Releases: awslabs/landing-zone-accelerator-on-aws
v1.10.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Performance Improvements
This release includes significant performance improvements to the overall runtime of the LZA pipeline.
feat(performance): changed transpiler to swc - We have replaced the default typescript transpiler for the LZA to use SWC. This enhancement can reduce the overall runtime of the LZA pipeline depending on the amount of accounts and environments that need to be synthesized and deployed. Customers who have a small amount of accounts and enabled regions managed by the LZA will see the greatest benefit from this change.
fix(bootstrap): batched bootstrap checks - We have changed the bootstrapping process to batch api calls that check to see if the bootstrapping stack needs to be updated. This substantially speeds up the bootstrapping stage when an update to the bootstrapping stack does not need to be performed. Customers who have a large amount of accounts and enabled regions will see the greatest benefit from this change
VPC CIDR Ordering
The Landing Zone Accelerator allows customers to provide a list of CIDR ranges when creating Amazon Virtual Private Clouds (VPCs). This release has updated our documentation to specify that the ordering of provided CIDR ranges in the network-config.yaml
file should be maintained when adding or removing additional CIDRs. The first entry in the list is mapped to the CidrBlock CloudFormation property which results in replacement of the resource when modified.
New Configuration Repository Location
Parameter Option for Installation
New LZA Installations:
This release provides the opportunity for new installations to leverage AWS CodeConnections to use GitHub, GitLab, or Bitbucket for storing the LZA configuration files. This supplements existing options including AWS CodeCommit and Amazon S3 to provide even more flexibility when integrating LZA operations into existing workflows.
Added
- feat(networking): add support for TLS1.3 security policy for ALB and NLB listener
- feat(performance): changed transpiler to swc
- feat(pipeline): add codeconnection as configuration source
- feat(regions): add support for the ap-southeast-5 opt-in region
- feat(regions): add feature to enable opt-in regions programmatically
- feat(s3): add error handling and validation for s3 config
- feat(s3): add feature flag parameter use-s3-source for S3 as LZA source code location
- feat(stacksets): added support for dependencies between stacksets
- feat(uninstaller): deleted s3 repo in uninstaller
- feat(yarn): add ability to use .yarnrc to use custom package registry and ca-certs
Fixed
- fix(bootstrap): batched bootstrap checks
- fix(control-tower): updated boolean logic to get LZ identifier
- fix(custom-stacks): loaded replacement values during custom stack deployment
- fix(diff): parse error during diff
- fix(firewalls): fix firewall owner lookup when deployed in shared VPC
- fix(iam): add cdk feature flag to minimize iam policy
- fix(iam): use same form of service principal in all partitions: .amazonaws.com
- fix(logs): refactored NewCloudWatchLogEvent to ignore LZA-managed log groups
- fix(metadata): fixed config file writes with codecommit
- fix(organizations): failure when 5 SCPs with allow-list strategy option is defined
- fix(organizations): update organizations module to handle nested ou's correctly
- fix(prerequisites): checks forces child accounts to have CodeBuild parallel executions
- fix(replacements): accel_lookup variable not getting replaced for all the occurrences
- fix(s3): fix s3 bucket name constructs for imported buckets
- fix(s3): fixed issue where s3 bucket as source did not support a KMS-encrypted bucket
- fix(s3): default asset bucket name to home region
- fix(s3): add methods to construct imported bucket
- fix(ssm): updated session manager role to allow kms permissions in all enabled regions
- fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
- fix(uninstaller): include deletion of IdentityCenter and ResourcePolicyEnforcement stacks
Changed
- chore: remove cdk 2.148.0 dependencies
- chore: suppress node warnings on synth
- chore: update typedoc to v0.26.7
- chore: updated cdk version
- chore: updated deps @types/jest v29.5.12 aws-sdk v3.637.0
- chore: upgrade aws sdk to v2.1691.0
- chore: upgrade lerna to v8.1.8
- chore(cfn-nag): added suppressions
- chore(documentation): add security.md file to repo
- chore(documentation): added json-schema page
- chore(documentation): update config.md Control Tower OU guidance
- chore(documentation): updating typedoc for vpc cidrs to include caveat about cidr list
- chore(installer): added clarification to CF template
- chore(lambda): remove debug console log statements
- chore(modules): renamed modules to lza-modules
- chore(organizations): use global region in AWS Organizations client
- chore(regions): update global region map
- chore(sample-config): add iam user create prevention control in sample config
- chore(sample-config): add kms modification protection to preventative controls in sample config
- chore(sample-config): add disable import findings integration to scp
- chore(sample-config): update s3 service control policy
- chore(sts): updated sts endpoints
- chore(uninstaller): improved performance for deployments with many regions
- chore(validation): extending validation on ENI lookups to allow for _ character
v1.9.2
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(metadata): fixed config file writes with codecommit
- fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
