@liflig/cdk 2.17.1 → 2.18.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@liflig/cdk",
-  "version": "2.17.1",
+  "version": "2.18.1",
   "description": "CDK library for Liflig",
   "repository": {
     "type": "git",
@@ -37,25 +37,25 @@
     "@aws-cdk/assert": "2.68.0",
     "@commitlint/cli": "18.4.3",
     "@commitlint/config-conventional": "18.4.3",
-    "@types/aws-lambda": "8.10.129",
-    "@types/jest": "29.5.10",
-    "@types/node": "18.18.13",
+    "@types/aws-lambda": "8.10.130",
+    "@types/jest": "29.5.11",
+    "@types/node": "18.19.3",
     "@typescript-eslint/eslint-plugin": "5.62.0",
     "@typescript-eslint/parser": "5.62.0",
     "aws-cdk": "2.111.0",
     "aws-cdk-lib": "2.111.0",
     "constructs": "10.3.0",
-    "eslint": "8.54.0",
-    "eslint-config-prettier": "9.0.0",
+    "eslint": "8.55.0",
+    "eslint-config-prettier": "9.1.0",
     "eslint-plugin-prettier": "5.0.1",
     "husky": "8.0.3",
     "jest": "29.7.0",
     "jest-cdk-snapshot": "2.0.1",
-    "prettier": "3.1.0",
-    "semantic-release": "22.0.8",
+    "prettier": "3.1.1",
+    "semantic-release": "22.0.12",
     "ts-jest": "29.1.1",
-    "ts-node": "10.9.1",
-    "typescript": "5.3.2"
+    "ts-node": "10.9.2",
+    "typescript": "5.3.3"
   },
   "dependencies": {
     "@capraconsulting/webapp-deploy-lambda": "2.1.4",

package/assets/cloudtrail-slack-integration-lambda/main.py

@@ -1,267 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Transform CloudTrail events to payloads formatted for Slack's API, and send them
-directly to Slack or through an SQS FIFO queue for deduplication.
-
-The code below contains entrypoints for two Lambda functions (prefixed with `handler_`).
-"""
-
-import os
-import logging
-import json
-import urllib.request
-import re
-import boto3
-
-logger = logging.getLogger()
-logger.setLevel(logging.INFO)
-
-def augment_strings_with_friendly_names(strings, friendly_names):
-    """A helper method for augmenting various values (e.g., AWS account ID) in
-    a list of strings with a more friendly name"""
-    # We avoid replacing values that are directly prefixed and/or suffixed with ':'
-    # as it is most likely an ARN or similiar. We don't want to replace account IDs
-    # inside ARNs as this would look messy.This is a quite basic heuristic, but it should allow
-    # us to easily replace most relevant values (e.g., principal ID, account ID, etc.) with
-    # friendly names without a complicated regex.
-    pattern = re.compile("|".join([f"(?<!:)({re.escape(key)})(?!:)" for key in friendly_names]))
-    return [pattern.sub(lambda m: m[0] + f" ({friendly_names[m.string[m.start():m.end()]]})", s) for s in strings]
-
-
-def get_slack_payload_for_assume_role_event(event, friendly_names):
-    """Parse a CloudTrail event related to the API call sts:AssumeRole,
-    and return a Slack-formatted attachment"""
-    event_detail = event["detail"]
-    recipient_account_id = event_detail["recipientAccountId"]
-    request_parameters = event_detail.get("requestParameters", {}) or {}
-
-    timestamp = event_detail["eventTime"]
-    user_identity = event_detail["userIdentity"]
-    principal_id = user_identity["principalId"]
-    principal_account_id = user_identity["accountId"]
-    source_identity = request_parameters.get("sourceIdentity", "")
-    source_ip = event_detail.get("sourceIPAddress", "")
-    role_arn = request_parameters.get("roleArn", "")
-
-    fallback = f"Sensitive role accessed in '{recipient_account_id}'"
-    pretext_messages = [f":warning: Sensitive role in `{recipient_account_id}` assumed by"]
-    if principal_id.startswith("AIDA"):
-        pretext_messages.append("IAM user")
-    elif principal_id.startswith("AROA"):
-        # The other part of the principal ID for a role is the name of the session
-        principal_id = principal_id.split(":")[0]
-        pretext_messages.append(f"IAM role")
-    else:
-        pretext_messages.append("principal")
-    pretext_messages.append(f"in `{principal_account_id}`")
-    pretext = " ".join(pretext_messages)
-
-    text = [
-        f"*Role ARN:* `{role_arn}`",
