@aws/nx-plugin 0.0.0

package/src/cloudscape-website/app/files/app/src/layouts/Routes/index.tsx.template

@@ -0,0 +1,18 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import * as React from "react";
+import { Route, Routes as ReactRoutes } from "react-router-dom";
+import Home from "../../pages/Home";
+
+/**
+ * Defines the Routes.
+ */
+const Routes: React.FC = () => {
+  return (
+    <ReactRoutes>
+      <Route key={0} path="/" element={<Home />} />
+    </ReactRoutes>
+  );
+};
+
+export default Routes;

package/src/cloudscape-website/app/files/app/src/main.tsx.template

@@ -0,0 +1,22 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import { NorthStarThemeProvider } from "@aws-northstar/ui";
+import React from "react";
+import { createRoot } from "react-dom/client";
+import { BrowserRouter } from "react-router-dom";
+import { I18nProvider } from '@cloudscape-design/components/i18n';
+import messages from '@cloudscape-design/components/i18n/messages/all.en';
+import App from "./layouts/App";
+
+const root = document.getElementById("root");
+root && createRoot(root).render(
+  <React.StrictMode>
+    <NorthStarThemeProvider>
+      <I18nProvider locale="en" messages={[messages]}>
+      <BrowserRouter>
+        <App />
+      </BrowserRouter>
+      </I18nProvider>
+    </NorthStarThemeProvider>
+  </React.StrictMode>
+);

package/src/cloudscape-website/app/files/app/src/pages/Home/index.tsx.template

@@ -0,0 +1,25 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import {
+  Container,
+  ContentLayout,
+  Header,
+  SpaceBetween,
+} from "@cloudscape-design/components";
+
+/**
+ * Component to render the home "/" route.
+ */
+const Home: React.FC = () => {
+  return (
+    <ContentLayout header={<Header>Home</Header>}>
+      <SpaceBetween size="l">
+        <Container>
+          Hello World!
+        </Container>
+      </SpaceBetween>
+    </ContentLayout>
+  );
+};
+
+export default Home;

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/cloudfront-web-acl.ts.template

