#698 and #695 (#699)

pyproject.toml

@@ -3,7 +3,7 @@
 
 [tool.poetry]
 name = "aws-service-catalog-puppet"
-version = "0.244.0"
+version = "0.245.0"
 description = "Making it easier to deploy ServiceCatalog products"
 classifiers = ["Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "Programming Language :: Python :: 3", "License :: OSI Approved :: Apache Software License", "Operating System :: OS Independent", "Natural Language :: English"]
 homepage = "https://service-catalog-tools-workshop.com/"

servicecatalog_puppet/cli.py

@@ -580,6 +580,12 @@ def setup_config(
         os.environ[
             environmental_variables.SCHEDULER_ALGORITHM
         ] = remote_config.get_scheduler_algorithm(puppet_account_id_to_use, home_region)
+    if not os.environ.get(environmental_variables.AWS_STS_REGIONAL_ENDPOINTS):
+        os.environ[
+            environmental_variables.AWS_STS_REGIONAL_ENDPOINTS
+        ] = remote_config.get_aws_sts_regional_endpoints(
+            puppet_account_id_to_use, home_region
+        )
 
 
 @cli.command()
@@ -884,6 +890,7 @@ def set_config_value(name, value):
     is_a_boolean = dict(
         spoke_deploy_environment_compute_type=False,
         scheduler_threads_or_processes=False,
+        aws_sts_regional_endpoints=False,
     ).get(name, True)
     management_commands.set_config_value(name, value, is_a_boolean)
 

servicecatalog_puppet/commands/bootstrap.py

@@ -254,6 +254,11 @@ def bootstrap(
                 "ParameterValue": puppet_role_path,
                 "UsePreviousValue": False,
             },
+            {
+                "ParameterKey": "AWSSTSRegionalEndpoints",
+                "ParameterValue": config.get_aws_sts_regional_endpoints(),
+                "UsePreviousValue": False,
+            },
         ],
         "Tags": [{"Key": "ServiceCatalogPuppet:Actor", "Value": "Framework",}]
         + initialiser_stack_tags,

servicecatalog_puppet/commands/task_reference_helpers/generators/spoke_local_portfolios.py

@@ -473,7 +473,6 @@ def handle_spoke_local_portfolios(
                         all_tasks_task_reference,
                         constants.CREATE_POLICIES,
                         share_and_accept_ref,
-
                     ],
                     "account_id": task_to_add.get("account_id"),
                     "region": task_to_add.get("region"),

servicecatalog_puppet/commands/task_reference_helpers/generators/spoke_local_portfolios_test.py

@@ -166,9 +166,7 @@ def test_for_accounts(self):
                 "share_tag_options": "True",
                 "task_reference": f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}",
             },
-            all_tasks[
-                f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}"
-            ],
+            all_tasks[f"portfolio_share_and_accept-{ou_name}-{region}-{portfolio}"],
         )
 
         self.assertEqual(

servicecatalog_puppet/config.py

@@ -16,7 +16,6 @@
     serialisation_utils,
 )
 
-
 logger = logging.getLogger()
 
 
@@ -242,6 +241,10 @@ def get_global_share_principals_default():
     return os.environ.get(environmental_variables.GLOBAL_SHARE_PRINCIPALS)
 
 
+def get_aws_sts_regional_endpoints():
+    return os.environ.get(environmental_variables.AWS_STS_REGIONAL_ENDPOINTS)
+
+
 def get_on_complete_url():
     return os.environ.get(environmental_variables.ON_COMPLETE_URL, "")
 

servicecatalog_puppet/constants.py

@@ -397,7 +397,9 @@
 CACHE_DOWNLOADING_ROLE_NAME = "PuppetRoleForDownloadingFromCache"
 
 SHARE_PRINCIPALS_DEFAULT = False
-
+AWS_STS_REGIONAL_ENDPOINTS_LEGACY = "legacy"
+AWS_STS_REGIONAL_ENDPOINTS_REGIONAL = "regional"
+AWS_STS_REGIONAL_ENDPOINTS_DEFAULT = AWS_STS_REGIONAL_ENDPOINTS_LEGACY
 DESCRIBE_PORTFOLIO_SHARES = "describe-portfolio-shares"
 
 SCHEDULER_ALGORITHM_DEFAULT = "topological_generations"

servicecatalog_puppet/environmental_variables.py

@@ -28,3 +28,4 @@
 SPOKE_SCHEDULER_THREADS_OR_PROCESSES = "SCT_SPOKE_SCHEDULER_THREADS_OR_PROCESSES"
 SPOKE_SCHEDULER_ALGORITHM = "SCT_SPOKE_SCHEDULER_ALGORITHM"
 GLOBAL_SHARE_PRINCIPALS = "SCT_GLOBAL_SHARE_PRINCIPALS"
+AWS_STS_REGIONAL_ENDPOINTS = "AWS_STS_REGIONAL_ENDPOINTS"

servicecatalog_puppet/remote_config.py

@@ -184,6 +184,16 @@ def get_global_share_principals_default(puppet_account_id, default_region=None):
     )
 
