@byaga/cdk-patterns 0.10.0 → 0.11.1

package/{lib/Role.d.ts → archive/Role.ts}

@@ -1,139 +1,165 @@
-import { IPrincipal, Role as CdkRole } from "aws-cdk-lib/aws-iam";
-import { Duration } from "aws-cdk-lib";
-import { DeployStack } from "./DeployStack";
-import { IManagedPolicy } from "aws-cdk-lib/aws-iam/lib/managed-policy";
-import { PolicyDocument } from "aws-cdk-lib/aws-iam/lib/policy-document";
-interface IRoleProps {
-    identityPool: string;
-    amr: string;
-    /**
-     * The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
-     *
-     * You can later modify the assume role policy document by accessing it via
-     * the `assumeRolePolicy` property.
-     *
-     * @stability stable
-     */
-    assumedBy?: IPrincipal;
-    /**
-     * (deprecated) ID that the role assumer needs to provide when assuming this role.
-     *
-     * If the configured and provided external IDs do not match, the
-     * AssumeRole operation will fail.
-     *
-     * @default No external ID required
-     * @deprecated see {@link externalIds}
-     */
-    readonly externalId?: string;
-    /**
-     * List of IDs that the role assumer needs to provide one of when assuming this role.
-     *
-     * If the configured and provided external IDs do not match, the
-     * AssumeRole operation will fail.
-     *
-     * @default No external ID required
-     * @stability stable
-     */
-    readonly externalIds?: string[];
-    /**
-     * A list of managed policies associated with this role.
-     *
-     * You can add managed policies later using
-     * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
-     *
-     * @default - No managed policies.
-     * @stability stable
-     */
-    readonly managedPolicies?: IManagedPolicy[];
-    /**
-     * A list of named policies to inline into this role.
-     *
-     * These policies will be
-     * created with the role, whereas those added by ``addToPolicy`` are added
-     * using a separate CloudFormation resource (allowing a way around circular
-     * dependencies that could otherwise be introduced).
-     *
-     * @default - No policy is inlined in the Role resource.
-     * @stability stable
-     */
-    readonly inlinePolicies?: {
-        [name: string]: PolicyDocument;
-    };
-    /**
-     * The path associated with this role.
-     *
-     * For information about IAM paths, see
-     * Friendly Names and Paths in IAM User Guide.
-     *
-     * @default /
-     * @stability stable
-     */
-    readonly path?: string;
-    /**
-     * AWS supports permissions boundaries for IAM entities (users or roles).
-     *
-     * A permissions boundary is an advanced feature for using a managed policy
-     * to set the maximum permissions that an identity-based policy can grant to
-     * an IAM entity. An entity's permissions boundary allows it to perform only
-     * the actions that are allowed by both its identity-based policies and its
-     * permissions boundaries.
-     *
-     * @default - No permissions boundary.
-     * @stability stable
-     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
-     */
-    readonly permissionsBoundary?: IManagedPolicy;
-    /**
-     * A name for the IAM role.
-     *
-     * For valid values, see the RoleName parameter for
-     * the CreateRole action in the IAM API Reference.
-     *
-     * IMPORTANT: If you specify a name, you cannot perform updates that require
-     * replacement of this resource. You can perform updates that require no or
-     * some interruption. If you must replace the resource, specify a new name.
-     *
-     * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
-     * acknowledge your template's capabilities. For more information, see
-     * Acknowledging IAM Resources in AWS CloudFormation Templates.
-     *
-     * @default - AWS CloudFormation generates a unique physical ID and uses that ID
-     * for the role name.
-     * @stability stable
-     */
-    readonly roleName?: string;
-    /**
-     * The maximum session duration that you want to set for the specified role.
-     *
-     * This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
-     *
-     * Anyone who assumes the role from the AWS CLI or API can use the
-     * DurationSeconds API parameter or the duration-seconds CLI parameter to
-     * request a longer session. The MaxSessionDuration setting determines the
-     * maximum duration that can be requested using the DurationSeconds
-     * parameter.
-     *
-     * If users don't specify a value for the DurationSeconds parameter, their
-     * security credentials are valid for one hour by default. This applies when
-     * you use the AssumeRole* API operations or the assume-role* CLI operations
-     * but does not apply when you use those operations to create a console URL.
-     *
-     * @default Duration.hours(1)
-     * @stability stable
-     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-     */
-    readonly maxSessionDuration?: Duration;
-    /**
-     * A description of the role.
-     *
-     * It can be up to 1000 characters long.
-     *
-     * @default - No description.
-     * @stability stable
-     */
-    readonly description?: string;
-}
-export declare class Role extends CdkRole {
-    constructor(stack: DeployStack, id: string, props: IRoleProps);
-}
-export {};
+import {FederatedPrincipal, IPrincipal, Role as CdkRole} from "aws-cdk-lib/aws-iam";
+import {Duration} from "aws-cdk-lib";
+import {Output} from './Output'
+import {DeployStack} from "./DeployStack";
+import {IManagedPolicy} from "aws-cdk-lib/aws-iam/lib/managed-policy";
