dbt-platform-helper 12.1.0__py3-none-any.whl → 12.2.0__py3-none-any.whl

dbt_platform_helper/domain/conduit.py

@@ -0,0 +1,172 @@
+import subprocess
+from collections.abc import Callable
+
+import click
+
+from dbt_platform_helper.exceptions import ECSAgentNotRunning
+from dbt_platform_helper.providers.cloudformation import (
+    add_stack_delete_policy_to_task_role,
+)
+from dbt_platform_helper.providers.cloudformation import update_conduit_stack_resources
+from dbt_platform_helper.providers.cloudformation import (
+    wait_for_cloudformation_to_reach_status,
+)
+from dbt_platform_helper.providers.copilot import connect_to_addon_client_task
+from dbt_platform_helper.providers.copilot import create_addon_client_task
+from dbt_platform_helper.providers.copilot import create_postgres_admin_task
+from dbt_platform_helper.providers.ecs import ecs_exec_is_available
+from dbt_platform_helper.providers.ecs import get_cluster_arn
+from dbt_platform_helper.providers.ecs import get_ecs_task_arns
+from dbt_platform_helper.providers.ecs import get_or_create_task_name
+from dbt_platform_helper.providers.secrets import get_addon_type
+from dbt_platform_helper.providers.secrets import get_parameter_name
+from dbt_platform_helper.utils.application import Application
+from dbt_platform_helper.utils.messages import abort_with_error
+
+
+class Conduit:
+    def __init__(
+        self,
+        application: Application,
+        echo_fn: Callable[[str], str] = click.secho,
+        subprocess_fn: subprocess = subprocess,
+        get_ecs_task_arns_fn=get_ecs_task_arns,
+        connect_to_addon_client_task_fn=connect_to_addon_client_task,
+        create_addon_client_task_fn=create_addon_client_task,
+        create_postgres_admin_task_fn=create_postgres_admin_task,
+        get_addon_type_fn=get_addon_type,
+        ecs_exec_is_available_fn=ecs_exec_is_available,
+        get_cluster_arn_fn=get_cluster_arn,
+        get_parameter_name_fn=get_parameter_name,
+        get_or_create_task_name_fn=get_or_create_task_name,
+        add_stack_delete_policy_to_task_role_fn=add_stack_delete_policy_to_task_role,
+        update_conduit_stack_resources_fn=update_conduit_stack_resources,
+        wait_for_cloudformation_to_reach_status_fn=wait_for_cloudformation_to_reach_status,
+        abort_fn=abort_with_error,
+    ):
+
+        self.application = application
+        self.subprocess_fn = subprocess_fn
+        self.echo_fn = echo_fn
+        self.get_ecs_task_arns_fn = get_ecs_task_arns_fn
+        self.connect_to_addon_client_task_fn = connect_to_addon_client_task_fn
+        self.create_addon_client_task_fn = create_addon_client_task_fn
+        self.create_postgres_admin_task = create_postgres_admin_task_fn
+        self.get_addon_type_fn = get_addon_type_fn
+        self.ecs_exec_is_available_fn = ecs_exec_is_available_fn
+        self.get_cluster_arn_fn = get_cluster_arn_fn
+        self.get_parameter_name_fn = get_parameter_name_fn
+        self.get_or_create_task_name_fn = get_or_create_task_name_fn
+        self.add_stack_delete_policy_to_task_role_fn = add_stack_delete_policy_to_task_role_fn
+        self.update_conduit_stack_resources_fn = update_conduit_stack_resources_fn
+        self.wait_for_cloudformation_to_reach_status_fn = wait_for_cloudformation_to_reach_status_fn
+        self.abort_fn = abort_fn
+
+    def start(self, env: str, addon_name: str, access: str = "read"):
+        clients = self._initialise_clients(env)
+        addon_type, cluster_arn, parameter_name, task_name = self._get_addon_details(
+            env, addon_name, access
+        )
+
+        self.echo_fn(f"Checking if a conduit task is already running for {addon_type}")
+        task_arn = self.get_ecs_task_arns_fn(clients["ecs"], cluster_arn, task_name)