-        f"*Principal Account ID:* `{principal_account_id}`",
-        f"*Principal ID:* `{principal_id}`",
-        f"*Source IP:* `{source_ip}`",
-        f"*Source Identity:* `{source_identity}`" if source_identity else "",
-        f"*Timestamp:* `{timestamp}`",
-    ]
-    text = "\n".join(line for line in text if line)
-
-    try:
-        pretext, fallback, text = augment_strings_with_friendly_names([pretext, fallback, text], friendly_names)
-    except:
-        logger.exception("Failed to augment strings with friendly names")
-    return {
-        "attachments": [
-            {
-                "pretext": pretext,
-                "color": "warning",
-                "text": text,
-                "fallback": fallback,
-                "mrkdwn_in": ["pretext", "text"],
-            }
-        ]
-    }
-
-
-def get_fallback_slack_payload_for_event(
-    event, friendly_names, fallback_parse_behavior=""
-):
-    """Parse a generic CloudTrail event related to an API call
-    and return a Slack-formatted attachment"""
-    event_detail = event["detail"]
-    event_name = event_detail["eventName"]
-    event_type = event_detail["eventType"]
-    event_time = event_detail["eventTime"]
-    recipient_account_id = event_detail["recipientAccountId"]
-    pretext = f":warning: CloudTrail event in account `{recipient_account_id}`"
-    fallback = f"CloudTrail event in account '{recipient_account_id}'"
-    if fallback_parse_behavior == "DUMP_EVENT":
-        text = "\n".join(
-            ["*Event:*", "```", json.dumps(event, sort_keys=True, indent=2), "```"]
-        )
-    else:
-        error_message = event_detail.get("errorMessage", "")
-        # This may be None, in which case we force it to an empty dict instead
-        response_element = (event_detail.get("responseElements", {}) or {}).get(
-            event_name, ""
-        )
-        user_identity = event_detail["userIdentity"]
-        principal_id = user_identity.get("principalId", "")
-        principal_type = user_identity.get("type", "")
-        principal_account_id = user_identity.get("accountId", "")
-        principal_arn = user_identity.get("arn", "")
-        source_ip = event_detail.get("sourceIPAddress", "")
-        resources = event_detail.get("resources", []) or []
-        text = [
-            f"*Event Type:* `{event_type}`",
-            f"*Event Name:* `{event_name}`",
-            f"*Event Time:* `{event_time}`",
-            f"*Error Message:* `{error_message}`" if error_message else "",
-            f"*Response Code:* `{response_element}`" if response_element else "",
-            f"*Principal Type:* `{principal_type}`" if principal_type else "",
-            f"*Principal Account ID:* `{principal_account_id}`"
-            if principal_account_id
-            else "",
-            f"*Principal ARN:* `{principal_arn}`" if principal_arn else "",
-            f"*Principal ID:* `{principal_id}`" if principal_id else "",
-            f"*Source IP:* `{source_ip}`" if source_ip else "",
-            f"*Resources:*\n```{json.dumps(resources, indent=2, sort_keys=True)}\n```"
-            if len(resources)
-            else "",
-        ]
-        # Filter out empty strings
-        text = "\n".join(line for line in text if line)
-
-    try:
-        pretext, fallback, text = augment_strings_with_friendly_names([pretext, fallback, text], friendly_names)
-    except:
-        logger.exception("Failed to augment strings with friendly names")
-
-    return {
-        "attachments": [
-            {
-                "pretext": pretext,
-                "color": "warning",
-                "text": text,
-                "fallback": fallback,
-                "mrkdwn_in": ["pretext", "text"],
-            }
-        ]
-    }
-
-
-def get_augmented_friendly_names(event, friendly_names):
-    """Return an augmented dictionary containing the alias of the current
-    AWS account as a friendly name for the current account ID if relevant"""
-    augmented_friendly_names = {**friendly_names}
-    try:
-        event_account_id = event["account"]
-        event_detail = event["detail"]
