release 3.3.8 (#125)

Author: gsingh04

.gitignore

@@ -16,7 +16,7 @@ reports
 *.pyc
 .eggs
 *.egg-info
-.venv
+.venv*
 .cache
 .pytest_cache
 .mypy_cache
@@ -30,5 +30,4 @@ node_modules
 .DS_Store
 .idea/
 *sonarlint*
-docs
 test.sh

CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.8] - 2024-08-15
+
+### Fixed
+
+- [#116](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues/116)
+- [#117](https://github.com/aws-solutions/network-orchestration-for-aws-transit-gateway/issues/117)
+- IAM policy for _StateMachineLambdaFunctionRole_
+
+### Changed
+
+- `resource_exception_handler` decorator does not catch `IncorrectState` 
+  exception, allowing the exception to be raised as `ResourceBusyException ` 
+  by `service_exception_handler` decorator
+
+### Security
+
+- Bumped axios to `1.7.4` to mitigate [CVE-2024-39338](https://github.com/advisories/GHSA-8hc4-vh64-cxmj)
+
 ## [3.3.7] - 2024-08-02
 
 ### Security

deployment/network-orchestration-hub.template

@@ -1094,7 +1094,7 @@ Resources:
                   - logs:CreateLogStream
                   - logs:PutLogEvents
                 Resource:
-                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/{AWS::Partition}/lambda/*
+                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::Partition}/lambda/*
                   - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudWatchLogActions}*
                   - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudWatchLogFailures}*
               - Effect: Allow

source/cognito-trigger/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "cognito-trigger",
-  "version": "3.3.7",
+  "version": "3.3.8",
   "description": "Triggered when a new user is confirmed in the user pool to allow for custom actions to be taken",
   "author": {
     "name": "Amazon Web Services",
@@ -35,4 +35,4 @@
   "overrides": {
     "fast-xml-parser": "4.4.1"
   }
-}
+}

source/cognito-trigger/package.json

@@ -0,0 +1,30 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "network-orchestration-for-tgw"
+version = "3.3.8-dev"
+description = "solution packages for network-orchestration-for-tgw"
+requires-python = ">=3.10"
+license = { text = "Apache Software License" }
+dependencies = [
+    "boto3==1.34.91",
+    "botocore==1.34.129",
+    "aws-lambda-powertools==2.25.0",
+]
+[project.optional-dependencies]
+dev = [
+    "moto==4.2.0",
+    "pytest==7.4.2",
+    "mypy-boto3-ec2==1.34.149",
+    "mypy-boto3-dynamodb==1.34.148",
+    "mypy-boto3-sts==1.34.0",
+    "mypy-boto3-sns==1.34.121",
+    "mypy-boto3-ram==1.34.0",
+    "mypy-boto3-organizations==1.34.139"
+]
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["custom_resource*", "tgw_vpc_attachment*", "tgw_peering_attachment*"]

source/lambda/pyproject.toml

@@ -2,12 +2,16 @@
 
 import pytest
 from aws_lambda_powertools.utilities.typing import LambdaContext
-from moto import mock_sts
+from moto import mock_sts, mock_ec2
 from mypy_boto3_ec2 import EC2Client
 
 from tgw_vpc_attachment.__tests__.conftest import override_environment_variables
 from tgw_vpc_attachment.lib.clients.ec2 import EC2
+from tgw_vpc_attachment.lib.exceptions import ResourceBusyException
 from tgw_vpc_attachment.main import lambda_handler
+from tgw_vpc_attachment.lib.handlers.tgw_vpc_attachment_handler import TransitGatewayVPCAttachments
+
+from unittest.mock import patch
 
 
 @mock_sts
@@ -74,6 +78,33 @@ def test_disassociate_transit_gateway_route_table(vpc_setup_with_explicit_route_
     # throws exception because get_transit_gateway_route_table_associations is not implemented in moto
 