+import {PolicyDocument} from "aws-cdk-lib/aws-iam/lib/policy-document";
+
+interface IRoleProps {
+    identityPool: string,
+    amr: string,
+    /**
+     * The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
+     *
+     * You can later modify the assume role policy document by accessing it via
+     * the `assumeRolePolicy` property.
+     *
+     * @stability stable
+     */
+    assumedBy?: IPrincipal,
+
+    /**
+     * (deprecated) ID that the role assumer needs to provide when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @deprecated see {@link externalIds}
+     */
+    readonly externalId?: string;
+    /**
+     * List of IDs that the role assumer needs to provide one of when assuming this role.
+     *
+     * If the configured and provided external IDs do not match, the
+     * AssumeRole operation will fail.
+     *
+     * @default No external ID required
+     * @stability stable
+     */
+    readonly externalIds?: string[];
+    /**
+     * A list of managed policies associated with this role.
+     *
+     * You can add managed policies later using
+     * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
+     *
+     * @default - No managed policies.
+     * @stability stable
+     */
+    readonly managedPolicies?: IManagedPolicy[];
+    /**
+     * A list of named policies to inline into this role.
+     *
+     * These policies will be
+     * created with the role, whereas those added by ``addToPolicy`` are added
+     * using a separate CloudFormation resource (allowing a way around circular
+     * dependencies that could otherwise be introduced).
+     *
+     * @default - No policy is inlined in the Role resource.
+     * @stability stable
+     */
+    readonly inlinePolicies?: {
+        [name: string]: PolicyDocument;
+    };
+    /**
+     * The path associated with this role.
+     *
+     * For information about IAM paths, see
+     * Friendly Names and Paths in IAM User Guide.
+     *
+     * @default /
+     * @stability stable
+     */
+    readonly path?: string;
+    /**
+     * AWS supports permissions boundaries for IAM entities (users or roles).
+     *
+     * A permissions boundary is an advanced feature for using a managed policy
+     * to set the maximum permissions that an identity-based policy can grant to
+     * an IAM entity. An entity's permissions boundary allows it to perform only
+     * the actions that are allowed by both its identity-based policies and its
+     * permissions boundaries.
+     *
+     * @default - No permissions boundary.
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    readonly permissionsBoundary?: IManagedPolicy;
+    /**
+     * A name for the IAM role.
+     *
+     * For valid values, see the RoleName parameter for
+     * the CreateRole action in the IAM API Reference.
+     *
+     * IMPORTANT: If you specify a name, you cannot perform updates that require
+     * replacement of this resource. You can perform updates that require no or
+     * some interruption. If you must replace the resource, specify a new name.
+     *
+     * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
+     * acknowledge your template's capabilities. For more information, see
+     * Acknowledging IAM Resources in AWS CloudFormation Templates.
+     *
+     * @default - AWS CloudFormation generates a unique physical ID and uses that ID
+     * for the role name.
+     * @stability stable
+     */
+    readonly roleName?: string;
+    /**
+     * The maximum session duration that you want to set for the specified role.
+     *
+     * This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
+     *
+     * Anyone who assumes the role from the AWS CLI or API can use the
+     * DurationSeconds API parameter or the duration-seconds CLI parameter to
+     * request a longer session. The MaxSessionDuration setting determines the
+     * maximum duration that can be requested using the DurationSeconds
+     * parameter.
+     *
+     * If users don't specify a value for the DurationSeconds parameter, their
+     * security credentials are valid for one hour by default. This applies when
+     * you use the AssumeRole* API operations or the assume-role* CLI operations
+     * but does not apply when you use those operations to create a console URL.
+     *
+     * @default Duration.hours(1)
+     * @stability stable
+     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+     */
+    readonly maxSessionDuration?: Duration;
+    /**
+     * A description of the role.
+     *
+     * It can be up to 1000 characters long.
+     *
+     * @default - No description.
+     * @stability stable
+     */
+    readonly description?: string;
+}
+
+export class Role extends CdkRole {
+    constructor(stack: DeployStack, id: string, props: IRoleProps) {
+        console.log('Defining Role', stack.genId(id))
+        if (!props.assumedBy) {
+            props.assumedBy = new FederatedPrincipal(
+                'cognito-identity.amazonaws.com',
+                {
+                    StringEquals: {
+                        'cognito-identity.amazonaws.com:aud': props.identityPool
+                    },
+                    "ForAnyValue:StringLike": {
+                        'cognito-identity.amazonaws.com:amr': props.amr
+                    }
+                },
+                'sts:AssumeRoleWithWebIdentity'
+            )
+        }
+
+        super(stack, stack.genId(id), {
+            ...props,
+            roleName: stack.genName(props.roleName || id),
+            assumedBy: props.assumedBy
+        })
+        new Output(stack, `${id}-arn`, this.roleArn)
+    }
+}