@@ -0,0 +1,317 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import * as url from "url";
+import { PDKNag } from "@aws/pdk/pdk-nag";
+import { CustomResource, Duration, Stack } from "aws-cdk-lib";
+import {
+  Effect,
+  PolicyDocument,
+  PolicyStatement,
+  Role,
+  ServicePrincipal,
+} from "aws-cdk-lib/aws-iam";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Provider } from "aws-cdk-lib/custom-resources";
+import { NagSuppressions } from "cdk-nag";
+import { Construct } from "constructs";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+
+/**
+ * Represents a WAF V2 managed rule.
+ */
+export interface ManagedRule {
+  /**
+   * The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.
+   */
+  readonly vendor: string;
+
+  /**
+   * The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
+   */
+  readonly name: string;
+}
+
+/**
+ * Type of Cidr.
+ */
+export type CidrType = "IPV4" | "IPV6";
+
+/**
+ * Representation of a CIDR range.
+ */
+export interface CidrAllowList {
+  /**
+   * Type of CIDR range.
+   */
+  readonly cidrType: CidrType;
+
+  /**
+   * Specify an IPv4 address by using CIDR notation. For example:
+   * To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32 .
+   * To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24 .
+   *
+   * For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing .
+   *
+   * Specify an IPv6 address by using CIDR notation. For example:
+   * To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128 .
+   * To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64 .
+   */
+  readonly cidrRanges: string[];
+}
+
+/**
+ * Properties to configure the web acl.
+ */
+export interface CloudFrontWebAclProps {
+  /**
+   * List of managed rules to apply to the web acl.
+   *
+   * @default - [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]
+   */
+  readonly managedRules?: ManagedRule[];
+
+  /**
+   * List of cidr ranges to allow.
+   *
+   * @default - undefined
+   */
+  readonly cidrAllowList?: CidrAllowList;
+
+  /**
+   * Set to true to prevent creation of a web acl for the static website
+   * @default false
+   */
+  readonly disable?: boolean;
+}
+
+/**
+ * This construct creates a WAFv2 Web ACL for cloudfront in the us-east-1 region (required for cloudfront) no matter the
+ * region of the parent cdk stack.
+ */
+export class CloudfrontWebAcl extends Construct {
+  public readonly webAclId: string;
+  public readonly webAclArn: string;
+
+  constructor(scope: Construct, id: string, props?: CloudFrontWebAclProps) {
+    super(scope, id);
+
+    const stack = Stack.of(this);
+    const aclName = `${stack.stackName}-${id}-${this.node.addr.slice(-4)}`;
+    const onEventHandler = this.createOnEventHandler(stack, aclName);
+    const customResource = this.createAclCustomResource(
+      stack,
+      aclName,
+      onEventHandler,
+      props
+    );
+
+    this.webAclId = customResource.getAttString("WebAclId");
+    this.webAclArn = customResource.getAttString("WebAclArn");
+  }
+
+  /**
+   * Creates an event handler for managing an ACL in us-east-1.
+   *
+   * @param stack containing Stack instance.
+   * @param aclName name of the ACL to manage.
+   * @private
+   */
+  private createOnEventHandler(stack: Stack, aclName: string): NodejsFunction {
+    // NB without manually defining a name, the cdk generated name for the Provider function can become too long and
+    // deployments fail. This is because the Provider's name references the onEvent handler name and appends "-Provider"
+    // rather than being generated by cdk and truncated appropriately
+    const onEventHandlerName = `${PDKNag.getStackPrefix(stack)
+      .split("/")
+      .join("-")}AclEvent-${this.node.addr.slice(-6)}`;
+    const onEventHandlerRole = new Role(this, "OnEventHandlerRole", {
+      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+      inlinePolicies: {
+        logs: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+              ],
+              resources: [
+                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${onEventHandlerName}`,
+                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${onEventHandlerName}:*`,
+              ],
+            }),
+          ],
+        }),
+        wafv2: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: [
+                "wafv2:CreateWebACL",
+                "wafv2:DeleteWebACL",
+                "wafv2:UpdateWebACL",
+                "wafv2:GetWebACL",
+              ],