 
+@mock_sts
+@patch('tgw_vpc_attachment.lib.clients.ec2.EC2.get_transit_gateway_route_table_associations')
+def test_get_association_state(mock_get_tgw_rtb_associations, vpc_setup_with_explicit_route_table):
+    tgw_attachments = TransitGatewayVPCAttachments(vpc_setup_with_explicit_route_table)
+
+    # disassociated state, returns empty list
+    mock_get_tgw_rtb_associations.return_value = []
+    assert tgw_attachments._get_association_state('myTable') == 'disassociated'
+
+    # state transition from associating -> associated
+    mock_get_tgw_rtb_associations.side_effect = [[{'State': 'associating'}], [{'State': 'associated'}]]
+    os.environ["WAIT_TIME"] = '1'
+    assert tgw_attachments._get_association_state('myTable') == 'associated'
+
+
+@mock_sts
+@patch('tgw_vpc_attachment.lib.clients.ec2.EC2.get_transit_gateway_route_table_associations')
+def test_get_association_state_raises_exception(mock_get_tgw_rtb_associations, vpc_setup_with_explicit_route_table):
+    tgw_attachments = TransitGatewayVPCAttachments(vpc_setup_with_explicit_route_table)
+
+    mock_get_tgw_rtb_associations.side_effect = [ResourceBusyException]
+
+    with pytest.raises(ResourceBusyException):
+        tgw_attachments._get_association_state('myTable')
+
+    assert mock_get_tgw_rtb_associations.call_count == 1
+
 @mock_sts
 def test_get_transit_gateway_attachment_propagations(vpc_setup_with_explicit_route_table):
     # ARRANGE
@@ -138,6 +169,26 @@ def test_enable_transit_gateway_route_table_propagation_skip(vpc_setup_with_expl
     assert response['AttachmentState'] == 'available'
 
 
+@mock_sts
+@mock_ec2
+@patch('tgw_vpc_attachment.lib.clients.ec2.EC2.enable_transit_gateway_route_table_propagation')
+@patch.object(TransitGatewayVPCAttachments, '_get_propagation_route_tables_to_enable')
+def test_enable_transit_gateway_route_table_propagation_raises_exception(
+        mock_get_propagation_rtb, mock_enable_propagation, vpc_setup_with_explicit_route_table):
+
+    # ARRANGE
+    vpc_setup_with_explicit_route_table['AttachmentState'] = "available"
+    mock_get_propagation_rtb.return_value = ['rtb-0000']
+    mock_enable_propagation.side_effect = [ResourceBusyException]
+
+    # ACT
+    tgw_attachments = TransitGatewayVPCAttachments(vpc_setup_with_explicit_route_table)
+
+    # ASSERT
+    with pytest.raises(ResourceBusyException):
+        tgw_attachments.enable_transit_gateway_route_table_propagation()
+
+
 @mock_sts
 def test_enable_transit_gateway_route_table_propagation(vpc_setup_with_explicit_route_table):
     # ARRANGE

source/lambda/tgw_vpc_attachment/__tests__/transit_gateway_handler/test_transit_gateway_handler.py

@@ -16,7 +16,6 @@ def wrapper_func(self, *args, **kwargs):
             response = func(self, *args, **kwargs)
         except ClientError as err:
             exception_codes = [
-                'IncorrectState',
                 'InsufficientSubnetsException',
                 'OptInRequired',
                 'DuplicateSubnetsInSameZone'

