Review fixes

samples/sample-rdk-rules/README.md

@@ -1,4 +1,4 @@
-# Introduction
+# Sample RDK Rules pipeline
 This setup will allow you to deploy custom config rules created by the RDK via ADF pipeline. 
 
 ## Architecture
@@ -10,8 +10,9 @@ This setup will allow you to deploy custom config rules created by the RDK via A
     - Then CodeBuild will generate 2 CloudFormation templates one for Lambda function(s) deployment and other for the Custom Config rule(s) deployment.
 
 * When a Lambda function get invokes by a Target account Custom config rule; it will assume the Config role in Target account then put config Evaluations into the Target account's Config rule.
+
 ### ADF setup
-Sample pipeline defintion looks like below:
+Sample pipeline definition looks like below:
 
 ```
   - name: custom-config-rules-pipeline ## repo name
@@ -46,7 +47,7 @@ After you clone the repo following file/folder structure will be there;
 | Name  | Purpose  |   
 |---|---|
 | config-rules  | This folder will contain all the custom config rules created by `rdk create ...`. Make sure to setup correct details in the `parameters.json` file(ex: SourceRuntime) |
-| params  | Contains parameters we need for the generated CloudFormation templates. You must set the account id of the Compliance account in `LambdaAccountId`. This will be used as a parameter when it deploys config-rule into Target accounts to refer Lambda function from the Compliance account. [Refer this link](https://github.com/awslabs/aws-deployment-framework/blob/master/docs/user-guide.md#cloudformation-parameters-and-tagging)  |
+| params  | Contains parameters we need for the generated CloudFormation templates. You must set the account id of the Compliance account in `LambdaAccountId` and Target accounts Config role arn as a pattern in `ConfigRoleArnToAssume`. These will be used as parameters when it deploys config-rule into Target accounts to refer Lambda function from the Compliance account. [Refer this link](https://github.com/awslabs/aws-deployment-framework/blob/master/docs/user-guide.md#cloudformation-parameters-and-tagging)  |
 | templates  | This folder contains all the cloudformation template pieces that required to build cfn template for the lambda function deployment.  |
 | buildspec.yml | Buildspec file to generate Cloudformation templates for the Lambda and Custom Config rules |
 | lambda_helper.py | This is the helper file that pack and upload the lambda code recursively in the config-rules folder |

samples/sample-rdk-rules/buildspec.yml

@@ -3,7 +3,7 @@ phases:
   install:
     runtime-versions:
       python: 3.8
-      nodejs: 12
+      nodejs: 16
     commands:
       - aws s3 cp s3://$S3_BUCKET_NAME/adf-build/ adf-build/ --recursive --quiet
       - pip install -r adf-build/requirements.txt -q

samples/sample-rdk-rules/config-rules/EC2_CHECKS_TERMINIATION_PROTECTION_ADF/EC2_CHECKS_TERMINIATION_PROTECTION_ADF.py

@@ -88,11 +88,8 @@ def is_valid_environment(instance_id, event):
 def is_part_of_asg(instance_id,event):
     asg = get_client('autoscaling', event)
     result = asg.describe_auto_scaling_instances(InstanceIds=[instance_id])
-    if result['AutoScalingInstances']:
-        return True
-    else:
-        return False
-
+    return len(result['AutoScalingInstances']) > 0
+
 # Checks DisableApiTermination is enabled or not
 def is_termination_protection_on(instance_id, event):
     client = get_client('ec2', event)

samples/sample-rdk-rules/lambda_helper.py

@@ -28,7 +28,7 @@ def load_json_file(file: str) -> dict:
 
 def replace_rule_name_and_load(file: str, rule_name:str, rule_name_stripped:str) -> dict:
     try:
-        with open(file, 'r') as f:
+        with open(file, 'r', encoding="utf-8") as f:
             content = f.read().replace("RuleNameStripped", rule_name_stripped)
             content = content.replace("RuleName", rule_name)
             return json.loads(content)

samples/sample-rdk-rules/params/global.json

@@ -1,5 +1,6 @@
 {
     "Parameters": {
-        "LambdaAccountId": "1111111111"
+        "LambdaAccountId": "1111111111",
+        "ConfigRoleArnToAssume": "config-role-arn-here | ex: arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
     }
 }

samples/sample-rdk-rules/requirements.txt

@@ -1,3 +1,3 @@
 s3==3.0.0
-boto3==1.20.32
+boto3==1.24.51
 argparse==1.4.0

samples/sample-rdk-rules/templates/lambda-permission.json

@@ -1,15 +1,15 @@
 
 {
-      "Type": "AWS::Lambda::Permission",
-      "DependsOn": "RuleNameStrippedLambdaFunction",
-      "Properties": {
-        "FunctionName": {
-          "Fn::GetAtt": [
-            "RuleNameStrippedLambdaFunction",
-            "Arn"
-          ]
-        },
-        "Action": "lambda:InvokeFunction",
-        "Principal": "config.amazonaws.com"
-      }
+  "Type": "AWS::Lambda::Permission",
+  "DependsOn": "RuleNameStrippedLambdaFunction",
+  "Properties": {
+    "FunctionName": {
+      "Fn::GetAtt": [
+        "RuleNameStrippedLambdaFunction",
+        "Arn"
+      ]
+    },
+    "Action": "lambda:InvokeFunction",
+    "Principal": "config.amazonaws.com"
+  }
 }