LZA Upgrade (#1240)

* Add .gitlab-ci.yml

* update CI image

* python image

* switch to proper folder

* Update .gitlab-ci.yml file

* lza premigration script

* Updating migration scripts and adding yarn commands

* Updating migration scripts and adding yarn commands

* Removing example config

* Updating README

* Fixing fields in input-config.example.json

* readme updates

* Add migration skip delete logic (#1177)

LGTM

* Readme update

* Clearing up custom resource no-op

* Fixing snapshot script issues

* Update aws-s3.ts

* Adding assets for custom config rules, updating convert config and resource mapping to fix issues found during testing. Also adding throttlingBackoff for detectdrift calls to ensure proper results are returned

* Readme updates from testing

* Updating readmes and mew Pre-Migration scripts

* Updating package.json to have snapshot and asea-prep commands. Also including dependencies for package.json aws-sdk services

* Small fixes and readme updates

* Updating convert-config script to handle auditManager disable, sharetargets for transitgateway, and config rules

* Updating readme and docs for handling drifted-resources and stack-drift.

* Updating readme and pre-migration scripts

* Updating readme, fix for guarddutyprefix and updating snapshot for ddb and reporting

* Add warning for resource-mapping and updating branch for installer

* Updating tsconfig, package.json and other config files

* Adding LZA installer template with source code and updating putLZAInstallerStackTemplate to use this

* Fix for fs.constants.COPYFILE_FICLONE_FORCE

* Removing additional parameter since it defaults to force

* updated installer template

* updated pre-migration code

* updated installer template

* Updating Network Config and Convert Config file with fixes

* added premigration changes

* updated config converter

* latest config converter

* added back asea installer template

* fixed throttling for snapshot

* Most recent changes for ALB, ALB templates, and non-fortinet fw check

* Updating target type

* added resource deletion handling

* Fixing non-fortinet firewalls, mad, and cw log kms deployment targets

* Fixing deploymentTarget issue for SSMWrite policy

* updated readme

* Adding encryption for putobject calls

* Fixing suspended account issues

* Fixing asea-assets bucket code to use local client for s3 calls

* Updating README with up to date post-migration instructions

* Added more deletion options

* removed nacl association update

* fixed post-migration write to s3

* updated config converter

* Updates for ASEA VPC lookups for cidr blocks

* updated config converter

* batched local writes

* fixed ignored ou and writeToSources

* fixed snapshot supported regions

* feat(migration): Removing MAD from config converter

* Updating documentation and updating config repository type

* Removing README at Custom-Scripts directory level

* Removing addResourcePolicy call and allowing this to be updated in phase-2 due to underlying Cloudformation behavior change

* Updating readme and inventory file with latest instructions and having detection policyPath use LZA_CONFIG_RULES instead of LZA_IAM_POLICY_CONFIG_PATH

* Reverting secrets fix temporarily

* Updating readme with asea resource handler information and table

* Updating convert-config to handle security hub issue and ssm deployment target issue

* Updating readme for KMS Key differences and only generating a single network-config during convert-config process

* Updating cdntral bucket name, adding check for node14, support for tls1.3, and macie fix for new region

* Updating behavior of nested ous, adding flag for disabling termination protection

* Find account id for non-local subnets in security group rules, remove nested ou from scp deployment targets, and switching emails to lowercaselocale

* Updating drift detection and fixing dynamic-log partitioning for vpc flow logs

* Removing VPC Flow Logs in Dynamic Partition

* updated convert config

* Updating code for 3P firewall routes

* Fixing subscription filters and destinations

* Remove VPC flow logs in post-migration and update dynamic partitioning for ssm logs

* Fixing typos in log destination and stream

* Doc updates for drift detection, refactoring warnings to sit inside config-check.ts and update drift detection scripts

* Fixing IAM role type for account, SSM Read Only Access Role, and Dynamic Partitioning

* Fixing nested stack naming check

* Fixes for nestedOus, vpcOutputs, and ssm automation docsets

* move doc to mkdocs

* add link to LZA upgrade doc on main README

* add faq content

* clarify prereq about empty OU

* added differences about logging

* typo

* detail about subscription filter

* doc feedback

* doc improvment

* fix list

* remove duplicate content

* more doc feedback

* feedback about gwlb impact

* typos

* revert change to pdf plugin

* update branch names

* add latest version of upgrade tools in lza-upgrade, remove Pre-migration folder

