retries implemented for gd and macie. (#779) (#780)

Brian969 · web-flow · commit 67be0e52610e · 2021-08-12T13:12:09.000-04:00
Authored-by: Dustin Hickey &lt;hickeydh@amazon.amazon.com&gt;
diff --git a/src/deployments/cdk/src/deployments/iam/guardduty-roles.ts b/src/deployments/cdk/src/deployments/iam/guardduty-roles.ts
@@ -47,7 +47,7 @@ export async function createAdminRole(stack: AccountStack) {
 
   role.addToPrincipalPolicy(
     new iam.PolicyStatement({
-      actions: ['guardduty:EnableOrganizationAdminAccount'],
+      actions: ['guardduty:EnableOrganizationAdminAccount', 'guardduty:ListOrganizationAdminAccounts'],
       resources: ['*'],
     }),
   );
diff --git a/src/deployments/cdk/src/deployments/iam/macie-roles.ts b/src/deployments/cdk/src/deployments/iam/macie-roles.ts
@@ -60,7 +60,7 @@ export async function createMacieAdminRole(stack: AccountStack) {
   );
   role.addToPrincipalPolicy(
     new iam.PolicyStatement({
-      actions: ['macie2:EnableOrganizationAdminAccount'],
+      actions: ['macie2:EnableOrganizationAdminAccount', 'macie2:ListOrganizationAdminAccounts'],
       resources: ['*'],
     }),
   );
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/src/index.ts b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/src/index.ts
@@ -29,41 +29,61 @@ async function onEvent(event: CloudFormationCustomResourceEvent) {
   }
 }
 
-function getPhysicalId(event: CloudFormationCustomResourceEvent): string {
-  const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-
-  return `${properties.accountId}`;
-}
-
 async function onCreateOrUpdate(
   event: CloudFormationCustomResourceCreateEvent | CloudFormationCustomResourceUpdateEvent,
 ) {
-  const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-  const response = await enableOrgAdmin(properties);
+  const accountId = event.ResourceProperties.accountId;
+  const sleepTime = 30000;
+  const retryCount = 10;
+  await enableOrgAdmin(accountId);
+  let guardDutyAdminEnabled = await isGuardDutyAdminEnabled(accountId);
+  let retries = 0;
+  while (!guardDutyAdminEnabled && retries < retryCount) {
+    console.log(
+      `GuardDuty Admin not enabled. Retrying in ${sleepTime / 1000} seconds. Retry: ${retries + 1} of ${retryCount}`,
+    );
+    await sleep(sleepTime);
+    await enableOrgAdmin(accountId);
+    guardDutyAdminEnabled = await isGuardDutyAdminEnabled(accountId);
+    retries++;
+  }
   return {
-    physicalResourceId: getPhysicalId(event),
+    physicalResourceId: event.ResourceProperties.accountId,
     data: {},
   };
 }
+async function isGuardDutyAdminEnabled(accountId: string) {
+  console.log(`Checking if GuardDuty Administration is enabled for account ${accountId}`);
+  const adminList = await guardduty.listOrganizationAdminAccounts().promise();
+  console.log(adminList);
+  const isAccountAdded = adminList.AdminAccounts?.filter(account => {
+    return account.AdminAccountId === accountId;
+  });
+
+  if (isAccountAdded!.length === 0) {
+    console.log('Account has not been added.');
+  } else {
+    console.log('Account has been added.');
+  }
+  return isAccountAdded!.length > 0;
+}
 