+        if not task_arn:
+            self.echo_fn("Creating conduit task")
+            self.create_addon_client_task_fn(
+                clients["iam"],
+                clients["ssm"],
+                clients["secrets_manager"],
+                self.subprocess_fn,
+                self.application,
+                env,
+                addon_type,
+                addon_name,
+                task_name,
+                access,
+            )
+
+            self.echo_fn("Updating conduit task")
+            self._update_stack_resources(
+                clients["cloudformation"],
+                clients["iam"],
+                clients["ssm"],
+                self.application.name,
+                env,
+                addon_type,
+                addon_name,
+                task_name,
+                parameter_name,
+                access,
+            )
+
+            task_arn = self.get_ecs_task_arns_fn(clients["ecs"], cluster_arn, task_name)
+
+        else:
+            self.echo_fn("Conduit task already running")
+
+        self.echo_fn(f"Checking if exec is available for conduit task...")
+
+        try:
+            self.ecs_exec_is_available_fn(clients["ecs"], cluster_arn, task_arn)
+        except ECSAgentNotRunning:
+            self.abort_fn('ECS exec agent never reached "RUNNING" status')
+
+        self.echo_fn("Connecting to conduit task")
+        self.connect_to_addon_client_task_fn(
+            clients["ecs"], self.subprocess_fn, self.application.name, env, cluster_arn, task_name
+        )
+
+    def _initialise_clients(self, env):
+        return {
+            "ecs": self.application.environments[env].session.client("ecs"),
+            "iam": self.application.environments[env].session.client("iam"),
+            "ssm": self.application.environments[env].session.client("ssm"),
+            "cloudformation": self.application.environments[env].session.client("cloudformation"),
+            "secrets_manager": self.application.environments[env].session.client("secretsmanager"),
+        }
+
+    def _get_addon_details(self, env, addon_name, access):
+        ssm_client = self.application.environments[env].session.client("ssm")
+        ecs_client = self.application.environments[env].session.client("ecs")
+
+        addon_type = self.get_addon_type_fn(ssm_client, self.application.name, env, addon_name)
+        cluster_arn = self.get_cluster_arn_fn(ecs_client, self.application.name, env)
+        parameter_name = self.get_parameter_name_fn(
+            self.application.name, env, addon_type, addon_name, access
+        )
+        task_name = self.get_or_create_task_name_fn(
+            ssm_client, self.application.name, env, addon_name, parameter_name
+        )
+
+        return addon_type, cluster_arn, parameter_name, task_name
+
+    def _update_stack_resources(
+        self,
+        cloudformation_client,
+        iam_client,
+        ssm_client,
+        app_name,
+        env,
+        addon_type,
+        addon_name,
+        task_name,
+        parameter_name,
+        access,
+    ):
+        self.add_stack_delete_policy_to_task_role_fn(cloudformation_client, iam_client, task_name)
+        stack_name = self.update_conduit_stack_resources_fn(
+            cloudformation_client,
+            iam_client,
+            ssm_client,
+            app_name,
+            env,
+            addon_type,
+            addon_name,
+            task_name,
+            parameter_name,
+            access,
+        )
+        self.echo_fn("Waiting for conduit task update to complete...")
+        self.wait_for_cloudformation_to_reach_status_fn(
+            cloudformation_client, "stack_update_complete", stack_name
+        )