 
+@functools.lru_cache(maxsize=32)
+def get_aws_sts_regional_endpoints(puppet_account_id, default_region=None):
+    logger.info(
+        "getting aws_sts_regional_endpoints,  default_region: {}".format(default_region)
+    )
+    return get_config(puppet_account_id, default_region).get(
+        "aws_sts_regional_endpoints", constants.AWS_STS_REGIONAL_ENDPOINTS_DEFAULT
+    )
+
+
 def get_spoke_deploy_environment_compute_type(puppet_account_id, default_region):
     logger.info(
         "getting spoke_deploy_environment_compute_type,  default_region: {}".format(

servicecatalog_puppet/servicecatalog-puppet-initialiser.template.yaml

@@ -4,7 +4,7 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: |
   Initialiser template used to bring up the install ServiceCatalog-Puppet
-  {"version": "0.223.0", "framework": "servicecatalog-puppet", "role": "initialiser"}
+  {"version": "0.245.0", "framework": "servicecatalog-puppet", "role": "initialiser"}
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -13,6 +13,7 @@ Metadata:
           default: "General"
         Parameters:
           - EnabledRegions
+          - AWSSTSRegionalEndPoints
           - ShouldCollectCloudformationEvents
           - ShouldForwardEventsToEventbridge
           - ShouldForwardFailuresToOpscenter
@@ -127,6 +128,14 @@ Parameters:
       - True
       - False
     Default: True
+  AWSSTSRegionalEndPoints:
+    Type: String
+    Description: |
+      This setting specifies how the SDK determines the AWS service endpoint that it uses to talk to the AWS Security Token Service (AWS STS).
+    AllowedValues:
+      - legacy
+      - regional
+    Default: legacy
   ShouldUseStacksServiceRole:
     Type: String
     Description: |
@@ -420,6 +429,9 @@ Resources:
           - Name: SHOULD_SHARE_PRINCIPALS
             Type: PLAINTEXT
             Value: !Ref ShouldSharePrincipals
+          - Name: AWS_STS_REGIONAL_ENDPOINTS
+            Type: PLAINTEXT
+            Value: !Ref AWSSTSRegionalEndPoints
       Source:
         Type: NO_SOURCE
         BuildSpec: |
@@ -440,6 +452,7 @@ Resources:
                 - servicecatalog-puppet set-config-value spoke_deploy_environment_compute_type ${SPOKE_DEPLOY_ENVIRONMENT_COMPUTE_TYPE}
                 - servicecatalog-puppet set-config-value global_share_tag_options_default ${SHOULD_SHARE_TAG_OPTIONS}
                 - servicecatalog-puppet set-config-value global_share_principals_default ${SHOULD_SHARE_PRINCIPALS}
+                - servicecatalog-puppet set-config-value aws_sts_regional_endpoints ${AWS_STS_REGIONAL_ENDPOINTS}
                 - servicecatalog-puppet bootstrap-spoke ${PUPPET_ACCOUNT_ID} --permission-boundary ${PUPPET_ROLE_PERMISSION_BOUNDARY} --puppet-role-name ${PUPPET_ROLE_NAME} --puppet-role-path ${PUPPET_ROLE_PATH}
             build:
               commands:
@@ -471,7 +484,7 @@ Resources:
       Role: !GetAtt StartInstallRole.Arn
       Handler: "index.handler"
       Description: Lambda for starting Puppet CodeBuild Job
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 900
       Code:
         ZipFile: |
@@ -583,6 +596,7 @@ Resources:
           - !Ref ShouldDeleteRollbackCompleteStacks
           - !Ref ShouldShareTagOptions
           - !Ref ShouldSharePrincipals
+          - !Ref AWSSTSRegionalEndPoints
 Outputs:
   ServiceCatalogPuppetRepoConsoleURL:
     Value: !Sub "https://${AWS::Region}.console.aws.amazon.com/codesuite/codecommit/repositories/ServiceCatalogPuppet/browse"

servicecatalog_puppet/template_builder/hub/bootstrap.py

@@ -15,7 +15,7 @@
     ssm,
 )
 