package/archive/StaticWebSite.ts

@@ -0,0 +1,159 @@
+import {RemovalPolicy} from "aws-cdk-lib/core";
+import {Output} from './Output'
+import {DeployStack} from "./DeployStack";
+import {execSync} from "child_process";
+import {Bucket} from "aws-cdk-lib/aws-s3"
+import {BucketDeployment, Source} from "aws-cdk-lib/aws-s3-deployment"
+import ApiCertificate from "./ApiCertificate";
+import {
+    CloudFrontAllowedMethods,
+    CloudFrontWebDistribution,
+    OriginAccessIdentity,
+    OriginProtocolPolicy, SourceConfiguration,
+    SSLMethod,
+    ViewerCertificate,
+    ViewerProtocolPolicy
+} from "aws-cdk-lib/aws-cloudfront"
+import IDomainConfig from "./IDomainConfig";
+import {PolicyStatement} from "aws-cdk-lib/aws-iam";
+import {ARecord, RecordTarget} from "aws-cdk-lib/aws-route53";
+import {CloudFrontTarget} from "aws-cdk-lib/aws-route53-targets";
+import duration from './methods/duration';
+import {buildNodeSource} from './methods/build-node-source'
+import {Duration} from "aws-cdk-lib";
+
+/**
+ * Configuration interface for the StaticWebSite class.
+ */
+export interface StaticWebSiteConfig {
+    srcDir?: string,
+    domain: IDomainConfig,
+    env: NodeJS.ProcessEnv,
+    proxy?: SourceConfiguration[]
+}
+
+/**
+ * Logic which will setup a static web site in AWS with an S3 Bucket, CloudFront Distribution, and Route53 A-Name Record.
+ */
+export class StaticWebSite {
+    /**
+     * Constructs a new StaticWebSite instance.
+     * @param {DeployStack} stack - The deployment stack.
+     * @param {string} id - The ID of the website.
+     * @param {StaticWebSiteConfig} props - The configuration properties of the website.
+     */
+    constructor(stack: DeployStack, id: string, props: StaticWebSiteConfig) {
+        console.log('Deploying Static Web Site', id)
+
+        const done = duration()
+        const buildDir = buildNodeSource('web', id)
+
+        console.log('Building UI Source', id)
+        execSync('npm run export', {
+                cwd: buildDir,
+                env: props.env
+        })
+
+        console.log('Total Build Duration (ms)', done())
+        const exportDir: string = buildDir + '/out';
+
+        console.log('Creating HTTPS Certificate', id + '-certificate')
+        const certificate = new ApiCertificate(stack, id + '-certificate', props.domain);
+        console.log('Deploying Site Content Bucket', stack.genId(id, "content-bucket"))
+        const s3BucketSource = new Bucket(stack, stack.genId(id, "content-bucket"), {
+            bucketName: certificate.domain,
+            websiteIndexDocument: "index.html",
+            websiteErrorDocument: "error.html",
+            removalPolicy: RemovalPolicy.DESTROY,
+            autoDeleteObjects: true,
+            publicReadAccess: false,
+            blockPublicAccess: {
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: true
+            }
+        });
+        new Output(stack, `${id}-content-bucket`, s3BucketSource.bucketName);
+
+        const cloudFrontPolicy = new PolicyStatement({
+            actions: ['s3:GetBucket*', 's3:GetObject*', 's3:List*'],
+            resources: [s3BucketSource.bucketArn, s3BucketSource.bucketArn + '/*'],
