Feat/support china partition merge

docs/admin-guide.md

@@ -63,6 +63,10 @@ The `adfconfig.yml` file resides on the
 and defines the general high-level configuration for the AWS Deployment
 Framework.
 
+For Govcloud and China deployments, `adfconfig.yml` file resides on the
+[management account](#management-account) CodeCommit Repository
+(in us-gov-west-1 and cn-north-1 respectively)
+
 The configuration properties are synced into AWS Systems Manager Parameter
 Store and are used for certain orchestration options throughout your
 Organization.
@@ -775,8 +779,9 @@ accounts stay within your organization’s access control guidelines.
 ADF allows SCPs to be applied in a similar fashion as base stacks. You can
 define your SCP definition in a file named `scp.json` and place it in a folder
 that represents your Organizational Unit (or OU/AccountName path if you are
-wanting to apply an account-specific SCP) within the `adf-bootstrap` folder from
-the `aws-deployment-framework-bootstrap` repository on the management account.
+wanting to apply an account-specific SCP) within the `adf-bootstrap` folder
+from the `aws-deployment-framework-bootstrap` repository on the management
+account.
 
 For example, if you have an account named `my_banking_account` under the
 `banking/dev` OU that needs a specific SCP, and another SCP defined for the
@@ -820,8 +825,8 @@ You can define your Tagging Policy definition in a file named
 `tagging-policy.json` and place it in a folder that represents your
 Organizational Unit within the `adf-bootstrap` folder from the
 `aws-deployment-framework-bootstrap` repository on the management account.
-Tagging policies can also be applied to a single account using the same approach
-described above for SCPs.
+Tagging policies can also be applied to a single account using the same
+approach described above for SCPs.
 
 Tag Policies are available only in an organization that has
 [all features enabled](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html).
@@ -916,8 +921,10 @@ To determine the current version, follow these steps:
 
 ### ADF version you have deployed
 
-To check the current version of ADF that you have deployed, go to the management
-account in us-east-1. Check the CloudFormation stack output or tag of the
+To check the current version of ADF that you have deployed, go to the
+management account in us-east-1 for global partition deployments. For Govcloud
+and China deployments go to us-gov-west-1 and cn-north-1 respectively. Check
+the CloudFormation stack output or tag of the
 `serverlessrepo-aws-deployment-framework` Stack.
 
 - In the outputs tab, it will show the version as the `ADFVersionNumber`.
@@ -938,8 +945,9 @@ releases](https://github.com/awslabs/aws-deployment-framework/releases).
 The `serverlessrepo-aws-deployment-framework` stack is updated through this
 process with new changes that were included in that release of ADF.
 
-To check the progress in the management account in `us-east-1`, follow these
-steps:
+To check the progress in the management account in `us-east-1` for global
+partition deployments; for Govcloud and China deployments go to us-gov-west-1
+or cn-north-1 respectively, follow these steps:
 
 1. Go to the [CloudFormation
    console](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringStatus=active&filteringText=serverlessrepo-aws-deployment-framework&viewNested=true&hideStacks=false)
@@ -949,14 +957,14 @@ steps:
    with a recent `Updated time` is what you want to see.
 4. If it is in progress or if it has not applied the update yet, you can go to
    the `Events` tab to see what is happening and if any error happened. Use the
-   refresh button on the top right of the table to retrieve updates on the stack
-   deployment.
+   refresh button on the top right of the table to retrieve updates on the
+   stack deployment.
 
-   Once finished, you need to merge the pull request after reviewing the changes
-   if any are present. Since there might be changes to some of the foundational
-   aspects of ADF and how it works _(eg CDK Constructs)_. These changes might
-   need to be applied to the files that live within the _bootstrap_ repository
-   in your AWS management account too.
+   Once finished, you need to merge the pull request after reviewing the
+   changes if any are present. Since there might be changes to some of the
+   foundational aspects of ADF and how it works _(eg CDK Constructs)_.
+   These changes might need to be applied to the files that live within
+   the _bootstrap_ repository in your AWS management account too.
 
    To ease this process, the AWS CloudFormation stack will run the
    _InitialCommit_ Custom CloudFormation resource when updating ADF.
@@ -981,7 +989,8 @@ Which branch is used is determined by:
 
    Alternatively, you can also perform the update using the AWS CLI.
 
-In the management account in `us-east-1`:
+In the management account in `us-east-1` for global partition deployments;
+For Govcloud and China deployments in us-gov-west-1 or cn-north-1 respectively:
 
 1. Go to the Pull Request section of the `aws-deployment-framework-bootstrap`
    [CodeCommit
@@ -996,16 +1005,17 @@ In the management account in `us-east-1`:
    changes that it proposes. Once reviewed, merge the pull request to continue.
 