+              resources: [
+                `arn:aws:wafv2:us-east-1:${stack.account}:global/ipset/${aclName}-IPSet/*`,
+                `arn:aws:wafv2:us-east-1:${stack.account}:global/webacl/${aclName}/*`,
+                `arn:aws:wafv2:us-east-1:${stack.account}:global/managedruleset/*/*`,
+              ],
+            }),
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: [
+                "wafv2:CreateIPSet",
+                "wafv2:DeleteIPSet",
+                "wafv2:UpdateIPSet",
+                "wafv2:GetIPSet",
+              ],
+              resources: [
+                `arn:aws:wafv2:us-east-1:${stack.account}:global/ipset/${aclName}-IPSet/*`,
+              ],
+            }),
+          ],
+        }),
+      },
+    });
+
+    const onEventHandler = new NodejsFunction(
+      this,
+      "CloudfrontWebAclOnEventHandler",
+      {
+        entry: url.fileURLToPath(new URL('./webacl_event_handler/index.ts', import.meta.url)),
+        role: onEventHandlerRole,
+        functionName: onEventHandlerName,
+        handler: "onEvent",
+        runtime: Runtime.NODEJS_18_X,
+        timeout: Duration.seconds(300),
+      }
+    );
+
+    ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          onEventHandlerRole,
+          [
+            {
+              id: RuleId,
+              reason:
+                "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.",
+              appliesTo: [
+                {
+                  regex: `/^Resource::arn:aws:wafv2:us-east-1:${PDKNag.getStackAccountRegex(
+                    stack
+                  )}:global/(.*)$/g`,
+                },
+              ],
+            },
+            {
+              id: RuleId,
+              reason:
+                "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.",
+              appliesTo: [
+                {
+                  regex: `/^Resource::arn:aws:logs:${PDKNag.getStackRegionRegex(
+                    stack
+                  )}:${PDKNag.getStackAccountRegex(
+                    stack
+                  )}:log-group:/aws/lambda/${onEventHandlerName}:*/g`,
+                },
+              ],
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    return onEventHandler;
+  }
+
+  /**
+   * Creates a Custom resource to manage the deployment of the ACL.
+   *
+   * @param stack containing Stack instance.
+   * @param aclName name of the ACL to manage.
+   * @param onEventHandler event handler to use for deployment.
+   * @param props user provided properties for configuring the ACL.
+   * @private
+   */
+  private createAclCustomResource(
+    stack: Stack,
+    aclName: string,
+    onEventHandler: NodejsFunction,
+    props?: CloudFrontWebAclProps
+  ): CustomResource {
+    const providerFunctionName = `${onEventHandler.functionName}-Provider`;
+    const providerRole = new Role(this, "CloudfrontWebAclProviderRole", {
+      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+      inlinePolicies: {
+        logs: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+              ],
+              resources: [
+                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${providerFunctionName}`,
+                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${providerFunctionName}:*`,
+              ],
+            }),
+          ],
+        }),
+      },
+    });
+    const provider = new Provider(this, "CloudfrontAclProvider", {
+      onEventHandler,
+      role: providerRole,
+      providerFunctionName,
+    });
+
+    ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          providerRole,
+          [
+            {
+              id: RuleId,
+              reason:
+                "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.",
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    ["AwsSolutions-L1", "AwsPrototyping-LambdaLatestVersion"].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          provider,
+          [
+            {
+              id: RuleId,
+              reason:
+                "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.",
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    return new CustomResource(this, "CFAclCustomResource", {
+      serviceToken: provider.serviceToken,
+      properties: {
+        ID: aclName,
+        MANAGED_RULES: props?.managedRules ?? [
+          { vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" },
+        ],
+        CIDR_ALLOW_LIST: props?.cidrAllowList,
+      },
+    });
+  }
+}

