@bitblit/ratchet-epsilon-deployment 6.0.145-alpha → 6.0.147-alpha

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@bitblit/ratchet-epsilon-deployment",
-  "version": "6.0.145-alpha",
+  "version": "6.0.147-alpha",
   "description": "Epsilon CDK extensions to simplify deployment",
   "sideEffects": false,
   "type": "module",
   "files": [
+    "src/**",
     "lib/**",
     "bin/**"
   ],
@@ -50,14 +51,14 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@bitblit/ratchet-aws": "6.0.145-alpha",
-    "@bitblit/ratchet-common": "6.0.145-alpha",
-    "@bitblit/ratchet-epsilon-common": "6.0.145-alpha",
+    "@bitblit/ratchet-aws": "6.0.147-alpha",
+    "@bitblit/ratchet-common": "6.0.147-alpha",
+    "@bitblit/ratchet-epsilon-common": "6.0.147-alpha",
     "aws-cdk-lib": "2.221.1",
     "constructs": "10.4.2"
   },
   "peerDependencies": {
-    "@bitblit/ratchet-common": "6.0.145-alpha",
+    "@bitblit/ratchet-common": "6.0.147-alpha",
     "aws-cdk-lib": "^2.221.1",
     "constructs": "^10.4.2"
   }

package/src/build/ratchet-epsilon-deployment-info.ts

@@ -0,0 +1,19 @@
+import { BuildInformation } from '@bitblit/ratchet-common/build/build-information';
+
+export class RatchetEpsilonDeploymentInfo {
+  // Empty constructor prevents instantiation
+  // eslint-disable-next-line @typescript-eslint/no-empty-function
+  private constructor() {}
+
+  public static buildInformation(): BuildInformation {
+    const val: BuildInformation = {
+      version: 'LOCAL-SNAPSHOT',
+      hash: 'LOCAL-HASH',
+      branch: 'LOCAL-BRANCH',
+      tag: 'LOCAL-TAG',
+      timeBuiltISO: 'LOCAL-TIME-ISO',
+      notes: 'LOCAL-NOTES',
+    };
+    return val;
+  }
+}

package/src/deployment/cdk/bucket-and-behavior-options.ts

@@ -0,0 +1,7 @@
+import { IBucket } from 'aws-cdk-lib/aws-s3';
+import { BehaviorOptions } from 'aws-cdk-lib/aws-cloudfront';
+
+export interface BucketAndBehaviorOptions {
+  bucket: IBucket;
+  behaviorOptions: BehaviorOptions;
+}

package/src/deployment/cdk/epsilon-api-stack-feature.ts

@@ -0,0 +1,5 @@
+export enum EpsilonApiStackFeature {
+  WebLambda = 'WebLambda',
+  BackgroundLambda = 'BackgroundLambda',
+  AwsBatchHandler = 'AwsBatchHandler',
+}

package/src/deployment/cdk/epsilon-api-stack-props.ts

@@ -0,0 +1,32 @@
+import { StackProps } from 'aws-cdk-lib';
+import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { EpsilonApiStackFeature } from './epsilon-api-stack-feature.js';
+import { SubnetAttributes } from 'aws-cdk-lib/aws-ec2';
+import { EpsilonSimpleLambdaCloudfrontDistributionProps } from './epsilon-simple-lambda-cloudfront-distribution-props';
+
+export interface EpsilonApiStackProps extends StackProps {
+  batchInstancesEc2KeyPairName?: string;
+  additionalPolicyStatements: PolicyStatement[];
+
+  disabledFeatures?: EpsilonApiStackFeature[];
+
+  dockerFileFolder: string;
+  dockerFileName: string;
+
+  lambdaSecurityGroupIds: string[];
+  vpcSubnetAttributes: SubnetAttributes[];
+  vpcId: string;
+
+  extraEnvironmentalVars?: Record<string, string>;
+  webLambdaPingMinutes?: number;
+
+  webMemorySizeMb?: number;
+  backgroundMemorySizeMb?: number;
+
+  webTimeoutSeconds?: number;
+  backgroundTimeoutSeconds?: number;
+
+  replaceBatchComputeEnvironment?: boolean;
+
+  autoCloudfrontDistribution?: EpsilonSimpleLambdaCloudfrontDistributionProps;
+}

