Merge pull request #113 from aws-solutions/release/v3.3.5

Release v3.3.5

CHANGELOG.md

@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [3.3.5] - 2024-04
+
+### Added
+
+- Validation of transit gateway route table names to improve error message in case of duplicate names
+
+### Changed
+
+- Removed dependency on 'requests' library to mitigate CVE-2024-3651
+
 ## [3.3.4] - 2024-04
 
 ### Fixed

NOTICE.txt

@@ -149,7 +149,6 @@ python-dateutil                          Apache Software License, BSD License
 python-jose                              MIT License
 pytz                                     MIT License
 regex                                    Apache Software License
-requests                                 Apache Software License
 responses                                Apache 2.0
 rsa                                      Apache Software License
 s3transfer                               Apache Software License

README.md

@@ -182,7 +182,9 @@ See license [here](./LICENSE.txt).
 
 ## Collection of operational metrics
 
-This solution includes an option to send anonymized operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/reference.html).
+This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For
+more information, including how to disable this capability, please see
+the [implementation guide](https://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/reference.html).
 
 ---
 

source/lambda/custom_resource/__tests__/test_custom_resource_helper.py

@@ -352,7 +352,7 @@ def test__success__fail(self, mocker):
 
         # success
         m1 = mocker.patch(
-            "requests.put",
+            "urllib.request.urlopen",
         )
         send(
             event=CFN_REQUEST_EVENT,

source/lambda/custom_resource/lib/custom_resource_helper.py

@@ -8,10 +8,10 @@
 import threading
 import time
 from os import environ, path
+from urllib import request, error
 from uuid import uuid4
 
 import boto3
-import requests
 from aws_lambda_powertools import Logger
 from aws_lambda_powertools.utilities.typing import LambdaContext
 from aws_lambda_typing import events
@@ -319,15 +319,21 @@ def send(
 
     json_response_body = json.dumps(response_body)
     headers = {
-        "content-type": "",
-        "content-length": str(len(json_response_body)),
+        "Content-Type": "application/json",
+        "Content-Length": str(len(json_response_body)),
     }
 
+    req = request.Request(response_url, data=json_response_body.encode('utf-8'), headers=headers, method='PUT')
+
     try:
-        response = requests.put(
-            response_url, data=json_response_body, headers=headers
-        )
-        logger.info("CloudFormation returned status code: %s", response.reason)
-    except Exception as err:
-        logger.error("send(..) failed executing requests.put(..): %s", str(err))
+        with request.urlopen(req) as response:
+            # Log the status code and reason
+            logger.info("CloudFormation returned status code: %s", response.reason)
+    except error.HTTPError as e:
+        # Handle HTTP errors
+        logger.error("send(..) failed sending PUT request: %s", str(e))
+        raise
+    except error.URLError as e:
+        # Handle URL errors (e.g., connectivity issues, invalid URL)
+        logger.error("send(..) failed sending PUT request: %s", str(e.reason))
         raise

source/lambda/custom_resource/lib/utils.py

@@ -7,9 +7,9 @@
 import os
 import re
 from datetime import datetime
+from urllib import request, error
 
 import botocore
-import requests
 
 
 def sanitize(name, space_allowed=False, replace_with_character="_"):
@@ -61,10 +61,23 @@ def send_metrics(
     params = {"Solution": solution_id, "UUID": uuid, "Data": data}
     metrics = dict(time_stamp, **params)
     json_data = json.dumps(metrics)
-    headers = {"content-type": "application/json"}
-    req = requests.post(url, data=json_data, headers=headers)
-    code = req.status_code
-    return code
+    headers = {"Content-Type": "application/json"}
+
+    # Prepare the data and headers for the POST request
+    data = json_data.encode('utf-8')  # Encode the data to bytes
+    req = request.Request(url, data=data, headers=headers, method='POST')
+
+    # Execute the request and handle the response
+    try:
+        with request.urlopen(req) as response:
+            code = response.getcode()  # Get the response code
+            return code
+    except error.HTTPError as e:
+        # If an HTTP error occurs, return the HTTP error code
+        return e.code
+    except error.URLError as e:
+        # Handle other URL errors and re-raise them
+        raise ConnectionError(f"Error during POST request: {e.reason}")
 
 
 boto3_config = botocore.config.Config(

source/lambda/requirements.txt

@@ -15,11 +15,6 @@ s3transfer==0.7.0
 six==1.16.0
 urllib3==2.0.7
 
-requests~=2.31.0
-#sub-dependencies
-certifi==2023.7.22
-charset-normalizer==3.3.0
-idna==3.4
 
 boto3-stubs[essential]~=1.26.0
 boto3-stubs[ram]~=1.26.0

source/lambda/tgw_vpc_attachment/__tests__/transit_gateway_handler/test_approval_tag_handler.py

