feature(core): 7.70 updated cdk version from 1.46 to 1.66 and deploy vpc dns query logging (#414)

Author: nachundu-amzn

docs/developer/developer-guide.md

@@ -398,7 +398,7 @@ The following example illustrates its purpose.
 ```typescript
 const stack = new cdk.Stack();
 new ec2.CfnVpc(stack, 'SharedNetwork', {});
-stack.node.applyAspect(new AcceleratorNameTagger());
+Aspects.of(stack).add(new AcceleratorNameTagger());
 ```
 
 The example above synthesizes to the following CloudFormation template.

reference-artifacts/master-config-sample-snippets/sample_snippets.md

@@ -4,6 +4,16 @@
 
 ---
 
+- Creates DNS query logging and associate to the VPC
+
+```
+    "vpc": {
+	  "dns-resolver-logging": true
+    }
+```
+
+---
+
 - Update Central Logging Kinesis stream shard count as accounts are added
 
 ```

src/core/cdk/package.json

@@ -11,7 +11,7 @@
   "devDependencies": {
     "@types/jest": "25.1.4",
     "@types/node": "12.12.6",
-    "aws-cdk": "1.46.0",
+    "aws-cdk": "1.66.0",
     "babel-jest": "25.2.0",
     "jest": "25.2.4",
     "prettier": "1.19.1",
@@ -25,25 +25,25 @@
   "dependencies": {
     "@aws-accelerator/accelerator-runtime": "workspace:^0.0.1",
     "@aws-accelerator/cdk-accelerator": "workspace:^0.0.1",
-    "@aws-cdk/aws-cloudformation": "1.46.0",
-    "@aws-cdk/aws-codebuild": "1.46.0",
-    "@aws-cdk/aws-codepipeline": "1.46.0",
-    "@aws-cdk/aws-codepipeline-actions": "1.46.0",
-    "@aws-cdk/aws-dynamodb": "1.46.0",
-    "@aws-cdk/aws-events": "1.46.0",
-    "@aws-cdk/aws-events-targets": "1.46.0",
-    "@aws-cdk/aws-iam": "1.46.0",
-    "@aws-cdk/aws-kms": "1.46.0",
-    "@aws-cdk/aws-lambda": "1.46.0",
-    "@aws-cdk/aws-route53resolver": "1.46.0",
-    "@aws-cdk/aws-s3": "1.46.0",
-    "@aws-cdk/aws-s3-assets": "1.46.0",
-    "@aws-cdk/aws-s3-deployment": "1.46.0",
-    "@aws-cdk/aws-secretsmanager": "1.46.0",
-    "@aws-cdk/aws-sns": "1.46.0",
-    "@aws-cdk/aws-stepfunctions": "1.46.0",
-    "@aws-cdk/aws-stepfunctions-tasks": "1.46.0",
-    "@aws-cdk/core": "1.46.0",
+    "@aws-cdk/aws-cloudformation": "1.66.0",
+    "@aws-cdk/aws-codebuild": "1.66.0",
+    "@aws-cdk/aws-codepipeline": "1.66.0",
+    "@aws-cdk/aws-codepipeline-actions": "1.66.0",
+    "@aws-cdk/aws-dynamodb": "1.66.0",
+    "@aws-cdk/aws-events": "1.66.0",
+    "@aws-cdk/aws-events-targets": "1.66.0",
+    "@aws-cdk/aws-iam": "1.66.0",
+    "@aws-cdk/aws-kms": "1.66.0",
+    "@aws-cdk/aws-lambda": "1.66.0",
+    "@aws-cdk/aws-route53resolver": "1.66.0",
+    "@aws-cdk/aws-s3": "1.66.0",
+    "@aws-cdk/aws-s3-assets": "1.66.0",
+    "@aws-cdk/aws-s3-deployment": "1.66.0",
+    "@aws-cdk/aws-secretsmanager": "1.66.0",
+    "@aws-cdk/aws-sns": "1.66.0",
+    "@aws-cdk/aws-stepfunctions": "1.66.0",
+    "@aws-cdk/aws-stepfunctions-tasks": "1.66.0",
+    "@aws-cdk/core": "1.66.0",
     "@types/cfn-response": "^1.0.3",
     "aws-sdk": "2.668.0",
     "cfn-response": "^1.0.1",

src/core/cdk/src/initial-setup.ts

@@ -76,7 +76,6 @@ export namespace InitialSetup {
           suffixLength: 0,
         }),
         partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
-        encryption: dynamodb.TableEncryption.DEFAULT,
       });
 
       const outputsTable = new dynamodb.Table(this, 'Outputs', {
@@ -88,7 +87,6 @@ export namespace InitialSetup {
           name: 'id',
           type: dynamodb.AttributeType.STRING,
         },
-        encryption: dynamodb.TableEncryption.DEFAULT,
       });
 
       const outputUtilsTable = new dynamodb.Table(this, 'OutputUtils', {
@@ -100,7 +98,6 @@ export namespace InitialSetup {
           name: 'id',
           type: dynamodb.AttributeType.STRING,
         },