dbt_platform_helper/exceptions.py

@@ -20,6 +20,31 @@ class IncompatibleMinorVersion(ValidationException):
         self.check_version = check_version
 
 
+class NoClusterError(AWSException):
+    pass
+
+
+class CreateTaskTimeoutError(AWSException):
+    pass
+
+
+class ParameterNotFoundError(AWSException):
+    pass
+
+
+class AddonNotFoundError(AWSException):
+    pass
+
+
+class InvalidAddonTypeError(AWSException):
+    def __init__(self, addon_type):
+        self.addon_type = addon_type
+
+
+class AddonTypeMissingFromConfigError(AWSException):
+    pass
+
+
 class CopilotCodebaseNotFoundError(Exception):
     pass
 
@@ -46,3 +71,11 @@ class ApplicationNotFoundError(Exception):
 
 class ApplicationEnvironmentNotFoundError(Exception):
     pass
+
+
+class SecretNotFoundError(AWSException):
+    pass
+
+
+class ECSAgentNotRunning(AWSException):
+    pass

dbt_platform_helper/providers/cloudformation.py

@@ -0,0 +1,105 @@
+import json
+
+from cfn_tools import dump_yaml
+from cfn_tools import load_yaml
+
+
+def add_stack_delete_policy_to_task_role(cloudformation_client, iam_client, task_name: str):
+
+    stack_name = f"task-{task_name}"
+    stack_resources = cloudformation_client.list_stack_resources(StackName=stack_name)[
+        "StackResourceSummaries"
+    ]
+
+    for resource in stack_resources:
+        if resource["LogicalResourceId"] == "DefaultTaskRole":
+            task_role_name = resource["PhysicalResourceId"]
+            iam_client.put_role_policy(
+                RoleName=task_role_name,
+                PolicyName="DeleteCloudFormationStack",
+                PolicyDocument=json.dumps(
+                    {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Action": ["cloudformation:DeleteStack"],
+                                "Effect": "Allow",
+                                "Resource": f"arn:aws:cloudformation:*:*:stack/{stack_name}/*",
+                            },
+                        ],
+                    },
+                ),
+            )
+
+
+def update_conduit_stack_resources(
+    cloudformation_client,
+    iam_client,
+    ssm_client,
+    application_name: str,
+    env: str,
+    addon_type: str,
+    addon_name: str,
+    task_name: str,
+    parameter_name: str,
+    access: str,
+):
+
+    conduit_stack_name = f"task-{task_name}"
+    template = cloudformation_client.get_template(StackName=conduit_stack_name)
+    template_yml = load_yaml(template["TemplateBody"])
+    template_yml["Resources"]["LogGroup"]["DeletionPolicy"] = "Retain"
+    template_yml["Resources"]["TaskNameParameter"] = load_yaml(
+        f"""
+        Type: AWS::SSM::Parameter
+        Properties:
+          Name: {parameter_name}
+          Type: String
+          Value: {task_name}
+        """
+    )
+
+    log_filter_role_arn = iam_client.get_role(RoleName="CWLtoSubscriptionFilterRole")["Role"]["Arn"]
+
+    destination_log_group_arns = json.loads(
+        ssm_client.get_parameter(Name="/copilot/tools/central_log_groups")["Parameter"]["Value"]
+    )
+
+    destination_arn = destination_log_group_arns["dev"]
+    if env.lower() in ("prod", "production"):
+        destination_arn = destination_log_group_arns["prod"]
+
+    template_yml["Resources"]["SubscriptionFilter"] = load_yaml(
+        f"""
+        Type: AWS::Logs::SubscriptionFilter
+        DeletionPolicy: Retain
+        Properties:
+          RoleArn: {log_filter_role_arn}
+          LogGroupName: /copilot/{task_name}
+          FilterName: /copilot/conduit/{application_name}/{env}/{addon_type}/{addon_name}/{task_name.rsplit("-", 1)[1]}/{access}
+          FilterPattern: ''
+          DestinationArn: {destination_arn}
+        """
+    )
+
+    params = []
+    if "Parameters" in template_yml:
+        for param in template_yml["Parameters"]:
+            # TODO testing missed in codecov, update test to assert on method call below with params including ExistingParameter from cloudformation template.
+            params.append({"ParameterKey": param, "UsePreviousValue": True})
+
+    cloudformation_client.update_stack(
+        StackName=conduit_stack_name,
+        TemplateBody=dump_yaml(template_yml),
+        Parameters=params,
+        Capabilities=["CAPABILITY_IAM"],
+    )
+
+    return conduit_stack_name
+
+
+# TODO Catch errors and raise a more human friendly Exception is the CloudFormation stack goes into a "unhappy" state, e.g. ROLLBACK_IN_PROGRESS. Currently we get things like botocore.exceptions.WaiterError: Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once
+def wait_for_cloudformation_to_reach_status(cloudformation_client, stack_status, stack_name):
+
+    waiter = cloudformation_client.get_waiter(stack_status)
+    waiter.wait(StackName=stack_name, WaiterConfig={"Delay": 5, "MaxAttempts": 20})

