Merge pull request #81 from sanjay-reddy-kandi/main

release/v2.7.6

Author: abewub

CHANGELOG.md

@@ -4,6 +4,13 @@
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.7.6] - 2025-04
+### Added
+- Updated AppRegistry implementation to use tag-based approach instead of CFN-based association.
+
+### Fixed
+- Update base python image to mitigate [CVE-2025-0395](https://nvd.nist.gov/vuln/detail/CVE-2025-0395), [CVE-2024-12133](https://nvd.nist.gov/vuln/detail/CVE-2024-12133), [CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
+
 ## [2.7.5] - 2025-01
 ### Fixed
 - Updated aws-lambda-powertools from version 2.39.1 to 3.4.1

deployment/run-unit-tests.sh

@@ -14,7 +14,7 @@ main() {
   echo "Installing python packages including development dependencies"
   cd "$source_dir"
   "$POETRY_HOME"/bin/poetry install --with dev
-  
+
   # Activate the virtual environment.
   source $("$POETRY_HOME"/bin/poetry env info --path)/bin/activate
 

source/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/python:3.12.7-slim-bookworm
+FROM public.ecr.aws/docker/library/python:3.12.9-slim-bookworm
 
 # Set up a non-root user
 RUN adduser -uid 1001 nonroot

source/lib/components/app-registry-hub-resources.ts

@@ -1,18 +1,9 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 import * as cdk from "aws-cdk-lib";
-import * as appreg from "@aws-cdk/aws-servicecatalogappregistry-alpha";
-import { Aws, CfnCondition, Fn, Tags } from "aws-cdk-lib";
-import { CfnApplication } from "aws-cdk-lib/aws-applicationinsights";
-import {
-  CfnAttributeGroup,
-  CfnAttributeGroupAssociation,
-  CfnResourceAssociation,
-} from "aws-cdk-lib/aws-servicecatalogappregistry";
-import { CfnResourceShare } from "aws-cdk-lib/aws-ram";
+import * as servicecatalogappregistry from "aws-cdk-lib/aws-servicecatalogappregistry";
+import { Aws, Fn, Tags } from "aws-cdk-lib";
 import { Construct } from "constructs";
-import overrideLogicalId from "../cdk-helper/override-logical-id";
-import setCondition from "../cdk-helper/set-condition";
 
 export interface AppRegistryHubResourcesProps extends cdk.StackProps {
   solutionId: string;
@@ -21,104 +12,26 @@ export interface AppRegistryHubResourcesProps extends cdk.StackProps {
   solutionVersion: string;
   appRegistryApplicationName: string;
   applicationType: string;
-  managementAccountId: string;
-  orgId: string;
-  multiAccountDeploymentCondition: CfnCondition;
 }
 