-        recipient_account_id = event_detail["recipientAccountId"]
-        if (
-            not friendly_names.get(event_account_id, "")
-            and event_account_id == recipient_account_id
-        ):
-            logger.info(
-                "No friendly name was supplied for current account '%s', so looking up account alias",
-                event_account_id,
-            )
-            iam = boto3.client("iam")
-            aliases = iam.list_account_aliases()["AccountAliases"]
-            if len(aliases):
-                augmented_friendly_names[event_account_id] = aliases[0]
-    except:
-        logger.exception("Failed to look up alias of current AWS account")
-
-    return augmented_friendly_names
-
-
-def post_to_slack(slack_payload, slack_webhook_url):
-    """Post a payload to Slack's webhook API"""
-    encoded_slack_payload = json.dumps(slack_payload).encode("utf-8")
-    try:
-        slack_request = urllib.request.Request(
-            slack_webhook_url,
-            data=encoded_slack_payload,
-            headers={"Content-Type": "application/json"},
-        )
-        urllib.request.urlopen(slack_request)
-    except:
-        logger.exception("Failed to post to Slack")
-        raise
-
-
-def handler_event_transformer(event, context):
-    """Lambda handler for the event transformer Lambda"""
-    logger.info("Triggered with event: %s", json.dumps(event, indent=2))
-
-    friendly_names = json.loads(os.environ["FRIENDLY_NAMES"])
-    slack_webhook_url = os.environ["SLACK_WEBHOOK_URL"]
-    slack_channel = os.environ["SLACK_CHANNEL"]
-    sqs_queue_url = os.environ.get("SQS_QUEUE_URL", "")
-    fallback_parse_behavior = os.environ.get("FALLBACK_PARSE_BEHAVIOR", "")
-    deduplicate_events = os.environ.get("DEDUPLICATE_EVENTS", "false") == "true"
-
-    friendly_names = get_augmented_friendly_names(
-        event, friendly_names
-    )
-
-    if not event["detail-type"].endswith("via CloudTrail"):
-        logger.warn("Invalid event received")
-        return
-
-    slack_payload = {}
-    try:
-        if event["detail"]["eventName"] == "AssumeRole":
-            slack_payload = get_slack_payload_for_assume_role_event(
-                event, friendly_names
-            )
-    except:
-        logger.exception("Failed to parse event using predefined schema")
-    if not slack_payload:
-        logger.warn("Using a fallback schema to parse event")
-        slack_payload = get_fallback_slack_payload_for_event(
-            event,
-            friendly_names,
-            fallback_parse_behavior=fallback_parse_behavior,
-        )
-    slack_payload = {**slack_payload, "channel": slack_channel}
-
-    if deduplicate_events and sqs_queue_url:
-        logger.info("Sending message to SQS for deduplication")
-        deduplication_id = (
-            event["detail"].get("requestID", "")
-            or event["detail"].get("eventID", "")
-            or event["id"]
-        )
-        body = {
-            "slackWebhookUrl": slack_webhook_url,
-            "slackPayload": slack_payload,
-        }
-
-        sqs = boto3.client("sqs")
-        sqs.send_message(
-            QueueUrl=sqs_queue_url,
-            MessageBody=json.dumps(body),
-            MessageDeduplicationId=deduplication_id,
-            MessageGroupId=deduplication_id,
-        )
-    else:
-        logger.info("Sending message directly to Slack")
-        post_to_slack(slack_payload, slack_webhook_url)
-
-
-def handler_slack_forwarder(event, context):
-    """Lambda handler for the Slack forwarder Lambda"""
-    logger.info("Triggered with event: %s", json.dumps(event, indent=2))
-    records = event["Records"]
-    for record in records:
-        body = json.loads(record["body"])
-        slack_channel = body.get("slackChannel", "")
-        slack_webhook_url = body.get("slackWebhookUrl", "")
-        slack_payload = {
-            **body["slackPayload"],
-            **({"channel": slack_channel} if slack_channel else {}),
-        }
-        post_to_slack(slack_payload, slack_webhook_url)

package/assets/pipeline-slack-notification-lambda/index.py

@@ -1,300 +0,0 @@
-import json
