: route.destination,
               transitGatewayId: tgw.tgwId,
             });
             tgwRoute.addDependsOn(tgwAttachment.resource);
             continue;
           } else if (route.target.startsWith('NATGW_')) {
+            if (typeof route.destination !== 'string') {
+              console.warn(`Route for NATGW only supports cidr as destination`);
+              continue;
+            }
+            let constructName = `${routeTableName}_natgw_route`;
+            if (route.destination !== '0.0.0.0/0') {
+              constructName = `${routeTableName}_natgw_${route.destination}_route`;
+            }
             const routeParams: ec2.CfnRouteProps = {
               routeTableId: routeTableObj,
-              destinationCidrBlock: typeof route.destination === 'string' ? route.destination : '0.0.0.0/0',
+              destinationCidrBlock: route.destination,
               natGatewayId: this.natgwNameToIdMap[route.target.toLowerCase()],
             };
-            new ec2.CfnRoute(this, `${routeTableName}_natgw_route`, routeParams);
+            new ec2.CfnRoute(this, constructName, routeParams);
             continue;
           } else {
             // Need to add for different Routes

src/deployments/cdk/src/deployments/firewall/cluster/step-2.ts

@@ -135,7 +135,7 @@ async function createCustomerGateways(props: {
         type: 'ipsec.1',
         transitGatewayId: transitGateway.tgwId,
         customerGatewayId: customerGateway.ref,
-        staticRoutesOnly: firewallCgwRouting === 'static' ? true : false,
+        staticRoutesOnly: firewallCgwRouting === 'static' ? true : undefined,
       });
 
       const options = new VpnTunnelOptions(scope, `VpnTunnelOptions${index}`, {