-async function enableOrgAdmin(properties: HandlerProperties) {
+async function sleep(ms: number) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+async function enableOrgAdmin(accountId: string) {
   const params = {
-    AdminAccountId: properties.accountId,
+    AdminAccountId: accountId,
   };
 
   try {
-    const enableAdmin = await throttlingBackOff(() => guardduty.enableOrganizationAdminAccount(params).promise());
-
+    console.log(`Enabling GuardDuty Admin for account ${accountId}`);
+    const enableAdmin = await guardduty.enableOrganizationAdminAccount(params).promise();
+    console.log(enableAdmin);
     return enableAdmin;
   } catch (e) {
-    const message = `${e}`;
-    // if account is already enabled as delegated admin, do not error out
-    if (
-      message.includes(`the account is already enabled as the GuardDuty delegated administrator for the organization`)
-    ) {
-      console.warn(message);
-    } else {
-      throw e;
-    }
+    console.log('Could not enable Guard Duty Admin.');
+    console.log(e);
   }
 }
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/src/index.ts b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/src/index.ts
@@ -6,7 +6,6 @@ import {
   CloudFormationCustomResourceUpdateEvent,
 } from 'aws-lambda';
 import { errorHandler } from '@aws-accelerator/custom-resource-runtime-cfn-response';
-import { throttlingBackOff } from '@aws-accelerator/custom-resource-cfn-utils';
 
 const macie = new AWS.Macie2();
 
@@ -31,50 +30,60 @@ async function onEvent(event: CloudFormationCustomResourceEvent) {
   }
 }
 
-function getPhysicalId(event: CloudFormationCustomResourceEvent): string {
-  const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-
-  return `${properties.accountId}`;
-}
-
 async function onCreateOrUpdate(
   event: CloudFormationCustomResourceCreateEvent | CloudFormationCustomResourceUpdateEvent,
 ) {
-  const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-  const response = await enableOrgAdmin(properties);
+  const accountId = event.ResourceProperties.accountId;
+  const sleepTime = 30000;
+  const retryCount = 10;
+  await enableOrgAdmin(accountId);
+  let macieAdminEnabled = await isMacieAdminEnabled(accountId);
+  let retries = 0;
+  while (!macieAdminEnabled && retries < retryCount) {
+    console.warn(
+      `Macie Admin not enabled. Retrying in ${sleepTime / 1000} seconds. Retry: ${retries + 1} of ${retryCount}`,
+    );
+    await sleep(sleepTime);
+    await enableOrgAdmin(accountId);
+    macieAdminEnabled = await isMacieAdminEnabled(accountId);
+    retries++;
+  }
   return {
-    physicalResourceId: getPhysicalId(event),
+    physicalResourceId: accountId,
     data: {},
   };
 }
 
-async function enableOrgAdmin(properties: HandlerProperties) {
-  try {
-    const enableAdmin = await throttlingBackOff(() =>
-      macie
-        .enableOrganizationAdminAccount({
-          adminAccountId: properties.accountId,
-        })
-        .promise(),
-    );
+async function isMacieAdminEnabled(accountId: string) {
+  console.log(`Checking if Macie Administration is enabled for account ${accountId}`);
+  const adminList = await macie.listOrganizationAdminAccounts().promise();
+  const isAccountAdded = adminList.adminAccounts?.filter(account => {
+    return account.accountId === accountId;
+  });
+  if (isAccountAdded!.length === 0) {
+    console.log('Account has not been added.');
+  } else {
+    console.log('Account has been added.');
+  }
+  return isAccountAdded!.length > 0;
+}
 
-    return enableAdmin;
+async function enableOrgAdmin(accountId: string) {
+  console.info(`Enabling Macie Admin Account ${accountId}`);
+  try {
+    const macieAdmin = await macie
+      .enableOrganizationAdminAccount({
+        adminAccountId: accountId,
+      })
+      .promise();
+    console.info(macieAdmin);
   } catch (e) {
-    const message = `${e}`;
-    if (
-      message.includes(
-        'The request failed because an account is already enabled as the Macie delegated administrator for the organization',
-      )
-    ) {
-      console.warn(e);
-    } else if (
-      message.includes(
-        `The request failed because there's already a delegated Macie administrator account for your organization`,
-      )
-    ) {
-      console.warn(e);
-    } else {
-      throw e;
-    }
+    console.warn('Could not enable Macie Admin account');
+    console.warn(e);
+    return;
   }
 }
+
+async function sleep(ms: number) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