package/src/deployment/cdk/epsilon-api-stack.ts

@@ -0,0 +1,284 @@
+import { Duration, Lazy, Size, Stack } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { DockerImageCode, DockerImageFunction, FunctionUrl, FunctionUrlAuthType, HttpMethod } from 'aws-cdk-lib/aws-lambda';
+import { ManagedPolicy, PolicyDocument, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { Topic } from 'aws-cdk-lib/aws-sns';
+import { Queue } from 'aws-cdk-lib/aws-sqs';
+import { LambdaSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';
+
+import { Rule, Schedule } from 'aws-cdk-lib/aws-events';
+import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
+import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
+import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
+import { EpsilonStackUtil } from './epsilon-stack-util.js';
+import { EpsilonApiStackProps } from './epsilon-api-stack-props.js';
+import { RatchetEpsilonDeploymentInfo } from '../../build/ratchet-epsilon-deployment-info.js';
+import {
+  EcsFargateContainerDefinition,
+  EcsFargateContainerDefinitionProps,
+  EcsJobDefinition,
+  EcsJobDefinitionProps,
+  FargateComputeEnvironment,
+  FargateComputeEnvironmentProps,
+  JobQueue,
+  JobQueueProps,
+} from 'aws-cdk-lib/aws-batch';
+import { SecurityGroup, Subnet, SubnetSelection, Vpc } from 'aws-cdk-lib/aws-ec2';
+
+import { ContainerImage } from 'aws-cdk-lib/aws-ecs';
+import { EpsilonApiStackFeature } from './epsilon-api-stack-feature.js';
+import { EpsilonSimpleLambdaCloudfrontDistributionProps } from './epsilon-simple-lambda-cloudfront-distribution-props';
+import { EpsilonSimpleLambdaCloudfrontDistribution } from './epsilon-simple-lambda-cloudfront-distribution';
+import { EpsilonRoute53Handling } from './epsilon-route-53-handling';
+import { HostedZone, RecordSet, RecordType } from 'aws-cdk-lib/aws-route53';
+import { CloudFrontTarget } from 'aws-cdk-lib/aws-route53-targets';
+
+export class EpsilonApiStack extends Stack {
+  private webHandler: DockerImageFunction;
+  private backgroundHandler: DockerImageFunction;
+
+  public webFunctionUrl: FunctionUrl;
+  public apiDomain: string;
+
+  constructor(scope: Construct, id: string, props?: EpsilonApiStackProps) {
+    super(scope, id, props);
+
+    const disabledFeatures: EpsilonApiStackFeature[] = props?.disabledFeatures || [];
+
+    // Build the docker image first
+    const dockerImageAsset: DockerImageAsset = new DockerImageAsset(this, id + 'DockerImage', {
+      directory: props.dockerFileFolder,
+      file: props.dockerFileName,
+    });
+    const dockerImageCode: DockerImageCode = DockerImageCode.fromImageAsset(props.dockerFileFolder, { file: props.dockerFileName });
+
+    const notificationTopic: Topic = new Topic(this, id + 'WorkNotificationTopic');
+    const workQueue: Queue = new Queue(this, id + 'WorkQueue', {
+      fifo: true,
+      retentionPeriod: Duration.hours(8),
+      visibilityTimeout: Duration.minutes(5),
+      contentBasedDeduplication: true,
+      ...props,
+    });
+
+    const interApiGenericEventTopic: Topic = new Topic(this, id + 'InterApiTopic');
+
+    const epsilonEnv: Record<string, string> = {
+      EPSILON_AWS_REGION: StringRatchet.safeString(Stack.of(this).region),
+      EPSILON_AWS_AVAILABILITY_ZONES: StringRatchet.safeString(JSON.stringify(Stack.of(this).availabilityZones)),
+      EPSILON_BACKGROUND_SQS_QUEUE_URL: StringRatchet.safeString(workQueue.queueUrl),
+      EPSILON_BACKGROUND_SNS_TOPIC_ARN: StringRatchet.safeString(notificationTopic.topicArn),
+      EPSILON_INTER_API_EVENT_TOPIC_ARN: StringRatchet.safeString(interApiGenericEventTopic.topicArn),
+      EPSILON_LIB_BUILD_HASH: StringRatchet.safeString(RatchetEpsilonDeploymentInfo.buildInformation().hash),
+      EPSILON_LIB_BUILD_TIME: StringRatchet.safeString(RatchetEpsilonDeploymentInfo.buildInformation().timeBuiltISO),
+      EPSILON_LIB_BUILD_BRANCH_OR_TAG: StringRatchet.safeString(
+        RatchetEpsilonDeploymentInfo.buildInformation().branch || RatchetEpsilonDeploymentInfo.buildInformation().tag,
+      ),
+      EPSILON_LIB_BUILD_VERSION: StringRatchet.safeString(RatchetEpsilonDeploymentInfo.buildInformation().version),
+    };
+    const env: Record<string, string> = Object.assign({}, props.extraEnvironmentalVars || {}, epsilonEnv);
+
+    if (!disabledFeatures.includes(EpsilonApiStackFeature.AwsBatchHandler)) {
+      // Then build the Batch compute stuff...
