@aws/nx-plugin 0.45.1 → 0.47.0

package/src/utils/api-constructs/files/terraform/core/api/http/http-api/http-api.tf.template

@@ -0,0 +1,250 @@
+# Core HTTP API Gateway module
+# This module creates the API Gateway HTTP API, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core HTTP API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the HTTP API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the HTTP API Gateway"
+  type        = string
+  default     = "HTTP API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 86400
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# KMS key for CloudWatch log group encryption
+resource "aws_kms_key" "logs_key" {
+  description             = "KMS key for CloudWatch log group encryption"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow CloudWatch Logs"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.${data.aws_region.current.name}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnEquals = {
+            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/${var.api_name}"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "logs_key_alias" {
+  name          = "alias/${var.api_name}-api-logs-encryption"
+  target_key_id = aws_kms_key.logs_key.key_id
+}
+
+# HTTP API Gateway
+resource "aws_apigatewayv2_api" "http_api" {
+  name          = var.api_name
+  protocol_type = "HTTP"
+  description   = var.api_description
+
+  cors_configuration {
+    allow_credentials = var.cors_allow_credentials
+    allow_headers     = var.cors_allow_headers
+    allow_methods     = var.cors_allow_methods
+    allow_origins     = var.cors_allow_origins
+    expose_headers    = var.cors_expose_headers
+    max_age          = var.cors_max_age
+  }
+
+  tags = var.tags
+}
+
+# API Gateway stage
+resource "aws_apigatewayv2_stage" "api_stage" {
+  api_id      = aws_apigatewayv2_api.http_api.id
+  name        = var.stage_name
+  auto_deploy = var.stage_auto_deploy
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_logs.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip            = "$context.identity.sourceIp"
+      requestTime   = "$context.requestTime"
+      httpMethod    = "$context.httpMethod"
+      routeKey      = "$context.routeKey"
+      status        = "$context.status"
+      protocol      = "$context.protocol"
+      responseLength = "$context.responseLength"
+      error         = "$context.error.message"
+      integrationError = "$context.integrationErrorMessage"
+    })
+  }
+
+  default_route_settings {
+    throttling_burst_limit = 5000
+    throttling_rate_limit = 10000
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_cloudwatch_log_group.api_logs]
+}
+
+# CloudWatch Log Group for API Gateway
+resource "aws_cloudwatch_log_group" "api_logs" {
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name         = "/aws/apigateway/${var.api_name}"
+  kms_key_id   = aws_kms_key.logs_key.arn
+  tags         = var.tags
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.execution_arn
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.id
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.invoke_url
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.arn
+}

package/src/utils/api-constructs/files/terraform/core/api/rest/rest-api/rest-api.tf.template

@@ -0,0 +1,150 @@
+# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://${aws_api_gateway_rest_api.rest_api.id}.execute-api.${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement

package/src/utils/files/terraform/src/core/runtime-config/entry/entry.tf.template

