npm - @aws/nx-plugin - Versions diffs - 0.45.1 → 0.47.0 - Mend

@aws/nx-plugin 0.45.1 → 0.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (114) hide show

package/src/utils/function-constructs/files/terraform/app/lambda-functions/__functionNameKebabCase__/__functionNameKebabCase__.tf.template ADDED Viewed

@@ -0,0 +1,150 @@
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+variable "env" {
+  description = "Additional environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements to attach to the Lambda role"
+  type = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+locals {
+  aws_account_id = data.aws_caller_identity.current.account_id
+  aws_region     = data.aws_region.current.name
+}
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+resource "aws_iam_role" "lambda_role" {
+  name = "<%- functionNameKebabCase %>-role-${random_string.suffix.result}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "LambdaAssumeRolePolicy"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+  tags = var.tags
+}
+resource "aws_iam_policy" "lambda_policy" {
+  name        = "<%- functionNameKebabCase %>-policy-${random_string.suffix.result}"
+  description = "Policy for <%- functionNameKebabCase %> Lambda function"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = concat([
+      {
+        Sid    = "CloudWatchLogsAccess"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = [
+          "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:/aws/lambda/<%- functionNameKebabCase %>-${random_string.suffix.result}:*"
+        ]
+      },
+      {
+        Sid    = "XRayAccess"
+        Effect = "Allow"
+        Action = [
+          "xray:PutTraceSegments",
+          "xray:PutTelemetryRecords"
+        ]
+        Resource = ["*"]
+      }
+    ], var.additional_iam_policy_statements)
+  })
+  tags = var.tags
+}
+# Attach the policy to the role
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_policy.arn
+}
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "${path.module}/../../../../../../../<%- bundlePathFromRoot %>"
+  output_path = "${path.module}/../../../../../../../dist/packages/common/terraform/lambda-functions/<%- functionNameKebabCase %>/lambda.zip"
+}
+resource "aws_lambda_function" "lambda_function" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "<%- functionNameKebabCase %>-${random_string.suffix.result}"
+  role            = aws_iam_role.lambda_role.arn
+  handler         = "<%- handler %>"
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+  runtime         = "<%- runtime %>"
+  timeout         = 30
+  tracing_config {
+    mode = "Active"
+  }
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+  tags = var.tags
+  depends_on = [aws_iam_role_policy_attachment.lambda_policy_attachment]
+}
+output "function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.lambda_function.function_name
+}
+output "function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.lambda_function.arn
+}
+output "role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_role.arn
+}
+output "role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_role.name
+}

package/src/utils/function-constructs/function-constructs.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Tree } from '@nx/devkit';
+export interface AddLambdaFunctionConstructOptions {
+    functionProjectName: string;
+    functionNameClassName: string;
+    functionNameKebabCase: string;
+    bundlePathFromRoot: string;
+    handler: string;
+    runtime: 'node' | 'python';
+}
+/**
+ * Add infrastructure for a lambda function
+ */
+export declare const addLambdaFunctionInfra: (tree: Tree, options: AddLambdaFunctionConstructOptions & {
+    iacProvider: "CDK" | "Terraform";
+}) => void;