-        encryption: dynamodb.TableEncryption.DEFAULT,
       });
 
       // This is the maximum time before a build times out
@@ -260,6 +257,7 @@ export namespace InitialSetup {
         },
       );
 
+      // tslint:disable-next-line: deprecation
       const createLandingZoneAccountTask = new sfn.Task(this, 'Create Landing Zone Account', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(createLandingZoneAccountStateMachine, {
@@ -306,6 +304,7 @@ export namespace InitialSetup {
         },
       });
 
+      // tslint:disable-next-line: deprecation
       const createOrganizationAccountTask = new sfn.Task(this, 'Create Organization Account', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(createOrganizationAccountStateMachine, {
@@ -376,6 +375,7 @@ export namespace InitialSetup {
         },
       );
 
+      // tslint:disable-next-line: deprecation
       const installCfnRoleMasterTask = new sfn.Task(this, 'Install CloudFormation Role in Master', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(installCfnRoleMasterStateMachine, {
@@ -407,6 +407,7 @@ export namespace InitialSetup {
         }),
       });
 
+      // tslint:disable-next-line: deprecation
       const installRolesTask = new sfn.Task(this, 'Install Execution Roles', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(installRolesStateMachine, {
@@ -442,6 +443,7 @@ export namespace InitialSetup {
         }),
       });
 
+      // tslint:disable-next-line: deprecation
       const deleteVpcTask = new sfn.Task(this, 'Delete Default Vpcs', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(deleteVpcSfn, {
@@ -524,6 +526,7 @@ export namespace InitialSetup {
         },
       );
 
+      // tslint:disable-next-line: deprecation
       const storeAllOutputsToSsmTask = new sfn.Task(this, 'Store Outputs to SSM', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(storeOutputsToSsmStateMachine, {
@@ -596,6 +599,7 @@ export namespace InitialSetup {
           CONFIG_BRANCH_NAME: props.configBranchName,
           STACK_OUTPUT_TABLE_NAME: outputsTable.tableName,
         };
+        // tslint:disable-next-line: deprecation
         const deployTask = new sfn.Task(this, `Deploy Phase ${phase}`, {
           // tslint:disable-next-line: deprecation
           task: new tasks.StartExecution(codeBuildStateMachine, {
@@ -619,6 +623,7 @@ export namespace InitialSetup {
       });
 
       const createStoreOutputTask = (phase: number) => {
+        // tslint:disable-next-line: deprecation
         const storeOutputsTask = new sfn.Task(this, `Store Phase ${phase} Outputs`, {
           // tslint:disable-next-line: deprecation
           task: new tasks.StartExecution(storeOutputsStateMachine, {
@@ -657,6 +662,7 @@ export namespace InitialSetup {
         },
       });
 
+      // tslint:disable-next-line: deprecation
       const storeAllOutputsTask = new sfn.Task(this, `Store All Phase Outputs`, {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(storeOutputsStateMachine, {
@@ -706,6 +712,7 @@ export namespace InitialSetup {
         }),
       });
 
+      // tslint:disable-next-line: deprecation
       const createConfigRecordersTask = new sfn.Task(this, 'Create Config Recorders', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(createConfigRecorderSfn, {
@@ -800,6 +807,7 @@ export namespace InitialSetup {
         }),
       });
 
+      // tslint:disable-next-line: deprecation
       const createAdConnectorTask = new sfn.Task(this, 'Create AD Connector', {
         // tslint:disable-next-line: deprecation
         task: new tasks.StartExecution(createAdConnectorStateMachine, {
@@ -836,6 +844,7 @@ export namespace InitialSetup {