dbt_platform_helper/providers/copilot.py

@@ -0,0 +1,144 @@
+import json
+import time
+
+from botocore.exceptions import ClientError
+
+from dbt_platform_helper.constants import CONDUIT_DOCKER_IMAGE_LOCATION
+from dbt_platform_helper.exceptions import CreateTaskTimeoutError
+from dbt_platform_helper.providers.ecs import get_ecs_task_arns
+from dbt_platform_helper.providers.secrets import get_connection_secret_arn
+from dbt_platform_helper.providers.secrets import (
+    get_postgres_connection_data_updated_with_master_secret,
+)
+from dbt_platform_helper.utils.application import Application
+from dbt_platform_helper.utils.messages import abort_with_error
+
+
+def create_addon_client_task(
+    iam_client,
+    ssm_client,
+    secrets_manager_client,
+    subprocess,
+    application: Application,
+    env: str,
+    addon_type: str,
+    addon_name: str,
+    task_name: str,
+    access: str,
+):
+    secret_name = f"/copilot/{application.name}/{env}/secrets/{_normalise_secret_name(addon_name)}"
+
+    if addon_type == "postgres":
+        if access == "read":
+            secret_name += "_READ_ONLY_USER"
+        elif access == "write":
+            secret_name += "_APPLICATION_USER"
+        elif access == "admin":
+            create_postgres_admin_task(
+                ssm_client,
+                secrets_manager_client,
+                subprocess,
+                application,
+                addon_name,
+                addon_type,
+                env,
+                secret_name,
+                task_name,
+            )
+            return
+    elif addon_type == "redis" or addon_type == "opensearch":
+        secret_name += "_ENDPOINT"
+
+    role_name = f"{addon_name}-{application.name}-{env}-conduitEcsTask"
+
+    try:
+        iam_client.get_role(RoleName=role_name)
+        execution_role = f"--execution-role {role_name} "
+    except ClientError as ex:
+        execution_role = ""
+        # We cannot check for botocore.errorfactory.NoSuchEntityException as botocore generates that class on the fly as part of errorfactory.
+        # factory. Checking the error code is the recommended way of handling these exceptions.
+        if ex.response.get("Error", {}).get("Code", None) != "NoSuchEntity":
+            # TODO Raise an exception to be caught at the command layer
+            abort_with_error(
+                f"cannot obtain Role {role_name}: {ex.response.get('Error', {}).get('Message', '')}"
+            )
+
+    subprocess.call(
+        f"copilot task run --app {application.name} --env {env} "
+        f"--task-group-name {task_name} "
+        f"{execution_role}"
+        f"--image {CONDUIT_DOCKER_IMAGE_LOCATION}:{addon_type} "
+        f"--secrets CONNECTION_SECRET={get_connection_secret_arn(ssm_client,secrets_manager_client, secret_name)} "
+        "--platform-os linux "
+        "--platform-arch arm64",
+        shell=True,
+    )
+
+
+def create_postgres_admin_task(
+    ssm_client,
+    secrets_manager_client,
+    subprocess,
+    app: Application,
+    addon_name: str,
+    addon_type: str,
+    env: str,
+    secret_name: str,
+    task_name: str,
+):
+    read_only_secret_name = secret_name + "_READ_ONLY_USER"
+    master_secret_name = (
+        f"/copilot/{app.name}/{env}/secrets/{_normalise_secret_name(addon_name)}_RDS_MASTER_ARN"
+    )
+    master_secret_arn = ssm_client.get_parameter(Name=master_secret_name, WithDecryption=True)[
+        "Parameter"
+    ]["Value"]
+    connection_string = json.dumps(
+        get_postgres_connection_data_updated_with_master_secret(
+            ssm_client, secrets_manager_client, read_only_secret_name, master_secret_arn
+        )
+    )
+
+    subprocess.call(
+        f"copilot task run --app {app.name} --env {env} "
+        f"--task-group-name {task_name} "
+        f"--image {CONDUIT_DOCKER_IMAGE_LOCATION}:{addon_type} "
+        f"--env-vars CONNECTION_SECRET='{connection_string}' "
+        "--platform-os linux "
+        "--platform-arch arm64",
+        shell=True,
+    )
+
+
+def connect_to_addon_client_task(
+    ecs_client,
+    subprocess,
+    application_name,
+    env,
+    cluster_arn,
+    task_name,
+    addon_client_is_running_fn=get_ecs_task_arns,
+):
+    running = False
+    tries = 0
+    while tries < 15 and not running:
+        tries += 1
+        if addon_client_is_running_fn(ecs_client, cluster_arn, task_name):
+            subprocess.call(
+                "copilot task exec "
+                f"--app {application_name} --env {env} "
+                f"--name {task_name} "
+                f"--command bash",
+                shell=True,
+            )
+            running = True
+
+        time.sleep(1)
+
+    if not running:
+        raise CreateTaskTimeoutError
+
+
+def _normalise_secret_name(addon_name: str) -> str:
+    return addon_name.replace("-", "_").upper()

