(fix): Lambda timeout in large customer environments (#1020)

* Rebased and merging in actual changes

* Create force-github-actions.txt

* Prettier Formatting

* Fixing prettier issue with more files

* Fixing typing issue for results

---------

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: rycerrat

reference-artifacts/SAMPLE_CONFIGS/force-github-actions.txt

@@ -0,0 +1,2 @@
+This file added solely to test forcing GitHub actions.
+

src/core/cdk/src/initial-setup.ts

@@ -11,32 +11,35 @@
  *  and limitations under the License.
  */
 
-import * as path from 'path';
 import * as cdk from '@aws-cdk/core';
 import * as codebuild from '@aws-cdk/aws-codebuild';
+import * as dynamodb from '@aws-cdk/aws-dynamodb';
+import * as fs from 'fs';
 import * as iam from '@aws-cdk/aws-iam';
+import * as kms from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
+import * as path from 'path';
+import * as s3 from '@aws-cdk/aws-s3';
 import * as s3assets from '@aws-cdk/aws-s3-assets';
 import * as secrets from '@aws-cdk/aws-secretsmanager';
-import * as dynamodb from '@aws-cdk/aws-dynamodb';
 import * as sfn from '@aws-cdk/aws-stepfunctions';
+import * as sns from '@aws-cdk/aws-sns';
 import * as tasks from '@aws-cdk/aws-stepfunctions-tasks';
-import * as s3 from '@aws-cdk/aws-s3';
-import { CdkDeployProject, PrebuiltCdkDeployProject } from '@aws-accelerator/cdk-accelerator/src/codebuild';
+
 import { AcceleratorStack, AcceleratorStackProps } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-stack';
-import { createRoleName, createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { CdkDeployProject, PrebuiltCdkDeployProject } from '@aws-accelerator/cdk-accelerator/src/codebuild';
+import { createName, createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+
+import { AddTagsToResourcesTask } from './tasks/add-tags-to-resources-task';
+import { CDKBootstrapTask } from './tasks/cdk-bootstrap';
 import { CodeTask } from '@aws-accelerator/cdk-accelerator/src/stepfunction-tasks';
+import { CreateAdConnectorTask } from './tasks/create-adconnector-task';
 import { CreateControlTowerAccountTask } from './tasks/create-control-tower-account-task';
 import { CreateOrganizationAccountTask } from './tasks/create-organization-account-task';
-import { CreateAdConnectorTask } from './tasks/create-adconnector-task';
 import { CreateStackTask } from './tasks/create-stack-task';
 import { RunAcrossAccountsTask } from './tasks/run-across-accounts-task';
-import * as fs from 'fs';
-import * as sns from '@aws-cdk/aws-sns';
 import { StoreOutputsTask } from './tasks/store-outputs-task';
 import { StoreOutputsToSSMTask } from './tasks/store-outputs-to-ssm-task';
-import { CDKBootstrapTask } from './tasks/cdk-bootstrap';
-import * as kms from '@aws-cdk/aws-kms';
 
 const VPC_CIDR_POOL_TABLE = 'cidr-vpc-assign';
 const SUBNET_CIDR_POOL_TABLE = 'cidr-subnet-assign';
@@ -969,16 +972,61 @@ export namespace InitialSetup {
         resultPath: 'DISCARD',
       });
 
-      const addTagsToSharedResourcesTask = new CodeTask(this, 'Add Tags to Shared Resources', {
-        functionProps: {
-          code: lambdaCode,
-          handler: 'index.addTagsToSharedResourcesStep',
+      // S3 bucket for Add Tags to Shared Resources Lambda fns
+      const addTagsToSharedResourcesBucket = new s3.Bucket(this, 'AddTagsToSharedResourcesBucket', {
+        blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+        encryption: s3.BucketEncryption.S3_MANAGED,
+        removalPolicy: cdk.RemovalPolicy.RETAIN,
+        lifecycleRules: [
+          {
+            id: '1DayDelete',
+            enabled: true,
+            expiration: cdk.Duration.days(1),
+          },
+        ],
+      });
+      addTagsToSharedResourcesBucket.addToResourcePolicy(
+        new iam.PolicyStatement({
+          actions: ['s3:GetObject*', 's3:PutObject*', 's3:DeleteObject*', 's3:GetBucket*', 's3:List*'],
+          resources: [addTagsToSharedResourcesBucket.arnForObjects('*'), addTagsToSharedResourcesBucket.bucketArn],
+          principals: [pipelineRole],
+        }),
+      );
+      // Allow only https requests
+      addTagsToSharedResourcesBucket.addToResourcePolicy(
+        new iam.PolicyStatement({
+          actions: ['s3:*'],
+          resources: [addTagsToSharedResourcesBucket.bucketArn, addTagsToSharedResourcesBucket.arnForObjects('*')],
+          principals: [new iam.AnyPrincipal()],
+          conditions: {
+            Bool: {
+              'aws:SecureTransport': 'false',
+            },
+          },
+          effect: iam.Effect.DENY,
+        }),
+      );
+
+      //State Machine and associated resources for Adding Tags to Shared Resources
+      const addTagsToSharedResourcesStateMachine = new sfn.StateMachine(this, 'Add Tags To Resources Sfn', {
+        stateMachineName: `${props.acceleratorPrefix}AddTagsToSharedResources_sfn`,
+        definition: new AddTagsToResourcesTask(this, 'AddTagsToSharedResources', {
+          lambdaCode,
           role: pipelineRole,
-        },
-        functionPayload: {
+          name: 'Add Tags To Shared Resources',
+        }),
+      });
+
+      const addTagsToSharedResourcesTask = new tasks.StepFunctionsStartExecution(this, 'Add Tags To Resources', {
+        stateMachine: addTagsToSharedResourcesStateMachine,
+        integrationPattern: sfn.IntegrationPattern.RUN_JOB,
+        input: sfn.TaskInput.fromObject({
+          'accounts.$': '$.accounts',
+          acceleratorPrefix: props.acceleratorPrefix,
           assumeRoleName: props.stateMachineExecutionRole,
           outputTableName: outputsTable.tableName,
-        },
+          s3Bucket: addTagsToSharedResourcesBucket.bucketName,
+        }),
         resultPath: 'DISCARD',
       });
 

