@digitraffic/common 2024.1.24-3 → 2024.3.11-1

package/src/aws/infra/stack/rest_apis.mts

@@ -1,322 +0,0 @@
-import {
-    CfnDocumentationPart,
-    EndpointType,
-    GatewayResponse,
-    IResource,
-    JsonSchema,
-    MethodLoggingLevel,
-    MockIntegration,
-    Model,
-    Resource,
-    ResponseType,
-    RestApi,
-    RestApiProps,
-} from "aws-cdk-lib/aws-apigateway";
-import {
-    AnyPrincipal,
-    Effect,
-    PolicyDocument,
-    PolicyStatement,
-} from "aws-cdk-lib/aws-iam";
-import { Construct } from "constructs";
-import { getModelReference } from "../../../utils/api-model.mjs";
-import { MediaType } from "../../types/mediatypes.mjs";
-import { ModelWithReference } from "../../types/model-with-reference.mjs";
-import { DocumentationPart, DocumentationProperties } from "../documentation.mjs";
-import { createDefaultUsagePlan, createUsagePlan } from "../usage-plans.mjs";
-import { DigitrafficStack } from "./stack.mjs";
-
-import _ from "lodash";
-
-export class DigitrafficRestApi extends RestApi {
-    readonly apiKeyIds: string[];
-    readonly enableDocumentation: boolean;
-
-    constructor(
-        stack: DigitrafficStack,
-        apiId: string,
-        apiName: string,
-        allowFromIpAddresses?: string[] | undefined,
-        config?: Partial<RestApiProps>
-    ) {
-        const policyDocument =
-            allowFromIpAddresses == null
-                ? createDefaultPolicyDocument()
-                : createIpRestrictionPolicyDocument(allowFromIpAddresses);
-
-        // override default config with given extra config
-        const apiConfig = {
-            ...{
-                deployOptions: {
-                    loggingLevel: MethodLoggingLevel.ERROR,
-                },
-                restApiName: apiName,
-                endpointTypes: [EndpointType.REGIONAL],
-                policy: policyDocument,
-            },
-            ...config,
-        };
-
-        super(stack, apiId, apiConfig);
-
-        this.apiKeyIds = [];
-        this.enableDocumentation =
-            stack.configuration.stackFeatures?.enableDocumentation ?? true;
-
-        add404Support(this, stack);
-    }
-
-    hostname(): string {
-        return `${this.restApiId}.execute-api.${
-            (this.stack as DigitrafficStack).region
-        }.amazonaws.com`;
-    }
-
-    createUsagePlan(apiKeyId: string, apiKeyName: string): string {
-        const newKeyId = createUsagePlan(this, apiKeyId, apiKeyName).keyId;
-
-        this.apiKeyIds.push(newKeyId);
-
-        return newKeyId;
-    }
-
-    createUsagePlanV2(apiName: string, apiKey?: string): string {
-        const newKeyId = createDefaultUsagePlan(this, apiName, apiKey).keyId;
-
-        this.apiKeyIds.push(newKeyId);
-
-        return newKeyId;
-    }
-
-    addJsonModel(modelName: string, schema: JsonSchema) {
-        return this.getModelWithReference(
-            this.addModel(modelName, {
-                contentType: MediaType.APPLICATION_JSON,
-                modelName,
-                schema,
-            })
-        );
-    }
-
-    addCSVModel(modelName: string) {
-        return this.getModelWithReference(
-            this.addModel(modelName, {
-                contentType: MediaType.TEXT_CSV,
-                modelName,
-                schema: {},
-            })
-        );
-    }
-
-    private getModelWithReference(model: Model): ModelWithReference {
-        return _.set(
-            model,
-            "modelReference",
-            getModelReference(model.modelId, this.restApiId)
-        ) as ModelWithReference;
-    }
-
-    private addDocumentationPart(
-        resource: Resource,
-        parameterName: string,
-        resourceName: string,
-        type: string,
-        properties: DocumentationProperties
-    ) {
-        const location: CfnDocumentationPart.LocationProperty = {
-            type,
-            path: resource.path,
-            name: type !== "METHOD" ? parameterName : undefined,
-        };
-
-        new CfnDocumentationPart(this.stack, resourceName, {
-            restApiId: resource.api.restApiId,
-            location,
-            properties: JSON.stringify(properties),
-        });
-    }
-
-    documentResource(
-        resource: Resource,
-        ...documentationPart: DocumentationPart[]
-    ) {
-        if (this.enableDocumentation) {
-            documentationPart.forEach((dp) =>
-                this.addDocumentationPart(
-                    resource,
-                    dp.parameterName,
-                    `${resource.path}.${dp.parameterName}.Documentation`,
-                    dp.type,
-                    dp.documentationProperties
-                )
-            );
-        } else {
-            console.info("Skipping documentation for %s", resource.path);
-        }
-    }
-
-    /**
-     * Add support for HTTP OPTIONS to an API GW resource,
-     * this is required for preflight CORS requests made by browsers.
