@aws/nx-plugin 0.1.5 → 0.2.0

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/cloudfront-web-acl.ts.template

@@ -1,317 +0,0 @@
-/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0 */
-import * as url from "url";
-import { PDKNag } from "@aws/pdk/pdk-nag";
-import { CustomResource, Duration, Stack } from "aws-cdk-lib";
-import {
-  Effect,
-  PolicyDocument,
-  PolicyStatement,
-  Role,
-  ServicePrincipal,
-} from "aws-cdk-lib/aws-iam";
-import { Runtime } from "aws-cdk-lib/aws-lambda";
-import { Provider } from "aws-cdk-lib/custom-resources";
-import { NagSuppressions } from "cdk-nag";
-import { Construct } from "constructs";
-import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
-
-/**
- * Represents a WAF V2 managed rule.
- */
-export interface ManagedRule {
-  /**
-   * The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.
-   */
-  readonly vendor: string;
-
-  /**
-   * The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
-   */
-  readonly name: string;
-}
-
-/**
- * Type of Cidr.
- */
-export type CidrType = "IPV4" | "IPV6";
-
-/**
- * Representation of a CIDR range.
- */
-export interface CidrAllowList {
-  /**
-   * Type of CIDR range.
-   */
-  readonly cidrType: CidrType;
-
-  /**
-   * Specify an IPv4 address by using CIDR notation. For example:
-   * To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32 .
-   * To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24 .
-   *
-   * For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing .
-   *
-   * Specify an IPv6 address by using CIDR notation. For example:
-   * To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128 .
-   * To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64 .
-   */
-  readonly cidrRanges: string[];
-}
-
-/**
- * Properties to configure the web acl.
- */
-export interface CloudFrontWebAclProps {
-  /**
-   * List of managed rules to apply to the web acl.
-   *
-   * @default - [{ vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" }]
-   */
-  readonly managedRules?: ManagedRule[];
-
-  /**
-   * List of cidr ranges to allow.
-   *
-   * @default - undefined
-   */
-  readonly cidrAllowList?: CidrAllowList;
-
-  /**
-   * Set to true to prevent creation of a web acl for the static website
-   * @default false
-   */
-  readonly disable?: boolean;
-}
-
-/**
- * This construct creates a WAFv2 Web ACL for cloudfront in the us-east-1 region (required for cloudfront) no matter the
- * region of the parent cdk stack.
- */
-export class CloudfrontWebAcl extends Construct {
-  public readonly webAclId: string;
-  public readonly webAclArn: string;
-
-  constructor(scope: Construct, id: string, props?: CloudFrontWebAclProps) {
-    super(scope, id);
-
-    const stack = Stack.of(this);
-    const aclName = `${stack.stackName}-${id}-${this.node.addr.slice(-4)}`;
-    const onEventHandler = this.createOnEventHandler(stack, aclName);
-    const customResource = this.createAclCustomResource(
-      stack,
-      aclName,
-      onEventHandler,
-      props
-    );
-
-    this.webAclId = customResource.getAttString("WebAclId");
-    this.webAclArn = customResource.getAttString("WebAclArn");
-  }
-
-  /**
-   * Creates an event handler for managing an ACL in us-east-1.
-   *
-   * @param stack containing Stack instance.
-   * @param aclName name of the ACL to manage.
-   * @private
-   */
-  private createOnEventHandler(stack: Stack, aclName: string): NodejsFunction {
-    // NB without manually defining a name, the cdk generated name for the Provider function can become too long and
-    // deployments fail. This is because the Provider's name references the onEvent handler name and appends "-Provider"
-    // rather than being generated by cdk and truncated appropriately
-    const onEventHandlerName = `${PDKNag.getStackPrefix(stack)
-      .split("/")
-      .join("-")}AclEvent-${this.node.addr.slice(-6)}`;
-    const onEventHandlerRole = new Role(this, "OnEventHandlerRole", {
-      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-      inlinePolicies: {
-        logs: new PolicyDocument({
-          statements: [
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: [
-                "logs:CreateLogGroup",
-                "logs:CreateLogStream",
-                "logs:PutLogEvents",
-              ],
-              resources: [
-                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${onEventHandlerName}`,
-                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${onEventHandlerName}:*`,
-              ],
-            }),
-          ],
-        }),
-        wafv2: new PolicyDocument({
-          statements: [
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: [
-                "wafv2:CreateWebACL",
-                "wafv2:DeleteWebACL",
-                "wafv2:UpdateWebACL",
-                "wafv2:GetWebACL",
-              ],
-              resources: [