@@ -0,0 +1,119 @@
+terraform {
+  required_providers {
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
+  }
+}
+
+# Variables
+variable "key_path" {
+  description = "Dot-separated path for the configuration key (e.g., 'apis.FooApi', 'cognito.userPoolId')"
+  type        = string
+}
+
+variable "value" {
+  description = "Value to set at the key path"
+  type        = any
+}
+
+locals {
+  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+}
+
+# This module writes an entry to runtime-config.json which is provided to any static websites
+# as a way to pass deploy-time values to the UI such as API urls
+
+data "external" "updated_config" {
+  program = ["uv", "run", "python", "-c", <<-EOT
+import json
+import sys
+import os
+import time
+import fcntl
+from pathlib import Path
+
+# Read input from Terraform
+input_data = json.load(sys.stdin)
+config_file = input_data['config_file']
+key_path = input_data['key_path']
+value = json.loads(input_data['value'])
+
+# Create lock file path
+lock_file = config_file + '.lock'
+
+# Ensure directory exists
+Path(config_file).parent.mkdir(parents=True, exist_ok=True)
+
+# Acquire exclusive lock with retry mechanism
+max_retries = 30
+retry_delay = 1.0
+
+for attempt in range(max_retries):
+    try:
+        # Open lock file for exclusive access
+        with open(lock_file, 'w') as lock_fd:
+            # Try to acquire exclusive lock (non-blocking)
+            fcntl.flock(lock_fd.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+
+            # Critical section - file operations under lock
+            try:
+                # Create empty base config if file doesn't exist
+                if not os.path.exists(config_file):
+                    base_config = {}
+                    with open(config_file, 'w') as f:
+                        json.dump(base_config, f, indent=2)
+
+                # Read current config
+                with open(config_file, 'r') as f:
+                    config = json.load(f)
+
+                # Set the nested key using dot notation
+                keys = key_path.split('.')
+                current = config
+                for key in keys[:-1]:
+                    if key not in current:
+                        current[key] = {}
+                    current = current[key]
+                current[keys[-1]] = value
+
+                # Write updated config back to file atomically
+                temp_file = config_file + '.tmp'
+                with open(temp_file, 'w') as f:
+                    json.dump(config, f, indent=2)
+                os.rename(temp_file, config_file)
+
+                # Output the updated config for Terraform
+                print(json.dumps({"updated_json": json.dumps(config)}))
+
+                # Success - break out of retry loop
+                break
+
+            finally:
+                # Lock is automatically released when file is closed
+                pass
+
+    except (IOError, OSError) as e:
+        if attempt < max_retries - 1:
+            # Wait before retrying
+            time.sleep(retry_delay)
+            continue
+        else:
+            # Final attempt failed
+            raise Exception(f"Failed to acquire lock after {max_retries} attempts: {e}")
+
+# Clean up lock file if it exists
+try:
+    os.remove(lock_file)
+except OSError:
+    pass
+EOT
+  ]
+
+  query = {
+    config_file = local.config_file_path
+    key_path    = var.key_path
+    value       = jsonencode(var.value)
+  }
+}

package/src/utils/files/terraform/src/core/runtime-config/read/read.tf.template

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
+  }
+}
+
+locals {
+  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+}
+
+# Read the runtime config file - will fail gracefully if file doesn't exist
+data "local_file" "runtime_config" {
+  filename = local.config_file_path
+}
+
+# Outputs
+output "config" {
+  description = "Runtime configuration object"
+  value       = jsondecode(data.local_file.runtime_config.content)
+}
+
+output "config_json" {
+  description = "Runtime configuration as JSON string"
+  value       = data.local_file.runtime_config.content
+}

package/src/utils/files/terraform/src/metrics/metrics.tf.template

@@ -1,7 +1,8 @@
 # CloudFormation stack for metrics tracking
 resource "aws_cloudformation_stack" "metrics" {
+  #checkov:skip=CKV_AWS_124:Metrics stack does not require SNS notifications
   name = "nx-plugin-metrics"
-  
+
   template_body = jsonencode({
     AWSTemplateFormatVersion = "2010-09-09"
     Description = "<%= metricId %> (version:<%= version %>) (tag:<%= tags %>)"
@@ -12,7 +13,7 @@ resource "aws_cloudformation_stack" "metrics" {
       }
     }
   })
-  
+
   tags = {
     Purpose = "nx-plugin-metrics"
   }

package/src/{py/lambda-function/files/common/constructs/src/app/lambda-functions/__constructFunctionKebabCase__.ts.template → utils/function-constructs/files/cdk/app/lambda-functions/__functionNameKebabCase__.ts.template}

@@ -3,15 +3,15 @@ import * as url from 'url';
 import { Code, Function, Runtime, Tracing } from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
 
-export class <%= constructFunctionClassName %> extends Function {
+export class <%= functionNameClassName %> extends Function {
   constructor(scope: Construct, id: string) {
     super(scope, id, {
         timeout: Duration.seconds(30),
-        runtime: Runtime.PYTHON_3_12,
-        handler: '<%= constructHandlerFilePath %>',
+        runtime: <%= runtime %>,
+        handler: '<%= handler %>',
         code: Code.fromAsset(url.fileURLToPath(
           new URL(
-            '../../../../../../dist/<%= dir %>/bundle',
+            '../../../../../../<%- bundlePathFromRoot %>',
             import.meta.url
           )
         )),
@@ -21,4 +21,4 @@ export class <%= constructFunctionClassName %> extends Function {
         },
     });
   }
-}
+}