-     * @param apiResource
-     */
-    addCorsOptions(apiResource: IResource): void {
-        apiResource.addMethod(
-            "OPTIONS",
-            new MockIntegration({
-                integrationResponses: [
-                    {
-                        statusCode: "200",
-                        responseParameters: {
-                            "method.response.header.Access-Control-Allow-Headers":
-                                "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,Digitraffic-User'",
-                            "method.response.header.Access-Control-Allow-Origin":
-                                "'*'",
-                            "method.response.header.Access-Control-Allow-Methods":
-                                "'OPTIONS,GET,HEAD'",
-                        },
-                    },
-                ],
-                requestTemplates: {
-                    "application/json": '{"statusCode": 200}',
-                },
-            }),
-            {
-                methodResponses: [
-                    {
-                        statusCode: "200",
-                        responseParameters: {
-                            "method.response.header.Access-Control-Allow-Headers":
-                                true,
-                            "method.response.header.Access-Control-Allow-Methods":
-                                true,
-                            "method.response.header.Access-Control-Allow-Origin":
-                                true,
-                        },
-                    },
-                ],
-            }
-        );
-    }
-}
-
-/**
- * Due to AWS API design API Gateway will always return 403 'Missing Authentication Token' for requests
- * with a non-existent endpoint. This function translates this response to a 404.
- * Requests with an invalid or missing API key are not affected (still return 403 'Forbidden').
- * @param restApi RestApi
- * @param stack Construct
- */
-export function add404Support(restApi: RestApi, stack: Construct) {
-    new GatewayResponse(
-        stack,
-        `MissingAuthenticationTokenResponse-${restApi.restApiName}`,
-        {
-            restApi,
-            type: ResponseType.MISSING_AUTHENTICATION_TOKEN,
-            statusCode: "404",
-            templates: {
-                [MediaType.APPLICATION_JSON]: '{"message": "Not found"}',
-            },
-        }
-    );
-}
-
-export function add401Support(restApi: RestApi, stack: Construct) {
-    new GatewayResponse(
-        stack,
-        `AuthenticationFailedResponse-${restApi.restApiName}`,
-        {
-            restApi,
-            type: ResponseType.UNAUTHORIZED,
-            statusCode: "401",
-            responseHeaders: {
-                "WWW-Authenticate": "'Basic'",
-            },
-        }
-    );
-}
-
-/**
- * Due to AWS API design API Gateway will always return 403 'Missing Authentication Token' for requests
- * with a non-existent endpoint. This function converts this response to a custom one.
- * Requests with an invalid or missing API key are not affected (still return 403 'Forbidden').
- * @param returnCode
- * @param message
- * @param restApi RestApi
- * @param stack Construct
- */
-export function setReturnCodeForMissingAuthenticationToken(
-    returnCode: number,
-    message: string,
-    restApi: RestApi,
-    stack: Construct
-) {
-    new GatewayResponse(
-        stack,
-        `MissingAuthenticationTokenResponse-${restApi.restApiName}`,
-        {
-            restApi,
-            type: ResponseType.MISSING_AUTHENTICATION_TOKEN,
-            statusCode: `${returnCode}`,
-            templates: {
-                [MediaType.APPLICATION_JSON]: `{"message": ${message}}`,
-            },
-        }
-    );
-}
-
-export function createRestApi(
-    stack: Construct,
-    apiId: string,
-    apiName: string,
-    allowFromIpAddresses?: string[] | undefined
-): RestApi {
-    const policyDocument =
-        allowFromIpAddresses == null
-            ? createDefaultPolicyDocument()
-            : createIpRestrictionPolicyDocument(allowFromIpAddresses);
-    const restApi = new RestApi(stack, apiId, {
-        deployOptions: {
-            loggingLevel: MethodLoggingLevel.ERROR,
-        },
-        restApiName: apiName,
-        endpointTypes: [EndpointType.REGIONAL],
-        policy: policyDocument,
-    });
-    add404Support(restApi, stack);
-    return restApi;
-}
-
-export function createDefaultPolicyDocument() {
-    return new PolicyDocument({
-        statements: [
-            new PolicyStatement({
-                effect: Effect.ALLOW,
-                actions: ["execute-api:Invoke"],
-                resources: ["*"],
-                principals: [new AnyPrincipal()],
-            }),
-        ],
-    });
-}
-
-export function createIpRestrictionPolicyDocument(