-from servicecatalog_puppet import config, constants
+from servicecatalog_puppet import config, constants, environmental_variables
 
 
 def get_template(
@@ -53,6 +53,18 @@ def get_template(
             Default="No",
         )
     )
+    aws_sts_regional_endpoints_parameter = template.add_parameter(
+        t.Parameter(
+            "AWSSTSRegionalEndpoints",
+            Type="String",
+            Description="This setting specifies how the SDK determines the AWS service endpoint that it uses to talk to the AWS Security Token Service (AWS STS).",
+            Default=constants.AWS_STS_REGIONAL_ENDPOINTS_DEFAULT,
+            AllowedValues=[
+                constants.AWS_STS_REGIONAL_ENDPOINTS_LEGACY,
+                constants.AWS_STS_REGIONAL_ENDPOINTS_REGIONAL,
+            ],
+        )
+    )
     puppet_code_pipeline_role_permission_boundary_parameter = template.add_parameter(
         t.Parameter(
             "PuppetCodePipelineRolePermissionBoundary",
@@ -586,6 +598,11 @@ def get_template(
             "Name": "PUPPET_ROLE_PATH",
             "Value": t.Ref(puppet_role_path_parameter),
         },
+        {
+            "Type": "PLAINTEXT",
+            "Name": environmental_variables.AWS_STS_REGIONAL_ENDPOINTS,
+            "Value": t.Ref(aws_sts_regional_endpoints_parameter),
+        },
     ]
 
     if is_codecommit:

servicecatalog_puppet/workflow/manifest/generate_manifest_with_ids_task.py

@@ -149,6 +149,11 @@ def run(self):
                 "value": config.get_global_share_principals_default(),
                 "type": "PLAINTEXT",
             },
+            {
+                "name": environmental_variables.AWS_STS_REGIONAL_ENDPOINTS,
+                "value": config.get_aws_sts_regional_endpoints(),
+                "type": "PLAINTEXT",
+            },
         ]
 
         if "http" in version:

servicecatalog_puppet/workflow/portfolio/portfolio_management/copy_into_spoke_local_portfolio_task.py

@@ -143,14 +143,10 @@ def run(self):
         products_found = 0
         while products_found < n_products_to_check:
             products_ids = list()
-            paginator = servicecatalog.get_paginator('search_products_as_admin')
-            for page in paginator.paginate(
-                    PortfolioId=spoke_portfolio_id,
-            ):
+            paginator = servicecatalog.get_paginator("search_products_as_admin")
+            for page in paginator.paginate(PortfolioId=spoke_portfolio_id,):
                 for pvd in page.get("ProductViewDetails", []):
-                    products_ids.append(
-                        pvd.get("ProductViewSummary").get("ProductId")
-                    )
+                    products_ids.append(pvd.get("ProductViewSummary").get("ProductId"))
             products_found = 0
             for product_to_check in products_to_check:
                 if product_to_check in products_ids:

servicecatalog_puppet/workflow/portfolio/portfolio_management/import_into_spoke_local_portfolio_task.py

@@ -61,10 +61,8 @@ def run(self):
             products_found = 0
             while products_found < n_products_to_check:
                 products_ids = list()
-                paginator = servicecatalog.get_paginator('search_products_as_admin')
-                for page in paginator.paginate(
-                    PortfolioId=spoke_portfolio_id,
-                ):
+                paginator = servicecatalog.get_paginator("search_products_as_admin")
+                for page in paginator.paginate(PortfolioId=spoke_portfolio_id,):
                     for pvd in page.get("ProductViewDetails", []):
                         products_ids.append(
                             pvd.get("ProductViewSummary").get("ProductId")

setup.py

@@ -73,7 +73,7 @@
 
 setup_kwargs = {
     'name': 'aws-service-catalog-puppet',
-    'version': '0.244.0',
+    'version': '0.245.0',
     'description': 'Making it easier to deploy ServiceCatalog products',
     'long_description': '# aws-service-catalog-puppet\n\n![logo](./docs/logo.png) \n\n## Badges\n\n[![codecov](https://codecov.io/gh/awslabs/aws-service-catalog-puppet/branch/master/graph/badge.svg?token=e8M7mdsmy0)](https://codecov.io/gh/awslabs/aws-service-catalog-puppet)\n\n\n## What is it?\nThis is a python3 framework that makes it easier to share multi region AWS Service Catalog portfolios and makes it \npossible to provision products into accounts declaratively using a metadata based rules engine.\n\nWith this framework you define your accounts in a YAML file.  You give each account a set of tags, a default region and \na set of enabled regions.\n\nOnce you have done this you can define portfolios should be shared with each set of accounts using the tags and you \ncan specify which regions the shares occur in.\n\nIn addition to this, you can also define products that should be provisioned into accounts using the same tag based \napproach.  The framework will assume role into the target account and provision the product on your behalf.\n\n\n## Getting started\n\nYou can read the [installation how to](https://service-catalog-tools-workshop.com/30-how-tos/10-installation/30-service-catalog-puppet.html)\nor you can read through the [every day use](https://service-catalog-tools-workshop.com/30-how-tos/50-every-day-use.html)\nguides.\n\nYou can read the [documentation](https://aws-service-catalog-puppet.readthedocs.io/en/latest/) to understand the inner \nworkings. \n\n\n## Going further\n\nThe framework is one of a pair.  The other is [aws-service-catalog-factory](https://github.com/awslabs/aws-service-catalog-factory).\nWith Service Catalog Factory you can create pipelines that deploy multi region portfolios very easily. \n\n## License\n\nThis library is licensed under the Apache 2.0 License. \n \n',
     'author': 'Eamonn Faherty',