package/src/utils/function-constructs/function-constructs.js ADDED Viewed

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addLambdaFunctionInfra = void 0;
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+const devkit_1 = require("@nx/devkit");
+const shared_constructs_constants_1 = require("../shared-constructs-constants");
+const ast_1 = require("../ast");
+/**
+ * Add infrastructure for a lambda function
+ */
+const addLambdaFunctionInfra = (tree, options) => {
+    if (options.iacProvider === 'CDK') {
+        addLambdaFunctionCdkConstructs(tree, options);
+    }
+    else if (options.iacProvider === 'Terraform') {
+        addLambdaFunctionTerraformModules(tree, options);
+    }
+    else {
+        throw new Error(`Unsupported iacProvider ${options.iacProvider}`);
+    }
+    (0, devkit_1.updateJson)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, options.iacProvider === 'CDK'
+        ? shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR
+        : shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'project.json'), (config) => {
+        var _a;
+        if (!config.targets) {
+            config.targets = {};
+        }
+        if (!config.targets.build) {
+            config.targets.build = {};
+        }
+        config.targets.build.dependsOn = [
+            ...((_a = config.targets.build.dependsOn) !== null && _a !== void 0 ? _a : []),
+            `${options.functionProjectName}:build`,
+        ];
+        return config;
+    });
+};
+exports.addLambdaFunctionInfra = addLambdaFunctionInfra;
+const addLambdaFunctionCdkConstructs = (tree, options) => {
+    // Generate app specific CDK construct
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'cdk', 'app', 'lambda-functions'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'lambda-functions'), Object.assign(Object.assign({}, options), { runtime: `Runtime.${options.runtime === 'python' ? 'PYTHON_3_12' : 'NODEJS_LATEST'}` }), {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+    // Export app specific CDK construct
+    (0, ast_1.addStarExport)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'lambda-functions', 'index.ts'), `./${options.functionNameKebabCase}.js`);
+    (0, ast_1.addStarExport)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'index.ts'), './lambda-functions/index.js');
+};
+const addLambdaFunctionTerraformModules = (tree, options) => {
+    // Generate app specific terraform module
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'terraform', 'app', 'lambda-functions'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'src', 'app', 'lambda-functions'), Object.assign(Object.assign({}, options), { runtime: options.runtime === 'python' ? 'python3.12' : 'nodejs22.x' }), {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+};
+//# sourceMappingURL=function-constructs.js.map

package/src/utils/function-constructs/function-constructs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"function-constructs.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/utils/function-constructs/function-constructs.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,uCAOoB;AACpB,gFAIwC;AACxC,gCAAuC;AAWvC;;GAEG;AACI,MAAM,sBAAsB,GAAG,CACpC,IAAU,EACV,OAEC,EACD,EAAE;IACF,IAAI,OAAO,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;QAClC,8BAA8B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAChD,CAAC;SAAM,IAAI,OAAO,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QAC/C,iCAAiC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,IAAA,mBAAU,EACR,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,OAAO,CAAC,WAAW,KAAK,KAAK;QAC3B,CAAC,CAAC,mDAAqB;QACvB,CAAC,CAAC,kDAAoB,EACxB,cAAc,CACf,EACD,CAAC,MAA4B,EAAE,EAAE;;QAC/B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,CAAC,OAAO,GAAG,EAAE,CAAC;QACtB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG;YAC/B,GAAG,CAAC,MAAA,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,mCAAI,EAAE,CAAC;YACzC,GAAG,OAAO,CAAC,mBAAmB,QAAQ;SACvC,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AArCW,QAAA,sBAAsB,0BAqCjC;AAEF,MAAM,8BAA8B,GAAG,CACrC,IAAU,EACV,OAA0C,EAC1C,EAAE;IACF,sCAAsC;IACtC,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,CAAC,EACvE,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,kBAAkB,CACnB,kCAEI,OAAO,KACV,OAAO,EAAE,WAAW,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,eAAe,EAAE,KAEtF;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;IAEF,oCAAoC;IACpC,IAAA,mBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,UAAU,CACX,EACD,KAAK,OAAO,CAAC,qBAAqB,KAAK,CACxC,CAAC;IACF,IAAA,mBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,UAAU,CACX,EACD,6BAA6B,CAC9B,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,iCAAiC,GAAG,CACxC,IAAU,EACV,OAA0C,EAC1C,EAAE;IACF,yCAAyC;IACzC,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,SAAS,EACT,OAAO,EACP,WAAW,EACX,KAAK,EACL,kBAAkB,CACnB,EACD,IAAA,0BAAiB,EACf,0CAAY,EACZ,kDAAoB,EACpB,KAAK,EACL,KAAK,EACL,kBAAkB,CACnB,kCAEI,OAAO,KACV,OAAO,EAAE,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,KAErE;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;AACJ,CAAC,CAAC"}

package/src/utils/identity-constructs/files/terraform/core/user-identity/add-callback-url/add-callback-url.tf.template ADDED Viewed