+      // This is the role that ECS uses to pull containers, secrets, etc
+      const executionRole = new Role(this, id + 'BatchExecutionRole', {
+        assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'), //'ec2.amazonaws.com'),
+        managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')],
+        inlinePolicies: {
+          root: new PolicyDocument({
+            statements: EpsilonStackUtil.ECS_POLICY_STATEMENTS,
+          }),
+        },
+      });
+
+      // This is the role used by the container to actually do business logic (your code uses this role)
+      const jobRole = new Role(this, id + 'BatchJobRole', {
+        assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
+        managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')],
+        inlinePolicies: {
+          root: new PolicyDocument({
+            statements: EpsilonStackUtil.createDefaultPolicyStatementList(props, workQueue, notificationTopic, interApiGenericEventTopic),
+          }),
+        },
+      });
+
+      const subnetSelection: SubnetSelection = {
+        subnets: props.vpcSubnetAttributes.map((subnetAttr, index) => Subnet.fromSubnetAttributes(this, `VpcSubnet${index}`, subnetAttr)),
+      };
+
+      // Created AWSServiceBatchRole
+      // https://docs.aws.amazon.com/batch/latest/userguide/service_IAM_role.html
+      const compEnvProps: FargateComputeEnvironmentProps = {
+        vpc: Vpc.fromLookup(this, `Vpc`, { vpcId: props.vpcId }),
+        computeEnvironmentName: id + 'ComputeEnv',
+        enabled: true,
+        maxvCpus: 16,
+        replaceComputeEnvironment: props.replaceBatchComputeEnvironment ?? false,
+        securityGroups: props.lambdaSecurityGroupIds.map((sgId, index) =>
+          SecurityGroup.fromSecurityGroupId(this, `SecurityGroup${index}`, `sg-${sgId}`),
+        ),
+        serviceRole: Role.fromRoleArn(
+          this,
+          `${id}ServiceRole`,
+          'arn:aws:iam::' + props.env.account + ':role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch',
+        ),
+        //Role.fromRoleArn(this, `${id}ServiceRole`, 'arn:aws:iam::' + props.env.account + ':role/AWSBatchServiceRole'),
+        spot: false,
+        terminateOnUpdate: false,
+        updateTimeout: Duration.hours(4),
+        updateToLatestImageVersion: true,
+        vpcSubnets: subnetSelection,
+        //vpcSubnets: subnetSelection,
+      };
+
+      const compEnv: FargateComputeEnvironment = new FargateComputeEnvironment(this, id + 'ComputeEnv', compEnvProps);
+
+      const batchJobQueueProps: JobQueueProps = {
+        computeEnvironments: [{ order: 1, computeEnvironment: compEnv }],
+        enabled: true,
+        jobQueueName: id + 'BatchJobQueue',
+        priority: 10,
+        schedulingPolicy: undefined, // Implement later?
+      };
+
+      const batchJobQueue = new JobQueue(this, id + 'BatchJobQueue', batchJobQueueProps);
+
+      const batchEnvVars: Record<string, any> = EpsilonStackUtil.toEnvironmentVariables([
+        env,
+        props.extraEnvironmentalVars || {},
+        {
+          EPSILON_RUNNING_IN_AWS_BATCH: true,
+        },
+      ]);
+
+      const containerDef: EcsFargateContainerDefinitionProps = {
+        cpu: 4,
+        image: ContainerImage.fromRegistry(dockerImageAsset.imageUri),
+        memory: Size.mebibytes(8192),
+        assignPublicIp: true, // Need this to talk to ECS to get the container
+        command: ['Ref::taskName', 'Ref::taskDataBase64', 'Ref::traceId', 'Ref::traceDepth', 'Ref::taskMetaDataBase64'], // Bootstrap to the Lambda handler
+        environment: batchEnvVars,
+        executionRole: executionRole,
+        //fargatePlatformVersion: undefined,
+        jobRole: jobRole, //Role.fromRoleArn(this, `${id}JobRole`, jobRole.roleArn),
+        //linuxParameters: undefined,
+        readonlyRootFilesystem: false,
+        //secrets: undefined,
+        //user: undefined,
+        volumes: [],
+      };
+
+      const fargateContainerDefinitionDef = new EcsFargateContainerDefinition(this, `${id}FargateContainerDefinition`, containerDef);
+
+      const jobProps: EcsJobDefinitionProps = {
+        jobDefinitionName: id + 'JobDefinition',
+        retryAttempts: 3,
+        retryStrategies: undefined,
+        schedulingPriority: undefined,
+        timeout: undefined,
+        container: fargateContainerDefinitionDef,
+      };
+