dbt_platform_helper/providers/ecs.py

@@ -0,0 +1,78 @@
+import random
+import string
+import time
+from typing import List
+
+from dbt_platform_helper.exceptions import ECSAgentNotRunning
+from dbt_platform_helper.exceptions import NoClusterError
+
+
+def get_cluster_arn(ecs_client, application_name: str, env: str) -> str:
+    for cluster_arn in ecs_client.list_clusters()["clusterArns"]:
+        tags_response = ecs_client.list_tags_for_resource(resourceArn=cluster_arn)
+        tags = tags_response["tags"]
+
+        app_key_found = False
+        env_key_found = False
+        cluster_key_found = False
+
+        for tag in tags:
+            if tag["key"] == "copilot-application" and tag["value"] == application_name:
+                app_key_found = True
+            if tag["key"] == "copilot-environment" and tag["value"] == env:
+                env_key_found = True
+            if tag["key"] == "aws:cloudformation:logical-id" and tag["value"] == "Cluster":
+                cluster_key_found = True
+
+        if app_key_found and env_key_found and cluster_key_found:
+            return cluster_arn
+
+    raise NoClusterError
+
+
+def get_or_create_task_name(
+    ssm_client, application_name: str, env: str, addon_name: str, parameter_name: str
+) -> str:
+    try:
+        return ssm_client.get_parameter(Name=parameter_name)["Parameter"]["Value"]
+    except ssm_client.exceptions.ParameterNotFound:
+        random_id = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
+        return f"conduit-{application_name}-{env}-{addon_name}-{random_id}"
+
+
+def get_ecs_task_arns(ecs_client, cluster_arn: str, task_name: str):
+
+    tasks = ecs_client.list_tasks(
+        cluster=cluster_arn,
+        desiredStatus="RUNNING",
+        family=f"copilot-{task_name}",
+    )
+
+    if not tasks["taskArns"]:
+        return []
+
+    return tasks["taskArns"]
+
+
+def ecs_exec_is_available(ecs_client, cluster_arn: str, task_arns: List[str]):
+
+    current_attemps = 0
+    execute_command_agent_status = ""
+
+    while execute_command_agent_status != "RUNNING" and current_attemps < 25:
+
+        current_attemps += 1
+
+        task_details = ecs_client.describe_tasks(cluster=cluster_arn, tasks=task_arns)
+
+        managed_agents = task_details["tasks"][0]["containers"][0]["managedAgents"]
+        execute_command_agent_status = [
+            agent["lastStatus"]
+            for agent in managed_agents
+            if agent["name"] == "ExecuteCommandAgent"
+        ][0]
+
+        time.sleep(1)
+
+    if execute_command_agent_status != "RUNNING":
+        raise ECSAgentNotRunning