@@ -0,0 +1,123 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+# Variables
+variable "callback_url" {
+  description = "Callback URL to add (e.g., https://d123456789.cloudfront.net)"
+  type        = string
+}
+# Read runtime config to get user pool client details
+module "runtime_config_reader" {
+  source = "../../runtime-config/read"
+}
+# Extract cognito details from runtime config
+locals {
+  cognito_props = try(module.runtime_config_reader.config.cognitoProps, null)
+  user_pool_id        = local.cognito_props != null ? local.cognito_props.userPoolId : null
+  user_pool_client_id = local.cognito_props != null ? local.cognito_props.userPoolWebClientId : null
+}
+# Validation: Ensure cognito props exist in runtime config
+resource "terraform_data" "validate_cognito_props" {
+  lifecycle {
+    precondition {
+      condition     = local.cognito_props != null
+      error_message = "ERROR: cognitoProps not found in runtime config. Ensure user-identity module has been deployed first and has added cognitoProps to the runtime configuration."
+    }
+    precondition {
+      condition     = local.user_pool_id != null && local.user_pool_id != ""
+      error_message = "ERROR: cognitoProps.userPoolId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+    precondition {
+      condition     = local.user_pool_client_id != null && local.user_pool_client_id != ""
+      error_message = "ERROR: cognitoProps.userPoolWebClientId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+  }
+}
+# Update the user pool client with additional callback URL
+resource "null_resource" "add_callback_url" {
+  triggers = {
+    callback_url        = var.callback_url
+    user_pool_id        = local.user_pool_id
+    user_pool_client_id = local.user_pool_client_id
+  }
+  provisioner "local-exec" {
+    command = <<-EOT
+      uv run --with boto3 python -c "
+import boto3
+import sys
+# Configuration
+user_pool_id = '${local.user_pool_id}'
+client_id = '${local.user_pool_client_id}'
+new_callback_url = '${var.callback_url}'
+# Initialize Cognito client
+cognito = boto3.client('cognito-idp')
+try:
+    # Get current user pool client configuration
+    response = cognito.describe_user_pool_client(
+        UserPoolId=user_pool_id,
+        ClientId=client_id
+    )
+    client_config = response['UserPoolClient']
+    current_callback_urls = client_config.get('CallbackURLs', [])
+    current_logout_urls = client_config.get('LogoutURLs', [])
+    # Check if URL already exists
+    if new_callback_url in current_callback_urls:
+        print(f'Callback URL {new_callback_url} already exists')
+    else:
+        # Add new URL to both callback and logout URLs
+        updated_callback_urls = current_callback_urls + [new_callback_url]
+        updated_logout_urls = current_logout_urls + [new_callback_url]
+        # Update the user pool client
+        # Only include valid update parameters (exclude read-only fields and ones we're setting)
+        valid_update_params = [
+            'ClientName', 'RefreshTokenValidity', 'AccessTokenValidity', 'IdTokenValidity',
+            'TokenValidityUnits', 'ReadAttributes', 'WriteAttributes', 'ExplicitAuthFlows',
+            'SupportedIdentityProviders', 'DefaultRedirectURI', 'AllowedOAuthFlows',
+            'AllowedOAuthScopes', 'AllowedOAuthFlowsUserPoolClient', 'AnalyticsConfiguration',
+            'PreventUserExistenceErrors', 'EnableTokenRevocation',
+            'EnablePropagateAdditionalUserContextData', 'AuthSessionValidity', 'RefreshTokenRotation'
+        ]
+        update_config = {k: v for k, v in client_config.items() if k in valid_update_params}
+        cognito.update_user_pool_client(
+            UserPoolId=user_pool_id,
+            ClientId=client_id,
+            CallbackURLs=updated_callback_urls,
+            LogoutURLs=updated_logout_urls,
+            **update_config
+        )
+        print(f'Successfully added callback URL: {new_callback_url}')
+except Exception as e:
+    print(f'Error updating callback URLs: {e}')
+    sys.exit(1)
+"
+    EOT
+  }
+  depends_on = [terraform_data.validate_cognito_props]
+}