 Confirm the `aws-deployment-framework-bootstrap` pipeline in the management
-account in `us-east-1`:
+account in `us-east-1` for global partition deployments; For Govcloud and China
+deployments go to us-gov-west-1 or cn-north-1 respectively:
 
 1. Go to the [CodePipeline console for the aws-deployment-framework-bootstrap
    pipeline](https://console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-bootstrap-pipeline/view?region=us-east-1).
 2. This should progress and turn up as green. If you did not have to merge the
    pull request in the prior step, feel free to 'Release changes' on the
    pipeline to test it.
 3. If any of these steps fail, you can click on the `Details` link to get more
-   insights into the failure. Please report the step where it failed and include
-   a copy of the logs when it fails here.
+   insights into the failure. Please report the step where it failed and
+   include a copy of the logs when it fails here.
 
 The `aws-deployment-framework-bootstrap` pipeline will trigger the account
 creation and on-boarding process in parallel.
@@ -1027,8 +1037,8 @@ trigger the `aws-deployment-framework-pipelines` pipeline in the
 _deployment account_ in _your main region_:
 
 1. Open your deployment account.
-2. Make sure you are in the main deployment region, where all your pipelines are
-   located.
+2. Make sure you are in the main deployment region, where all your pipelines
+   are located.
 3. Go to the CodePipeline console and search for
    `aws-deployment-framework-pipelines`.
 4. This should progress and turn up as green. If any of these steps fail, it
@@ -1091,7 +1101,9 @@ Alternatively, you can also perform the update using the AWS CLI.
 
 If you wish to remove ADF you can delete the CloudFormation stack named
 `serverlessrepo-aws-deployment-framework` in the management account in
-the `us-east-1` region. This will move into a `DELETE_FAILED` at some stage because
+the `us-east-1` region for global partition deployments; For Govcloud and China
+deployments go to us-gov-west-1 or cn-north-1 respectively.
+This will move into a `DELETE_FAILED` at some stage because
 there is an S3 Bucket that is created via a custom resource _(cross region)_.
 After it moves into `DELETE_FAILED`, you can right-click on the stack and hit
 delete again while selecting to skip the Bucket the stack will successfully
@@ -1108,11 +1120,13 @@ the base stack when the account is moved to the Root of the AWS Organization.
 
 One thing to keep in mind if you are planning to re-install ADF is that you
 will want to clean up the parameter from SSM Parameter Store named
-_deployment_account_id_ in `us-east-1` on the management account. AWS Step
-Functions uses this parameter to determine if ADF has already got a deployment
-account setup. If you re-install ADF with this parameter set to a value,
-ADF will attempt an assume role to the account to do some work, which will fail
-since that role will not be on the account at that point.
+_deployment_account_id_ in `us-east-1` on the management account for global
+partition deployments; For Govcloud and China deployments go to us-gov-west-1
+or cn-north-1 respectively. AWS Step Functions uses this parameter to determine
+if ADF has already got a deployment account setup. If you re-install ADF with
+this parameter set to a value, ADF will attempt an assume role to the account
+to do some work, which will fail since that role will not be on the account at
+that point.
 
 There is also a CloudFormation stack named `adf-global-base-adf-build` which
 lives on the management account in your main deployment region. This stack
@@ -1147,7 +1161,9 @@ There are two ways to enable this:
    to deploy the latest version again, set the `Log Level` to `DEBUG` to get
    extra logging information about the issue you are experiencing.
 2. If you are running an older version of ADF, please navigate to the
-   CloudFormation Console in `us-east-1` of the AWS Management account.
+   CloudFormation Console in `us-east-1` of the AWS Management account for
+   global partition deployments; For Govcloud and China deployments go to
+   us-gov-west-1 or cn-north-1 respectively.
 3. Update the stack.
 4. For any ADF deployment of `v3.2.0` and later, please change the `Log Level`
    parameter and set it to `DEBUG`. Deploy those changes and revert them after
@@ -1162,16 +1178,20 @@ Please trace the failed component and dive into/report the debug information.
 
