fix(upgrade): enable organization cloudtrail in config converter. For… (#1263)

* fix(upgrade): enable organization cloudtrail in config converter. For CT environment create s3 events trail.  Add option to delete cloudtrail in post migration

* update resource handler table for vpc endpoints.

Author: crissupb

reference-artifacts/Custom-Scripts/lza-upgrade/src/common/aws/cloudtrail.ts

@@ -0,0 +1,40 @@
+/* eslint-disable */
+/**
+ *  Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+import { CloudTrailClient, DeleteTrailCommand } from '@aws-sdk/client-cloudtrail';
+import { Credentials } from '@aws-sdk/client-sts';
+import { throttlingBackOff } from './backoff';
+
+export class Cloudtrail {
+  private readonly serviceClient: CloudTrailClient;
+
+  constructor(credentials?: Credentials, region?: string) {
+    if (credentials) {
+      this.serviceClient = new CloudTrailClient({ credentials: {
+        accessKeyId: credentials.AccessKeyId!,
+        secretAccessKey: credentials.SecretAccessKey!,
+        sessionToken: credentials.SessionToken! }, 
+        region });
+    } else {
+      this.serviceClient = new CloudTrailClient({});
+    }
+  }
+
+  async deleteOrganizationTrail(acceleratorPrefix: string): Promise<void> {
+    try {
+      await throttlingBackOff(() => this.serviceClient.send(new DeleteTrailCommand({ Name: `${acceleratorPrefix}Org-Trail` })));
+    } catch (error) {
+      console.log(`Unable to delete Organization CloudTrail ${acceleratorPrefix}Org-Trail`);
+    }
+  }
+}

reference-artifacts/Custom-Scripts/lza-upgrade/src/convert-config.ts

@@ -741,6 +741,39 @@ export class ConvertAseaConfig {
       ousForS3EncryptionDeploymentTargetsWithoutNestedOus,
     );
 
+    let cloudtrailConfig = undefined;
+    if (globalOptions['ct-baseline'] === true) {
+      cloudtrailConfig = {
+        enable: true,
+        organizationTrail: true,
+        organizationTrailSettings: {
+          multiRegionTrail: true,
+          globalServiceEvents: false,
+          managementEvents: false,
+          s3DataEvents: true,
+          lambdaDataEvents: false,
+          sendToCloudWatchLogs: true,
+          apiErrorRateInsight: false,
+          apiCallRateInsight: false,
+        }
+      }
+    } else {
+      cloudtrailConfig = {
+        enable: true,
+        organizationTrail: true,
+        organizationTrailSettings: {
+          multiRegionTrail: true,
+          globalServiceEvents: true,
+          managementEvents: true,
+          s3DataEvents: true,
+          lambdaDataEvents: false,
+          sendToCloudWatchLogs: true,
+          apiErrorRateInsight: false,
+          apiCallRateInsight: true,
+        }
+      }
+    }
+
     const globalConfigAttributes: { [key: string]: unknown } = {
       externalLandingZoneResources: {
         importExternalLandingZoneResources: true,
@@ -779,23 +812,7 @@ export class ConvertAseaConfig {
       logging: {
         account: this.getAccountKeyforLza(globalOptions, centralizeLogging.account),
         centralizedLoggingRegion: centralizeLogging.region,
-        cloudtrail: {
-          enable: false,
-          organizationTrail: false,
-          // TODO: Confirm defaults
-          organizationTrailSettings: {
-            multiRegionTrail: true,
-            globalServiceEvents: true,
-            managementEvents: true,
-            s3DataEvents: true,
-            lambdaDataEvents: false,
-            sendToCloudWatchLogs: true,
-            apiErrorRateInsight: false,
-            apiCallRateInsight: true,
-          },
-          // TODO: Confirm Account trails, ASEA seems like doesn't have any account specific trail config
-          // TODO: Confirm about lifecycleRules. Not present in ASEA and not used in LZA
-        },
+        cloudtrail: cloudtrailConfig,
         sessionManager: {
           sendToS3: centralizeLogging['ssm-to-s3'],
           sendToCloudWatchLogs: centralizeLogging['ssm-to-cwl'],

reference-artifacts/Custom-Scripts/lza-upgrade/src/post-migration.ts

@@ -16,6 +16,7 @@ import { AcceleratorConfig, ImportCertificateConfig, ImportCertificateConfigType
 import { loadAseaConfig } from './asea-config/load';
 import { DynamoDB } from './common/aws/dynamodb';
 import { ConfigService } from './common/aws/config-service';
+import { Cloudtrail } from './common/aws/cloudtrail';
 import { S3 } from './common/aws/s3';
 import { Account, getAccountId } from './common/outputs/accounts';
 import { StackOutput, findValuesFromOutputs, loadOutputs } from './common/outputs/load-outputs';
@@ -32,6 +33,7 @@ export class PostMigration {
   private readonly s3: S3;
   private readonly dynamoDb: DynamoDB;
   private readonly configService: ConfigService;
+  private readonly cloudtrail = new Cloudtrail();
   private outputs: StackOutput[] = [];
   private accounts: Account[] = [];
   private centralBucket: string | undefined;
@@ -51,6 +53,7 @@ export class PostMigration {
     this.s3 = new S3(undefined, this.region);
     this.dynamoDb = new DynamoDB(undefined, this.region);
     this.configService = new ConfigService(undefined, this.region);
+    this.cloudtrail = new Cloudtrail(undefined, this.region);
     this.args = args;
     this.outputsDirectory = './outputs';
     this.writeConfig = {
@@ -151,6 +154,9 @@ export class PostMigration {
           break;
         case 'remove-logging':
           await this.removeLogging(mappingConfig);
+          break;
+        case 'remove-org-cloudtrail':
+          await this.cloudtrail.deleteOrganizationTrail(this.aseaPrefix);
       }
     }
 

src/mkdocs/docs/lza-upgrade/asea-resource-handlers.md

@@ -35,6 +35,6 @@ In order to accomplish upgrading from ASEA to LZA, the solution relies on a conc
 |Transit Gateways	|FALSE	|TRUE	|Amazon Side ASN </br> Auto Accept Shared Attachments </br> Default Route Table Associations </br> Default Route Table Propagations </br> DNS Support </br> VPN ECMP Support	|	|
 |Virtual Private Gateway	|FALSE	|TRUE	|Amazon Side ASN	|	|
 |VPC	|FALSE	|TRUE	|CIDR Blocks </br> Enable DNS Host Names </br> Enable DNS Support </br> Instance Tenancy 	|	|
-|VPC Endpoint	|FALSE	|FALSE	|	|	|
+|VPC Endpoint	|TRUE	|FALSE	|None, Including associated security group. Must re-create endpoint |	|
 |VPC Endpoint (Gateway)	|FALSE	|TRUE	|Route Table Ids	|	|
 |VPC Peering Connection	|FALSE	|FALSE	|	|	|