fic(core): Fixing TGW Cross account attachment (#732)

naveenkoppula · web-flow · commit 8927bf82fe08 · 2021-05-17T08:08:52.000-04:00
* Fixing TGW Corss account attachment

* fixing tests

* fixing import

* fix prettier version with 2.2.0 which is using in code
diff --git a/.github/workflows/lint-prettier.yml b/.github/workflows/lint-prettier.yml
@@ -45,7 +45,7 @@ jobs:
           node-version: 12
       - name: Install Prettier
         run: |
-          npm install -g prettier
+          npm install -g prettier@2.2.0
       - name: Analyze TypeScript files
         run: |
           prettier --check **/*.ts
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
@@ -34,6 +34,7 @@ import * as transitGateway from '../deployments/transit-gateway';
 import * as centralEndpoints from '../deployments/central-endpoints';
 import { CfnResourceStackCleanupOutput } from '../deployments/cleanup/outputs';
 import { VpcOutputFinder, VpcSubnetOutput } from '@aws-accelerator/common-outputs/src/vpc';
+import { TransitGatewayAttachmentOutputFinder } from '@aws-accelerator/common-outputs/src/transit-gateway';
 
 export interface IamPolicyArtifactsOutput {
   bucketArn: string;
@@ -194,6 +195,9 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
 
   const subscriptionCheckDone: string[] = [];
   const dnsLogGroupsAccountAndRegion: { [accoutKey: string]: boolean } = {};
+  const existingAttachments = TransitGatewayAttachmentOutputFinder.findAll({
+    outputs,
+  });
   // Create all the VPCs for accounts and organizational units
   for (const { ouKey, accountKey, vpcConfig, deployments } of acceleratorConfig.getVpcConfigs()) {
     let createPolicy = false;
@@ -230,6 +234,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       acceleratorName,
       installerVersion,
       vpcOutput,
+      existingAttachments,
     });
 
     const pcxConfig = vpcConfig.pcx;
diff --git a/src/deployments/cdk/src/common/vpc.ts b/src/deployments/cdk/src/common/vpc.ts
@@ -13,7 +13,11 @@ import { NestedStack } from '@aws-cdk/aws-cloudformation';
 import { SecurityGroup } from './security-group';
 import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 import { AccountStacks } from '../common/account-stacks';
-import { TransitGatewayOutputFinder, TransitGatewayOutput } from '@aws-accelerator/common-outputs/src/transit-gateway';
+import {
+  TransitGatewayOutputFinder,
+  TransitGatewayOutput,
+  TransitGatewayAttachmentOutput,
+} from '@aws-accelerator/common-outputs/src/transit-gateway';
 import { CfnTransitGatewayAttachmentOutput } from '../deployments/transit-gateway/outputs';
 import { AddTagsToResourcesOutput } from './add-tags-to-resources-output';
 import { VpcDefaultSecurityGroup } from '@aws-accelerator/custom-resource-vpc-default-security-group';
@@ -102,6 +106,7 @@ export interface VpcProps extends VpcCommonProps {
   outputs: StackOutput[];
   acceleratorName: string;
   installerVersion: string;
+  existingAttachments: TransitGatewayAttachmentOutput[];
   vpcOutput?: VpcOutput;
 }
 
@@ -156,6 +161,7 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
       acceleratorName,
       installerVersion,
       vpcOutput,
+      existingAttachments,
     } = props.vpcProps;
     const vpcName = props.vpcProps.vpcConfig.name;
 
@@ -421,6 +427,39 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
             cidr: this.cidrBlock,
           });
         } else {
+          let constructIndex: string;
+          let existingAttachment: TransitGatewayAttachmentOutput | undefined;
+          existingAttachment = existingAttachments.find(
+            att =>
+              att.accountKey === tgwAttach.account &&
+              att.region === this.region &&
+              att.cidr === this.cidrBlock &&
+              att.vpc === vpcName,
+          );
+          if (!existingAttachment) {
+            existingAttachment = existingAttachments.find(
+              att => att.accountKey === tgwAttach.account && att.region === this.region && att.cidr === this.cidrBlock,
+            );
+          }
+          if (!existingAttachment) {
+            // Generate hash
+            constructIndex = hashSum({
+              accountKey: tgwAttach.account,
+              rgion: this.region,
+              cidr: this.cidrBlock,
+              vpc: vpcName,
+            });
+          } else {
+            // This might cause failure if existing users already having multiple tgw cross account attachments in same account and region
+            constructIndex =
+              existingAttachment.constructIndex ||
+              existingAttachments
+                .findIndex(
+                  att =>
+                    att.accountKey === tgwAttach.account && att.region === this.region && att.cidr === this.cidrBlock,
+                )
+                .toString();
+          }
           new CfnTransitGatewayAttachmentOutput(this, 'TgwAttachmentOutput', {
             accountKey: tgwAttach.account,
             region: this.region,
@@ -429,6 +468,8 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
             tgwRoutePropagates,
             blackhole: blackhole ?? false,
             cidr: this.cidrBlock,
+            vpc: vpcName,
+            constructIndex,
           });
         }
       }
diff --git a/src/deployments/cdk/src/deployments/transit-gateway/step-2.ts b/src/deployments/cdk/src/deployments/transit-gateway/step-2.ts
@@ -26,7 +26,7 @@ export async function step2(props: TransitGatewayStep2Props) {
       continue;
     }
 