         .otherwise(storeAllOutputsToSsmTask);
 
       const commonStep1 = addScpTask.startState
+        // tslint:disable-next-line: deprecation
         .next(deployPhase1Task)
         .next(storePhase1Output)
         .next(accountDefaultSettingsTask)
@@ -853,11 +862,13 @@ export namespace InitialSetup {
         .next(baseLineCleanupChoice);
 
       const enableConfigChoice = new sfn.Choice(this, 'Create Config Recorders?')
+        // tslint:disable-next-line: deprecation
         .when(sfn.Condition.stringEquals('$.baseline', 'ORGANIZATIONS'), createConfigRecordersTask.next(commonStep1))
         .otherwise(commonStep1)
         .afterwards();
 
       const commonStep2 = deployPhaseRolesTask
+        // tslint:disable-next-line: deprecation
         .next(storePreviousOutput)
         .next(deployPhase0Task)
         .next(storePhase0Output)
@@ -870,6 +881,7 @@ export namespace InitialSetup {
         .afterwards();
 
       const commonDefinition = loadOrganizationsTask.startState
+        // tslint:disable-next-line: deprecation
         .next(loadAccountsTask)
         .next(installRolesTask)
         .next(deleteVpcTask)
@@ -879,6 +891,7 @@ export namespace InitialSetup {
 
       // Landing Zone Config Setup
       const alzConfigDefinition = loadLandingZoneConfigurationTask.startState
+        // tslint:disable-next-line: deprecation
         .next(addRoleToServiceCatalog)
         .next(createLandingZoneAccountsTask)
         .next(commonDefinition);
@@ -891,10 +904,12 @@ export namespace InitialSetup {
         .otherwise(createOrganizationAccountsTask)
         .afterwards();
 
+      // tslint:disable-next-line: deprecation
       installCfnRoleMasterTask.next(createOrganizationAccountsTask).next(commonDefinition);
 
       // // Organizations Config Setup
       const orgConfigDefinition = validateOuConfiguration.startState
+        // tslint:disable-next-line: deprecation
         .next(loadOrgConfigurationTask)
         .next(cloudFormationMasterRoleChoice);
 

src/deployments/cdk/package.json

@@ -11,14 +11,14 @@
   "devDependencies": {
     "@aws-accelerator/cdk-plugin-assume-role": "workspace:^0.0.1",
     "@aws-accelerator/deployments-runtime": "workspace:^0.0.1",
-    "@aws-cdk/assert": "1.46.0",
-    "@aws-cdk/cfnspec": "1.46.0",
-    "@aws-cdk/cloud-assembly-schema": "1.46.0",
-    "@aws-cdk/cx-api": "1.46.0",
+    "@aws-cdk/assert": "1.66.0",
+    "@aws-cdk/cfnspec": "1.66.0",
+    "@aws-cdk/cloud-assembly-schema": "1.66.0",
+    "@aws-cdk/cx-api": "1.66.0",
     "@types/jest": "25.1.4",
     "@types/mri": "^1.1.0",
     "@types/node": "12.12.6",
-    "aws-cdk": "1.46.0",
+    "aws-cdk": "1.66.0",
     "babel-jest": "25.2.0",
     "jest": "25.2.4",
     "mri": "^1.1.5",
@@ -84,37 +84,37 @@
     "@aws-accelerator/custom-resource-associate-resolver-rules": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-create-resolver-rule": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ssm-increase-throughput": "workspace:^0.0.1",
-    "@aws-cdk/aws-accessanalyzer": "1.46.0",
-    "@aws-cdk/aws-autoscaling": "1.46.0",
-    "@aws-cdk/aws-budgets": "1.46.0",
-    "@aws-cdk/aws-certificatemanager": "1.46.0",
-    "@aws-cdk/aws-cloudformation": "1.46.0",
-    "@aws-cdk/aws-cloudwatch": "1.46.0",
-    "@aws-cdk/aws-config": "1.46.0",
-    "@aws-cdk/aws-directoryservice": "1.46.0",
-    "@aws-cdk/aws-ec2": "1.46.0",
-    "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
-    "@aws-cdk/aws-events": "1.46.0",
-    "@aws-cdk/aws-guardduty": "1.46.0",
-    "@aws-cdk/aws-iam": "1.46.0",
-    "@aws-cdk/aws-kinesis": "1.46.0",
-    "@aws-cdk/aws-kinesisfirehose": "1.46.0",
