fix(core): Block unsupported changes to current config with prev success Config (#584)

* Adding vpc deletion check in compare config
* Passing repo name to compare configurations
* Fixing Subnet CIDR change comparision

Author: naveenkoppula

src/core/cdk/src/initial-setup.ts

@@ -172,6 +172,10 @@ export namespace InitialSetup {
         functionPayload: {
           'inputConfig.$': '$',
           region: cdk.Aws.REGION,
+          configRepositoryName: props.configRepositoryName,
+          'configFilePath.$': '$.configuration.configFilePath',
+          'configCommitId.$': '$.configuration.configCommitId',
+          'acceleratorVersion.$': '$.configuration.acceleratorVersion',
           'baseline.$': '$.configuration.baselineOutput.baseline',
         },
         resultPath: 'DISCARD',

src/core/runtime/src/compare-configurations-step.ts

@@ -2,13 +2,12 @@ import { SecretsManager } from '@aws-accelerator/common/src/aws/secrets-manager'
 import { compareAcceleratorConfig } from '@aws-accelerator/common-config/src/compare/main';
 import { getCommitIdSecretName } from '@aws-accelerator/common-outputs/src/commitid-secret';
 
-export interface StepInput {
+export interface StepInput extends ConfigurationInput {
   inputConfig: CompareConfigurationInput;
   region: string;
 }
 
 export interface CompareConfigurationInput {
-  configuration: ConfigurationInput;
   configOverrides: { [key: string]: boolean } | undefined;
   overrideComparison: boolean | undefined;
 }
@@ -26,7 +25,7 @@ export interface CompareConfigurationsOutput {
   configCommitId: string;
 }
 
-export const handler = async (input: StepInput): Promise<CompareConfigurationsOutput> => {
+export const handler = async (input: StepInput) => {
   console.log(`Loading compare configurations...`);
   console.log(JSON.stringify(input, null, 2));
 
@@ -47,8 +46,7 @@ export const handler = async (input: StepInput): Promise<CompareConfigurationsOu
     'ov-nacl': false,
   };
 
-  const { inputConfig, region } = input;
-  const { configFilePath, configRepositoryName, configCommitId, baseline } = inputConfig.configuration;
+  const { inputConfig, region, baseline, configCommitId, configFilePath, configRepositoryName } = input;
   const commitSecretId = getCommitIdSecretName();
 
   const secrets = new SecretsManager();
@@ -64,11 +62,7 @@ export const handler = async (input: StepInput): Promise<CompareConfigurationsOu
     console.log(
       'either previous git repo commitId not found or commitIds are same, so skipping validation of config file updates',
     );
-    return {
-      configRepositoryName,
-      configFilePath,
-      configCommitId,
-    };
+    return;
   }
   let configOverrides = inputConfig.configOverrides;
   if (baseline === 'ORGANIZATIONS') {
@@ -105,5 +99,5 @@ export const handler = async (input: StepInput): Promise<CompareConfigurationsOu
     throw new Error(`There were errors while comparing the configuration changes:\n${errors.join('\n')}`);
   }
 
-  return inputConfig.configuration;
+  return;
 };

src/lib/common-config/src/compare/common.ts

@@ -145,3 +145,18 @@ export function matchConfigDependencyArray(diffs: Diff[], pathValues: string[],
   }
   return errors;
 }
+
+export function deletedConfigEntry(diffs: Diff[], pathValues: string[], pathValue: string): string[] {
+  const errors: string[] = [];
+  for (const deletedDiff of diffs.filter(isDiffDeleted)) {
+    if (!deletedDiff.path) {
+      continue;
+    }
+    const found = pathValues.every(r => deletedDiff.path?.includes(r));
+    const changedValue = deletedDiff.path?.[deletedDiff.path?.length - 1];
+    if (found && changedValue === pathValue) {
+      errors.push(`ConfigCheck: blocked deleting  "${changedValue}" from config path "${deletedDiff.path?.join('/')}"`);
+    }
+  }
+  return errors;
+}