+      const jobDef: EcsJobDefinition = new EcsJobDefinition(this, id + 'JobDefinition', jobProps);
+
+      // Add AWS batch vars to the environment
+      env['EPSILON_AWS_BATCH_JOB_DEFINITION_ARN'] = jobDef.jobDefinitionArn; //  .ref;
+      env['EPSILON_AWS_BATCH_JOB_QUEUE_ARN'] = batchJobQueue.jobQueueArn; //  .ref;
+    }
+
+    // This is needed for both background and web lambdas
+    const lambdaRole = new Role(this, 'customRole', {
+      roleName: id + 'LambdaCustomRole',
+      assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')],
+      inlinePolicies: {
+        root: new PolicyDocument({
+          statements: EpsilonStackUtil.createDefaultPolicyStatementList(props, workQueue, notificationTopic, interApiGenericEventTopic),
+        }),
+      },
+    });
+
+    if (!disabledFeatures.includes(EpsilonApiStackFeature.WebLambda)) {
+      this.webHandler = new DockerImageFunction(this, id + 'Web', {
+        //reservedConcurrentExecutions: 1,
+        retryAttempts: 2,
+        //allowAllOutbound: true, // Needs a VPC
+        memorySize: props.webMemorySizeMb || 128,
+        ephemeralStorageSize: Size.mebibytes(512),
+        timeout: Duration.seconds(props.webTimeoutSeconds || 20),
+        code: dockerImageCode,
+        role: lambdaRole,
+        environment: env,
+      });
+
+      if (props?.webLambdaPingMinutes && props.webLambdaPingMinutes > 0) {
+        // Wire up the cron handler
+        const rule = new Rule(this, id + 'WebKeepaliveRule', {
+          schedule: Schedule.rate(Duration.minutes(Math.ceil(props.webLambdaPingMinutes))),
+        });
+        rule.addTarget(new LambdaFunction(this.webHandler));
+      }
+
+      this.webFunctionUrl = this.webHandler.addFunctionUrl({
+        authType: FunctionUrlAuthType.NONE,
+        cors: {
+          allowedOrigins: ['*'],
+          allowedHeaders: ['Content-Type', 'X-Amz-Date', 'Authorization', 'X-Api-Key'],
+          allowedMethods: [HttpMethod.ALL],
+          allowCredentials: true,
+        },
+      });
+
+      this.apiDomain = Lazy.uncachedString({
+        produce: (context) => {
+          const resolved = context.resolve(this.webFunctionUrl.url);
+          return { 'Fn::Select': [2, { 'Fn::Split': ['/', resolved] }] } as any;
+        },
+      });
+
+      if (props.autoCloudfrontDistribution) {
+        const distroPropsCopy: EpsilonSimpleLambdaCloudfrontDistributionProps = Object.assign({}, props.autoCloudfrontDistribution);
+        distroPropsCopy.lambdaFunctionDomain = this.webFunctionUrl;
+        const dist = new EpsilonSimpleLambdaCloudfrontDistribution(this, id + 'DirectApiCloudfrontDistro', distroPropsCopy);
+        // Have to be able to skip this since SOME people don't do DNS in Route53
+        if (props?.autoCloudfrontDistribution.route53Handling === EpsilonRoute53Handling.Update) {
+          if (props?.autoCloudfrontDistribution.domainNames?.length) {
+            for (const dn of props.autoCloudfrontDistribution.domainNames) {
+              const _domain: RecordSet = new RecordSet(this, id + 'DomainName-' + dn, {
+                recordType: RecordType.A,
+                recordName: dn,
+                target: {
+                  aliasTarget: new CloudFrontTarget(dist),
+                },
+                zone: HostedZone.fromLookup(this, id + 'HostZone-' + dn, { domainName: EpsilonStackUtil.extractApexDomain(dn) }),
+              });
+            }
+          }
+        }
+      }
+    }
+
+    if (!disabledFeatures.includes(EpsilonApiStackFeature.BackgroundLambda)) {
+      this.backgroundHandler = new DockerImageFunction(this, id + 'Background', {
+        //reservedConcurrentExecutions: 1,
+        retryAttempts: 2,
+        // allowAllOutbound: true,
+        memorySize: props.backgroundMemorySizeMb || 3000,
+        ephemeralStorageSize: Size.mebibytes(512),
+        timeout: Duration.seconds(props.backgroundTimeoutSeconds || 900),
+        code: dockerImageCode,
+        role: lambdaRole,
+        environment: env,
+      });
+
+      notificationTopic.addSubscription(new LambdaSubscription(this.backgroundHandler));
+      interApiGenericEventTopic.addSubscription(new LambdaSubscription(this.backgroundHandler));
+
+      // Wire up the cron handler
+      const rule = new Rule(this, id + 'CronRule', {
+        schedule: Schedule.rate(Duration.minutes(1)),
+      });
+      rule.addTarget(new LambdaFunction(this.backgroundHandler));
+    }
+  }
+}