 The main components to look at are:
 
-1. In the AWS Management Account in `us-east-1`:
+1. In the AWS Management Account in `us-east-1` for global partition deployments;
+For Govcloud and Chinadeployments go to us-gov-west-1 or cn-north-1 respectively:
 2. The [CloudFormation aws-deployment-framework stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringStatus=active&filteringText=aws-deployment-framework&viewNested=true&hideStacks=false).
 3. The [CloudWatch Logs for the Lambda functions deployed by ADF](https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions?f0=true&n0=false&op=and&v0=ADF).
 4. Check if the [CodeCommit pull
    request](https://console.aws.amazon.com/codesuite/codecommit/repositories/aws-deployment-framework-bootstrap/pull-requests?region=us-east-1&status=OPEN)
    to install the latest version changes of ADF is merged into your default
-   branch for the `aws-deployment-framework-bootstrap` (ADF Bootstrap) repository.
+   branch for the `aws-deployment-framework-bootstrap` (ADF Bootstrap)
+   repository.
 5. The [CodePipeline execution of the AWS Bootstrap pipeline](https://console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-bootstrap-pipeline/view?region=us-east-1).
 6. Navigate to the [AWS Step Functions service](https://us-east-1.console.aws.amazon.com/states/home?region=us-east-1#/statemachines)
-   in the management account in `us-east-1`. Check the state machines named
+   in the management account in `us-east-1`for global partition deployments;
+   For Govcloud and China deployments go to us-gov-west-1 or cn-north-1
+   respectively, check the state machines named
    `AccountManagementStateMachine...` and
    `AccountBootstrappingStateMachine...`. Look at recent executions only.
     - When you find one that has a failed execution, check the components that

docs/installation-guide.md

@@ -661,7 +661,8 @@ automatically in the background, to follow its progress:
    that started the bootstrap process for the deployment account. You can view
    the progress of this in the management account in the AWS Step Functions
    console for the step function `AccountBootstrappingStateMachine-` in the
-   `us-east-1` region.
+   `us-east-1` region for global partition deployments; For Govcloud and China
+   deployments go to us-gov-west-1 or cn-north-1 respectively.
 
 3. Once the Step Function has completed, switch roles over to the newly
    bootstrapped deployment account in the region you defined as your main

docs/samples-guide.md

@@ -70,7 +70,9 @@ Management Account. By default, there is a `global.yml` in the root of the
 be appended to as required.
 
 If we look at AWS Step Functions in the management account in `us-east-1`
-we can see the progress of the bootstrap process.
+we can see the progress of the bootstrap process for global partition
+deployments; For Govcloud and China deployments go to us-gov-west-1 or
+cn-north-1 respectively.
 
 ![run-state-machine](./images/run-state-machine.png)
 

src/lambda_codebase/account_bootstrap.py

@@ -83,7 +83,8 @@ def configure_generic_account(sts, event, region, role):
 
 def configure_master_account_parameters(event):
     """
-    Update the management account parameter store in us-east-1 with the
+    Update the management account parameter store in the base region
+    of the partition (us-east-1, us-gov-west-1 or cn-north-1) with the
     deployment_account_id then updates the main deployment region
     with that same value
     """

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml

@@ -687,6 +687,11 @@ Resources:
                 python: 3.12
                 nodejs: 20
               commands:
+                - |
+                  if [ "${AWS::Region}" = "cn-north-1" ]; then
+                    pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
+                    npm config set registry https://registry.npmmirror.com
+                  fi
                 - aws s3 cp s3://$SHARED_MODULES_BUCKET/adf-build/ ./adf-build/ --recursive --quiet
                 - pip install -r adf-build/requirements.txt -r adf-build/helpers/requirements.txt -q -t ./adf-build
             pre_build:

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/tests/stubs/slack.py

@@ -87,3 +87,87 @@
         }
     }]
 }
+
+stub_approval_event_cn = {
+    'Records': [{
+        'EventSource': 'aws:sns',
+        'EventVersion': '1.0',
+        'EventSubscriptionArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+        'Sns': {
+            'Type': 'Notification',
+            'MessageId': '1',
+            'TopicArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+            'Subject': 'APPROVAL NEEDED: AWS CodePipeline adf-pipeline-sample-vpc for action Approve',
+            'Message': '{"region":"cn-north-1","consoleLink":"https://console.amazonaws.cn","approval":{"pipelineName":"adf-pipeline-sample-vpc","stageName":"approval-stage-1","actionName":"Approve","token":"fa777887-41dc-4ac4-8455-a209a93c76b9","expires":"2019-03-17T11:08Z","externalEntityLink":null,"approvalReviewLink":"https://console.amazonaws.cn/codepipeline/"}}',
+            'Timestamp': '3000-03-10T11:08:34.673Z',
+            'SignatureVersion': '1',
+            'Signature': '1',
+            'SigningCertUrl': 'https://sns.opportunities/initiatives.amazonaws.com/SimpleNotificationService',
+            'UnsubscribeUrl': 'https://sns.cn-north-1.amazonaws.com',
+            'MessageAttributes': {}
+        }
+    }]
+}
+
+stub_bootstrap_event_cn = {
+    'Records': [{
+        'EventSource': 'aws:sns',
+        'EventVersion': '1.0',
+        'EventSubscriptionArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+        'Sns': {
+            'Type': 'Notification',
+            'MessageId': '1',
+            'TopicArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+            'Subject': 'AWS Deployment Framework Bootstrap',
+            'Message': 'Account 1111111 has now been bootstrapped into banking/production',
+            'Timestamp': '3000-03-10T11:08:34.673Z',
+            'SignatureVersion': '1',
+            'Signature': '1',
+            'SigningCertUrl': 'https://sns.cn-north-1.amazonaws.com/SimpleNotificationService',
+            'UnsubscribeUrl': 'https://sns.cn-north-1.amazonaws.com',
+            'MessageAttributes': {}
+        }
+    }]
+}
+
+stub_failed_pipeline_event_cn = {
+    'Records': [{
+        'EventSource': 'aws:sns',
+        'EventVersion': '1.0',
+        'EventSubscriptionArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+        'Sns': {
+            'Type': 'Notification',
+            'MessageId': '1',
+            'TopicArn': 'arn:aws-cn:sns:cn-north-11:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+            'Subject': None,
+            'Message': '{"version":"0","id":"1","detail-type":"CodePipeline Pipeline Execution State Change","source":"aws.codepipeline","account":"2","time":"3000-03-10T11:09:38Z","region":"eu-central-1","resources":["arn:aws:codepipeline:eu-central-1:999999:adf-pipeline-sample-vpc"],"detail":{"pipeline":"adf-pipeline-sample-vpc","execution-id":"1","state":"FAILED","version":9.0}}',
+            'Timestamp': '2019-03-10T11:09:49.953Z',
+            'SignatureVersion': '1',
+            'Signature': '2',
+            'SigningCertUrl': 'https://sns.cn-north-1.amazonaws.com/SimpleNotificationService',
+            'UnsubscribeUrl': 'https://sns.cn-north-1.amazonaws.com',
+            'MessageAttributes': {}
+        }
+    }]
+}
+
+stub_failed_bootstrap_event_cn = {
+    'Records': [{
+        'EventSource': 'aws:sns',
+        'EventVersion': '1.0',
+        'EventSubscriptionArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+        'Sns': {
+            'Type': 'Notification',
+            'MessageId': '1',
+            'TopicArn': 'arn:aws-cn:sns:cn-north-1:9999999:adf-pipeline-sample-vpc-PipelineSNSTopic-example',
+            'Subject': 'Failure - AWS Deployment Framework Bootstrap',
+            'Message': '{"Error":"Exception","Cause":"{\\"errorMessage\\": \\"CloudFormation Stack Failed - Account: 111 Region: eu-central-1 Status: ROLLBACK_IN_PROGRESS\\", \\"errorType\\": \\"Exception\\", \\"stackTrace\\": [[\\"/var/task/wait_until_complete.py\\", 99, \\"lambda_handler\\", \\"status))\\"]]}"}',
+            'Timestamp': '2019-03-10T11:09:49.953Z',
+            'SignatureVersion': '1',
+            'Signature': '2',
+            'SigningCertUrl': 'https://sns.cn-north-1.amazonaws.com/SimpleNotificationService',
+            'UnsubscribeUrl': 'https://sns.cn-north-1.amazonaws.com',
+            'MessageAttributes': {}
+        }
+    }]
+}

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/tests/stubs/stub_iam_cn.py

@@ -0,0 +1,41 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+# pylint: skip-file
+
+"""
+Stubs for testing iam.py
+"""
+
+get_role_policy = {
+    'RoleName': 'string',
+    'PolicyName': 'string',
+    'PolicyDocument': {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "KMS",
+                "Effect": "Allow",
+                "Action": ["iam:ChangePassword"],
+                "Resource": (
+                    "arn:aws-cn:kms:cn-north-1:111111111111:key/existing_key"
+                ),
+            },
+            {
+                "Sid": "S3",
+                "Effect": "Allow",
+                "Action": "s3:ListAllMyBuckets",
+                "Resource": [
+                    "arn:aws-cn:s3:::existing_bucket",
+                    "arn:aws-cn:s3:::existing_bucket/*",
+                ],
+            },
+            {
+                "Sid": "AssumeRole",
+                "Effect": "Allow",
+                "Action": "sts:AssumeRole",
+                "Resource": ['something'],
+            },
+        ]
+    }
+}