+        })
+
+        new BucketDeployment(stack, stack.genId(id, 'bucket-deployment'), {
+            sources: [Source.asset(exportDir)],
+            destinationBucket: s3BucketSource
+        })
+        const originAccessIdentity = new OriginAccessIdentity(stack, "WebsiteOAI");
+         cloudFrontPolicy.addArnPrincipal(originAccessIdentity.cloudFrontOriginAccessIdentityS3CanonicalUserId);
+         s3BucketSource.grantRead(originAccessIdentity)
+
+        const distro = new CloudFrontWebDistribution(stack, stack.genId(id, 'cloudfront-web-distribution'), {
+            enabled: true,
+             originConfigs: [...props.proxy || [], {
+                 s3OriginSource: {
+                     s3BucketSource,
+                     originAccessIdentity
+                 },
+                 behaviors: [{
+                     allowedMethods: CloudFrontAllowedMethods.GET_HEAD_OPTIONS,
+                     isDefaultBehavior: true
+                 }]
+             }],
+            viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            viewerCertificate: ViewerCertificate.fromAcmCertificate(certificate, {
+                aliases: [certificate.domain],
+                sslMethod: SSLMethod.SNI
+            })
+        })
+        new Output(stack, `${id}-base-url`, "https://" + certificate.domain);
+
+        console.log('Setting Route53 A-Name Record', props.domain.domainName)
+         new ARecord(stack, stack.genId('alias'), {
+             zone: certificate.hostedZone,
+             recordName: certificate.domain,
+             target: RecordTarget.fromAlias(new CloudFrontTarget(distro))
+         })
+    }
+
+    /**
+     * Defines a proxy for the static website.
+     * @param {DeployStack} stack - The deployment stack.
+     * @param {string} domainName - The domain name.
+     * @param {string} pathPattern - The path pattern.
+     * @returns {SourceConfiguration} The source configuration for the proxy.
+     */
+    static defineProxy(stack: DeployStack, domainName: string, pathPattern: string): SourceConfiguration {
+        return {
+            customOriginSource: {
+                domainName: domainName,
+                originPath:  `/${stack.stage}`,
+                originProtocolPolicy: OriginProtocolPolicy.HTTPS_ONLY
+            },
+            behaviors: [{
+                pathPattern,
+                allowedMethods: CloudFrontAllowedMethods.ALL,
+                maxTtl: Duration.seconds(0),
+                minTtl: Duration.seconds(0),
+                defaultTtl: Duration.seconds(0),
+                compress: false,
+                forwardedValues: {
+                    queryString: true,
+                    headers: [
+                        "Authorization",
+                        "User-Agent",
+                        "X-Trace-Id",
+                        "X-Span-Id",
+                        "X-Correlation-Id",
+                        'Referer',
+                        "User-Agent",
+                        "Accept-Language",
+                        'Content-Type',
+                        'Content-Length'
+                    ]
+                }
+            }]
+        }
+    }
+}