src/lib/common-config/src/compare/validate.ts

@@ -13,20 +13,21 @@ const GLOBAL_OPTIONS_CLS_REGION = ['global-options', 'central-log-services', 're
 /**
  * config path(s) for mandatory accounts vpc(s)
  */
+const ACCOUNT_VPC = ['mandatory-account-configs', 'vpc'];
 const ACCOUNT_VPC_NAME = ['mandatory-account-configs', 'vpc', 'name'];
 const ACCOUNT_VPC_REGION = ['mandatory-account-configs', 'vpc', 'region'];
 const ACCOUNT_VPC_DEPLOY = ['mandatory-account-configs', 'vpc', 'deploy'];
-const ACCOUNT_VPC_CIDR = ['mandatory-account-configs', 'vpc', 'cidr', 'ipv4', 'value'];
-const ACCOUNT_VPC_CIDR2 = ['mandatory-account-configs', 'vpc', 'cidr2', 'ipv4', 'value'];
+const ACCOUNT_VPC_CIDR = ['mandatory-account-configs', 'vpc', 'cidr'];
+const ACCOUNT_VPC_CIDR2 = ['mandatory-account-configs', 'vpc', 'cidr2'];
 
 /**
  * config path(s) for mandatory accounts vpc subnets
  */
 const ACCOUNT_SUBNETS = ['mandatory-account-configs', 'vpc', 'subnets'];
 const ACCOUNT_SUBNET_NAME = ['mandatory-account-configs', 'vpc', 'subnets', 'name'];
 const ACCOUNT_SUBNET_AZ = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'az'];
-const ACCOUNT_SUBNET_CIDR = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'cidr', 'ipv4', 'value'];
-const ACCOUNT_SUBNET_CIDR2 = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'cidr2', 'ipv4', 'value'];
+const ACCOUNT_SUBNET_CIDR = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'cidr'];
+const ACCOUNT_SUBNET_CIDR2 = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'cidr2'];
 const ACCOUNT_SUBNET_DISABLED = ['mandatory-account-configs', 'vpc', 'subnets', 'definitions', 'disabled'];
 
 /**
@@ -57,20 +58,21 @@ const VGW_ASN = ['mandatory-account-configs', 'vpc', 'vgw', 'asn'];
 /**
  * config path(s) for organizational units - vpc
  */
+const OU_VPC = ['organizational-units', 'vpc'];
 const OU_VPC_NAME = ['organizational-units', 'vpc', 'name'];
 const OU_VPC_REGION = ['organizational-units', 'vpc', 'region'];
 const OU_VPC_DEPLOY = ['organizational-units', 'vpc', 'deploy'];
-const OU_VPC_CIDR = ['organizational-units', 'vpc', 'cidr', 'ipv4', 'value'];
-const OU_VPC_CIDR2 = ['organizational-units', 'vpc', 'cidr2', 'ipv4', 'value'];
+const OU_VPC_CIDR = ['organizational-units', 'vpc', 'cidr'];
+const OU_VPC_CIDR2 = ['organizational-units', 'vpc', 'cidr2'];
 
 /**
  * config path(s) for organizational units vpc subnets
  */
 const OU_SUBNETS = ['organizational-units', 'vpc', 'subnets'];
 const OU_SUBNET_NAME = ['organizational-units', 'vpc', 'subnets', 'name'];
 const OU_SUBNET_AZ = ['organizational-units', 'vpc', 'subnets', 'definitions', 'az'];
-const OU_SUBNET_CIDR = ['organizational-units', 'vpc', 'subnets', 'definitions', 'cidr', 'ipv4', 'value'];
-const OU_SUBNET_CIDR2 = ['organizational-units', 'vpc', 'subnets', 'definitions', 'cidr2', 'ipv4', 'value'];
+const OU_SUBNET_CIDR = ['organizational-units', 'vpc', 'subnets', 'definitions', 'cidr'];
+const OU_SUBNET_CIDR2 = ['organizational-units', 'vpc', 'subnets', 'definitions', 'cidr2'];
 const OU_SUBNET_DISABLED = ['organizational-units', 'vpc', 'subnets', 'definitions', 'disabled'];
 