@@ -453,8 +453,9 @@ def test_tgw_route_approval_required_tag_conditional_with_rule_not_in_ou__rule_m
     create_propagation_rule_tag(vpc_setup_with_explicit_route_table, 'default', 'Reject')
     create_association_rule_tag(vpc_setup_with_explicit_route_table, '01', 'Accept')
     create_propagation_rule_tag(vpc_setup_with_explicit_route_table, '01', 'Accept')
+    gateway_route_table = vpc_setup_with_explicit_route_table['transit_gateway_route_table']
     EC2().create_tags(
-        vpc_setup_with_explicit_route_table['transit_gateway_route_table'],
+        gateway_route_table,
         "ApprovalRule-01-NotInOUs",
         'Root/core'
     )
@@ -473,6 +474,9 @@ def test_tgw_route_approval_required_tag_conditional_with_rule_not_in_ou__rule_m
     assert response['ExistingAssociationRouteTableId'] == 'none'
     assert response['ApprovalRequired'] == 'no'
     assert response['Status'] == 'auto-approved'
+    assert response['AssociationRouteTableId'] == gateway_route_table
+    assert len(response['PropagationRouteTableIds']) == 1
+    assert response['PropagationRouteTableIds'][0] == gateway_route_table
 
 
 @mock_sts

source/lambda/tgw_vpc_attachment/__tests__/transit_gateway_handler/test_describe_transit_gateway.py

@@ -1,7 +1,9 @@
 import os
 
+import boto3
+import pytest
 from aws_lambda_powertools.utilities.typing import LambdaContext
-from moto import mock_sts
+from moto import mock_sts, mock_ec2
 
 from tgw_vpc_attachment.__tests__.conftest import override_environment_variables
 from tgw_vpc_attachment.main import lambda_handler
@@ -28,7 +30,6 @@ def test_tgw_describe_transit_gateway_vpc_attachments_existing(vpc_setup_with_ex
     assert response['TgwAttachmentExist'] == 'yes'
     assert response['FoundExistingSubnetInAttachment'] == 'no'
 
-
 @mock_sts
 def test_tgw_describe_transit_gateway_vpc_attachments_existing_with_subnet(vpc_setup_with_explicit_route_table):
     # ARRANGE
@@ -71,3 +72,54 @@ def test_tgw_describe_transit_gateway_no_vpc_attachment(vpc_setup_with_explicit_
     # ASSERT
     assert response['TgwAttachmentExist'] == 'no'
     assert response['AttachmentState'] == 'deleted'
+
+
+@mock_sts
+def test_describe_transit_gateway_route_tables_with_duplicate_names(vpc_setup_with_explicit_route_table):
+    # ARRANGE
+    override_environment_variables()
+
+    with mock_ec2():
+        ec2_client = boto3.client("ec2", region_name="us-east-1")
+
+    tags = [
+        {
+            'ResourceType': 'transit-gateway-route-table',
+            'Tags': [
+                {
+                    'Key': 'Name',
+                    'Value': 'my-duplicate-route-table-name'
+                },
+                {
+                    'Key': os.environ['APPROVAL_KEY'],
+                    'Value': 'No'
+                }
+            ]
+        },
+    ]
+    ec2_client.create_transit_gateway_route_table(
+        TransitGatewayId=vpc_setup_with_explicit_route_table['tgw_id'],
+        TagSpecifications=tags
+    )
+
+    # create a second route table with same 'name' tag
+    ec2_client.create_transit_gateway_route_table(
+        TransitGatewayId=vpc_setup_with_explicit_route_table['tgw_id'],
+        TagSpecifications=tags
+    )
+
+    # ACT
+    with pytest.raises(Exception) as error_info:
+        lambda_handler({
+            'params': {
+                'ClassName': 'TransitGateway',
+                'FunctionName': 'describe_transit_gateway_route_tables'
+            },
+            'event': {
+                'VpcId': vpc_setup_with_explicit_route_table['vpc_id'],
+                'SubnetId': 'subnet_not_in_attachment_id'
+            }}, LambdaContext())
+
+    # ASSERT
+    assert "Invalid TGW route table setup. Multiple route tables are tagged with the name my-duplicate-route-table-name, which prevents deterministic TGW association. Please tag each route table with a unique name." in str(
+        error_info.value)