Releases: aws-samples/sample-auto-map-tagger

v21.0.7 — PreflightLogGroup orphan fix + VPC-scope reconciliation leak

01 May 06:01
5e5c1d2

Two correctness fixes:

  1. PreflightLogGroup orphan race — removed explicit PreflightLogGroup CFN resource. Prevents AlreadyExists error on StackSet cross-region redeploy after delete. Root cause of the MA8-use1 failure.

  2. VPC-scope reconciliation leak — added _VPC_BOUND service set to is_in_scope. VPC-bound services (EC2, RDS, ElastiCache, etc.) now fail closed when VPC ID is unresolvable, preventing reconciliation from converting VPC scope into account scope on the nightly sweep. Also restores tag_non_vpc_services toggle in standalone YAML.
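The fail-closed scope check described in fix 2, as an added illustration (not the project's code): `_VPC_BOUND` and `is_in_scope` are the names from the note above, but the service membership, the event shape, the `resolve_vpc_id` helper and the way `tag_non_vpc_services` is threaded through are assumptions.

```python
from typing import FrozenSet, Optional

# Services whose resources live inside a VPC. Membership here is an assumption
# that mirrors the examples in the release note (EC2, RDS, ElastiCache).
_VPC_BOUND: FrozenSet[str] = frozenset({"ec2", "rds", "elasticache"})


def resolve_vpc_id(event: dict) -> Optional[str]:
    """Hypothetical resolver: the VPC ID the event carries, or None when it is
    missing (for example because an enrichment lookup failed)."""
    return event.get("vpcId")


def is_in_scope(event: dict, scope_kind: str, scope_vpc_ids: FrozenSet[str],
                tag_non_vpc_services: bool = True) -> bool:
    """Decide whether a CloudTrail-style event falls inside the tagging scope.

    scope_kind is "account" (everything) or "vpc" (only scope_vpc_ids).
    Under a VPC scope, a VPC-bound service whose VPC ID cannot be resolved is
    treated as OUT of scope, so a lookup failure can never silently widen a
    VPC scope into an account scope during the nightly reconciliation sweep.
    """
    if scope_kind == "account":
        return True
    service = event["eventSource"].split(".")[0]   # "ec2.amazonaws.com" -> "ec2"
    if service not in _VPC_BOUND:
        # Non-VPC services (S3, IAM, ...) follow the standalone YAML toggle.
        return tag_non_vpc_services
    vpc_id = resolve_vpc_id(event)
    if vpc_id is None:
        # Fail closed instead of falling through to account-wide tagging.
        return False
    return vpc_id in scope_vpc_ids
```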

Validation: Layer 1 CI 17/17, E2E 37/37, CT3 chaos test 123 TAGGED with 0 new regressions.

See CHANGELOG.md for full details.

v20.3.0 — Tier 1 MAP service handlers (Keyspaces + Directory Service + CloudHSM v2)

22 Apr 11:56
120cce2

Summary

Adds auto-tagging coverage for three MAP 2.0 Included Services that previously had zero handler coverage in the Lambda. Customers in affected verticals were silently losing credits.

New handlers

  • Amazon Keyspaces: CreateKeyspace (cassandra.amazonaws.com)
  • AWS Directory Service: CreateDirectory (Simple AD), CreateMicrosoftAD (Managed Microsoft AD)
  • AWS CloudHSM v2: CreateCluster, CreateHsm (HSMs tag through the parent cluster ARN)

IAM additions

  • ds:AddTagsToResource
  • cloudhsm:TagResource

cassandra:TagResource was already granted.

Native tag API dispatch

Resource Groups Tagging API coverage for these services is inconsistent, so all three dispatch to the native tag APIs — each with a different shape:

| Service           | API                     | Resource identifier       | Tag shape                  |
|-------------------|-------------------------|---------------------------|----------------------------|
| Keyspaces         | keyspaces.tag_resource  | resourceArn=<ARN>         | [{key, value}] (lowercase) |
| Directory Service | ds.add_tags_to_resource | ResourceId=<directory_id> | [{Key, Value}]             |
| CloudHSM v2       | cloudhsmv2.tag_resource | ResourceId=<cluster_id>   | TagList=[{Key, Value}]     |

Collision safety

All new handlers are guarded by an event_source equality check. The cloudhsmv2.amazonaws.com guard disambiguates CreateCluster from the existing redshift/memorydb/dax/eks/MSK handlers that handle an event of the same name.
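The per-service dispatch from the table above and the event_source guard, as an added example that is not the project's handler code. It builds the boto3 call (client, method, kwargs) instead of invoking boto3 so it runs offline; the event field names follow CloudTrail (eventSource, eventName, responseElements), and the responseElements paths used to find each resource identifier are assumptions.

```python
from typing import Optional

# event_source -> handled eventNames. Looking the source up first is the guard:
# a CreateCluster from redshift/memorydb/dax/eks/MSK never reaches the CloudHSM path.
_HANDLED = {
    "cassandra.amazonaws.com": {"CreateKeyspace"},
    "ds.amazonaws.com": {"CreateDirectory", "CreateMicrosoftAD"},
    "cloudhsmv2.amazonaws.com": {"CreateCluster", "CreateHsm"},
}


def build_tag_call(event: dict, tags: dict) -> Optional[dict]:
    """Return {"client", "method", "kwargs"} for the native tag API of the
    service that emitted the event, or None if the event is not handled."""
    source, name = event["eventSource"], event["eventName"]
    if name not in _HANDLED.get(source, ()):
        return None  # wrong event source or an action this release does not handle
    resp = event.get("responseElements") or {}
    if source == "cassandra.amazonaws.com":
        # Keyspaces: ARN-keyed, lowercase key/value pairs (assumed response path)
        return {"client": "keyspaces", "method": "tag_resource",
                "kwargs": {"resourceArn": resp["resourceArn"],
                           "tags": [{"key": k, "value": v} for k, v in tags.items()]}}
    if source == "ds.amazonaws.com":
        # Directory Service: directory ID, capitalised Key/Value (assumed response path)
        return {"client": "ds", "method": "add_tags_to_resource",
                "kwargs": {"ResourceId": resp["directoryId"],
                           "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}}
    # CloudHSM v2: cluster ID; an HSM is tagged through its parent cluster
    # (assumed response paths: cluster.clusterId for CreateCluster, hsm.clusterId for CreateHsm)
    cluster_id = resp["cluster"]["clusterId"] if name == "CreateCluster" else resp["hsm"]["clusterId"]
    return {"client": "cloudhsmv2", "method": "tag_resource",
            "kwargs": {"ResourceId": cluster_id,
                       "TagList": [{"Key": k, "Value": v} for k, v in tags.items()]}}
```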

Intentional deferrals

  • AD Connector (ConnectDirectory) — requires broader EventBridge prefix expansion
  • Keyspaces CreateTable — collides with Glue/DynamoDB/Timestream
  • E2E fixtures — CloudHSM init is 10–15 min; dedicated fixture PR to follow

Upgrade notes

  • MINOR bump (v20.2.0 → v20.3.0): new capability, no breaking change
  • No customer action required to pick up new handlers on existing deployments — re-run deploy.sh or update.sh to apply the new template version
  • Handler baseline: 149 → 154 (+5 new, E2E coverage follow-up pending)

Validation

  • ✅ 50/50 CI checks passed first-try (including full Layer 2 E2E across 7 accounts)
  • ✅ All existing handlers unaffected — no regressions
  • Native API shapes verified via boto3 service model

PR #25

v20.2.0 — AutoDeployment conditional + cross-MPE conflict detection

22 Apr 04:07
19948f6

What's Changed

  • feat: AutoDeployment conditional + cross-MPE conflict detection (v20.2.0) by @hyunsies in #24

Full Changelog: v20.1.0...v20.2.0

v20.1.0 — version visibility + batched IAM preflight + stack-state preflight

21 Apr 13:57
648414b

First release under the new SemVer policy (see VERSIONING.md). MINOR bump from the v20 baseline — new capabilities, safe in-place update for existing deployments.

What's new

Version visibility

  • New CFN AWS::SSM::Parameter at /auto-map-tagger/${MpeId}/version
  • New CFN stack Output TemplateVersion
  • Lambda cold-start log: auto-map-tagger v20.1.0 cold start

Zero outbound calls — version is pinned at deploy time, readable via aws ssm get-parameter, describe-stacks --query "Stacks[0].Outputs", or CloudWatch Logs.

Batched deploy-time IAM preflight

Extends deploy.sh to simulate the 21 IAM actions the deploy itself needs (CFN + IAM + Lambda + Events + SQS + SSM + Logs + SNS + S3) in a single iam:simulate-principal-policy call (~200ms). Multi-account mode adds 5 StackSets + Organizations actions for 26 total.

Fails on both explicitDeny (SCP blocks) and implicitDeny (principal missing grant). Replaces the 15-min-into-deploy AccessDenied-tarpit with a ~200ms fast fail + per-action remediation.

Correctly handles both IAM users and assumed-role (SSO) callers — the latter required converting the session ARN to the role ARN before passing to simulate-principal-policy.
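The two pieces of the preflight that are easy to get wrong, written here as an added Python illustration rather than as an excerpt of deploy.sh: rewriting an STS assumed-role session ARN to the role ARN that simulate-principal-policy accepts, and treating both explicitDeny and implicitDeny evaluation results as failures. The simulation response is constructed sample data, not captured output.

```python
import re
from typing import List, Tuple

# arn:<partition>:sts::<account>:assumed-role/<RoleName>/<SessionName>
_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[^:]*):sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/[^/]+$")


def principal_arn_for_simulation(caller_arn: str) -> str:
    """simulate-principal-policy needs an IAM principal. STS session ARNs
    (what get-caller-identity returns for SSO/assumed-role callers) are
    rewritten to the underlying role ARN; IAM user ARNs pass through."""
    m = _ASSUMED_ROLE.match(caller_arn)
    if not m:
        return caller_arn
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"


def denied_actions(simulation: dict) -> List[Tuple[str, str]]:
    """(action, decision) for every evaluation that is not 'allowed':
    explicitDeny (an SCP or Deny statement) and implicitDeny (no grant)."""
    return [(r["EvalActionName"], r["EvalDecision"])
            for r in simulation.get("EvaluationResults", [])
            if r["EvalDecision"] != "allowed"]


def preflight_ok(simulation: dict) -> bool:
    """Fail fast before the first CloudFormation call if anything is denied."""
    return not denied_actions(simulation)


# Constructed sample of a SimulatePrincipalPolicy response (not real output).
SAMPLE_SIMULATION = {
    "EvaluationResults": [
        {"EvalActionName": "cloudformation:CreateStack", "EvalDecision": "allowed"},
        {"EvalActionName": "iam:CreateRole", "EvalDecision": "implicitDeny"},
        {"EvalActionName": "lambda:CreateFunction", "EvalDecision": "explicitDeny"},
    ]
}
```

Printing each denied (action, decision) pair is what gives the per-action remediation list; an implicitDeny means the principal's policy needs the grant, an explicitDeny means an SCP or Deny statement has to be lifted first.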

Stack-state preflight

deploy.sh previously fell through to update-stack for any existing stack state that wasn't NOT_FOUND, DELETE_COMPLETE, or ROLLBACK_COMPLETE. Customers hit stuck states (*_IN_PROGRESS, UPDATE_ROLLBACK_FAILED, ROLLBACK_FAILED, DELETE_FAILED) and got cryptic CFN errors.

New preflight catches the four failure classes with specific remediation commands — including the exact continue-update-rollback invocation for stuck update rollbacks.

For existing customers

Safe in-place update. Re-run deploy.sh from the configurator to get v20.1.0. No breaking changes.

Manual validation

Six end-to-end tests run against the single-account test environment:

  • Rendering: ✅ single (21 actions) + multi (26 actions)
  • Admin happy path: ✅
  • Under-privileged assumed role: ✅ all 20 missing permissions caught (caught a bug during testing where the assumed-role ARN needed translation to role ARN for simulate-principal-policy)
  • Stack state ROLLBACK_COMPLETE: ✅ passes through (deploy.sh auto-recovers)
  • Stack state CREATE_IN_PROGRESS: ✅ fails with remediation
  • Stack state ROLLBACK_FAILED: ✅ fails with remediation
  • Empty caller ARN fail-safe: ✅ warns and continues

Full diff

See PR #23.