* update main README

* readme

* version on readme

* add FAQ for manual route table changes

* known issues

* typo

* precision

* remove note about not installing v1.6

* changelog date

* prepare for release

* sync latest lza-upgrade

* add config folder

* chore: fixed ts lint error

* fixed linting errors

* fix: fixed linting

---------

Co-authored-by: Olivier Gaumond <[email protected]>
Co-authored-by: Ryan Cerrato <[email protected]>
Co-authored-by: Brian Crissup <[email protected]>
Co-authored-by: rycerrat-aws <[email protected]>

Author: 4 people

.gitlab-ci.yml

@@ -0,0 +1,15 @@
+# The Docker image that will be used to build your app
+image: public.ecr.aws/docker/library/python:3.12
+# Functions that should be executed before the build script is run
+before_script:
+  - cd src/mkdocs
+  - python -m pip install --upgrade pip
+  - pip install -r requirements.txt
+pages:
+  script:
+    - make build
+  artifacts:
+    paths:
+      # The folder that contains the files to be exposed at the Page URL
+      - public
+

.prettierignore

@@ -0,0 +1 @@
+reference-artifacts/Custom-Scripts/lza-upgrade*

README.md

@@ -4,7 +4,7 @@ The [Landing Zone Accelerator (LZA) on AWS solution](https://aws.amazon.com/solu
 
 The LZA v1.3 release (03/2023) focused on delivering AWS Secure Environment Accelerator (ASEA) feature parity and delivered both [CCCS Cloud Medium](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/#Support_for_specific_regions_and_industries) and [Trusted Secure Enclave Sensitive Edition](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/#Support_for_specific_regions_and_industries) sample configuration files. These samples deliver similar outcomes to the ASEA sample configuration file.
 
-The LZA team has developed an automated upgrade from ASEA to LZA. Upgrades from ASEA to LZA must occur before end of Q3 2025 (September 30, 2025). Please monitor this site for a future LZA release that will support the ASEA to LZA semi-automated upgrade capability [here](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/).  
+The LZA team has developed an automated upgrade from ASEA to LZA and it is now **generally available** with ASEA v1.6.0 and LZA v1.11.0. Upgrades from ASEA to LZA must occur before end of Q3 2025 (September 30, 2025). **The documentation for the ASEA to LZA upgrade is available in the AWS Secure Environment Accelerator [guide on GitHub pages](https://aws-samples.github.io/aws-secure-environment-accelerator/latest/lza-upgrade/)** and the upgrade tools are available in the [reference-artifacts/Custom-Scripts/lza-upgrade](./reference-artifacts/Custom-Scripts/lza-upgrade/) folder of this repository.
 
 Please reach out to your AWS Account Team with any questions.
 