-                `arn:aws:wafv2:us-east-1:${stack.account}:global/ipset/${aclName}-IPSet/*`,
-                `arn:aws:wafv2:us-east-1:${stack.account}:global/webacl/${aclName}/*`,
-                `arn:aws:wafv2:us-east-1:${stack.account}:global/managedruleset/*/*`,
-              ],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: [
-                "wafv2:CreateIPSet",
-                "wafv2:DeleteIPSet",
-                "wafv2:UpdateIPSet",
-                "wafv2:GetIPSet",
-              ],
-              resources: [
-                `arn:aws:wafv2:us-east-1:${stack.account}:global/ipset/${aclName}-IPSet/*`,
-              ],
-            }),
-          ],
-        }),
-      },
-    });
-
-    const onEventHandler = new NodejsFunction(
-      this,
-      "CloudfrontWebAclOnEventHandler",
-      {
-        entry: url.fileURLToPath(new URL('./webacl_event_handler/index.ts', import.meta.url)),
-        role: onEventHandlerRole,
-        functionName: onEventHandlerName,
-        handler: "onEvent",
-        runtime: Runtime.NODEJS_18_X,
-        timeout: Duration.seconds(300),
-      }
-    );
-
-    ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"].forEach(
-      (RuleId) => {
-        NagSuppressions.addResourceSuppressions(
-          onEventHandlerRole,
-          [
-            {
-              id: RuleId,
-              reason:
-                "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.",
-              appliesTo: [
-                {
-                  regex: `/^Resource::arn:aws:wafv2:us-east-1:${PDKNag.getStackAccountRegex(
-                    stack
-                  )}:global/(.*)$/g`,
-                },
-              ],
-            },
-            {
-              id: RuleId,
-              reason:
-                "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.",
-              appliesTo: [
-                {
-                  regex: `/^Resource::arn:aws:logs:${PDKNag.getStackRegionRegex(
-                    stack
-                  )}:${PDKNag.getStackAccountRegex(
-                    stack
-                  )}:log-group:/aws/lambda/${onEventHandlerName}:*/g`,
-                },
-              ],
-            },
-          ],
-          true
-        );
-      }
-    );
-
-    return onEventHandler;
-  }
-
-  /**
-   * Creates a Custom resource to manage the deployment of the ACL.
-   *
-   * @param stack containing Stack instance.
-   * @param aclName name of the ACL to manage.
-   * @param onEventHandler event handler to use for deployment.
-   * @param props user provided properties for configuring the ACL.
-   * @private
-   */
-  private createAclCustomResource(
-    stack: Stack,
-    aclName: string,
-    onEventHandler: NodejsFunction,
-    props?: CloudFrontWebAclProps
-  ): CustomResource {
-    const providerFunctionName = `${onEventHandler.functionName}-Provider`;
-    const providerRole = new Role(this, "CloudfrontWebAclProviderRole", {
-      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-      inlinePolicies: {
-        logs: new PolicyDocument({
-          statements: [
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: [
-                "logs:CreateLogGroup",
-                "logs:CreateLogStream",
-                "logs:PutLogEvents",
-              ],
-              resources: [
-                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${providerFunctionName}`,
-                `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${providerFunctionName}:*`,
-              ],
-            }),
-          ],
-        }),
-      },
-    });
-    const provider = new Provider(this, "CloudfrontAclProvider", {
-      onEventHandler,
-      role: providerRole,
-      providerFunctionName,
-    });
-
-    ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"].forEach(
-      (RuleId) => {
-        NagSuppressions.addResourceSuppressions(
-          providerRole,
-          [
-            {
-              id: RuleId,
-              reason:
-                "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.",
-            },
-          ],
-          true
-        );
-      }
-    );
-
-    ["AwsSolutions-L1", "AwsPrototyping-LambdaLatestVersion"].forEach(
-      (RuleId) => {
-        NagSuppressions.addResourceSuppressions(
-          provider,
-          [
-            {
-              id: RuleId,
-              reason:
-                "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.",
-            },
-          ],
-          true
-        );
-      }
-    );
-
-    return new CustomResource(this, "CFAclCustomResource", {
-      serviceToken: provider.serviceToken,
-      properties: {
-        ID: aclName,
-        MANAGED_RULES: props?.managedRules ?? [
-          { vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" },
-        ],
-        CIDR_ALLOW_LIST: props?.cidrAllowList,
-      },
-    });
-  }
-}