package/src/deployment/cdk/epsilon-lambda-to-cloudfront-path-mapping.ts

@@ -0,0 +1,9 @@
+import { FunctionUrl } from 'aws-cdk-lib/aws-lambda';
+import { Construct } from 'constructs';
+import { IResponseHeadersPolicy } from 'aws-cdk-lib/aws-cloudfront';
+
+export interface EpsilonLambdaToCloudfrontPathMapping {
+  lambdaFunctionUrl: FunctionUrl;
+  pathPattern: string;
+  responseHeadersPolicyCreator?: (scope: Construct, id: string) => IResponseHeadersPolicy;
+}

package/src/deployment/cdk/epsilon-route-53-handling.ts

@@ -0,0 +1,7 @@
+// NOTE: This is a psuedo-enum to fix some issues with Typescript enums.  See: https://exploringjs.com/tackling-ts/ch_enum-alternatives.html for details
+
+export const EpsilonRoute53Handling = {
+  Update: 'Update',
+  DoNotUpdate: 'DoNotUpdate',
+};
+export type EpsilonRoute53Handling = (typeof EpsilonRoute53Handling)[keyof typeof EpsilonRoute53Handling];

package/src/deployment/cdk/epsilon-simple-lambda-cloudfront-distribution-props.ts

@@ -0,0 +1,25 @@
+import { StackProps } from 'aws-cdk-lib';
+import {
+  AllowedMethods,
+  ICachePolicy,
+  IResponseHeadersPolicy,
+  PriceClass,
+  SSLMethod,
+  ViewerProtocolPolicy,
+} from 'aws-cdk-lib/aws-cloudfront';
+import { FunctionUrl } from 'aws-cdk-lib/aws-lambda';
+import { EpsilonRoute53Handling } from './epsilon-route-53-handling';
+import { Construct } from 'constructs';
+
+export interface EpsilonSimpleLambdaCloudfrontDistributionProps extends StackProps {
+  lambdaFunctionDomain: FunctionUrl;
+  httpsCertArn: string;
+  domainNames: string[];
+  protocolPolicy?: ViewerProtocolPolicy;
+  cachePolicy?: ICachePolicy;
+  priceClass?: PriceClass;
+  sslMethod?: SSLMethod;
+  route53Handling?: EpsilonRoute53Handling;
+  allowedMethods?: AllowedMethods;
+  responseHeadersPolicyCreator?: (scope: Construct, id: string) => IResponseHeadersPolicy;
+}

package/src/deployment/cdk/epsilon-simple-lambda-cloudfront-distribution.ts

@@ -0,0 +1,48 @@
+import { Construct } from 'constructs';
+import {
+  AllowedMethods,
+  BehaviorOptions,
+  CachePolicy,
+  Distribution,
+  DistributionProps,
+  IResponseHeadersPolicy,
+  OriginRequestPolicy,
+  PriceClass,
+  ResponseHeadersPolicy,
+  SSLMethod,
+  ViewerProtocolPolicy,
+} from 'aws-cdk-lib/aws-cloudfront';
+import { FunctionUrlOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { EpsilonSimpleLambdaCloudfrontDistributionProps } from './epsilon-simple-lambda-cloudfront-distribution-props.js';
+import { Certificate, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
+
+export class EpsilonSimpleLambdaCloudfrontDistribution extends Distribution {
+  constructor(scope: Construct, id: string, props?: EpsilonSimpleLambdaCloudfrontDistributionProps) {
+    let policy: IResponseHeadersPolicy = ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS;
+    if (props.responseHeadersPolicyCreator) {
+      policy = props.responseHeadersPolicyCreator(scope, id);
+    }
+
+    const behavior: BehaviorOptions = {
+      origin: new FunctionUrlOrigin(props.lambdaFunctionDomain),
+      compress: true,
+      viewerProtocolPolicy: props.protocolPolicy ?? ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      cachePolicy: props.cachePolicy ?? CachePolicy.CACHING_DISABLED,
+      allowedMethods: props.allowedMethods ?? AllowedMethods.ALLOW_ALL,
+      originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+      responseHeadersPolicy: policy,
+    };
+
+    const httpsCertificate: ICertificate = Certificate.fromCertificateArn(scope, id + 'HttpsCert', props.httpsCertArn);
+
+    const distributionProps: DistributionProps = {
+      defaultBehavior: behavior,
+      priceClass: props.priceClass ?? PriceClass.PRICE_CLASS_ALL,
+      certificate: httpsCertificate,
+      domainNames: props.domainNames,
+      sslSupportMethod: props.sslMethod ?? SSLMethod.SNI,
+    };
+
+    super(scope, id + 'CloudfrontDistro', distributionProps);
+  }
+}

package/src/deployment/cdk/epsilon-stack-util.spec.ts

@@ -0,0 +1,10 @@
+import { describe, expect, test } from 'vitest';
+import { EpsilonStackUtil } from './epsilon-stack-util.js';
+
+describe('#EpsilonStackUtil', function () {
+  test('should extract apex domains', async () => {
+    expect(EpsilonStackUtil.extractApexDomain('a.b.test.com')).toEqual('test.com');
+    expect(EpsilonStackUtil.extractApexDomain('www.test.com')).toEqual('test.com');
+    expect(EpsilonStackUtil.extractApexDomain('test.com')).toEqual('test.com');
+  }, 500);
+});