-    allowFromIpAddresses: string[]
-): PolicyDocument {
-    return new PolicyDocument({
-        statements: [
-            new PolicyStatement({
-                effect: Effect.ALLOW,
-                conditions: {
-                    IpAddress: {
-                        "aws:SourceIp": allowFromIpAddresses,
-                    },
-                },
-                actions: ["execute-api:Invoke"],
-                resources: ["*"],
-                principals: [new AnyPrincipal()],
-            }),
-        ],
-    });
-}

package/src/aws/infra/stack/stack-checking-aspect.mts

@@ -1,233 +0,0 @@
-import { Annotations, IAspect, Stack } from "aws-cdk-lib";
-import { CfnFunction, Runtime } from "aws-cdk-lib/aws-lambda";
-import { CfnBucket } from "aws-cdk-lib/aws-s3";
-import { DigitrafficStack, SOLUTION_KEY } from "./stack.mjs";
-import { IConstruct } from "constructs";
-import { CfnMethod, CfnResource } from "aws-cdk-lib/aws-apigateway";
-import { CfnQueue } from "aws-cdk-lib/aws-sqs";
-import { LogRetention } from "aws-cdk-lib/aws-logs";
-import { kebabCase } from "change-case";
-import _ from "lodash";
-import IntegrationProperty = CfnMethod.IntegrationProperty;
-
-const MAX_CONCURRENCY_LIMIT = 100;
-const NODE_RUNTIMES = [Runtime.NODEJS_20_X.name, Runtime.NODEJS_18_X.name];
-
-enum ResourceType {
-    stackName = "STACK_NAME",
-    reservedConcurrentConcurrency = "RESERVED_CONCURRENT_CONCURRENCY",
-    functionTimeout = "FUNCTION_TIMEOUT",
-    functionMemorySize = "FUNCTION_MEMORY_SIZE",
-    functionRuntime = "FUNCTION_RUNTIME",
-    functionName = "FUNCTION_NAME",
-    tagSolution = "TAG_SOLUTION",
-    bucketPublicity = "BUCKET_PUBLICITY",
-    resourcePath = "RESOURCE_PATH",
-    queueEncryption = "QUEUE_ENCRYPTION",
-    logGroupRetention = "LOG_GROUP_RETENTION",
-}
-
-export class StackCheckingAspect implements IAspect {
-    private readonly stackShortName?: string;
-    private readonly whitelistedResources?: string[];
-
-    constructor(stackShortName?: string, whitelistedResources?: string[]) {
-        this.stackShortName = stackShortName;
-        this.whitelistedResources = whitelistedResources;
-    }
-
-    static create(stack: DigitrafficStack) {
-        return new StackCheckingAspect(
-            stack.configuration.shortName,
-            stack.configuration.whitelistedResources
-        );
-    }
-
-    public visit(node: IConstruct): void {
-        //console.info("visiting class " + node.constructor.name);
-
-        this.checkStack(node);
-        this.checkFunction(node);
-        this.checkTags(node);
-        this.checkBucket(node);
-        this.checkResourceCasing(node);
-        this.checkQueueEncryption(node);
-        this.checkLogGroupRetention(node);
-    }
-
-    private isWhitelisted(key: string) {
-        return this.whitelistedResources?.some((wl) => {
-            return key.matchAll(new RegExp(wl, "g"));
-        });
-    }
-
-    private addAnnotation(node: IConstruct, key: ResourceType | string, message: string, isError = true) {
-        const resourceKey = `${node.node.path}/${key}`;
-        const isWhiteListed = this.isWhitelisted(resourceKey);
-        const annotationMessage = `${resourceKey}:${message}`;
-
-        // error && whitelisted -> warning
-        // warning && whitelisted -> nothing
-        if (isError && !isWhiteListed) {
-            Annotations.of(node).addError(annotationMessage);
-        } else if ((!isError && !isWhiteListed) || (isError && isWhiteListed)) {
-            Annotations.of(node).addWarning(annotationMessage);
-        }
-    }
-
-    private checkStack(node: IConstruct) {
-        if (node instanceof DigitrafficStack) {
-            if (
-                (node.stackName.includes("Test") || node.stackName.includes("Tst")) &&
-                node.configuration.production
-            ) {
-                this.addAnnotation(node, ResourceType.stackName, "Production is set for Test-stack");
-            }
-
-            if (
-                (node.stackName.includes("Prod") || node.stackName.includes("Prd")) &&
-                !node.configuration.production
-            ) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.stackName,
-                    "Production is not set for Production-stack"
-                );
-            }
-        }
-    }
-
-    private checkFunction(node: IConstruct) {
-        if (node instanceof CfnFunction) {
-            if (!node.reservedConcurrentExecutions) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.reservedConcurrentConcurrency,
-                    "Function must have reservedConcurrentConcurrency"
-                );
-            } else if (node.reservedConcurrentExecutions > MAX_CONCURRENCY_LIMIT) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.reservedConcurrentConcurrency,
-                    "Function reservedConcurrentConcurrency too high!"