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/index.ts.template

@@ -0,0 +1,4 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+export * from "./cloudfront-web-acl.js";
+export * from "./static-website.js";

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/static-website.ts.template

@@ -0,0 +1,237 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import * as url from 'url';
+import { PDKNag } from '@aws/pdk/pdk-nag';
+import { CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { Distribution, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
+import { S3BucketOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import {
+  BlockPublicAccess,
+  Bucket,
+  BucketEncryption,
+  IBucket,
+  ObjectOwnership,
+} from 'aws-cdk-lib/aws-s3';
+import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
+import { NagSuppressions } from 'cdk-nag';
+import { Construct } from 'constructs';
+import { CloudfrontWebAcl } from './cloudfront-web-acl.js';
+import { RuntimeConfig } from '../runtime-config/index.js';
+
+const DEFAULT_RUNTIME_CONFIG_FILENAME = 'runtime-config.json';
+
+/**
+ * Deploys a Static Website using by default a private S3 bucket as an origin and Cloudfront as the entrypoint.
+ *
+ * This construct configures a webAcl containing rules that are generally applicable to web applications. This
+ * provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk
+ * and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10.
+ *
+ */
+export class StaticWebsite extends Construct {
+  public readonly websiteBucket: IBucket;
+  public readonly cloudFrontDistribution: Distribution;
+  public readonly bucketDeployment: BucketDeployment;
+
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    this.node.setContext(
+      '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy',
+      true
+    );
+
+    const accessLogsBucket = new Bucket(this, 'AccessLogsBucket', {
+      versioned: false,
+      enforceSSL: true,
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      encryption: BucketEncryption.S3_MANAGED,
+      objectOwnership: ObjectOwnership.OBJECT_WRITER,
+      publicReadAccess: false,
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+    });
+
+    // S3 Bucket to hold website files
+    this.websiteBucket = new Bucket(this, 'WebsiteBucket', {
+      versioned: true,
+      enforceSSL: true,
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      encryption: BucketEncryption.S3_MANAGED,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
+      publicReadAccess: false,
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+      serverAccessLogsPrefix: 'website-access-logs',
+      serverAccessLogsBucket: accessLogsBucket,
+    });
+
+    // Web ACL
+    const webAclArn = new CloudfrontWebAcl(this, 'WebsiteAcl').webAclArn;
+
+    // Cloudfront Distribution
+    const logBucket = new Bucket(this, 'DistributionLogBucket', {
+      enforceSSL: true,
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      encryption: BucketEncryption.S3_MANAGED,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_PREFERRED,
+      publicReadAccess: false,
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+      serverAccessLogsPrefix: 'distribution-access-logs',
+      serverAccessLogsBucket: accessLogsBucket,
+    });
+
+    const defaultRootObject = 'index.html';
+    this.cloudFrontDistribution = new Distribution(
+      this,
+      'CloudfrontDistribution',
+      {
+        webAclId: webAclArn,
+        enableLogging: true,
+        logBucket: logBucket,
+        defaultBehavior: {
+          origin: S3BucketOrigin.withOriginAccessControl(this.websiteBucket),
+          viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        },
+        defaultRootObject,
+        errorResponses: [
+          {
+            httpStatus: 404, // We need to redirect "key not found errors" to index.html for single page apps
+            responseHttpStatus: 200,
+            responsePagePath: `/${defaultRootObject}`,
+          },
+        ],
+      }
+    );
+
+    // Deploy Website
+    const runtimeConfig = RuntimeConfig.ensure(this).config;
+    this.bucketDeployment = new BucketDeployment(this, 'WebsiteDeployment', {
+      sources: [
+        Source.asset(url.fileURLToPath(new URL('../../../../../<%= websiteContentPath %>', import.meta.url))),
+        ...(Object.keys(runtimeConfig).length > 0
+          ? [
+              Source.jsonData(DEFAULT_RUNTIME_CONFIG_FILENAME, runtimeConfig),
+            ]
+          : []),
+      ],
+      destinationBucket: this.websiteBucket,
+      // Files in the distribution's edge caches will be invalidated after files are uploaded to the destination bucket.
+      distribution: this.cloudFrontDistribution,
+    });
+
+    new CfnOutput(this, 'DistributionDomainName', {
+      value: this.cloudFrontDistribution.domainName,
+    });
+
+    this.suppressCDKNagViolations();
+  }
+
+  private suppressCDKNagViolations = () => {
+    const stack = Stack.of(this);
+
+    NagSuppressions.addResourceSuppressions(
+      this,
+      [
+        {
+          id: 'AwsPrototyping-CloudFrontDistributionGeoRestrictions',
+          reason:
+            'Suppressed to allow unrestricted access. Not recommended in production.',
+        },
+      ],
+      true
+    );
+
+    [
+      'AwsSolutions-CFR4',
+      'AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL',
+    ].forEach((RuleId) => {
+      NagSuppressions.addResourceSuppressions(this.cloudFrontDistribution, [
+        {
+          id: RuleId,
+          reason:
+            'Certificate is not mandatory therefore the Cloudfront certificate will be used.',
+        },
+      ]);
+    });
+
+    ['AwsSolutions-L1', 'AwsPrototyping-LambdaLatestVersion'].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          this,
+          [
+            {
+              id: RuleId,
+              reason:
+                'Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.',
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    ['AwsSolutions-IAM5', 'AwsPrototyping-IAMNoWildcardPermissions'].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          this,
+          [
+            {
+              id: RuleId,
+              reason:
+                'All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.',
+              appliesTo: [
+                {
+                  regex: '/^Action::s3:.*$/g',
+                },
+                {
+                  regex: `/^Resource::.*$/g`,
+                },
+              ],
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    ['AwsSolutions-IAM4', 'AwsPrototyping-IAMNoManagedPolicies'].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          this,
+          [
+            {
+              id: RuleId,
+              reason:
+                'Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.',
+              appliesTo: [
+                {
+                  regex: `/^Policy::arn:${PDKNag.getStackPartitionRegex(
+                    stack
+                  )}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g`,
+                },
+              ],
+            },
+          ],
+          true
+        );
+      }
+    );
+
+    ['AwsSolutions-S1', 'AwsPrototyping-S3BucketLoggingEnabled'].forEach(
+      (RuleId) => {
+        NagSuppressions.addResourceSuppressions(
+          this,
+          [
+            {
+              id: RuleId,
+              reason: 'Access Log buckets should not have s3 bucket logging',
+            },
+          ],
+          true
+        );
+      }
+    );
+  };
+}