package/src/deployment/cdk/epsilon-stack-util.ts

@@ -0,0 +1,164 @@
+import { Logger } from '@bitblit/ratchet-common/logger/logger';
+import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
+import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { Topic } from 'aws-cdk-lib/aws-sns';
+import { Queue } from 'aws-cdk-lib/aws-sqs';
+import { EpsilonApiStackProps } from './epsilon-api-stack-props.js';
+import { ErrorRatchet } from '@bitblit/ratchet-common/lang/error-ratchet';
+import { HeadersFrameOption, HeadersReferrerPolicy, ResponseHeadersPolicy } from 'aws-cdk-lib/aws-cloudfront';
+import { Construct } from 'constructs';
+import { Duration } from 'aws-cdk-lib';
+
+export class EpsilonStackUtil {
+  // Prevent instantiation
+  // eslint-disable-next-line @typescript-eslint/no-empty-function
+  private constructor() {}
+
+  public static toEnvironmentVariables(input: Record<string, any>[]): Record<string, string> {
+    const rval: Record<string, string> = {};
+    input.forEach((inval) => {
+      Object.keys(inval).forEach((k) => {
+        rval[k] = StringRatchet.safeString(inval[k]);
+      });
+    });
+
+    return rval;
+  }
+
+  public static createDefaultPolicyStatementList(
+    props: EpsilonApiStackProps,
+    backgroundLambdaSqs: Queue,
+    backgroundLambdaSns: Topic,
+    interApiSns: Topic,
+  ): PolicyStatement[] {
+    const rval: PolicyStatement[] = (props.additionalPolicyStatements || []).concat([
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+        resources: ['arn:aws:logs:*:*:*'],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['ses:SendEmail', 'ses:SendRawEmail'],
+        resources: ['arn:aws:ses:*'],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['sqs:*'],
+        resources: [backgroundLambdaSqs.queueArn],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['sns:*'],
+        resources: [backgroundLambdaSns.topicArn, interApiSns.topicArn],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['batch:*'],
+        resources: ['*'],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['ec2:DescribeSecurityGroups'],
+        resources: ['*'],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['ec2:DescribeSubnets'],
+        resources: ['*'],
+      }),
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ['ec2:DescribeVpcs'],
+        resources: ['*'],
+      }),
+    ]);
+    Logger.info('Created policy statement list: %j', rval);
+    return rval;
+  }
+
+  public static readonly ALLOW_ECS: PolicyStatement = new PolicyStatement({
+    effect: Effect.ALLOW,
+    actions: ['ecs:*'],
+    resources: ['*'],
+  });
+
+  public static readonly ALLOW_ECR: PolicyStatement = new PolicyStatement({
+    effect: Effect.ALLOW,
+    actions: ['ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage', 'ecr:GetDownloadUrlForLayer', 'ecr:GetAuthorizationToken'],
+    resources: ['*'],
+  });
+
+  public static readonly ALLOW_RESTRICTED_LOGS: PolicyStatement = new PolicyStatement({
+    effect: Effect.ALLOW,
+    actions: ['logs:CreateLogStream', 'logs:PutLogEvents', 'logs:DescribeLogStreams', 'logs:CreateLogGroup'],
+    resources: ['*'],
+  });
+
+  // Used by fargate to read containers, etc
+  public static readonly ALLOW_FARGATE_SECRET_READING: PolicyStatement[] = [
+    new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ['ssm:GetParameters'],
+      resources: ['*'],
+    }),
+    new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ['secretsmanager:GetSecretValue'],
+      resources: ['*'],
+    }),
+    new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ['kms:Decrypt'],
+      resources: ['*'],
+    }),
+  ];
+
+  public static readonly ECS_POLICY_STATEMENTS: PolicyStatement[] = [
+    EpsilonStackUtil.ALLOW_ECS,
+    EpsilonStackUtil.ALLOW_ECR,
+    EpsilonStackUtil.ALLOW_RESTRICTED_LOGS,
+  ].concat(EpsilonStackUtil.ALLOW_FARGATE_SECRET_READING);
+
+  public static extractApexDomain(domainName: string): string {
+    const pieces: string[] = StringRatchet.trimToEmpty(domainName).split('.');
+    if (pieces.length < 2) {
+      ErrorRatchet.throwFormattedErr('Not a valid domain name : %s', domainName);
+    }
+    return pieces[pieces.length - 2] + '.' + pieces[pieces.length - 1];
+  }
+
+  public static createForwardCorsPolicy(app: Construct, id: string, xssReportUri: string): ResponseHeadersPolicy {
+    // Creating a custom response headers policy -- all parameters optional
+    const rval: ResponseHeadersPolicy = new ResponseHeadersPolicy(app, id + 'CFRespHeadersPolicy', {
+      responseHeadersPolicyName: id + 'CustomCloudfrontPolicy',
+      comment: 'Policy allowing passthru for CORS headers',
+      corsBehavior: {
+        accessControlAllowCredentials: false,
+        accessControlAllowHeaders: ['*'],
+        accessControlAllowMethods: ['*'],
+        accessControlAllowOrigins: ['*'],
+        accessControlExposeHeaders: [],
+        accessControlMaxAge: Duration.seconds(600),
+        originOverride: false, // Use the origin values, if any
+      },
+      customHeadersBehavior: {
+        customHeaders: [
+          //{ header: 'X-Amz-Date', value: 'some-value', override: true },
+          //{ header: 'X-Amz-Security-Token', value: 'some-value', override: false },
+        ],
+      },
+      securityHeadersBehavior: {
+        contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
+        contentTypeOptions: { override: true },
+        frameOptions: { frameOption: HeadersFrameOption.DENY, override: true },
+        referrerPolicy: { referrerPolicy: HeadersReferrerPolicy.NO_REFERRER, override: true },
+        strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
+        xssProtection: { protection: true, modeBlock: false, reportUri: xssReportUri, override: true },
+      },
+      removeHeaders: ['Server'],
+      serverTimingSamplingRate: 50,
+    });
+    return rval;
+  }
+}