-    "@aws-cdk/aws-kms": "1.46.0",
-    "@aws-cdk/aws-lambda": "1.46.0",
-    "@aws-cdk/aws-logs": "1.46.0",
-    "@aws-cdk/aws-ram": "1.46.0",
-    "@aws-cdk/aws-route53": "1.46.0",
-    "@aws-cdk/aws-route53-targets": "1.46.0",
-    "@aws-cdk/aws-route53resolver": "1.46.0",
-    "@aws-cdk/aws-s3": "1.46.0",
-    "@aws-cdk/aws-s3-deployment": "1.46.0",
-    "@aws-cdk/aws-secretsmanager": "1.46.0",
-    "@aws-cdk/aws-securityhub": "1.46.0",
-    "@aws-cdk/aws-sns": "1.46.0",
-    "@aws-cdk/aws-ssm": "1.46.0",
-    "@aws-cdk/aws-stepfunctions": "1.46.0",
-    "@aws-cdk/core": "1.46.0",
-    "@aws-cdk/custom-resources": "1.46.0",
+    "@aws-cdk/aws-accessanalyzer": "1.66.0",
+    "@aws-cdk/aws-autoscaling": "1.66.0",
+    "@aws-cdk/aws-budgets": "1.66.0",
+    "@aws-cdk/aws-certificatemanager": "1.66.0",
+    "@aws-cdk/aws-cloudformation": "1.66.0",
+    "@aws-cdk/aws-cloudwatch": "1.66.0",
+    "@aws-cdk/aws-config": "1.66.0",
+    "@aws-cdk/aws-directoryservice": "1.66.0",
+    "@aws-cdk/aws-ec2": "1.66.0",
+    "@aws-cdk/aws-elasticloadbalancingv2": "1.66.0",
+    "@aws-cdk/aws-events": "1.66.0",
+    "@aws-cdk/aws-guardduty": "1.66.0",
+    "@aws-cdk/aws-iam": "1.66.0",
+    "@aws-cdk/aws-kinesis": "1.66.0",
+    "@aws-cdk/aws-kinesisfirehose": "1.66.0",
+    "@aws-cdk/aws-kms": "1.66.0",
+    "@aws-cdk/aws-lambda": "1.66.0",
+    "@aws-cdk/aws-logs": "1.66.0",
+    "@aws-cdk/aws-ram": "1.66.0",
+    "@aws-cdk/aws-route53": "1.66.0",
+    "@aws-cdk/aws-route53-targets": "1.66.0",
+    "@aws-cdk/aws-route53resolver": "1.66.0",
+    "@aws-cdk/aws-s3": "1.66.0",
+    "@aws-cdk/aws-s3-deployment": "1.66.0",
+    "@aws-cdk/aws-secretsmanager": "1.66.0",
+    "@aws-cdk/aws-securityhub": "1.66.0",
+    "@aws-cdk/aws-sns": "1.66.0",
+    "@aws-cdk/aws-ssm": "1.66.0",
+    "@aws-cdk/aws-stepfunctions": "1.66.0",
+    "@aws-cdk/core": "1.66.0",
+    "@aws-cdk/custom-resources": "1.66.0",
     "@types/cfn-response": "^1.0.3",
     "@types/semver": "^7.3.3",
     "colors": "1.4.0",

src/deployments/cdk/src/apps/phase-1.ts

@@ -285,6 +285,16 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       });
       subscriptionCheckDone.push(accountKey);
     }
+
+    // Creates resolver query logging and associate to the VPC
+    await vpcDeployment.step4({
+      accountKey,
+      accountStacks,
+      acceleratorPrefix: context.acceleratorPrefix,
+      outputs,
+      vpcConfig,
+      vpcId: vpc!.id,
+    });
   }
 
   // Create the firewall

src/deployments/cdk/src/common/nacl.ts

@@ -26,7 +26,7 @@ export class Nacl extends cdk.Construct {
     const nacl = new ec2.CfnNetworkAcl(this, `Nacl-${vpcConfig.name}-${subnetConfig.name}`, {
       vpcId,
     });
-    cdk.Tag.add(nacl, 'Name', `${subnetConfig.name}_${vpcConfig.name}_nacl`, { priority: 1000 });
+    cdk.Tags.of(nacl).add('Name', `${subnetConfig.name}_${vpcConfig.name}_nacl`, { priority: 1000 });
 
     const localSubnetDefinitions = subnetConfig.definitions;
     for (const sd of localSubnetDefinitions) {

src/deployments/cdk/src/common/transit-gateway-attachment.ts

@@ -15,7 +15,7 @@ export class TransitGatewayAttachment extends cdk.Construct {
     super(parent, name);
 
     this.resource = new ec2.CfnTransitGatewayAttachment(this, 'Resource', props);
-    cdk.Tag.add(this.resource, 'Name', props.name, { priority: 1000 });
+    cdk.Tags.of(this.resource).add('Name', props.name, { priority: 1000 });
   }
 
   get transitGatewayAttachmentId(): string {

src/deployments/cdk/src/deployments/vpc/index.ts

@@ -1,3 +1,4 @@
 export * from './outputs';
 export * from './step-1';
 export * from './step-2';
+export * from './step-4';