dbt_platform_helper/providers/secrets.py

@@ -0,0 +1,85 @@
+import json
+import urllib
+
+from dbt_platform_helper.constants import CONDUIT_ADDON_TYPES
+from dbt_platform_helper.exceptions import AddonNotFoundError
+from dbt_platform_helper.exceptions import AddonTypeMissingFromConfigError
+from dbt_platform_helper.exceptions import InvalidAddonTypeError
+from dbt_platform_helper.exceptions import ParameterNotFoundError
+from dbt_platform_helper.exceptions import SecretNotFoundError
+
+
+def get_postgres_connection_data_updated_with_master_secret(
+    ssm_client, secrets_manager_client, parameter_name, secret_arn
+):
+    response = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True)
+    parameter_value = response["Parameter"]["Value"]
+
+    parameter_data = json.loads(parameter_value)
+
+    secret_response = secrets_manager_client.get_secret_value(SecretId=secret_arn)
+    secret_value = json.loads(secret_response["SecretString"])
+
+    parameter_data["username"] = urllib.parse.quote(secret_value["username"])
+    parameter_data["password"] = urllib.parse.quote(secret_value["password"])
+
+    return parameter_data
+
+
+def get_connection_secret_arn(ssm_client, secrets_manager_client, secret_name: str) -> str:
+
+    try:
+        return ssm_client.get_parameter(Name=secret_name, WithDecryption=False)["Parameter"]["ARN"]
+    except ssm_client.exceptions.ParameterNotFound:
+        pass
+
+    try:
+        return secrets_manager_client.describe_secret(SecretId=secret_name)["ARN"]
+    except secrets_manager_client.exceptions.ResourceNotFoundException:
+        pass
+
+    raise SecretNotFoundError(secret_name)
+
+
+def get_addon_type(ssm_client, application_name: str, env: str, addon_name: str) -> str:
+    addon_type = None
+    try:
+        addon_config = json.loads(
+            ssm_client.get_parameter(
+                Name=f"/copilot/applications/{application_name}/environments/{env}/addons"
+            )["Parameter"]["Value"]
+        )
+    except ssm_client.exceptions.ParameterNotFound:
+        raise ParameterNotFoundError
+
+    if addon_name not in addon_config.keys():
+        raise AddonNotFoundError
+
+    for name, config in addon_config.items():
+        if name == addon_name:
+            if not config.get("type"):
+                raise AddonTypeMissingFromConfigError()
+            addon_type = config["type"]
+
+    if not addon_type or addon_type not in CONDUIT_ADDON_TYPES:
+        raise InvalidAddonTypeError(addon_type)
+
+    if "postgres" in addon_type:
+        addon_type = "postgres"
+
+    return addon_type
+
+
+def get_parameter_name(
+    application_name: str, env: str, addon_type: str, addon_name: str, access: str
+) -> str:
+    if addon_type == "postgres":
+        return f"/copilot/{application_name}/{env}/conduits/{_normalise_secret_name(addon_name)}_{access.upper()}"
+    elif addon_type == "redis" or addon_type == "opensearch":
+        return f"/copilot/{application_name}/{env}/conduits/{_normalise_secret_name(addon_name)}_ENDPOINT"
+    else:
+        return f"/copilot/{application_name}/{env}/conduits/{_normalise_secret_name(addon_name)}"
+
+
+def _normalise_secret_name(addon_name: str) -> str:
+    return addon_name.replace("-", "_").upper()

dbt_platform_helper/templates/addons/svc/prometheus-policy.yml

@@ -1,3 +1,5 @@
+# {% extra_header %}
+# {% version_info %}
 Parameters:
   App:
     Type: String

dbt_platform_helper/templates/pipelines/environments/manifest.yml

@@ -16,7 +16,6 @@ source:
   provider: GitHub
   # Additional properties that further specify the location of the artifacts.
   properties:
-    # Todo: Allow for overriding this, but without risking deploying a branch to higher environments
     branch: main
     repository: https://github.com/{{ git_repo }}
     connection_name: {{ app_name }}

dbt_platform_helper/utils/validation.py

@@ -266,6 +266,25 @@ def iam_role_arn_regex(key):
     )
 
 
+def dbt_email_address_regex(key):
+    return Regex(
+        r"^[\w.-]+@(businessandtrade.gov.uk|digital.trade.gov.uk)$",
+        error=f"{key} must contain a valid DBT email address",
+    )
+
+
+EXTERNAL_ROLE_ACCESS = {
+    "role_arn": iam_role_arn_regex("role_arn"),
+    "read": bool,
+    "write": bool,
+    "cyber_sign_off_by": dbt_email_address_regex("cyber_sign_off_by"),
+}
+
+EXTERNAL_ROLE_ACCESS_NAME = Regex(
+    r"^([a-z][a-zA-Z0-9_-]*)$",
+    error="External role access block name {} is invalid: names must only contain lowercase alphanumeric characters separated by hypen or underscore",
+)
+
 DATA_IMPORT = {
     Optional("source_kms_key_arn"): kms_key_arn_regex("source_kms_key_arn"),
     "source_bucket_arn": s3_bucket_arn_regex("source_bucket_arn"),
@@ -288,7 +307,8 @@ S3_BASE = {
             Optional("versioning"): bool,
             Optional("lifecycle_rules"): [LIFECYCLE_RULE],
             Optional("data_migration"): DATA_MIGRATION,
-        }
+            Optional("external_role_access"): {EXTERNAL_ROLE_ACCESS_NAME: EXTERNAL_ROLE_ACCESS},
+        },
     },
 }
 
@@ -402,6 +422,7 @@ ALB_DEFINITION = {
                 Optional("forwarded_values_query_string"): bool,
                 Optional("origin_protocol_policy"): str,
                 Optional("origin_ssl_protocols"): list,
+                Optional("slack_alert_channel_alb_secret_rotation"): str,
                 Optional("viewer_certificate_minimum_protocol_version"): str,
                 Optional("viewer_certificate_ssl_support_method"): str,
                 Optional("viewer_protocol_policy"): str,