source/lambda/tgw_vpc_attachment/lib/exceptions.py

@@ -186,9 +186,7 @@ def _add_subnet_to_tgw_attachment(self):
             self.event.get("TransitGatewayAttachmentId"),
             self.event.get('SubnetId'),
         )
-        if response.get("Error") == "IncorrectState":
-            raise ResourceBusyException
-        elif response.get("Error") == "DuplicateSubnetsInSameZone":
+        if response.get("Error") == "DuplicateSubnetsInSameZone":
             self.event.update({"Status": "auto-rejected"})
             comment = "You can only add one subnet in a TGW-VPC attachment per Availability Zone. Please delete and " \
                       "create the tag with RoutingTag provided in the Hub Template"
@@ -218,10 +216,8 @@ def _remove_subnet_from_tgw_attachment(self):
             self.event.get("TransitGatewayAttachmentId"),
             self.event.get('SubnetId'),
         )
-        if response.get("Error") == "IncorrectState":
-            raise ResourceBusyException
         # this exception is caught if the last subnet in the attachment is being deleted
-        elif response.get("Error") == "InsufficientSubnetsException":
+        if response.get("Error") == "InsufficientSubnetsException":
             self.logger.info(
                 "Insufficient Subnets when calling the ModifyTransitGatewayVpcAttachment operation, "
                 "This is the last subnet in the TGW-VPC Attachment. Deleting TGW Attachment..."
@@ -545,14 +541,11 @@ def associate_transit_gateway_route_table(self):
             )
             self.event.update({"Action": "AssociateTgwRouteTable"})
             transit_gateway_attachment_id = self.event.get("TransitGatewayAttachmentId")
-            response = self.hub_ec2_client.associate_transit_gateway_route_table(
+            self.hub_ec2_client.associate_transit_gateway_route_table(
                 association_route_table_id,
                 transit_gateway_attachment_id,
             )
-            state = self._get_association_state(
-                association_route_table_id,
-                response.get("Association").get("State"),
-            )
+            state = self._get_association_state(association_route_table_id)
             self.event.update({"AssociationState": state})
             self._create_tag(
                 self.event.get("VpcId"),
@@ -570,14 +563,11 @@ def disassociate_transit_gateway_route_table(self):
             existing_association_route_table = self.event.get("ExistingAssociationRouteTableId")
             self.logger.info(f"Disassociating TGW Route Table Id: {existing_association_route_table}")
             self.event.update({"Action": "DisassociateTgwRouteTable"})
-            response = self.hub_ec2_client.disassociate_transit_gateway_route_table(
+            self.hub_ec2_client.disassociate_transit_gateway_route_table(
                 existing_association_route_table,
                 self.event.get("TransitGatewayAttachmentId"),
             )
-            state = self._get_association_state(
-                existing_association_route_table,
-                response.get("Association").get("State"),
-            )
+            state = self._get_association_state(existing_association_route_table)
             self.event.update({"DisassociationState": state})
             self._create_tag(
                 self.event.get("VpcId"),
@@ -588,28 +578,33 @@ def disassociate_transit_gateway_route_table(self):
             self.logger.info(TGW_VPC_ERROR)
         return self.event
 
-    def _get_association_state(self, rtb, state: TransitGatewayAssociationStateType):
-        association_in_transient_state = False
-        if state != "associated" or state != "disassociated":
-            association_in_transient_state = True
+    def _get_association_state(self, rtb):
+        max_retries = int(environ.get("MAX_RETRY", 5))  # Default to 5 retries
+        retry = 0
+        vpc_id = self.event.get("VpcId")
+        tgw_attachment_id = self.event.get("TransitGatewayAttachmentId")
+        wait_time = int(environ.get("WAIT_TIME", 5))  # Default to 5 seconds if not set
 
-        while association_in_transient_state:
-            vpc_id = self.event.get("VpcId")
-            tgw_attachment_id = self.event.get("TransitGatewayAttachmentId")
+        while retry < max_retries:
             response = self.hub_ec2_client.get_transit_gateway_route_table_associations(
                 rtb,
                 tgw_attachment_id,
                 vpc_id,
             )
+
             # once the TGW RT is disassociated the returned response is empty list
             state = "disassociated"
             if response:
                 state = response[0].get("State")
             self.logger.info(f"Association Status: {state}")
             if state == "associated" or state == "disassociated":
-                association_in_transient_state = False
-            sleep(int(environ.get("WAIT_TIME")))
-        return state
+                return state
+            retry += 1
+            sleep(wait_time)
+
+        self.logger.error("Maximum retries reached, unable to determine association state.")
+        raise ResourceBusyException
+
 
     @service_exception_handler
     def enable_transit_gateway_route_table_propagation(self):