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/index.ts.template

@@ -1,4 +0,0 @@
-/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0 */
-export * from './cloudfront-web-acl.js';
-export * from './static-website.js';

package/src/cloudscape-website/app/files/common/constructs/src/__websiteNameKebabCase__/webacl_event_handler/index.ts.template

@@ -1,301 +0,0 @@
-/* eslint-disable @typescript-eslint/no-non-null-asserted-optional-chain */
-/* eslint-disable @typescript-eslint/no-non-null-assertion */
-/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0 */
-import { CreateIPSetCommandOutput, Rule, WAFUnavailableEntityException, WAFV2 } from "@aws-sdk/client-wafv2"; // eslint-disable-line
-
-const DELIMITER = ":";
-const SCOPE = "CLOUDFRONT";
-const client = new WAFV2({
-  region: "us-east-1",
-  customUserAgent: "aws-pdk/static-website/waf",
-});
-
-const MAX_CREATE_RETRY = 10;
-const RETRY_INTERVAL = 2000;
-
-/**
- * Handler for creating a WAF V2 ACL in US-EAST-1.
- */
-export const onEvent = async (event: any) => {
-  const { ID, MANAGED_RULES, CIDR_ALLOW_LIST } = event.ResourceProperties;
-  const [WEB_ACL_ID, IP_SET_ID] = event.PhysicalResourceId
-    ? event.PhysicalResourceId.split(DELIMITER)
-    : [];
-  let response = {};
-
-  switch (event.RequestType) {
-    case "Create":
-      response = await createWaf(ID, MANAGED_RULES, CIDR_ALLOW_LIST);
-      break;
-    case "Update":
-      response = await updateWaf(
-        WEB_ACL_ID,
-        IP_SET_ID,
-        ID,
-        getIpSetName(ID),
-        MANAGED_RULES,
-        CIDR_ALLOW_LIST
-      );
-      break;
-    case "Delete":
-      response = await deleteWaf(WEB_ACL_ID, IP_SET_ID, ID, getIpSetName(ID));
-      break;
-    default:
-      throw new Error(`Invalid RequestType: ${event.RequestType}`);
-  }
-
-  return response;
-};
-
-/**
- * Generates the name of the IP Set.
- *
- * @param id param passed in.
- * @returns name of IP Set.
- */
-const getIpSetName = (id: string) => `${id}-IPSet`;
-
-/**
- * Returns a set of rules to apply.
- *
- * @param ipSetArn ip set arn
- * @param ipSetName  ip set name
- * @param managedRules  managed rules
- * @param cidrAllowList cidr allow list
- * @returns set of rules to apply.
- */
-const getWafRules = (
-  ipSetArn: string,
-  ipSetName: string,
-  managedRules?: any,
-  cidrAllowList?: any
-): Array<Rule> => {
-  const rules: Array<Rule> = [];
-
-  if (cidrAllowList) {
-    rules.push({
-      Name: ipSetName,
-      Priority: 1,
-      VisibilityConfig: {
-        MetricName: ipSetName,
-        CloudWatchMetricsEnabled: true,
-        SampledRequestsEnabled: true,
-      },
-      Action: {
-        Block: {},
-      },
-      Statement: {
-        NotStatement: {
-          Statement: {
-            IPSetReferenceStatement: {
-              ARN: ipSetArn,
-            },
-          },
-        },
-      },
-    });
-  }
-
-  if (managedRules) {
-    rules.push(
-      ...managedRules
-        .map((r: any) => ({ VendorName: r.vendor, Name: r.name }))
-        .map((rule: any, Priority: any) => ({
-          Name: `${rule.VendorName}-${rule.Name}`,
-          Priority,
-          Statement: { ManagedRuleGroupStatement: rule },
-          OverrideAction: { None: {} },
-          VisibilityConfig: {
-            MetricName: `${rule.VendorName}-${rule.Name}`,
-            CloudWatchMetricsEnabled: true,
-            SampledRequestsEnabled: true,
-          },
-        }))
-    );
-  }
-
-  return rules;
-};
-
-const createWaf = async (
-  id: string,
-  managedRules?: any,
-  cidrAllowList?: any
-) => {
-  const ipSetName = getIpSetName(id);
-  const createIpSetResponse = await client.createIPSet({
-    Name: ipSetName,
-    Scope: SCOPE,
-    Addresses: cidrAllowList?.cidrRanges ?? [],
-    IPAddressVersion: cidrAllowList?.cidrType ?? "IPV4",
-  });
-