package/src/deployment/cdk/epsilon-website-cache-behavior.ts

@@ -0,0 +1,5 @@
+export enum EpsilonWebsiteCacheBehavior {
+  Default = 'Default',
+  NoCache = 'NoCache',
+  Custom = 'Custom',
+}

package/src/deployment/cdk/epsilon-website-stack-props.ts

@@ -0,0 +1,19 @@
+import { StackProps } from 'aws-cdk-lib';
+import { SimpleAdditionalS3WebsiteMapping } from './simple-additional-s3-website-mapping.js';
+import { EpsilonLambdaToCloudfrontPathMapping } from './epsilon-lambda-to-cloudfront-path-mapping.js';
+import { Behavior } from 'aws-cdk-lib/aws-cloudfront';
+import { EpsilonWebsiteCacheBehavior } from './epsilon-website-cache-behavior.js';
+import { EpsilonRoute53Handling } from './epsilon-route-53-handling.js';
+
+export interface EpsilonWebsiteStackProps extends StackProps {
+  targetBucketName: string;
+  cloudFrontHttpsCertificateArn: string;
+  cloudFrontDomainNames: string[];
+  apiMappings: EpsilonLambdaToCloudfrontPathMapping[];
+  pathsToAssets: string[];
+  route53Handling: EpsilonRoute53Handling;
+  simpleAdditionalMappings?: SimpleAdditionalS3WebsiteMapping[];
+  websiteCacheBehavior?: EpsilonWebsiteCacheBehavior;
+  websiteBehaviorOverride?: Behavior[];
+  retainWebsiteBucketOnDestroy?: boolean;
+}