package/archive/index.ts

@@ -0,0 +1,18 @@
+export {ApiCertificate} from "./ApiCertificate";
+export {CognitoApiGatewayAuthorizer} from "./CognitoApiGatewayAuthorizer";
+export {DeployStack} from "./DeployStack";
+export {DynamoDbTable} from "./DynamoDbTable";
+export {IHostedZoneConfig} from "./IHostedZoneConfig";
+export {IDomainConfig} from "./IDomainConfig";
+export {IStackArguments} from "./IStackArguments";
+export {NodeJsLambdaLayer} from "./NodeJsLambdaLayer";
+export {Output} from "./Output";
+export {RestApi} from "./RestApi";
+export {Role} from "./Role";
+export {SsmParameter} from "./SsmParameter";
+export {StaticWebSite} from "./StaticWebSite";
+
+export {createFunction} from "./create-function";
+export {createNodejsLambda} from "./create-nodejs-lambda";
+export {attachFunctionToApi} from "./methods/attach-function-to-api";
+export {applySchemaToMethodOptions} from "./methods/apply-schema-to-method-options";

package/archive/methods/apply-schema-to-method-options.ts

@@ -0,0 +1,38 @@
+import {DeployStack} from "../DeployStack";
+import {
+    JsonSchema,
+    MethodOptions,
+    Model,
+    RequestValidator,
+    IResource
+} from "aws-cdk-lib/aws-apigateway";
+
+/**
+ * Applies a schema to a method.
+ * @param {DeployStack} stack - The deployment stack.
+ * @param {string} name - The name of the method.
+ * @param {JsonSchema} schema - The schema.
+ * @param {MethodOptions} options - The method options.
+ * @param {IResource} path - The path.
+ * @returns {MethodOptions} The method options with the schema applied.
+ */
+export function applySchemaToMethodOptions(stack: DeployStack, name: string, schema: JsonSchema, options: MethodOptions, path: IResource): MethodOptions {
+    return {
+        ...options,
+        requestValidator: new RequestValidator(stack, stack.genId(name, 'validator'), {
+            restApi: path.api,
+            requestValidatorName: stack.genName(name, 'validator'),
+            validateRequestBody: true
+        }),
+        requestModels: {
+            'application/json': new Model(stack, stack.genId(name, 'model'), {
+                schema: schema,
+                contentType: 'application/json',
+                restApi: path.api,
+                modelName: stack.genId(name, 'model')
+            })
+        }
+    }
+}
+
+export default applySchemaToMethodOptions;

