From fdeb99c305fc66be5722505b5140715e0840b440 Mon Sep 17 00:00:00 2001
From: Ibrahim Mohamed
Date: Wed, 12 Jul 2023 19:58:50 -0400
Subject: [PATCH] Update to version v5.3.5
---
 CHANGELOG.md | 7 ++
 lambda/cfn/index.js | 1 -
 lambda/cfn/lib/ElasticSearchUpdate.js | 102 ------------------
 package-lock.json | 4 +-
 package.json | 2 +-
 source/requirements-test.txt | 4 +-
 .../CanvasLMSHook/requirements.txt | 4 +-
 templates/master/cognito/index.js | 3 +-
 templates/master/elasticsearch/es.js | 35 ++----
 templates/master/importstack.js | 10 +-
 templates/master/roles.json | 17 ++-
 11 files changed, 42 insertions(+), 147 deletions(-)
 delete mode 100644 lambda/cfn/lib/ElasticSearchUpdate.js
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f22597032..1f0739ec1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [5.3.5] - 2023-07-12
+
+### Updated
+
+- removal of ElasticSearchUpdate custom resource to prevent CFNLambda recursion alert (#618)
+- Security patches for pip packages
+
 ## [5.3.4] - 2023-05-19
 ### Updated
diff --git a/lambda/cfn/index.js b/lambda/cfn/index.js
index 029c84404..0f9b05199 100644
--- a/lambda/cfn/index.js
+++ b/lambda/cfn/index.js
@@ -15,7 +15,6 @@ const targets={
 CognitoLogin:require('./lib/CognitoLogin'),
 CognitoRole:require('./lib/CognitoRole'),
 CognitoUrl:require('./lib/CognitoUrl'),
- ElasticSearchUpdate:require('./lib/ElasticSearchUpdate'),
 ESCognitoClient:require('./lib/ESCognitoClient'),
 LambdaVersion:require('./lib/LambdaVersion'),
 Kibana:require('./lib/base'), // Kibana custom resource deprecated.. preserve entry here to avoid resource delete failure on stack upgrade.
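Review bot: Removing the `ElasticSearchUpdate` key from `targets` leaves no handler for stacks that were deployed with the `Custom::ElasticSearchUpdate` resource, and CloudFormation sends a Delete request for that resource when such a stack is upgraded to a template that no longer contains it. The `Kibana` entry in the same table keeps a stub for exactly this reason (`require('./lib/base')`, with the comment about delete failure on stack upgrade). The dispatch code is outside the hunk, so this assumes handlers are looked up in `targets` by resource type; if so, keep a stub rather than dropping the key: `ElasticSearchUpdate:require('./lib/base'), // custom resource removed in 5.3.5; entry kept so Delete succeeds on stack upgrade`.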
diff --git a/lambda/cfn/lib/ElasticSearchUpdate.js b/lambda/cfn/lib/ElasticSearchUpdate.js
deleted file mode 100644
index d46a5abdf..000000000
--- a/lambda/cfn/lib/ElasticSearchUpdate.js
+++ /dev/null
@@ -1,102 +0,0 @@
-
-var AWS = require('aws-sdk');
-var CfnLambda = require('cfn-lambda');
-
-var ES = new AWS.ES({apiVersion: '2015-01-01'});
-var Lambda = new AWS.Lambda({apiVersion: '2015-03-31'});
-
-var BoolProperties = [
- 'EBSOptions.EBSEnabled',
- 'ElasticsearchClusterConfig.DedicatedMasterEnabled',
- 'ElasticsearchClusterConfig.ZoneAwarenessEnabled',
- 'CognitoOptions.Enabled'
-];
-
-var NumProperties = [
- 'EBSOptions.Iops',
- 'EBSOptions.VolumeSize',
- 'ElasticsearchClusterConfig.DedicatedMasterCount',
- 'ElasticsearchClusterConfig.InstanceCount',
- 'SnapshotOptions.AutomatedSnapshotStartHour'
-];
-
-
-var Update = CfnLambda.SDKAlias({
- api: ES,
- method: 'updateElasticsearchDomainConfig',
- forceBools: BoolProperties,
- forceNums: NumProperties,
- returnPhysicalId: getPhysicalId
-});
-
-var Create = Update;
-
-function getPhysicalId(data, params) {
- return CfnLambda.Environment.AccountId + '/' + params.DomainName;
-}
-
-module.exports=class ElasticsearchDomainUpdate {
- constructor(){
- Object.assign(this,{
- Create: Create,
- Update: Update,
- Delete: function(ID,params,reply){
- reply()
- },
- NoUpdate: NoUpdate,
- TriggersReplacement: ['DomainName'],
- LongRunning: {
- PingInSeconds: 30,
- MaxPings: 60,
- LambdaApi: Lambda,
- Methods: {
- Create: CheckCreate,
- Update: CheckUpdate
- }
- }
- })
- }
-};
-
-function CheckProcessComplete(params, reply, notDone) {
- ES.describeElasticsearchDomain({
- DomainName: params.DomainName
- }, function(err, domain) {
- if (err) {
- console.error('Error when pinging for Processing Complete: %j', err);
- return reply(err.message);
- }
- if (domain.DomainStatus.Processing || (!domain.DomainStatus.Endpoint && !domain.DomainStatus.Endpoints.vpc) ) {
- console.log('Status is not Processing: false yet. Ping not done: %j', domain);
- return notDone();
- }
- console.log('Status is Processing: false! %j', domain);
- reply(null, domain.DomainStatus.DomainId, {
- Endpoint: domain.DomainStatus.Endpoint ? 
domain.DomainStatus.Endpoint : domain.DomainStatus.Endpoints.vpc - }); - }); -} - -function CheckCreate(createReponse, params, reply, notDone) { - CheckProcessComplete(params, reply, notDone); -} - -function CheckUpdate(updateResponse, physicalId, params, oldParams, reply, notDone) { - CheckProcessComplete(params, reply, notDone); -} - -function NoUpdate(phys, params, reply) { - ES.describeElasticsearchDomain({ - DomainName: params.DomainName - }, function(err, domain) { - if (err) { - console.error('Error when pinging for NoUpdate Attrs: %j', err); - return reply(err.message); - } - console.log('NoUpdate pingcheck success! %j', domain); - reply(null, domain.DomainStatus.DomainId, { - Endpoint: domain.DomainStatus.Endpoint ? domain.DomainStatus.Endpoint : domain.DomainStatus.Endpoints.vpc - }); - }); -} - diff --git a/package-lock.json b/package-lock.json index c402312aa..30eeec281 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "qnabot-on-aws", - "version": "5.3.4", + "version": "5.3.5", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "qnabot-on-aws", - "version": "5.3.4", + "version": "5.3.5", "license": "SEE LICENSE IN LICENSE", "os": [ "darwin", diff --git a/package.json b/package.json index 97f229b44..a7ee500a3 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "qnabot-on-aws", - "version": "5.3.4", + "version": "5.3.5", "engines": { "node": ">=12.16.1", "npm": ">=7.8.0" diff --git a/source/requirements-test.txt b/source/requirements-test.txt index e4fb27287..b539abadb 100644 --- a/source/requirements-test.txt +++ b/source/requirements-test.txt @@ -2,7 +2,7 @@ docker==6.1.2 moto==4.1.0 openapi-spec-validator==0.5.1 pytest==7.2.0 -pytest-cov==4.0.0 +pytest-cov==4.1.0 pytest-env==0.8.1 -pytest-mock==3.10.0 +pytest-mock==3.11.1 pyyaml==6.0 \ No newline at end of file 
diff --git a/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt b/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt
index 3f87c500d..f536ff7df 100644
--- a/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt
+++ b/templates/examples/extensions/py_lambda_hooks/CanvasLMSHook/requirements.txt
@@ -1,7 +1,7 @@
 python-dateutil==2.8.1
 urllib3==1.26.5
-canvasapi==3.1.0
+canvasapi==3.2.0
 idna==2.10
 pytz==2021.1
-requests==2.26.0
+requests==2.31.0
 beautifulsoup4==4.12.0
diff --git a/templates/master/cognito/index.js b/templates/master/cognito/index.js
index 5a066ab86..44e209479 100644
--- a/templates/master/cognito/index.js
+++ b/templates/master/cognito/index.js
@@ -55,7 +55,7 @@ module.exports={
 },
 "User":{
 "Type" : "AWS::Cognito::UserPoolUser",
- "DependsOn":["SignupPermision","MessagePermision","OpensearchDomainUpdate","KibanaRoleAttachment","RoleAttachment"],
+ "DependsOn":["SignupPermision","MessagePermision","KibanaRoleAttachment","RoleAttachment"],
 "Properties" : {
 "DesiredDeliveryMediums":["EMAIL"],
 "UserAttributes":[{
@@ -184,7 +184,6 @@ module.exports={
 },
 "KibanaClient":{
 "Type": "Custom::ESCognitoClient",
- "DependsOn":["OpensearchDomainUpdate"],
 "Properties": {
 "ServiceToken": { "Fn::GetAtt" : ["CFNLambda", "Arn"] },
 "UserPool":{"Ref":"UserPool"},
diff --git a/templates/master/elasticsearch/es.js b/templates/master/elasticsearch/es.js
index 89ad3661f..55def24b9 100644
--- a/templates/master/elasticsearch/es.js
+++ b/templates/master/elasticsearch/es.js
@@ -1,7 +1,12 @@
 const util = require('../../util');
 var properties={
-
+ "CognitoOptions":{
+ "Enabled": true,
+ "IdentityPoolId": {"Ref":"KibanaIdPool"},
+ "RoleArn":{"Fn::GetAtt":["ESCognitoRole","Arn"]},
+ "UserPoolId": {"Ref":"UserPool"}
+ },
 "ClusterConfig": {
 "DedicatedMasterEnabled": false,
 "InstanceCount": {"Ref":"ElasticSearchNodeCount"},
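Review bot: The `CognitoOptions` block added to `properties` in es.js gives the domain implicit dependencies on `KibanaIdPool`, `ESCognitoRole` and `UserPool` through `Ref`/`Fn::GetAtt`, but nothing in it orders the domain after `CognitoDomain`, which the removed `OpensearchDomainUpdate` resource listed in its `DependsOn`. OpenSearch Service needs the user pool to have a domain configured before Cognito authentication can be enabled, so on a fresh stack the outcome may depend on creation order. The resource that consumes `properties` starts outside this hunk; if it does not already declare it, add `"DependsOn":["CognitoDomain"]` there. That resource is also under `"Condition":"CreateDomain"`, so it is worth confirming what enables Cognito on the domain when the condition is false, now that the custom resource is gone.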
@@ -44,34 +49,6 @@ module.exports={
 "Condition":"CreateDomain",
 "Properties":properties
 },
- "OpensearchDomainUpdate": {
- "Type": "Custom::ElasticSearchUpdate",
- "DependsOn":["CognitoDomain"],
- "Properties":{
- "ServiceToken": { "Fn::GetAtt" : ["CFNLambda", "Arn"] },
- "DomainName":{"Fn::GetAtt":["ESVar","ESDomain"]},
- "CognitoOptions":{
- Enabled: true ,
- IdentityPoolId: {"Ref":"KibanaIdPool"},
- RoleArn:{"Fn::GetAtt":["ESCognitoRole","Arn"]},
- UserPoolId: {"Ref":"UserPool"}
- },
- "AccessPolicies": {"Fn::Sub":JSON.stringify({
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "CognitoAuth",
- "Principal": {
- "AWS":"${KibanaRole.Arn}"
- },
- "Effect": "Allow",
- "Action": "es:ESHttp*",
- "Resource":"${ESVar.ESArn}/*"
- }
- ]
- })},
- }
- },
 "ESCognitoRole": {
 "Type": "AWS::IAM::Role",
 "Properties": {
diff --git a/templates/master/importstack.js b/templates/master/importstack.js
index b97b06b83..408801761 100644
--- a/templates/master/importstack.js
+++ b/templates/master/importstack.js
@@ -1,7 +1,7 @@
 module.exports={
 "ImportStack":{
 "Type" : "AWS::CloudFormation::Stack",
- "DependsOn":["PreUpgradeExport","OpensearchDomainUpdate"],
+ "DependsOn":["PreUpgradeExport"],
 "Properties" : {
 "TemplateURL" :{"Fn::Sub":"https://${BootstrapBucket}.s3.${AWS::Region}.amazonaws.com/${BootstrapPrefix}/templates/import.json"},
 "Parameters" :{
@@ -33,15 +33,15 @@ module.exports={
 "EmbeddingsLambdaArn": {"Ref": "EmbeddingsLambdaArn"},
 "EmbeddingsSagemakerEndpoint": {
 "Fn::If": [
- "EmbeddingsSagemaker",
- {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpoint"] },
+ "EmbeddingsSagemaker",
+ {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpoint"] },
 ""
 ]
 },
 "EmbeddingsSagemakerEndpointArn": {
 "Fn::If": [
- "EmbeddingsSagemaker",
- {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpointArn"] },
+ "EmbeddingsSagemaker",
+ {"Fn::GetAtt": ["SagemakerEmbeddingsStack", "Outputs.EmbeddingsSagemakerEndpointArn"] },
 ""
 ]
 }
diff --git a/templates/master/roles.json b/templates/master/roles.json
index 98fe4b6fc..4f15b1b9d 100644
--- a/templates/master/roles.json
+++ b/templates/master/roles.json
@@ -20,7 +20,22 @@
 ]
 },
 "Path": "/",
- "Policies":[]
+ "Policies":[
+ {
+ "PolicyName": "KibanaOpenSearchAccessPolicy",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement":[
+ {
+ "Sid":"CognitoAuth",
+ "Effect":"Allow",
+ "Action":"es:ESHttp*",
+ "Resource": {"Fn::Sub": "${ESVar.ESArn}/*"}
+ }
+ ]
+ }
+ }
+ ]
 }
 },
 "AdminRole": {
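Review bot: The added `CognitoAuth` statement in roles.json grants `es:ESHttp*` on `${ESVar.ESArn}/*`, so every HTTP verb, including DELETE and PUT, is allowed on every index and path of the domain to whoever can assume this role. The role's logical name and trust policy sit above the hunk; the policy name suggests it is the dashboards (Kibana) role, so check that its trust policy is restricted to the intended identity pool with the `cognito-identity.amazonaws.com:aud` and `cognito-identity.amazonaws.com:amr` conditions. The removed domain access policy carried the same action, so this is not a widening, but this inline policy is now the visible place to narrow it. If dashboard users do not need to delete through the dashboards, list the verbs explicitly, for example `"Action":["es:ESHttpGet","es:ESHttpHead","es:ESHttpPost","es:ESHttpPut"]`.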