-  const createWebAclResponse = await createWafAcl(
-    id,
-    ipSetName,
-    createIpSetResponse,
-    managedRules,
-    cidrAllowList
-  );
-
-  return {
-    PhysicalResourceId: `${createWebAclResponse.Summary?.Id}${DELIMITER}${createIpSetResponse.Summary?.Id}`,
-    Data: {
-      WebAclArn: createWebAclResponse.Summary?.ARN,
-      WebAclId: createWebAclResponse.Summary?.Id,
-      IPSetArn: createIpSetResponse.Summary?.ARN,
-      IPSetId: createIpSetResponse.Summary?.Id,
-    },
-  };
-};
-
-const createWafAcl = async (
-  id: string,
-  ipSetName: string,
-  createIpSetResponse: CreateIPSetCommandOutput,
-  managedRules?: any,
-  cidrAllowList?: any
-) => {
-  let counter = 0;
-
-  while (true) {
-    try {
-      const createWebAclResponse = await client.createWebACL({
-        Name: id,
-        DefaultAction: { Allow: {} },
-        Scope: SCOPE,
-        VisibilityConfig: {
-          CloudWatchMetricsEnabled: true,
-          MetricName: id,
-          SampledRequestsEnabled: true,
-        },
-        Rules: getWafRules(
-          createIpSetResponse.Summary!.ARN!,
-          ipSetName,
-          managedRules,
-          cidrAllowList
-        ),
-      });
-
-      return createWebAclResponse;
-    } catch (e) {
-      if (
-        e instanceof WAFUnavailableEntityException &&
-        counter < MAX_CREATE_RETRY
-      ) {
-        counter++;
-        console.log(
-          `Received error: ${e.message}; Waiting for retrying ${counter}`
-        );
-        await sleep(RETRY_INTERVAL);
-        continue;
-      }
-
-      throw e;
-    }
-  }
-};
-
-const updateWaf = async (
-  webAclId: string,
-  ipSetId: string,
-  id: string,
-  ipSetName: string,
-  managedRules?: any,
-  cidrAllowList?: any
-) => {
-  const getIpSetResponse = await client.getIPSet({
-    Id: ipSetId,
-    Name: ipSetName,
-    Scope: SCOPE,
-  });
-
-  await client.updateIPSet({
-    Id: ipSetId,
-    Name: ipSetName,
-    Addresses: cidrAllowList?.cidrRanges ?? [],
-    Scope: SCOPE,
-    LockToken: getIpSetResponse.LockToken!,
-  });
-
-  const getWebAclResponse = await client.getWebACL({
-    Id: webAclId,
-    Name: id,
-    Scope: SCOPE,
-  });
-
-  await client.updateWebACL({
-    Name: id,
-    DefaultAction: { Allow: {} },
-    Scope: SCOPE,
-    VisibilityConfig: {
-      CloudWatchMetricsEnabled: true,
-      MetricName: id,
-      SampledRequestsEnabled: true,
-    },
-    Rules: getWafRules(
-      getIpSetResponse.IPSet?.ARN!,
-      ipSetName,
-      managedRules,
-      cidrAllowList
-    ),
-    Id: getWebAclResponse.WebACL?.Id!,
-    LockToken: getWebAclResponse.LockToken!,
-  });
-
-  return {
-    Data: {
-      WebAclArn: getWebAclResponse.WebACL?.ARN,
-      WebAclId: getWebAclResponse.WebACL?.Id,
-      IPSetArn: getIpSetResponse.IPSet?.ARN,
-      IPSetId: getIpSetResponse.IPSet?.Id,
-    },
-  };
-};
-
-const deleteWaf = async (
-  webAclId: string,
-  ipSetId: string,
-  id: string,
-  ipSetName: string
-) => {
-  const getWebAclResponse = await client.getWebACL({
-    Id: webAclId,
-    Name: id,
-    Scope: SCOPE,
-  });
-
-  await client.deleteWebACL({
-    Id: webAclId,
-    Name: id,
-    Scope: SCOPE,
-    LockToken: getWebAclResponse.LockToken!,
-  });
-
-  const getIpSetResponse = await client.getIPSet({
-    Id: ipSetId,
-    Name: ipSetName,
-    Scope: SCOPE,
-  });
-
-  await client.deleteIPSet({
-    Id: ipSetId,
-    Name: ipSetName,
-    Scope: SCOPE,
-    LockToken: getIpSetResponse.LockToken!,
-  });
-
-  return {
-    Data: {
-      WebAclArn: getWebAclResponse.WebACL?.ARN,
-      WebAclId: getWebAclResponse.WebACL?.Id,
-      IPSetArn: getIpSetResponse.IPSet?.ARN,
-      IPSetId: getIpSetResponse.IPSet?.Id,
-    },
-  };
-};
-
-const sleep = async (duration: number) => {
-  return new Promise((resolve) => setTimeout(resolve, duration));
-};