package/src/deployment/cdk/epsilon-website-stack.ts

@@ -0,0 +1,148 @@
+import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
+import { CfnOutput, Duration, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import path from 'path';
+import {
+  AllowedMethods,
+  BehaviorOptions,
+  CachePolicy,
+  Distribution,
+  DistributionProps,
+  PriceClass,
+  ResponseHeadersPolicy,
+  SSLMethod,
+  ViewerProtocolPolicy,
+} from 'aws-cdk-lib/aws-cloudfront';
+import { HostedZone, RecordSet, RecordType } from 'aws-cdk-lib/aws-route53';
+import { CloudFrontTarget } from 'aws-cdk-lib/aws-route53-targets';
+import { BucketDeployment, ISource, Source } from 'aws-cdk-lib/aws-s3-deployment';
+import { EpsilonWebsiteStackProps } from './epsilon-website-stack-props.js';
+import { EpsilonStackUtil } from './epsilon-stack-util.js';
+import { EpsilonRoute53Handling } from './epsilon-route-53-handling';
+import { FunctionUrlOrigin, S3BucketOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { Certificate, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
+import { Logger } from '@bitblit/ratchet-common/logger/logger';
+
+export class EpsilonWebsiteStack extends Stack {
+  constructor(scope: Construct, id: string, props?: EpsilonWebsiteStackProps) {
+    super(scope, id, props);
+
+    // Create the bucket to hold the SPA
+    const websiteBucket: Bucket = new Bucket(this, id + 'DeployBucket', {
+      bucketName: props.targetBucketName,
+      removalPolicy: props.retainWebsiteBucketOnDestroy ? undefined : RemovalPolicy.DESTROY,
+      autoDeleteObjects: !props.retainWebsiteBucketOnDestroy,
+      versioned: false,
+      publicReadAccess: false,
+      encryption: BucketEncryption.S3_MANAGED,
+    });
+    // Create the access id for that bucket
+    //const originAccessId: OriginAccessIdentity = new OriginAccessIdentity(this, id + 'OriginAccessId');
+    //websiteBucket.grantRead(originAccessId);
+    // Cache policy for that bucket
+    const cachePolicy: CachePolicy = new CachePolicy(this, id + 'ShortCachePolicy', {
+      defaultTtl: Duration.seconds(1),
+      maxTtl: Duration.seconds(1),
+      minTtl: Duration.seconds(1),
+    });
+
+    const defaultBehavior: BehaviorOptions = {
+      origin: S3BucketOrigin.withOriginAccessControl(websiteBucket), //  new FunctionUrlOrigin(props.lambdaFunctionDomain),
+      compress: true,
+      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      cachePolicy: cachePolicy,
+      allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+    };
+
+    const httpsCertificate: ICertificate = Certificate.fromCertificateArn(this, id + 'HttpsCert', props.cloudFrontHttpsCertificateArn);
+
+    const distributionProps: DistributionProps = {
+      defaultBehavior: defaultBehavior,
+      defaultRootObject: 'index.html',
+      priceClass: PriceClass.PRICE_CLASS_ALL,
+      certificate: httpsCertificate,
+      domainNames: props.cloudFrontDomainNames,
+      sslSupportMethod: SSLMethod.SNI,
+      additionalBehaviors: {}, // Will be added after
+      errorResponses: [
+        {
+          httpStatus: 404,
+          ttl: Duration.seconds(300),
+          responseHttpStatus: 200,
+          responsePagePath: '/index.html',
+        },
+        {
+          httpStatus: 403,
+          ttl: Duration.seconds(300),
+          responseHttpStatus: 200,
+          responsePagePath: '/index.html',
+        },
+      ],
+    };
+
+    // Add api sources, if any
+    (props.apiMappings || []).forEach((s) => {
+      const next: BehaviorOptions = {
+        origin: new FunctionUrlOrigin(s.lambdaFunctionUrl),
+        compress: true,
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy: CachePolicy.CACHING_DISABLED,
+        allowedMethods: AllowedMethods.ALLOW_ALL,
+        responseHeadersPolicy: s.responseHeadersPolicyCreator
+          ? s.responseHeadersPolicyCreator(this, id)
+          : ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS,
+      };
+      distributionProps.additionalBehaviors[s.pathPattern] = next;
+    });
+
+    // Add extra bucket mappings, if any
+    // They are assumed to have been created outside of Epsilon, so they are imported not created
+    (props.simpleAdditionalMappings || []).forEach((eb) => {
+      const nextBucket = Bucket.fromBucketAttributes(this, eb.bucketName + 'ImportedBucket', {
+        bucketName: eb.bucketName,
+      });
+
+      const behaviorOptions: BehaviorOptions = {
+        origin: S3BucketOrigin.withOriginAccessControl(nextBucket),
+        compress: true,
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy: cachePolicy,
+        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+      };
+
+      distributionProps.additionalBehaviors[eb.pathPattern] = behaviorOptions;
+    });
+
+    // Create the distro
+    const cloudfrontDistro: Distribution = new Distribution(this, id + 'CloudfrontDistro', distributionProps);
+    new CfnOutput(this, 'DistributionUrl', { value: 'https://' + cloudfrontDistro.domainName });
+
+    // Have to be able to skip this since SOME people don't do DNS in Route53
+    if (props?.route53Handling === EpsilonRoute53Handling.Update) {
+      if (props?.cloudFrontDomainNames?.length) {
+        props.cloudFrontDomainNames.forEach((dn, _idx) => {
+          const _domain: RecordSet = new RecordSet(this, id + 'DomainName-' + dn, {
+            recordType: RecordType.A,
+            recordName: dn,
+            target: {
+              aliasTarget: new CloudFrontTarget(cloudfrontDistro),
+            },
+            zone: HostedZone.fromLookup(this, id, { domainName: EpsilonStackUtil.extractApexDomain(dn) }),
+          });
+        });
+      }
+    }
+
+    const assetSources: ISource[] = props.pathsToAssets.map((inPath) => Source.asset(path.resolve(inPath)));
+    Logger.info('Found %d asset sources to push to S3', assetSources.length);
+
+    // Sync files to the S3 Bucket
+    //  [Source.asset(path.resolve('../website/dist'))],
+    new BucketDeployment(this, id + 'SiteDeploy', {
+      sources: assetSources,
+      destinationBucket: websiteBucket,
+      distribution: cloudfrontDistro,
+      distributionPaths: ['/*'], //'/locales/*', '/index.html', '/manifest.webmanifest', '/service-worker.js']
+    });
+  }
+}

package/src/deployment/cdk/simple-additional-s3-website-mapping.ts

@@ -0,0 +1,4 @@
+export interface SimpleAdditionalS3WebsiteMapping {
+  bucketName: string;
+  pathPattern: string;
+}

package/src/deployment/index.ts

@@ -0,0 +1,14 @@
+/**
+ * @file Automatically generated by barrelsby.
+ */
+
+export * from './cdk/bucket-and-behavior-options';
+export * from './cdk/epsilon-api-stack-feature.js';
+export * from './cdk/epsilon-api-stack-props.js';
+export * from './cdk/epsilon-api-stack.js';
+export * from './cdk/epsilon-lambda-to-cloudfront-path-mapping.js';
+export * from './cdk/epsilon-stack-util.js';
+export * from './cdk/epsilon-website-cache-behavior.js';
+export * from './cdk/epsilon-website-stack-props.js';
+export * from './cdk/epsilon-website-stack.js';
+export * from './cdk/simple-additional-s3-website-mapping.js';