reference-artifacts/Custom-Scripts/lza-upgrade/.eslintrc.json

@@ -0,0 +1,212 @@
+{
+  "env": {
+    "jest": true,
+    "node": true
+  },
+  "root": true,
+  "plugins": [
+    "@typescript-eslint",
+    "import"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 2018,
+    "sourceType": "module",
+    "project": "tsconfig.json"
+  },
+  "extends": [
+    "plugin:import/typescript"
+  ],
+  "settings": {
+    "import/parsers": {
+      "@typescript-eslint/parser": [
+        ".ts",
+        ".tsx"
+      ]
+    },
+    "import/resolver": {
+      "node": {},
+      "typescript": {
+        "project": "tsconfig.json",
+        "alwaysTryTypes": true
+      }
+    }
+  },
+  "ignorePatterns": [
+    "*.js",
+    "*.d.ts",
+    "node_modules/",
+    "*.generated.ts",
+    "coverage"
+  ],
+  "rules": {
+    "quotes": [
+      "error",
+      "single",
+      {
+        "avoidEscape": true
+      }
+    ],
+    "comma-dangle": [
+      "error",
+      "always-multiline"
+    ],
+    "comma-spacing": [
+      "error",
+      {
+        "before": false,
+        "after": true
+      }
+    ],
+    "no-multi-spaces": [
+      "error",
+      {
+        "ignoreEOLComments": false
+      }
+    ],
+    "array-bracket-spacing": [
+      "error",
+      "never"
+    ],
+    "array-bracket-newline": [
+      "error",
+      "consistent"
+    ],
+    "object-curly-spacing": [
+      "error",
+      "always"
+    ],
+    "object-curly-newline": [
+      "error",
+      {
+        "multiline": true,
+        "consistent": true
+      }
+    ],
+    "object-property-newline": [
+      "error",
+      {
+        "allowAllPropertiesOnSameLine": true
+      }
+    ],
+    "keyword-spacing": [
+      "error"
+    ],
+    "brace-style": [
+      "error",
+      "1tbs",
+      {
+        "allowSingleLine": true
+      }
+    ],
+    "space-before-blocks": [
+      "error"
+    ],
+    "curly": [
+      "error",
+      "multi-line",
+      "consistent"
+    ],
+    "@typescript-eslint/member-delimiter-style": [
+      "error"
+    ],
+    "semi": [
+      "error",
+      "always"
+    ],
+    "max-len": [
+      "error",
+      {
+        "code": 150,
+        "ignoreUrls": true,
+        "ignoreStrings": true,
+        "ignoreTemplateLiterals": true,
+        "ignoreComments": true,
+        "ignoreRegExpLiterals": true
+      }
+    ],
+    "quote-props": [
+      "error",
+      "consistent-as-needed"
+    ],
+    "@typescript-eslint/no-require-imports": [
+      "error"
+    ],
+    "import/no-extraneous-dependencies": [
+      "error",
+      {
+        "devDependencies": [
+          "**/test/**",
+          "**/build-tools/**"
+        ],
+        "optionalDependencies": false,
+        "peerDependencies": true
+      }
+    ],
+    "import/no-unresolved": [
+      "error"
+    ],
+    "import/order": [
+      "warn",
+      {
+        "groups": [
+          "builtin",
+          "external"
+        ],
+        "alphabetize": {
+          "order": "asc",
+          "caseInsensitive": true
+        }
+      }
+    ],
+    "no-duplicate-imports": [
+      "error"
+    ],
+    "no-shadow": [
+      "off"
+    ],
+    "@typescript-eslint/no-shadow": [
+      "error"
+    ],
+    "key-spacing": [
+      "error"
+    ],
+    "no-multiple-empty-lines": [
+      "error"
+    ],
+    "@typescript-eslint/no-floating-promises": [
+      "error"
+    ],
+    "no-return-await": [
+      "off"
+    ],
+    "@typescript-eslint/return-await": [
+      "error"
+    ],
+    "no-trailing-spaces": [
+      "error"
+    ],
+    "dot-notation": [
+      "error"
+    ],
+    "no-bitwise": [
+      "error"
+    ],
+    "@typescript-eslint/member-ordering": [
+      "error",
+      {
+        "default": [
+          "public-static-field",
+          "public-static-method",
+          "protected-static-field",
+          "protected-static-method",
+          "private-static-field",
+          "private-static-method",
+          "field",
+          "constructor",
+          "method"
+        ]
+      }
+    ]
+  }
+}

reference-artifacts/Custom-Scripts/lza-upgrade/.gitignore

@@ -0,0 +1,47 @@
+.DS_Store
+!/.gitattributes
+!/.github/workflows/pull-request-lint.yml
+!/package.json
+!/LICENSE
+!/.npmignore
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+pids
+*.pid
+*.seed
+*.pid.lock
+lib-cov
+coverage
+*.lcov
+.nyc_output
+build/Release
+node_modules/
+jspm_packages/
+*.tsbuildinfo
+.eslintcache
+*.tgz
+.yarn-integrity
+.cache
+/test-reports/
+junit.xml
+/coverage/
+!/.github/workflows/build.yml
+!/.mergify.yml
+!/.github/workflows/upgrade.yml
+!/.github/pull_request_template.md
+!/test/
+!/tsconfig.json
+!/tsconfig.dev.json
+/lib
+/dist/
+!/.eslintrc.json
+src/input-config/input-config.json
+src/input-config/input-config-*.json
+.vscode/
+backup/
+outputs/*

reference-artifacts/Custom-Scripts/lza-upgrade/.prettierrc.json

@@ -0,0 +1,7 @@
+{
+  "tabWidth": 2,
+  "printWidth": 120,
+  "singleQuote": true,
+  "quoteProps": "consistent",
+  "trailingComma": "all"
+}

reference-artifacts/Custom-Scripts/lza-upgrade/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.6.0] - 2025-01-17
+
+### Added
+- First official release of the ASEA to LZA upgrade tools