-                );
-            }
-
-            if (!node.timeout) {
-                this.addAnnotation(node, ResourceType.functionTimeout, "Function must have timeout");
-            }
-
-            if (!node.memorySize) {
-                this.addAnnotation(node, ResourceType.functionMemorySize, "Function must have memorySize");
-            }
-
-            if (node.runtime !== undefined && !NODE_RUNTIMES.includes(node.runtime)) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.functionRuntime,
-                    `Function has wrong runtime ${node.runtime}!`
-                );
-            }
-
-            if (
-                this.stackShortName &&
-                node.functionName &&
-                !node.functionName.startsWith(this.stackShortName)
-            ) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.functionName,
-                    `Function name does not begin with ${this.stackShortName}`
-                );
-            }
-        }
-    }
-
-    private checkTags(node: IConstruct) {
-        if (node instanceof Stack) {
-            if (!node.tags.tagValues()[SOLUTION_KEY]) {
-                this.addAnnotation(node, ResourceType.tagSolution, "Solution tag is missing");
-            }
-        }
-    }
-
-    private checkBucket(node: IConstruct) {
-        if (node instanceof CfnBucket) {
-            const c = node.publicAccessBlockConfiguration as
-                | CfnBucket.PublicAccessBlockConfigurationProperty
-                | undefined;
-
-            if (
-                c &&
-                (!c.blockPublicAcls ||
-                    !c.blockPublicPolicy ||
-                    !c.ignorePublicAcls ||
-                    !c.restrictPublicBuckets)
-            ) {
-                this.addAnnotation(node, ResourceType.bucketPublicity, "Check bucket publicity");
-            }
-        }
-    }
-
-    private static isValidPath(path: string): boolean {
-        // if path includes . or { check only the trailing part of path
-        if (path.includes(".")) {
-            return this.isValidPath(path.split(".")[0]);
-        }
-
-        if (path.includes("{")) {
-            return this.isValidPath(path.split("{")[0]);
-        }
-
-        return kebabCase(path) === path;
-    }
-
-    private static isValidQueryString(name: string) {
-        return _.snakeCase(name) === name;
-    }
-
-    private checkResourceCasing(node: IConstruct) {
-        if (node instanceof CfnResource) {
-            if (!StackCheckingAspect.isValidPath(node.pathPart)) {
-                this.addAnnotation(node, ResourceType.resourcePath, "Path part should be in kebab-case");
-            }
-        } else if (node instanceof CfnMethod) {
-            const integration = node.integration as IntegrationProperty | undefined;
-
-            if (integration?.requestParameters) {
-                Object.keys(integration.requestParameters).forEach((key) => {
-                    const split = key.split(".");
-                    const type = split[2];
-                    const name = split[3];
-
-                    if (type === "querystring" && !StackCheckingAspect.isValidQueryString(name)) {
-                        this.addAnnotation(node, name, "Querystring should be in snake_case");
-                    }
-                });
-            }
-        }
-    }
-
-    private checkQueueEncryption(node: IConstruct) {
-        if (node instanceof CfnQueue) {
-            if (!node.kmsMasterKeyId) {
-                this.addAnnotation(node, ResourceType.queueEncryption, "Queue must have encryption enabled");
-            }
-        }
-    }
-
-    private checkLogGroupRetention(node: IConstruct) {
-        if (node instanceof LogRetention) {
-            const child = node.node.defaultChild as unknown as Record<string, Record<string, string>>;
-            const retention = child._cfnProperties.RetentionInDays;
-
-            if (!retention) {
-                this.addAnnotation(
-                    node,
-                    ResourceType.logGroupRetention,
-                    "Log group must define log group retention"
-                );
-            }
-        }
-    }
-}

package/src/aws/infra/stack/stack.mts

@@ -1,144 +0,0 @@
-import { Aspects, Stack, StackProps } from "aws-cdk-lib";
-import { type ISecurityGroup, IVpc, SecurityGroup, Vpc } from "aws-cdk-lib/aws-ec2";
-import { ITopic, Topic } from "aws-cdk-lib/aws-sns";
