From 2cd8b3b3338ea0705c6940dd0855fc3a8198c5cf Mon Sep 17 00:00:00 2001 
From: Ronaldo Macapobre Date: Tue, 17 Dec 2024 15:44:01 -0800 Subject: [PATCH] JASPER-223: Secure JASPER to VPN'd users only (#114) * - Implement WAF to secure jasper to VPN'd users only - Fixed existing tfsec issues - Fixed publish-infra error - Deleted jasper-aws-bootstrap folder as it is no longer needed - Include sonarlint extension to identify sonar issues earlier * Upgrade Terraform version to 1.10.2 --------- Co-authored-by: Ronaldo Macapobre --- .devcontainer/devcontainer.json | 3 +- .github/workflows/build-infra.yml | 2 +- .github/workflows/publish-infra.yml | 14 +++- .../cloud/environments/dev/providers.tf | 6 +- .../cloud/environments/dev/webapp.tf | 11 +++ .../cloud/environments/test/main.tf | 11 +++ .../cloud/environments/test/providers.tf | 6 +- infrastructure/cloud/modules/ALB/outputs.tf | 4 ++ .../cloud/modules/APIGateway/main.tf | 8 ++- infrastructure/cloud/modules/IAM/main.tf | 2 +- infrastructure/cloud/modules/IAM/variables.tf | 5 ++ .../cloud/modules/SecretsManager/main.tf | 7 +- .../cloud/modules/SecretsManager/output.tf | 5 ++ infrastructure/cloud/modules/WAF/main.tf | 59 +++++++++++++++ infrastructure/cloud/modules/WAF/variables.tf | 25 +++++++ .../jasper-aws-bootstrap/.gitignore | 8 --- .../jasper-aws-bootstrap/.npmignore | 6 -- infrastructure/jasper-aws-bootstrap/README.md | 14 ---- .../bin/jasper-aws-bootstrap.ts | 24 ------- infrastructure/jasper-aws-bootstrap/cdk.json | 72 ------------------- .../jasper-aws-bootstrap/jest.config.js | 8 --- .../lib/jasper-aws-bootstrap-stack.ts | 59 --------------- .../jasper-aws-bootstrap/package.json | 27 ------- .../test/jasper-aws-bootstrap.test.ts | 43 ----------- .../jasper-aws-bootstrap/tsconfig.json | 31 -------- 25 files changed, 153 insertions(+), 307 deletions(-) create mode 100644 infrastructure/cloud/modules/WAF/main.tf create mode 100644 infrastructure/cloud/modules/WAF/variables.tf delete mode 100644 infrastructure/jasper-aws-bootstrap/.gitignore delete mode 100644 
infrastructure/jasper-aws-bootstrap/.npmignore delete mode 100644 infrastructure/jasper-aws-bootstrap/README.md delete mode 100644 infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts delete mode 100644 infrastructure/jasper-aws-bootstrap/cdk.json delete mode 100644 infrastructure/jasper-aws-bootstrap/jest.config.js delete mode 100644 infrastructure/jasper-aws-bootstrap/lib/jasper-aws-bootstrap-stack.ts delete mode 100644 infrastructure/jasper-aws-bootstrap/package.json delete mode 100644 infrastructure/jasper-aws-bootstrap/test/jasper-aws-bootstrap.test.ts delete mode 100644 infrastructure/jasper-aws-bootstrap/tsconfig.json diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 32d67882..f7f897fd 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -23,7 +23,8 @@ "ms-dotnettools.csharp", "ms-dotnettools.vscode-dotnet-runtime", "amazonwebservices.aws-toolkit-vscode", - "hashicorp.terraform" + "hashicorp.terraform", + "sonarsource.sonarlint-vscode" ], "settings": { "editor.codeActionsOnSave": { diff --git a/.github/workflows/build-infra.yml b/.github/workflows/build-infra.yml index c8b791c9..beec15a0 100644 --- a/.github/workflows/build-infra.yml +++ b/.github/workflows/build-infra.yml @@ -78,7 +78,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: 1.9.0 + terraform_version: 1.10.2 - name: Terraform Init id: init diff --git a/.github/workflows/publish-infra.yml b/.github/workflows/publish-infra.yml index 39c6f787..1a52f296 100644 --- a/.github/workflows/publish-infra.yml +++ b/.github/workflows/publish-infra.yml @@ -32,7 +32,7 @@ jobs: deploy: runs-on: ubuntu-latest environment: - name: ${{ inputs.environment }} + name: ${{ inputs.environment || 'dev' }} env: TF_VAR_app_name: ${{ vars.APP_NAME }} TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }} 
@@ -46,6 +46,16 @@ jobs: security-events: write packages: write steps: + - name: Determine environment + id: determine-environment + run: | + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_ENV + else + echo "environment=dev" >> $GITHUB_ENV + echo "WORKING_DIRECTORY=${{ env.WORKING_DIRECTORY }}/dev" >> $GITHUB_ENV + fi + - name: Checkout repository uses: actions/checkout@v4 @@ -73,7 +83,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: 1.9.0 + terraform_version: 1.10.2 - name: Terraform Init id: init diff --git a/infrastructure/cloud/environments/dev/providers.tf b/infrastructure/cloud/environments/dev/providers.tf index 4cafa436..ab701174 100644 --- a/infrastructure/cloud/environments/dev/providers.tf +++ b/infrastructure/cloud/environments/dev/providers.tf @@ -1,14 +1,14 @@ terraform { - required_version = "~> 1.9.0" + required_version = "~> 1.10.2" required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = "~> 5.81.0" } tls = { source = "hashicorp/tls" - version = "4.0.5" + version = "4.0.6" } } diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf index 0f7afcdf..de1689df 100644 --- a/infrastructure/cloud/environments/dev/webapp.tf +++ b/infrastructure/cloud/environments/dev/webapp.tf @@ -75,6 +75,7 @@ module "iam" { secrets_arn_list = module.secrets_manager.secrets_arn_list account_id = data.aws_caller_identity.current.account_id kms_key_id = module.initial.kms_key_arn + region = var.region } # Parse Subnets 
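Review bot: The `Determine environment` step pastes `${{ github.event.inputs.environment }}` straight into the `run:` script, so the input text becomes part of the shell command before it executes; `workflow_dispatch` inputs are limited to collaborators, but the safer form costs nothing: put `env:` / `  ENV_INPUT: ${{ github.event.inputs.environment }}` on the step and write `echo "environment=$ENV_INPUT" >> "$GITHUB_ENV"`. The else-branch rewrites `WORKING_DIRECTORY` to `…/dev` while the dispatch branch leaves it untouched, so a dispatched run for `test` presumably keeps the base directory — if that asymmetry is intended, a comment saying so would help the next reader. The job-level `environment: name: ${{ inputs.environment || 'dev' }}` in the previous hunk is resolved before any step runs, so the `environment` value appended to `$GITHUB_ENV` here cannot feed it; confirm what actually consumes it.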
@@ -268,3 +269,13 @@ module "ecs_api_service" { subnet_ids = module.subnets.app_subnets_ids port = module.ecs_api_td.port } + +# WAF +module "waf" { + source = "../../modules/WAF" + environment = var.environment + app_name = var.app_name + region = var.region + allowed_ip_ranges = module.secrets_manager.allowed_ip_ranges + default_lb_arn = module.alb.default_lb_arn +} diff --git a/infrastructure/cloud/environments/test/main.tf b/infrastructure/cloud/environments/test/main.tf index 0f7afcdf..de1689df 100644 --- a/infrastructure/cloud/environments/test/main.tf +++ b/infrastructure/cloud/environments/test/main.tf @@ -75,6 +75,7 @@ module "iam" { secrets_arn_list = module.secrets_manager.secrets_arn_list account_id = data.aws_caller_identity.current.account_id kms_key_id = module.initial.kms_key_arn + region = var.region } # Parse Subnets @@ -268,3 +269,13 @@ module "ecs_api_service" { subnet_ids = module.subnets.app_subnets_ids port = module.ecs_api_td.port } + +# WAF +module "waf" { + source = "../../modules/WAF" + environment = var.environment + app_name = var.app_name + region = var.region + allowed_ip_ranges = module.secrets_manager.allowed_ip_ranges + default_lb_arn = module.alb.default_lb_arn +} diff --git a/infrastructure/cloud/environments/test/providers.tf b/infrastructure/cloud/environments/test/providers.tf index 4cafa436..ab701174 100644 --- a/infrastructure/cloud/environments/test/providers.tf +++ b/infrastructure/cloud/environments/test/providers.tf @@ -1,14 +1,14 @@ terraform { - required_version = "~> 1.9.0" + required_version = "~> 1.10.2" required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = "~> 5.81.0" } tls = { source = "hashicorp/tls" - version = "4.0.5" + version = "4.0.6" } } diff --git a/infrastructure/cloud/modules/ALB/outputs.tf b/infrastructure/cloud/modules/ALB/outputs.tf index d9e6ceb3..afd5377f 100644 --- a/infrastructure/cloud/modules/ALB/outputs.tf +++ b/infrastructure/cloud/modules/ALB/outputs.tf 
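Review bot: The web ACL is attached only to the default ALB through `default_lb_arn`, while the regional API Gateway managed in `modules/APIGateway` is not associated with it, so if that API is reachable from the internet it sits outside the "VPN'd users only" boundary this commit introduces; either add a second `aws_wafv2_web_acl_association` for the API stage or state in the module call why the API needs none. The same `module "waf"` block is duplicated verbatim in the `environments/test/main.tf` hunk, so both call sites must change together. A one-line comment above `module "waf"` naming where `allowedIpRanges` is maintained (the misc secret, presumably edited outside Terraform since the seed value is empty) would save the next reader a trip through `modules/SecretsManager`.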
@@ -1,3 +1,7 @@ output "default_lb_dns_name" { value = data.aws_lb.default_lb.dns_name } + +output "default_lb_arn" { + value = data.aws_lb.default_lb.arn +} diff --git a/infrastructure/cloud/modules/APIGateway/main.tf b/infrastructure/cloud/modules/APIGateway/main.tf index d5f65afe..ae0f7ea3 100644 --- a/infrastructure/cloud/modules/APIGateway/main.tf +++ b/infrastructure/cloud/modules/APIGateway/main.tf @@ -51,9 +51,11 @@ resource "aws_api_gateway_method_settings" "apgw_method_settings" { method_path = "*/*" settings { - data_trace_enabled = true - metrics_enabled = true - logging_level = "INFO" + data_trace_enabled = true + metrics_enabled = true + logging_level = "INFO" + cache_data_encrypted = true + caching_enabled = true } } diff --git a/infrastructure/cloud/modules/IAM/main.tf b/infrastructure/cloud/modules/IAM/main.tf index 42542fe9..ff08e3fb 100644 --- a/infrastructure/cloud/modules/IAM/main.tf +++ b/infrastructure/cloud/modules/IAM/main.tf @@ -199,7 +199,7 @@ resource "aws_iam_policy" "openshift_role_policy" { ], "Effect" : "Allow", "Resource" : [ - "arn:aws:ssm:*:*:parameter/iam_users/${var.openshift_iam_user}_keys", + "arn:aws:ssm:${var.region}:${var.account_id}:parameter/iam_users/${var.openshift_iam_user}_keys", var.kms_key_arn ] }, diff --git a/infrastructure/cloud/modules/IAM/variables.tf b/infrastructure/cloud/modules/IAM/variables.tf index c8e3c9c1..a7dc3a44 100644 --- a/infrastructure/cloud/modules/IAM/variables.tf +++ b/infrastructure/cloud/modules/IAM/variables.tf @@ -42,3 +42,8 @@ variable "kms_key_id" { description = "The custom KMS Key Id" type = string } + +variable "region" { + description = "The AWS region" + type = string +} diff --git a/infrastructure/cloud/modules/SecretsManager/main.tf b/infrastructure/cloud/modules/SecretsManager/main.tf index dd09cbe6..bd823c9a 100644 --- a/infrastructure/cloud/modules/SecretsManager/main.tf +++ b/infrastructure/cloud/modules/SecretsManager/main.tf 
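Review bot: `caching_enabled = true` under `method_path = "*/*"` turns on response caching for every method and path of the stage, and nothing in the hunk configures per-method cache keys or limits caching to idempotent GETs; unless the Authorization header or a per-user parameter is part of the cache key, a response produced for one caller can be served to another, which matters for user-specific traffic. If the two lines exist only to satisfy the tfsec cache-encryption finding, not caching at all satisfies it too, so consider dropping both or scoping caching to the specific GET resources that are safe to share. Method-level caching is also inert unless `cache_cluster_enabled` is set on the stage, which this hunk does not show; confirm that before relying on it. The `aws_api_gateway_method_settings` resource starts outside the hunk.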
@@ -149,10 +149,15 @@ resource "aws_secretsmanager_secret_version" "misc_secret_value" { apiUrl = "" siteMinderLogoutUrl = "", includeSiteMinderHeaders = "", - mtlsCert = "" + mtlsCert = "", + allowedIpRanges = "" }) } +data "aws_secretsmanager_secret_version" "current_misc_secret_value" { + secret_id = aws_secretsmanager_secret.misc_secret.id +} + resource "aws_secretsmanager_secret" "auth_secret" { name = "external/${var.app_name}-auth-secret-${var.environment}" kms_key_id = var.kms_key_arn diff --git a/infrastructure/cloud/modules/SecretsManager/output.tf b/infrastructure/cloud/modules/SecretsManager/output.tf index 654e7464..4162b9cf 100644 --- a/infrastructure/cloud/modules/SecretsManager/output.tf +++ b/infrastructure/cloud/modules/SecretsManager/output.tf @@ -84,3 +84,8 @@ output "mtls_secret_name" { output "api_authorizer_secret" { value = aws_secretsmanager_secret.api_authorizer_secret } + +output "allowed_ip_ranges" { + value = jsondecode(data.aws_secretsmanager_secret_version.current_misc_secret_value.secret_string).allowedIpRanges + sensitive = true +} diff --git a/infrastructure/cloud/modules/WAF/main.tf b/infrastructure/cloud/modules/WAF/main.tf new file mode 100644 index 00000000..aee0166d --- /dev/null +++ b/infrastructure/cloud/modules/WAF/main.tf 
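Review bot: `data "aws_secretsmanager_secret_version" "current_misc_secret_value"` depends only on `aws_secretsmanager_secret.misc_secret` through `secret_id`, not on `aws_secretsmanager_secret_version.misc_secret_value`, so on a fresh environment Terraform may try to read the secret before its first version exists and fail the plan or apply; add `depends_on = [aws_secretsmanager_secret_version.misc_secret_value]` to the data block. Reading the value back also puts every key of the misc secret, not just `allowedIpRanges`, into the data source's attributes and state; the state already holds the seeded version, but a comment on the data block explaining that the allow-list is maintained in the secret rather than in Terraform would make the round-trip intentional rather than puzzling. The `secret_string` block of the seeding resource starts outside the hunk.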
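Review bot: `jsondecode(...).allowedIpRanges` in the new `allowed_ip_ranges` output raises an unsupported-attribute error whenever the key is absent, which is the state of any environment whose misc secret predates this commit and is edited by hand rather than re-seeded; `value = try(jsondecode(data.aws_secretsmanager_secret_version.current_misc_secret_value.secret_string).allowedIpRanges, "")` degrades to the empty string instead, and the WAF module's `split` then still has to cope with that value. Marking the output `sensitive` also propagates into the WAF IP set's `addresses`, so plan diffs for allow-list edits show only `(sensitive value)`; if reviewability of those edits matters more than hiding CIDR ranges that are not themselves secret, consider leaving the output non-sensitive.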
@@ -0,0 +1,59 @@
+locals {
+ ip_list = split(",", var.allowed_ip_ranges)
+}
+
+resource "aws_wafv2_ip_set" "waf_ip_set" {
+ name = "${var.app_name}-bcgov-ip-set-${var.environment}"
+ description = "BC Gov CIDRs ranges to restrict JASPER access to users connected to VPN only"
+ scope = "REGIONAL"
+ ip_address_version = "IPV4"
+ addresses = local.ip_list
+}
+
+resource "aws_wafv2_web_acl" "waf_web_acl" {
+ name = "${var.app_name}-waf-web-acl-${var.environment}"
+ description = "Load Balancer Web Application Firewall"
+ scope = "REGIONAL"
+
+ default_action {
+ block {}
+ }
+
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "lb-waf-web-acl-metric"
+ sampled_requests_enabled = true
+ }
+
+ rule {
+ name = "${var.app_name}-allow-bcgov-ips-rule-${var.environment}"
+ priority = 1
+
+ statement {
+ ip_set_reference_statement {
+ arn = aws_wafv2_ip_set.waf_ip_set.arn
+
+ ip_set_forwarded_ip_config {
+ header_name = "X-Forwarded-For"
+ position = "ANY"
+ fallback_behavior = "NO_MATCH"
+ }
+ }
+ }
+
+ action {
+ allow {}
+ }
+
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "allow-bcgov-ips-rule-metric"
+ sampled_requests_enabled = true
+ }
+ }
+}
+
+resource "aws_wafv2_web_acl_association" "waf_web_acl_assoc" {
+ resource_arn = var.default_lb_arn
+ web_acl_arn = aws_wafv2_web_acl.waf_web_acl.arn
+}
diff --git a/infrastructure/cloud/modules/WAF/variables.tf b/infrastructure/cloud/modules/WAF/variables.tf
new file mode 100644
index 00000000..91e59714
--- /dev/null
+++ b/infrastructure/cloud/modules/WAF/variables.tf
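Review bot: The allow rule takes the client address from `X-Forwarded-For` with `position = "ANY"`, but an internet-facing ALB appends the connection address to whatever `X-Forwarded-For` the request already carries rather than replacing it, so any address in that header that falls inside the BC Gov set satisfies the rule regardless of where the request actually originated; that defeats the "VPN only" intent unless a trusted proxy in front of the ALB is known to strip or overwrite the header. If the ALB is the edge, drop the `ip_set_forwarded_ip_config` block so WAF evaluates the TCP source address; if a trusted hop exists, use `position = "LAST"` and document which hop writes it. `ip_list = split(",", var.allowed_ip_ranges)` yields `[""]` for the `allowedIpRanges = ""` value this commit seeds into the misc secret and keeps any whitespace around commas, neither of which is a valid CIDR; `ip_list = compact([for ip in split(",", var.allowed_ip_ranges) : trimspace(ip)])` removes both. The web ACL records only sampled requests; an `aws_wafv2_web_acl_logging_configuration` targeting a CloudWatch log group would give operators a complete record of blocked requests, and the description `"BC Gov CIDRs ranges"` should read `"BC Gov CIDR ranges"`.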
@@ -0,0 +1,25 @@
+variable "app_name" {
+ description = "The name of the application"
+ type = string
+}
+
+variable "environment" {
+ description = "The AWS environment to deploy to"
+ type = string
+}
+
+variable "region" {
+ description = "The AWS region"
+ type = string
+}
+
+variable "allowed_ip_ranges" {
+ description = "Comma delimited list of BC Gov CIDR IP addresses or CIDR ranges"
+ type = string
+ sensitive = true
+}
+
+variable "default_lb_arn" {
+ description = "The default Load Balancer ARN"
+ type = string
+}
diff --git a/infrastructure/jasper-aws-bootstrap/.gitignore b/infrastructure/jasper-aws-bootstrap/.gitignore
deleted file mode 100644
index f60797b6..00000000
--- a/infrastructure/jasper-aws-bootstrap/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.js
-!jest.config.js
-*.d.ts
-node_modules
-
-# CDK asset staging directory
-.cdk.staging
-cdk.out
diff --git a/infrastructure/jasper-aws-bootstrap/.npmignore b/infrastructure/jasper-aws-bootstrap/.npmignore
deleted file mode 100644
index c1d6d45d..00000000
--- a/infrastructure/jasper-aws-bootstrap/.npmignore
+++ /dev/null
@@ -1,6 +0,0 @@
-*.ts
-!*.d.ts
-
-# CDK asset staging directory
-.cdk.staging
-cdk.out
diff --git a/infrastructure/jasper-aws-bootstrap/README.md b/infrastructure/jasper-aws-bootstrap/README.md
deleted file mode 100644
index 9315fe5b..00000000
--- a/infrastructure/jasper-aws-bootstrap/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Welcome to your CDK TypeScript project
-
-This is a blank project for CDK development with TypeScript.
-
-The `cdk.json` file tells the CDK Toolkit how to execute your app.
-
-## Useful commands
-
-* `npm run build` compile typescript to js
-* `npm run watch` watch for changes and compile
-* `npm run test` perform the jest unit tests
-* `npx cdk deploy` deploy this stack to your default AWS account/region
-* `npx cdk diff` compare deployed stack with current state
-* `npx cdk synth` emits the synthesized CloudFormation template
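Review bot: `variable "region"` in the new WAF `variables.tf` is declared but nothing in the module's `main.tf` hunk references `var.region`, so the `region = var.region` lines that `dev/webapp.tf` and `test/main.tf` pass to `module "waf"` are silently ignored; either remove the variable and those two call-site lines or add the use it was meant for. The `allowed_ip_ranges` description reads awkwardly and should say what an empty value means, since the empty string is what the misc secret is seeded with: `description = "Comma-delimited list of BC Gov IP addresses or CIDR ranges; an empty string leaves the IP set empty"` (adjust the last clause to whatever the module actually does with an empty list).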
diff --git a/infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts b/infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts deleted file mode 100644 index 4e1e1a2e..00000000 --- a/infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/env node -import 'source-map-support/register'; -import * as cdk from 'aws-cdk-lib'; -import { JasperAwsBootstrapStack } from '../lib/jasper-aws-bootstrap-stack'; - - -const appName = 'bcgov-jasper-aws-bootstrap'; -const branch=process.env.ENV_NAME || 'dev'; -const namespace = `${appName}-${branch}`; - - - -const app = new cdk.App(); -cdk.Tags.of(app).add('Application', namespace); - - - -new JasperAwsBootstrapStack(app, namespace, { - - env: { - account: process.env.CDK_DEFAULT_ACCOUNT, - region: process.env.CDK_DEFAULT_REGION -} -}); \ No newline at end of file diff --git a/infrastructure/jasper-aws-bootstrap/cdk.json b/infrastructure/jasper-aws-bootstrap/cdk.json deleted file mode 100644 index f6a6e632..00000000 --- a/infrastructure/jasper-aws-bootstrap/cdk.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "app": "npx ts-node --prefer-ts-exts bin/jasper-aws-bootstrap.ts", - "watch": { - "include": [ - "**" - ], - "exclude": [ - "README.md", - "cdk*.json", - "**/*.d.ts", - "**/*.js", - "tsconfig.json", - "package*.json", - "yarn.lock", - "node_modules", - "test" - ] - }, - "context": { - "@aws-cdk/aws-lambda:recognizeLayerVersion": true, - "@aws-cdk/core:checkSecretUsage": true, - "@aws-cdk/core:target-partitions": [ - "aws", - "aws-cn" - ], - "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true, - "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true, - "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true, - "@aws-cdk/aws-iam:minimizePolicies": true, - "@aws-cdk/core:validateSnapshotRemovalPolicy": true, - "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true, - "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true, - "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true, - "@aws-cdk/aws-apigateway:disableCloudWatchRole": true, - "@aws-cdk/core:enablePartitionLiterals": true, - "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true, - "@aws-cdk/aws-iam:standardizedServicePrincipals": true, - "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true, - "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true, - "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true, - "@aws-cdk/aws-route53-patters:useCertificate": true, - "@aws-cdk/customresources:installLatestAwsSdkDefault": false, - "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true, - "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true, - "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true, - "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true, - "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true, - "@aws-cdk/aws-redshift:columnId": true, - "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true, - 
"@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true, - "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true, - "@aws-cdk/aws-kms:aliasNameRef": true, - "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true, - "@aws-cdk/core:includePrefixInUniqueNameGeneration": true, - "@aws-cdk/aws-efs:denyAnonymousAccess": true, - "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true, - "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true, - "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true, - "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true, - "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true, - "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true, - "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true, - "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true, - "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true, - "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true, - "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true, - "@aws-cdk/aws-eks:nodegroupNameAttribute": true, - "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true, - "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true, - "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false - } -} diff --git a/infrastructure/jasper-aws-bootstrap/jest.config.js b/infrastructure/jasper-aws-bootstrap/jest.config.js deleted file mode 100644 index 08263b89..00000000 --- a/infrastructure/jasper-aws-bootstrap/jest.config.js +++ /dev/null @@ -1,8 +0,0 @@ -module.exports = { - testEnvironment: 'node', - roots: ['/test'], - testMatch: ['**/*.test.ts'], - transform: { - '^.+\\.tsx?$': 'ts-jest' - } -}; diff --git a/infrastructure/jasper-aws-bootstrap/lib/jasper-aws-bootstrap-stack.ts b/infrastructure/jasper-aws-bootstrap/lib/jasper-aws-bootstrap-stack.ts deleted file mode 100644 index 5f900276..00000000 
--- a/infrastructure/jasper-aws-bootstrap/lib/jasper-aws-bootstrap-stack.ts +++ /dev/null 
@@ -1,59 +0,0 @@ -import * as cdk from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -// import * as sqs from 'aws-cdk-lib/aws-sqs'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as ddb from 'aws-cdk-lib/aws-dynamodb'; - -export class JasperAwsBootstrapStack extends cdk.Stack { - stateBucket: s3.Bucket; - stateLockTable: ddb.Table; - constructor(scope: Construct, id: string, props?: cdk.StackProps) { - super(scope, id, props); - - const namespace = this.stackName; - const env = process.env.ENV_NAME || 'dev'; - - let removalPolicy = cdk.RemovalPolicy.DESTROY; - let s3BucketAutoDel: boolean = true; - if (env == 'prod') { - removalPolicy = cdk.RemovalPolicy.RETAIN; - s3BucketAutoDel = false; - } - - const kmsCmkey = new cdk.aws_kms.Key(this, `${namespace}-state-KMSKey`, { - description: `KMS CMK for ${namespace} state`, - enableKeyRotation: true, - alias: `${namespace}-cmk-state-key`, - removalPolicy: removalPolicy, - }); - cdk.Tags.of(kmsCmkey).add('Name', `${namespace}-state-KMSKey`); - const kmsCmkState = kmsCmkey.addAlias(namespace + "-state-alias-key") - - - // create s3 bucket for state - const s3BucketName = `${namespace}-state`; - this.stateBucket = new s3.Bucket(this, s3BucketName, { - versioned: true, - removalPolicy: removalPolicy, - bucketName: s3BucketName, - autoDeleteObjects: s3BucketAutoDel, - encryption: s3.BucketEncryption.KMS, - encryptionKey: kmsCmkState, - objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, - blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, - }); - - // create dynamodb table for state lock - const stateLockTableName = `${namespace}-state-table`; - this.stateLockTable = new ddb.Table(this, stateLockTableName, { - tableName: stateLockTableName, - partitionKey: { name: 'LockID', type: ddb.AttributeType.STRING }, - removalPolicy: cdk.RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE, - billingMode: ddb.BillingMode.PAY_PER_REQUEST, - encryption: ddb.TableEncryption.CUSTOMER_MANAGED, - encryptionKey:kmsCmkey, - }); - - 
cdk.Tags.of(this.stateLockTable).add('Name', stateLockTableName); - } -} diff --git a/infrastructure/jasper-aws-bootstrap/package.json b/infrastructure/jasper-aws-bootstrap/package.json deleted file mode 100644 index b6aa41f4..00000000 --- a/infrastructure/jasper-aws-bootstrap/package.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "name": "jasper-aws-bootstrap", - "version": "0.1.0", - "bin": { - "jasper-aws-bootstrap": "bin/jasper-aws-bootstrap.js" - }, - "scripts": { - "build": "tsc", - "watch": "tsc -w", - "test": "jest", - "cdk": "cdk" - }, - "devDependencies": { - "@types/jest": "^29.5.12", - "@types/node": "20.14.2", - "jest": "^29.7.0", - "ts-jest": "^29.1.4", - "aws-cdk": "2.146.0", - "ts-node": "^10.9.2", - "typescript": "~5.4.5" - }, - "dependencies": { - "aws-cdk-lib": "2.146.0", - "constructs": "^10.0.0", - "source-map-support": "^0.5.21" - } -} \ No newline at end of file diff --git a/infrastructure/jasper-aws-bootstrap/test/jasper-aws-bootstrap.test.ts b/infrastructure/jasper-aws-bootstrap/test/jasper-aws-bootstrap.test.ts deleted file mode 100644 index 1a8c7312..00000000 --- a/infrastructure/jasper-aws-bootstrap/test/jasper-aws-bootstrap.test.ts +++ /dev/null 
@@ -1,43 +0,0 @@ -import * as cdk from 'aws-cdk-lib'; -import { Template,Match } from 'aws-cdk-lib/assertions'; -import * as JasperAwsBootstrap from '../lib/jasper-aws-bootstrap-stack'; - -// example test. To run these tests, uncomment this file along with the -// example resource in lib/jasper-aws-bootstrap-stack.ts -test('State S3 bucket created', () => { - const app = new cdk.App(); - // WHEN - const stack = new JasperAwsBootstrap.JasperAwsBootstrapStack(app, 'jasper-bootstrap-dev', { - env: { - account: '123456789012', - region: 'ca-central-1' - } - - }); - // THEN - - const template = Template.fromStack(stack); - - template.resourceCountIs('AWS::S3::Bucket', 1); - - -}); - -// test dynamodb table created -test('State Lock Table Created', () => { - const app = new cdk.App(); - // WHEN - const stack = new JasperAwsBootstrap.JasperAwsBootstrapStack(app, 'jasper-bootstrap-dev', { - env: { - account: '123456789012', - region: 'ca-central-1' - } - - }); - // THEN - - const template = Template.fromStack(stack); - - template.resourceCountIs('AWS::DynamoDB::Table', 1); - -}); diff --git a/infrastructure/jasper-aws-bootstrap/tsconfig.json b/infrastructure/jasper-aws-bootstrap/tsconfig.json deleted file mode 100644 index aaa7dc51..00000000 --- a/infrastructure/jasper-aws-bootstrap/tsconfig.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "compilerOptions": { - "target": "ES2020", - "module": "commonjs", - "lib": [ - "es2020", - "dom" - ], - "declaration": true, - "strict": true, - "noImplicitAny": true, - "strictNullChecks": true, - "noImplicitThis": true, - "alwaysStrict": true, - "noUnusedLocals": false, - "noUnusedParameters": false, - "noImplicitReturns": true, - "noFallthroughCasesInSwitch": false, - "inlineSourceMap": true, - "inlineSources": true, - "experimentalDecorators": true, - "strictPropertyInitialization": false, - "typeRoots": [ - "./node_modules/@types" - ] - }, - "exclude": [ - "node_modules", - "cdk.out" - ] -}