- fix(control-tower): skip existing Control Tower identifier check when Contrtol Tower is not enabled
Changed
- chore: add security.md file to repo
v1.9.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Sample Configuration service control policies (SCPs) enhancement
The lza-sample-config provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-1.json SCP, has been enhanced to include an additional clause to protect invocation of lambda functions that are used within the LZA engine. We recommend reviewing configuration changes made to the lza-sample-config and determine which changes you need to apply to your configuration
Changed
- chore: upgrade github action to node20
Configuration Changes
- chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions
v1.9.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
New Configuration Repository Location
Parameter for Installation
New LZA Installations:
This release provides the opportunity for new installations to leverage Amazon S3 for storing the LZA configuration files which was previously managed by AWS CodeCommit. New installations of LZA are recommended to use s3
as this will be the default source location for the LZA configuration repository moving forward.
Existing LZA Environments / LZA Version Upgrades:
When performing an upgrade to the latest version of LZA, this parameter will not be automatically selected and will require manual intervention. For upgrades of LZA, please select codecommit
as it is not currently supported to migrate from AWS CodeCommit repository to S3 bucket. This feature is prioritized for an upcoming release.
Added
- feat(s3): added use of S3 as a configuration repository location
- feat(network): allow Route53 resolver endpoints and query logging to be defined in the VPC object.
- feat(control-tower): integrate lz management and lz baseline api
- feat(control-tower) integrate lz management and baseline api for external account deployment
- feat(control-tower): lz management api gov cloud support
- feat(control-tower): add global region into the Control Tower governed region list
- feat(logging): add cloudwatch log group data protection policy
- feat(securityhub): allow custom cloudwatch log group for events
Fixed
- fix(bootstrap): Failed to publish asset when cdkOptions.centralizeBuckets: true
- fix(control-tower): add validation to check incorrect landing zone version in global config
- fix(control-tower): new lza installation overrides existing control tower settings
- fix(organizations): unable to create ou with same name under different parent
- fix(organization): ou baseline operation should be skipped when Control Tower is not enabled
Changed
- chore: add commitlint to precommit hook
- chore: upgrade cdk to 2.148.0
- chore: bump cdk bootstrap to 20
- chore(documentation): update opt-in region requirement for Control Tower deployment
- chore(documentation): update merge request template to add unit test information
- chore(test): update all-enabled custom config rule lambda python version
v1.8.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(networking): Fix undefined condition for transitGatewayCidrBlocks property for Transit Gateway.
- bug(pipeline): Suppress mapping bucket results from build log
- fix(pipeline): "find: ‘./cdk.out’: No such file or directory" error in diff stage
- fix(config): update global config cdkoptions and control tower settings
- fix(security-hub): Fixed SecurityHub error "exceeds maximum number of members can be created in a single request"
v1.8.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Added
- feat(networking): Add transit gateway static CIDR blocks and Transit Gateway Connect attachments
- feat(autoScalingGroup): Add option to set maxInstanceLifetime property for AutoScalingGroups
- feat(securityHub): Allow SecurityHub to be enabled when AwsConfig is enabled with deploymentTargets option
- feat(customizations): Add option to set maxInstanceLifetime property for AutoScalingGroups by @insignias
Changed
- chore(github): added automated testing to GitHub repo for external PRs
- chore(networking): update function signatures for vpc resources in network vpc stack
Fixed
- fix(organizations): throttling on ListAccounts call
- fix(control-tower): The baseline 'AWSControlTowerBaseline' cannot be enabled on renamed OUs
- fix(control-tower): change organizations module execution condition
- fix(diff): "Unexpected end of JSON input" error, closes #497
- fix(configrule): Update config rule remediation validation when using KMSMasterKey replacement value
- fix(construct): LZA fails with AWS::Logs::LogGroup already exists, closes #471, #492, #494 by @richardkeit
New Contributors
- @insignias made their first contribution in this release
- @richardkeit made their first contribution in this release
v1.7.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Added
- feat(security-hub): enable cisv3 standard
Fixed
- fix(logging): CreateServiceLinkedRole fails with LogGroup already exists
- fix(organizations): Update number of retries when using SDKV3 retry strategy
- fix(replacements): add check for undefined accountName
v1.7.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
AWS Lambda runtime upgrade to Node.js 18
This version upgrades all of the AWS Lambda runtime to Node.js 18 as the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Performing the upgrade to v1.7.0 should remediate any notifications for upcoming deprecation. Note: Any AWS Config rules in the security-config.yaml
are not automatically updated and will need to be manually validated against the sample configurations for updated configuration files.