-import { StringParameter } from "aws-cdk-lib/aws-ssm";
-import { ISecret, Secret } from "aws-cdk-lib/aws-secretsmanager";
-import { Function as AWSFunction } from "aws-cdk-lib/aws-lambda";
-
-import { StackCheckingAspect } from "./stack-checking-aspect.mjs";
-import { Construct } from "constructs";
-import { TrafficType } from "../../../types/traffictype.mjs";
-import { DBLambdaEnvironment } from "./lambda-configs.mjs";
-
-const SSM_ROOT = "/digitraffic";
-export const SOLUTION_KEY = "Solution";
-const MONITORING_ROOT = "/monitoring";
-
-export const SSM_KEY_WARNING_TOPIC = `${SSM_ROOT}${MONITORING_ROOT}/warning-topic`;
-export const SSM_KEY_ALARM_TOPIC = `${SSM_ROOT}${MONITORING_ROOT}/alarm-topic`;
-
-export interface StackConfiguration {
-    readonly shortName: string;
-    readonly secretId?: string;
-    readonly alarmTopicArn: string;
-    readonly warningTopicArn: string;
-    readonly logsDestinationArn?: string;
-
-    readonly vpcId?: string;
-    readonly lambdaDbSgId?: string;
-    readonly privateSubnetIds?: string[];
-    readonly availabilityZones?: string[];
-
-    readonly trafficType: TrafficType;
-    readonly production: boolean;
-    readonly stackProps: StackProps;
-
-    readonly stackFeatures?: {
-        readonly enableCanaries?: boolean;
-        readonly enableDocumentation?: boolean;
-    };
-
-    /// whitelist resources for StackCheckingAspect
-    readonly whitelistedResources?: string[];
-}
-
-export class DigitrafficStack extends Stack {
-    readonly vpc?: IVpc;
-    readonly lambdaDbSg?: ISecurityGroup;
-    readonly alarmTopic: ITopic;
-    readonly warningTopic: ITopic;
-    readonly secret?: ISecret;
-
-    readonly configuration: StackConfiguration;
-
-    constructor(
-        scope: Construct,
-        id: string,
-        configuration: StackConfiguration
-    ) {
-        super(scope, id, configuration.stackProps);
-
-        this.configuration = configuration;
-
-        if (configuration.secretId) {
-            this.secret = Secret.fromSecretNameV2(
-                this,
-                "Secret",
-                configuration.secretId
-            );
-        }
-
-        // VPC reference construction requires vpcId and availability zones
-        // private subnets are used in Lambda configuration
-        if (configuration.vpcId) {
-            this.vpc = Vpc.fromVpcAttributes(this, "vpc", {
-                vpcId: configuration.vpcId,
-                privateSubnetIds: configuration.privateSubnetIds,
-                availabilityZones: configuration.availabilityZones ?? [],
-            });
-        }
-
-        // security group that allows Lambda database access
-        if (configuration.lambdaDbSgId) {
-            this.lambdaDbSg = SecurityGroup.fromSecurityGroupId(
-                this,
-                "LambdaDbSG",
-                configuration.lambdaDbSgId
-            );
-        }
-
-        this.alarmTopic = Topic.fromTopicArn(
-            this,
-            "AlarmTopic",
-            StringParameter.fromStringParameterName(
-                this,
-                "AlarmTopicParam",
-                SSM_KEY_ALARM_TOPIC
-            ).stringValue
-        );
-        this.warningTopic = Topic.fromTopicArn(
-            this,
-            "WarningTopic",
-            StringParameter.fromStringParameterName(
-                this,
-                "WarningTopicParam",
-                SSM_KEY_WARNING_TOPIC
-            ).stringValue
-        );
-
-        this.addAspects();
-    }
-
-    addAspects() {
-        Aspects.of(this).add(StackCheckingAspect.create(this));
-    }
-
-    createLambdaEnvironment(): DBLambdaEnvironment {
-        return this.createDefaultLambdaEnvironment(
-            this.configuration.shortName
-        );
-    }
-
-    createDefaultLambdaEnvironment(dbApplication: string): DBLambdaEnvironment {
-        return this.configuration.secretId
-            ? {
-                  SECRET_ID: this.configuration.secretId,
-                  DB_APPLICATION: dbApplication,
-              }
-            : {
-                  DB_APPLICATION: dbApplication,
-              };
-    }
-
-    getSecret(): ISecret {
-        if (this.secret === undefined) {
-            throw new Error("Secret is undefined");
-        }
-        return this.secret;
-    }
-
-    grantSecret(...lambdas: AWSFunction[]) {
-        const secret = this.getSecret();
-        lambdas.forEach((l: AWSFunction) => secret.grantRead(l));
-    }
-}