package/archive/methods/attach-function-to-api.ts

@@ -0,0 +1,69 @@
+import {DeployStack} from "../DeployStack";
+import {
+    JsonSchema,
+    LambdaIntegration,
+    MethodOptions,
+    IResource, Method
+} from "aws-cdk-lib/aws-apigateway";
+import {RestApi} from "../RestApi";
+import {applySchemaToMethodOptions} from "./apply-schema-to-method-options";
+import {FunctionIntegration} from "../create-function";
+
+/**
+ * Type alias for the properties when attaching a function to an API or a resource.
+ */
+type AttachFunctionToApiProps = AttachFunctionToRestApiProps | AttachFunctionToResourceProps
+
+/**
+ * Interface for the properties when attaching a function to an API.
+ */
+export interface AttachFunctionToRestApiProps {
+    api: RestApi
+    httpMethod: string
+    path: string
+    requestSchema?: JsonSchema,
+    methodOptions?: MethodOptions
+}
+
+/**
+ * Interface for the properties when attaching a function to a resource.
+ */
+export interface AttachFunctionToResourceProps {
+    resource: IResource
+    httpMethod: string
+    requestSchema?: JsonSchema,
+    methodOptions?: MethodOptions
+}
+
+export interface ApiAttachedFunction extends FunctionIntegration {
+    resourceArn: string
+    method: Method
+}
+
+/**
+ * Attaches a function to an API or a resource.
+ * @param {DeployStack} stack - The deployment stack.
+ * @param lambda - The Function that is being attached
+ * @param {AttachFunctionToApiProps} props - The properties for attaching the function.
+ * @returns {ApiAttachPoint} The API attach point.
+ */
+export function attachFunctionToApi(stack: DeployStack, lambda: FunctionIntegration, props: AttachFunctionToApiProps) : ApiAttachedFunction {
+    const resource: IResource = (props as AttachFunctionToResourceProps).resource || (props as AttachFunctionToRestApiProps).api.path((props as AttachFunctionToRestApiProps).path)
+    const integration = new LambdaIntegration(lambda.function, {
+        requestTemplates: {
+            'application/json': '{ "statusCode": "200" }'
+        }
+    })
+
+    let options: MethodOptions = props?.methodOptions || {}
+    const schema = props?.requestSchema
+    if (schema) options = applySchemaToMethodOptions(stack, lambda.id, schema, options, resource)
+
+    const method = resource.addMethod(props.httpMethod, integration, options)
+
+    return {
+        ...lambda,
+        method,
+        resourceArn: `arn:aws:execute-api:${stack.region}:${stack.account}:${resource.api.restApiId}/${stack.stage}/${props.httpMethod}${resource.path}`
+    };
+}

package/lib/{methods → build}/copy-files.js

@@ -29,7 +29,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.copyFiles = void 0;
 const path = __importStar(require("path"));
 const fse = __importStar(require("fs-extra"));
-const duration_1 = __importDefault(require("./duration"));
+const duration_1 = __importDefault(require("../tools/duration"));
 /**
  * Copies files from the source directory to the build directory.
  * @function copyFiles

package/lib/{methods → build/nodejs}/build-ecmascript.d.ts

@@ -1,9 +1,9 @@
 /**
  * Builds ECMAScript files.
  * Copies the files from the source directory to the build directory and installs the necessary node modules.
- * @function buildEcmascript
+ * @function buildEcmaScript
  * @param {string[]} files - The files to build.
  * @param {string} srcDir - The source directory.
  * @param {string} buildDir - The build directory.
  */
-export declare function buildEcmascript(files: string[], srcDir: string, buildDir: string): void;
+export declare function buildEcmaScript(files: string[], srcDir: string, buildDir: string): void;

package/lib/{methods → build/nodejs}/build-ecmascript.js

@@ -1,20 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildEcmascript = void 0;
-const copy_files_1 = require("./copy-files");
+exports.buildEcmaScript = void 0;
+const copy_files_1 = require("../copy-files");
 const install_node_modules_1 = require("./install-node-modules");
 /**
  * Builds ECMAScript files.
  * Copies the files from the source directory to the build directory and installs the necessary node modules.
- * @function buildEcmascript
+ * @function buildEcmaScript
  * @param {string[]} files - The files to build.
  * @param {string} srcDir - The source directory.
  * @param {string} buildDir - The build directory.
  */
-function buildEcmascript(files, srcDir, buildDir) {
+function buildEcmaScript(files, srcDir, buildDir) {
     // Copies the files from the source directory to the build directory
     (0, copy_files_1.copyFiles)(files, srcDir, buildDir);
     // Installs the necessary node modules
     (0, install_node_modules_1.installNodeModules)(buildDir, ['dev', 'optional', 'peer']);
 }
-exports.buildEcmascript = buildEcmascript;
+exports.buildEcmaScript = buildEcmaScript;

package/lib/{methods → build/nodejs}/build-node-source.d.ts

@@ -1,4 +1,6 @@
-import { BuildOptions } from "./BuildOptions";
+export interface BuildOptions {
+    subdirectory?: string;
+}
 /**
  * Builds the source code for a Node.js project.
  * @function buildNodeSource