 /**
@@ -204,6 +206,8 @@ export async function validateAccountOu(differences: Diff<LHS, RHS>[], errors: s
  * @param errors
  */
 export async function validateAccountVpc(differences: Diff<LHS, RHS>[], errors: string[]): Promise<void> {
+  // the below function checks vpc deletion from Account Config
+  errors.push(...validateConfig.deletedConfigEntry(differences, ACCOUNT_VPC, 'vpc'));
   // the below function checks vpc deploy of the account
   const accountVpcDeploy = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_VPC_DEPLOY, 5);
   if (accountVpcDeploy) {
@@ -217,13 +221,13 @@ export async function validateAccountVpc(differences: Diff<LHS, RHS>[], errors:
   }
 
   // the below function checks vpc cidr of the account
-  const accountVpcCidr = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_VPC_CIDR, 8);
+  const accountVpcCidr = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_VPC_CIDR, 5);
   if (accountVpcCidr) {
     errors.push(...accountVpcCidr);
   }
 
   // the below function checks vpc cidr2 of the account
-  const accountVpcCidr2 = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_VPC_CIDR2, 8);
+  const accountVpcCidr2 = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_VPC_CIDR2, 5);
   if (accountVpcCidr2) {
     errors.push(...accountVpcCidr2);
   }
@@ -259,13 +263,13 @@ export async function validateAccountSubnets(differences: Diff<LHS, RHS>[], erro
   }
 
   // the below function checks subnet cidr of the account
-  const accountSubnetCidr = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_SUBNET_CIDR, 12);
+  const accountSubnetCidr = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_SUBNET_CIDR, 9);
   if (accountSubnetCidr) {
     errors.push(...accountSubnetCidr);
   }
 
   // the below function checks subnet cidr of the account
-  const accountSubnetCidr2 = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_SUBNET_CIDR2, 12);
+  const accountSubnetCidr2 = validateConfig.matchEditedConfigDependency(differences, ACCOUNT_SUBNET_CIDR2, 9);
   if (accountSubnetCidr2) {
     errors.push(...accountSubnetCidr2);
   }
@@ -376,6 +380,8 @@ export async function validateVgw(differences: Diff<LHS, RHS>[], errors: string[
  * @param errors
  */
 export async function validateOuVpc(differences: Diff<LHS, RHS>[], errors: string[]): Promise<void> {
+  // the below function checks vpc deletion from Organizational Unit
+  errors.push(...validateConfig.deletedConfigEntry(differences, OU_VPC, 'vpc'));
   // the below function checks vpc deploy of the account
   const ouVpcDeploy = validateConfig.matchEditedConfigDependency(differences, OU_VPC_DEPLOY, 5);
   if (ouVpcDeploy) {
@@ -389,13 +395,13 @@ export async function validateOuVpc(differences: Diff<LHS, RHS>[], errors: strin
   }
 
   // the below function checks vpc cidr of the account
-  const ouVpcCidr = validateConfig.matchEditedConfigDependency(differences, OU_VPC_CIDR, 8);
+  const ouVpcCidr = validateConfig.matchEditedConfigDependency(differences, OU_VPC_CIDR, 5);
   if (ouVpcCidr) {
     errors.push(...ouVpcCidr);
   }
 
   // the below function checks vpc cidr2 of the account
-  const ouVpcCidr2 = validateConfig.matchEditedConfigDependency(differences, OU_VPC_CIDR2, 8);
+  const ouVpcCidr2 = validateConfig.matchEditedConfigDependency(differences, OU_VPC_CIDR2, 5);
   if (ouVpcCidr2) {
     errors.push(...ouVpcCidr2);
   }
@@ -431,13 +437,13 @@ export async function validateOuSubnets(differences: Diff<LHS, RHS>[], errors: s
   }
 
   // the below function checks subnet cidr of the account
-  const ouSubnetCidr = validateConfig.matchEditedConfigDependency(differences, OU_SUBNET_CIDR, 12);
+  const ouSubnetCidr = validateConfig.matchEditedConfigDependency(differences, OU_SUBNET_CIDR, 9);
   if (ouSubnetCidr) {
     errors.push(...ouSubnetCidr);
   }
 
   // the below function checks subnet cidr of the account
-  const ouSubnetCidr2 = validateConfig.matchEditedConfigDependency(differences, OU_SUBNET_CIDR2, 12);
+  const ouSubnetCidr2 = validateConfig.matchEditedConfigDependency(differences, OU_SUBNET_CIDR2, 9);
   if (ouSubnetCidr2) {
     errors.push(...ouSubnetCidr2);
   }