-    new TransitGatewayRoute(accountStack, `TgwRoute${index}`, {
+    new TransitGatewayRoute(accountStack, `TgwRoute${attachment.constructIndex || index}`, {
       tgwAttachmentId: attachment.tgwAttachmentId,
       tgwRouteAssociates: attachment.tgwRouteAssociates,
       tgwRoutePropagates: attachment.tgwRoutePropagates,
diff --git a/src/deployments/cdk/test/common/vpc.spec.ts b/src/deployments/cdk/test/common/vpc.spec.ts
@@ -143,6 +143,7 @@ test('the VPC creation should create the correct amount of subnets', () => {
     outputs: [],
     acceleratorName: 'test',
     installerVersion: '0.0.0',
+    existingAttachments: [],
   });
 
   // Convert the stack to a CloudFormation template
@@ -264,6 +265,7 @@ test('the VPC creation should throw an error when a subnet uses a route table th
       outputs: [],
       acceleratorName: 'test',
       installerVersion: '0.0.0',
+      existingAttachments: [],
     });
   });
 });
@@ -292,6 +294,7 @@ test('the VPC creation should create the internet gateway', () => {
     outputs: [],
     acceleratorName: 'test',
     installerVersion: '0.0.0',
+    existingAttachments: [],
   });
 
   // Convert the stack to a CloudFormation template
@@ -328,6 +331,7 @@ test('the VPC creation should create the VPN gateway', () => {
     outputs: [],
     acceleratorName: 'test',
     installerVersion: '0.0.0',
+    existingAttachments: [],
   });
 
   // Convert the stack to a CloudFormation template
@@ -453,6 +457,7 @@ test('the VPC creation should create the NAT gateway', () => {
     outputs: [],
     acceleratorName: 'test',
     installerVersion: '0.0.0',
+    existingAttachments: [],
   });
 
   // Convert the stack to a CloudFormation template
diff --git a/src/installer/cdk/src/index.ts b/src/installer/cdk/src/index.ts
@@ -193,7 +193,7 @@ async function main() {
       },
     }),
     environment: {
-      buildImage: codebuild.LinuxBuildImage.STANDARD_3_0,
+      buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
       privileged: true, // Allow access to the Docker daemon
       computeType: codebuild.ComputeType.MEDIUM,
       environmentVariables: {
diff --git a/src/lib/cdk-accelerator/src/codebuild/cdk-deploy-project.ts b/src/lib/cdk-accelerator/src/codebuild/cdk-deploy-project.ts
@@ -102,7 +102,7 @@ export class CdkDeployProject extends CdkDeployProjectBase {
         path: projectAsset.s3ObjectKey,
       }),
       environment: {
-        buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
+        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
         computeType: computeType ?? codebuild.ComputeType.MEDIUM,
         environmentVariables: this.environmentVariables,
       },
diff --git a/src/lib/common-outputs/src/transit-gateway.ts b/src/lib/common-outputs/src/transit-gateway.ts
@@ -1,3 +1,4 @@
+import { optional } from '@aws-accelerator/common-types';
 import * as t from 'io-ts';
 import { StackOutput } from './stack-output';
 import { createStructuredOutputFinder } from './structured-output';
@@ -34,6 +35,8 @@ export const TransitGatewayAttachmentOutput = t.interface(
     tgwRoutePropagates: t.array(t.string),
     blackhole: t.boolean,
     cidr: t.string,
+    vpc: optional(t.string),
+    constructIndex: optional(t.string),
   },
   'TgwAttachmentOutput',
 );

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ export async function step2(props: TransitGatewayStep2Props) {`
`26`	`26`	`continue;`
`27`	`27`	`}`
`28`	`28`
`29`		- new TransitGatewayRoute(accountStack, `TgwRoute${index}`, {
	`29`	+ new TransitGatewayRoute(accountStack, `TgwRoute${attachment.constructIndex \|\| index}`, {
`30`	`30`	`tgwAttachmentId: attachment.tgwAttachmentId,`
`31`	`31`	`tgwRouteAssociates: attachment.tgwRouteAssociates,`
`32`	`32`	`tgwRoutePropagates: attachment.tgwRoutePropagates,`