fix(core): Suspended accounts failure with respect to construct name change of nested stacks in phase-2 (#546)

* fix(core): Maintaining same construct name when a account is suspended by saving in DDB outputs 
  - (security groups on shared VPC's)

Author: naveenkoppula

src/deployments/cdk/src/apps/phase-2.ts

@@ -3,7 +3,7 @@ import * as cfn from '@aws-cdk/aws-cloudformation';
 import { getAccountId } from '../utils/accounts';
 import { JsonOutputValue } from '../common/json-output';
 import { getVpcConfig } from '../common/get-all-vpcs';
-import { VpcOutputFinder } from '@aws-accelerator/common-outputs/src/vpc';
+import { VpcOutputFinder, SharedSecurityGroupIndexOutput } from '@aws-accelerator/common-outputs/src/vpc';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import { PeeringConnectionConfig, VpcConfigType } from '@aws-accelerator/common-config/src';
 import { getVpcSharedAccountKeys } from '../common/vpc-subnet-sharing';
@@ -26,6 +26,7 @@ import * as centralServices from '../deployments/central-services';
 import * as guardDutyDeployment from '../deployments/guardduty';
 import * as snsDeployment from '../deployments/sns';
 import * as ssmDeployment from '../deployments/ssm';
+import { getStackJsonOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 
 /**
  * This is the main entry point to deploy phase 2
@@ -170,11 +171,23 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
         continue;
       }
 
-      const securityGroupStack = new cfn.NestedStack(
-        accountStack,
-        `SecurityGroups${vpcConfig.name}-Shared-${index + 1}`,
-      );
-      const securityGroups = new SecurityGroup(securityGroupStack, `SecurityGroups-SharedAccount-${index + 1}`, {
+      /* **********************************************************
+       * Saving index in outputs to handle nasty bug occur while
+       * changing construct name when account is suspended
+       * *********************************************************/
+      const sgOutputs: SharedSecurityGroupIndexOutput[] = getStackJsonOutput(outputs, {
+        accountKey: sharedAccountKey,
+        outputType: 'SecurityGroupIndexOutput',
+        region: vpcConfig.region,
+      });
+
+      const vpcSgIndex = sgOutputs.find(sgO => sgO.vpcName === vpcConfig.name);
+      let sgIndex = index + 1;
+      if (vpcSgIndex) {
+        sgIndex = vpcSgIndex.index;
+      }
+      const securityGroupStack = new cfn.NestedStack(accountStack, `SecurityGroups${vpcConfig.name}-Shared-${sgIndex}`);
+      const securityGroups = new SecurityGroup(securityGroupStack, `SecurityGroups-SharedAccount-${sgIndex}`, {
         securityGroups: vpcConfig['security-groups']!,
         vpcName: vpcConfig.name,
         vpcId: vpcOutput.vpcId,
@@ -184,16 +197,10 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
         installerVersion: context.installerVersion,
       });
 
-      const accountId = getAccountId(accounts, accountKey);
-      if (!accountId) {
-        console.warn(`Cannot find account with key ${accountKey}`);
-        continue;
-      }
-
       // Add Tags Output
       const securityGroupsResources = Object.values(securityGroups.securityGroupNameMapping);
 
-      new JsonOutputValue(securityGroupStack, `SecurityGroupOutput${vpcConfig.name}-${index}`, {
+      new JsonOutputValue(securityGroupStack, `SecurityGroupOutput  `, {
         type: 'SecurityGroupsOutput',
         value: {
           vpcId: vpcOutput.vpcId,
@@ -205,6 +212,20 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
         },
       });
 
+      new JsonOutputValue(securityGroupStack, `SecurityGroupIndexOutput`, {
+        type: 'SecurityGroupIndexOutput',
+        value: {
+          vpcName: vpcConfig.name,
+          index: sgIndex,
+        },
+      });
+
+      const accountId = getAccountId(accounts, accountKey);
+      if (!accountId) {
+        console.warn(`Cannot find account with key ${accountKey}`);
+        continue;
+      }
+
       new AddTagsToResourcesOutput(securityGroupStack, `OutputSharedResources${vpcConfig.name}-Shared-${index}`, {
         dependencies: securityGroupsResources,
         produceResources: () =>

src/lib/common-outputs/src/stack-output.ts

@@ -41,6 +41,7 @@ export function getStackOutput(outputs: StackOutput[], accountKey: string, outpu
 export interface StackJsonOutputFilter {
   accountKey?: string;
   outputType?: string;
+  region?: string;
 }
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -50,6 +51,9 @@ export function getStackJsonOutput(outputs: StackOutput[], filter: StackJsonOutp
       if (filter.accountKey && output.accountKey !== filter.accountKey) {
         return null;
       }
+      if (filter.region && output.region !== filter.region) {
+        return null;
+      }
       try {
         if (output.outputValue && output.outputValue.startsWith('{')) {
           const json = JSON.parse(output.outputValue);

src/lib/common-outputs/src/vpc.ts

@@ -14,6 +14,11 @@ export interface SecurityGroupsOutput {
   securityGroupIds: VpcSecurityGroupOutput[];
 }
 
+export interface SharedSecurityGroupIndexOutput {
+  vpcName: string;
+  index: number;
+}
+
 export const VpcSubnetOutput = t.interface({
   subnetId: t.string,
   subnetName: t.string,