AWS Control Tower Integration
Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, then the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available. For more information please review the Documentation
Added
- feat(control-tower): integrate lz management api
- feat(control-tower): integrate lz baseline api
- feat(control-tower): add global region into the Control Tower governed region list
- feat(network): add IPv6 support for DHCP options sets
- feat(network): Provide static IPv6 support for VPC and Subnets
- feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
- feat(network): support vpc peering for vpcs created by vpcTemplates
- feat(network): add resolver config to vpc object
- feat(network): add tag property for interface endpoints
- feat(network): add route53 query logging and resolver endpoint handlers
- feat(logging): wildcards in dynamic partitioning
- feat(logging): add cloudwatch log group data protection policy
- feat(ssm): add targetType to documents
- feat(config): update to use json schema
- feat(replacements): add support for ACCOUNT_NAME in user data
- feat(pipeline): move assets to local directory
- feat(pipeline): validate accelerator version in build stage
- feat(regions): add ca-west-1 support
- feat(securityhub): add custom cloudwatch log group for security hub
- feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
- feat(config): added deploymentTargets for awsConfig
- feat(guardduty): added deploymentTargets for GuardDuty
Changed
- chore(lambda): upgrade to node18 runtime
- chore(sdkv3): remove references to aws-lambda
- chore(sdkv3): remove aws-lambda reference in batch enable standards
- chore(package): tree shake util import to reduce package size
- chore(docs): added docs for local zone subnet creation
Fixed
- fix(replacements): retrieve mgmt credentials during every config validation
- fix(replacements): throw error for undefined replacement
- fix(replacements): updated logic for ignored replacements
- fix(replacements): updated validation pattern
- fix(replacements): updated EmailAddress type to support replacement strings
- fix(route53): revert getHostedZoneNameForService changes
- fix(identity-center): address identity center resource metadata lookup resources
- fix(identity-center): added permission to create assignments for mgmt
- fix(identity-center): removed custom resource for SSM parameters
- fix(diagnostic-pack): assume role name prefix for external deployment
- fix(logging): refactored logging of Security Hub events
- fix(diff): customizations template lookup
- fix(diff): dependent stack lookup
- fix(diff): added error logging to detect file diff errors
- fix(applications): only lookup shared subnet ids for apps in shared vpcs
- fix(toolkit): fixed deployment behavior for non-customization stage
- fix(toolkit): change asset copy files to syn
- fix(toolkit): move asset processing into main
- fix(organizations): unable to create ou with same name under different parent
- fix(organizations): delete policies based on event
- fix(organizations): Resolve issue where policies are not being updated
- fix(pipeline): send UUID on exception of central logs bucket kms key
- fix(config): Update SSM automation document match string
- fix(config): validate regions in customizations
- fix(service-quotas): check existing limit before request
- fix(idc): explicitly set management account for CDK env
- fix(move-accounts): retry strategy and increase timeout
- fix(alb): Update target types to include lambda
- fix(validation): check for duplicate emails in accounts-config
- fix(validation) Update KMS key lookup validation in security-config
Configuration Changes
- chore(sample-config): remove breakglass user from the sample configurations
- chore(sample-config): add alerting for breakglass user account usage
v1.6.4
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Added
- feat(validation): add option to skip scp validation during prepare stage
Fixed
- fix(toolkit): move custom stack queue out of toolkit
v1.6.3
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(organizations): ignore deletion for policies that do not exist
- fix(organizations): resolve issue where existing policies were not being updated