 export class AppRegistryHubResources extends Construct {
+  public readonly applicationTagValue: string;
   constructor(scope: Construct, id: string, props: AppRegistryHubResourcesProps) {
     super(scope, id);
-    const application = new appreg.Application(this, "AppRegistry", {
-      applicationName: Fn.join("-", [props.appRegistryApplicationName, Aws.REGION, Aws.ACCOUNT_ID]),
+    const application = new servicecatalogappregistry.CfnApplication(this, "AppRegistry", {
+      name: Fn.join("-", [props.appRegistryApplicationName, Aws.REGION, Aws.ACCOUNT_ID]),
       description: `Service Catalog application to track and manage all your resources for the solution ${props.solutionName}`,
     });
-    const cfnApplication = application.node.defaultChild as CfnApplication;
-    overrideLogicalId(cfnApplication, "Application");
-
-    const cfnresourceAssociation = new CfnResourceAssociation(this, "CfnResourceAssociation", {
-      application: application.applicationId,
-      resource: Aws.STACK_ID,
-      resourceType: "CFN_STACK",
-    });
-    overrideLogicalId(cfnresourceAssociation, "AppRegistryApplicationStackAssociation");
-
-    const attributeGroup = new appreg.AttributeGroup(this, "DefaultApplicationAttributeGroup", {
-      attributeGroupName: Fn.join("-", [props.appRegistryApplicationName, Aws.REGION, Aws.ACCOUNT_ID]),
-      description: "Attribute group for solution information",
-      attributes: {
-        applicationType: props.applicationType,
-        version: props.solutionVersion,
-        solutionID: props.solutionId,
-        solutionName: props.solutionName,
-      },
-    });
-
-    const cfnAttributeGroup = attributeGroup.node.defaultChild as CfnAttributeGroup;
-    overrideLogicalId(cfnAttributeGroup, "DefaultApplicationAttributeGroup");
-
-    const cfnAttributeGroupAssociation = new CfnAttributeGroupAssociation(this, "AttributeGroupAssociation", {
-      application: application.applicationId,
-      attributeGroup: attributeGroup.attributeGroupId,
-    });
-    overrideLogicalId(cfnAttributeGroupAssociation, "AppRegistryApplicationAttributeAssociation");
-
-    const appInsights = new CfnApplication(this, "ApplicationInsightsConfiguration", {
-      resourceGroupName: Fn.join("-", [
-        "AWS_AppRegistry_Application",
-        props.appRegistryApplicationName,
-        Aws.REGION,
-        Aws.ACCOUNT_ID,
-      ]),
-      autoConfigurationEnabled: true,
-      cweMonitorEnabled: true,
-      opsCenterEnabled: true,
-    });
-    appInsights.addDependency(cfnApplication);
-    overrideLogicalId(appInsights, "ApplicationInsightsConfiguration");
-
-    const resourceShare = new CfnResourceShare(this, "ApplicationShare", {
-      name: Aws.STACK_NAME,
-      allowExternalPrincipals: false,
-      permissionArns: [
-        cdk.Arn.format(
-          {
-            service: "ram",
-            resource: "permission",
-            resourceName: "AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation",
-            partition: Aws.PARTITION,
-            region: "",
-            account: "aws",
-          },
-          cdk.Stack.of(this),
-        ),
-      ],
-      principals: [
-        cdk.Arn.format(
-          {
-            service: "organizations",
-            resource: "organization",
-            resourceName: `${props.orgId}`,
-            partition: Aws.PARTITION,
-            region: "",
-            account: props.managementAccountId,
-          },
-          cdk.Stack.of(this),
-        ),
-      ],
-      resourceArns: [application.applicationArn],
-    });
-
-    overrideLogicalId(resourceShare, "ApplicationShare");
-    setCondition(resourceShare, props.multiAccountDeploymentCondition);
+    application.overrideLogicalId("Application");
+    this.applicationTagValue = application.attrApplicationTagValue;
 
     // Tags for application
 
-    Tags.of(application).add("SolutionID", props.solutionId);
-    Tags.of(application).add("SolutionName", props.solutionName);
-    Tags.of(application).add("SolutionVersion", props.solutionVersion);
-    Tags.of(application).add("ApplicationType", props.applicationType);
-    Tags.of(application).add("SolutionDomain", props.solutionDomain);
+    Tags.of(application).add("Solutions:SolutionID", props.solutionId);
+    Tags.of(application).add("Solutions:SolutionName", props.solutionName);
+    Tags.of(application).add("Solutions:SolutionVersion", props.solutionVersion);
+    Tags.of(application).add("Solutions:ApplicationType", props.applicationType);
+    Tags.of(application).add("Solutions:SolutionDomain", props.solutionDomain);
     Tags.of(application).add("CloudFoundations:CostOptimizerForWorkspaces", Aws.STACK_NAME);
   }
 }

source/lib/components/app-registry-spoke-resources.ts

@@ -413,7 +413,7 @@ export class CostOptimizerHubStack extends cdk.Stack {
     const reportingBucket = new UsageReportBucketResources(this, "UsageReportBucketResources");
 
     const spokeAccountTable = new Table(this, "SpokeAccountTable", {
-      pointInTimeRecovery: true,
+      pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
       removalPolicy: cdk.RemovalPolicy.RETAIN,
       encryption: TableEncryption.AWS_MANAGED,
       billingMode: BillingMode.PAY_PER_REQUEST,
@@ -435,7 +435,7 @@ export class CostOptimizerHubStack extends cdk.Stack {
       sortKey: { name: "Region", type: AttributeType.STRING },
       removalPolicy: cdk.RemovalPolicy.RETAIN,
       encryption: TableEncryption.AWS_MANAGED,
-      pointInTimeRecovery: true,
+      pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
       billingMode: BillingMode.PAY_PER_REQUEST,
     });
     const usageTableNode = usageTable.node.findChild("Resource") as cdk.aws_dynamodb.CfnTable;
@@ -450,7 +450,7 @@ export class CostOptimizerHubStack extends cdk.Stack {
       sortKey: { name: "SessionTime", type: AttributeType.STRING },
       removalPolicy: cdk.RemovalPolicy.RETAIN,
       encryption: TableEncryption.AWS_MANAGED,
-      pointInTimeRecovery: true,
+      pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
       billingMode: BillingMode.PAY_PER_REQUEST,
     });
     const sessionTableNode = userSessionTable.node.findChild("Resource") as cdk.aws_dynamodb.CfnTable;
@@ -543,7 +543,7 @@ export class CostOptimizerHubStack extends cdk.Stack {
       stableTagInUse: stableTagging.valueAsString,
     };
 