package/src/cloudscape-website/cognito-auth/files/common/constructs/src/identity/index.ts.template

@@ -1,4 +0,0 @@
-/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0 */
-export * from './user-identity.js';
-export * from './userpool-with-mfa.js';

package/src/cloudscape-website/cognito-auth/files/common/constructs/src/identity/user-identity.ts.template

@@ -1,66 +0,0 @@
-/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0 */
-import {
-  IdentityPool,
-  UserPoolAuthenticationProvider,
-} from '@aws-cdk/aws-cognito-identitypool-alpha';
-import { CfnOutput, Stack } from 'aws-cdk-lib';
-import { UserPool, UserPoolClient } from 'aws-cdk-lib/aws-cognito';
-import { Construct } from 'constructs';
-import { UserPoolWithMfa } from './userpool-with-mfa.js';
-import { RuntimeConfig } from '../runtime-config/index.js';
-
-const WEB_CLIENT_ID = 'WebClient';
-
-/**
- * Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.
- */
-export class UserIdentity extends Construct {
-  public readonly identityPool: IdentityPool;
-  public readonly userPool: UserPool;
-  public readonly userPoolClient: UserPoolClient;
-
-  constructor(scope: Construct, id: string) {
-    super(scope, id);
-
-    // Unless explicitly stated, created a default Cognito User Pool and Web Client.
-    this.userPool = new UserPoolWithMfa(this, 'UserPool');
-
-    this.identityPool = new IdentityPool(this, 'IdentityPool');
-
-    const existingClient = this.userPool.node.children.find(
-      (e) => e.node.id === WEB_CLIENT_ID && e instanceof UserPoolClient
-    ) as UserPoolClient | undefined;
-
-    this.userPoolClient =
-      existingClient ??
-      this.userPool.addClient(WEB_CLIENT_ID, {
-        authFlows: {
-          userPassword: true,
-          userSrp: true,
-        },
-      });
-
-    this.identityPool.addUserPoolAuthentication(
-      new UserPoolAuthenticationProvider({
-        userPool: this.userPool,
-        userPoolClient: this.userPoolClient,
-      })
-    );
-
-    new CfnOutput(this, `${id}-UserPoolId`, {
-      value: this.userPool.userPoolId,
-    });
-
-    new CfnOutput(this, `${id}-IdentityPoolId`, {
-      value: this.identityPool.identityPoolId,
-    });
-
-    RuntimeConfig.ensure(this).config.cognitoProps = {
-      region: Stack.of(this).region,
-      identityPoolId: this.identityPool.identityPoolId,
-      userPoolId: this.userPool?.userPoolId,
-      userPoolWebClientId: this.userPoolClient?.userPoolClientId,
-    };
-  }
-}