src/core/cdk/src/tasks/add-tags-to-resources-task.ts

@@ -0,0 +1,134 @@
+/**
+ *  Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
+import * as cdk from '@aws-cdk/core';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as sfn from '@aws-cdk/aws-stepfunctions';
+
+import { CodeTask } from '@aws-accelerator/cdk-accelerator/src/stepfunction-tasks';
+
+export namespace AddTagsToResourcesTask {
+  export interface Props {
+    role: iam.IRole;
+    lambdaCode: lambda.Code;
+    waitSeconds?: number;
+    name: string;
+    permissions?: string[];
+    functionPayload?: { [key: string]: string };
+  }
+}
+
+export class AddTagsToResourcesTask extends sfn.StateMachineFragment {
+  readonly startState: sfn.State;
+  readonly endStates: sfn.INextable[];
+
+  constructor(scope: cdk.Construct, id: string, props: AddTagsToResourcesTask.Props) {
+    super(scope, id);
+
+    const { role, lambdaCode, name, permissions, waitSeconds = 60 } = props;
+
+    role.addToPrincipalPolicy(
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        resources: ['*'],
+        actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+      }),
+    );
+    if (permissions && permissions.length > 0) {
+      role.addToPrincipalPolicy(
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          resources: ['*'],
+          actions: permissions,
+        }),
+      );
+    }
+
+    const ddbTask = new CodeTask(scope, `${name} DDB Task`, {
+      resultPath: '$',
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.addTagsToSharedResources.scan',
+      },
+      functionPayload: {
+        'assumeRoleName.$': '$.assumeRoleName',
+        'outputTableName.$': '$.outputTableName',
+        's3Bucket.$': '$.s3Bucket',
+        'accounts.$': '$.accounts',
+        ...props.functionPayload,
+      },
+    });
+
+    // Create Map task to iterate
+    const mapTask = new sfn.Map(this, `${name} Map`, {
+      itemsPath: '$.accounts',
+      //resultPath: '$.errors',
+      resultPath: '$.results',
+      maxConcurrency: 10,
+      parameters: {
+        'accountId.$': '$$.Map.Item.Value',
+        'assumeRoleName.$': '$.assumeRoleName',
+        'outputTableName.$': '$.outputTableName',
+        's3Bucket.$': '$.s3Bucket',
+        's3Key.$': '$.s3Key',
+        ...props.functionPayload,
+      },
+    });
+
+    const addTagTask = new CodeTask(scope, `${name} Add Tag Task`, {
+      resultPath: '$',
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.addTagsToSharedResources.add',
+      },
+      functionPayload: {
+        'accountId.$': '$.accountId',
+        'assumeRoleName.$': '$.assumeRoleName',
+        'outputTableName.$': '$.outputTableName',
+        's3Bucket.$': '$.s3Bucket',
+        's3Key.$': '$.s3Key',
+        ...props.functionPayload,
+      },
+    });
+
+    mapTask.iterator(addTagTask);
+
+    const verifyddbTask = new CodeTask(scope, `${name} Verify DDB Task`, {
+      resultPath: '$',
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.addTagsToSharedResources.verify',
+      },
+      inputPath: '$',
+    });
+
+    const pass = new sfn.Pass(this, `${name} Verify DDB Success`, {
+      resultPath: 'DISCARD',
+    });
+
+    const fail = new sfn.Fail(this, `${name} Verify DDB Failed`);
+
+    const isDdbTaskSuccess = new sfn.Choice(scope, `${name} Verify DDB Success?`)
+      .when(sfn.Condition.stringEquals('$.status', 'SUCCESS'), pass)
+      .otherwise(fail);
+
+    let chain: sfn.Chain;
+    chain = sfn.Chain.start(ddbTask).next(mapTask).next(verifyddbTask).next(isDdbTaskSuccess);
+    this.startState = chain.startState;
+    this.endStates = chain.endStates;
+  }
+}