-    new EcsClusterResources(this, "EcsClusterResources", ecsClusterProps);
+    const ecsClusterResources = new EcsClusterResources(this, "EcsClusterResources", ecsClusterProps);
 
     const registerSpokeAccountProps: RegisterSpokeAccountResourcesProps = {
       solutionId: props.solutionId,
@@ -577,12 +577,30 @@ export class CostOptimizerHubStack extends cdk.Stack {
       solutionVersion: props.solutionVersion,
       applicationType: "AWS-Solutions",
       appRegistryApplicationName: mappings.findInMap("Data", "AppRegistryApplicationName"),
-      managementAccountId: managementAccountId.valueAsString,
-      orgId: organizationID.valueAsString,
-      multiAccountDeploymentCondition: multiAccountDeploymentCondition,
     };
 
-    new AppRegistryHubResources(this, "AppRegistryHubResources", appRegistryHubProps);
+    const appRegistry = new AppRegistryHubResources(this, "AppRegistryHubResources", appRegistryHubProps);
+
+    // Function to add tags to a construct
+    const addTags = (construct: Construct) => {
+      cdk.Tags.of(construct).add("SolutionIdKey", props.solutionId);
+      cdk.Tags.of(construct).add("SolutionNameKey", props.solutionName);
+      cdk.Tags.of(construct).add("SolutionVersionKey", props.solutionVersion);
+      cdk.Tags.of(construct).add("awsApplication", appRegistry.applicationTagValue);
+    };
+
+    [
+      reportingBucket,
+      costOptimizerVpc,
+      ecsClusterResources,
+      uuidGenerator,
+      registerSpokeAccountFunction,
+      spokeAccountTable,
+      usageTable,
+      userSessionTable,
+    ].forEach((resource) => {
+      if (resource) addTags(resource);
+    });
 
     // Outputs
     new CfnOutput(this, "BucketNameOutput", {

source/lib/cost-optimizer-for-amazon-workspaces-hub-stack.ts

@@ -8,7 +8,6 @@ import { Policy, Role, PolicyDocument, PolicyStatement, ServicePrincipal, ArnPri
 import { Bucket } from "aws-cdk-lib/aws-s3";
 import * as lambda from "aws-cdk-lib/aws-lambda";
 import { Code, Runtime } from "aws-cdk-lib/aws-lambda";
-import { AppRegistrySpokeResources, AppRegistrySpokeResourcesProps } from "./components/app-registry-spoke-resources";
 import overrideLogicalId from "./cdk-helper/override-logical-id";
 import { addCfnNagSuppression } from "./cdk-helper/add-cfn-nag-suppression";
 export interface CostOptimizerSpokeStackProps extends cdk.StackProps {
@@ -272,17 +271,6 @@ export class CostOptimizerSpokeStack extends cdk.Stack {
     customResource.node.addDependency(accountRegistrationProviderRolePolicy);
     overrideLogicalId(customResource, "AccountRegistration");
 
-    const appRegistrySpokeResourcesProps: AppRegistrySpokeResourcesProps = {
-      solutionId: props.solutionId,
-      solutionName: props.solutionName,
-      solutionVersion: props.solutionVersion,
-      hubAccountId: hubAccountId.valueAsString,
-      appRegistryApplicationName: "workspaces-cost-optimizer",
-      applicationType: "AWS-Solutions",
-    };
-
-    new AppRegistrySpokeResources(this, "AppRegistrySpokeResources", appRegistrySpokeResourcesProps);
-
     new CfnOutput(this, "SolutionIDOutput", {
       value: mappings.findInMap("Data", "ID"),
       exportName: "SolutionID",