-import logging
-import os
-import typing as t
-from urllib.error import HTTPError, URLError
-from urllib.parse import quote
-from urllib.request import Request, urlopen
-
-import boto3
-
-client = boto3.client("codepipeline")
-s3 = boto3.client("s3")
-secrets_manager = boto3.client("secretsmanager")
-
-ACCOUNT_FRIENDLY_NAME = os.getenv("ACCOUNT_FRIENDLY_NAME", None)
-SLACK_URL_SECRET_NAME = os.getenv("SLACK_URL_SECRET_NAME", None)
-NOTIFICATION_LEVEL = os.getenv("NOTIFICATION_LEVEL", "WARN")
-
-# Example event:
-#
-# {
-#   version: '0',
-#   id: '01896665-9ef2-b417-cccd-333acf6a9320',
-#   'detail-type': 'CodePipeline Pipeline Execution State Change',
-#   source: 'aws.codepipeline',
-#   account: '123456789123',
-#   time: '2021-06-11T23:02:20Z',
-#   region: 'eu-west-1',
-#   resources: [
-#     'arn:aws:codepipeline:eu-west-1:123456789123:hst-tester-pipeline-PipelineC660917D-OLEMKURBGPBG'
-#   ],
-#   detail: {
-#     pipeline: 'hst-tester-pipeline-PipelineC660917D-OLEMKURBGPBG',
-#     'execution-id': '91daefbf-658a-4c6f-ad9e-13de7df5eaeb',
-#     state: 'SUCCEEDED',
-#     version: 3
-#   }
-# }
-
-STYLES = {
-    "FAILED": {"emoji_prefix": ":x:", "message_color": "#ff0000"},
-    "SUCCEEDED": {"emoji_prefix": ":white_check_mark:", "message_color": "#008000"},
-    "STARTED": {"emoji_prefix": ":rocket:", "message_color": "#00bfff"},
-    "SUPERSEDED": {"emoji_prefix": ":arrow_heading_down:", "message_color": "#373737"},
-}
-
-
-class TriggerMetadataVcs(t.TypedDict):
-    branchName: str
-    commitAuthor: str
-    commitHash: str
-    repositoryName: str
-    repositoryOwner: str
-
-
-class TriggerMetadataCi(t.TypedDict):
-    type: t.Literal["JENKINS", "GITHUB_ACTIONS"]
-    triggeredBy: str
-
-
-class TriggerMetadata(t.TypedDict):
-    version: t.Literal["0.1"]
-    ci: TriggerMetadataCi
-    vcs: TriggerMetadataVcs
-
-
-def get_masked_slack_webhook_url(slack_webhook_url: str):
-    """
-    Return a string that masks the final path segment of a Slack webhook URL.
-    The URL is typically formatted as such: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
-    """
-    trimmed_url = slack_webhook_url.rstrip("/")
-    [*url, final_path_segment] = trimmed_url.split("/")
-    return "/".join(url + [len(final_path_segment) * "*"])
-
-
-def get_previous_pipeline_execution(
-    pipeline_name: str, execution_id: str
-) -> dict | None:
-    """Return the newest past execution that either succeeded or failed"""
-
-    pipeline_executions = client.list_pipeline_executions(
-        pipelineName=pipeline_name,
-    )["pipelineExecutionSummaries"]
-
-    is_next = False
-
-    for item in pipeline_executions:
-        # Only include succeeded and failed executions.
-        # This is needed to properly detect a recovered
-        # pipeline (failed -> succeeded, even if e.g. superseeded in between).
-        if is_next and item["status"] in ["Succeeded", "Failed"]:
-            return item
-        if item["pipelineExecutionId"] == execution_id:
-            is_next = True
-
-    return None
-
-
-def get_text_for_failed(pipeline_name: str, execution_id: str, state: str) -> str:
-    """Return a Slack-formatted string that describes failed pipeline execution actions,
-    if any, in a failed execution"""
-
-    # We only show details if the pipeline has completed with failed state.
-    # If we were to process this for other events such as started events,
-    # we would include details from after the event took place.
-    if state != "FAILED":
-        return ""
-
-    action_executions = client.list_action_executions(
-        pipelineName=pipeline_name,
-        filter={
-            "pipelineExecutionId": execution_id,
-        },
-    )["actionExecutionDetails"]
-
-    failures = []
-
-    for action_execution in action_executions:
-        if action_execution["status"] == "Failed":
-            stage = action_execution["stageName"]
-            action = action_execution["actionName"]
-            summary = action_execution["output"]["executionResult"][
-                "externalExecutionSummary"
-            ]
-            failures.append(f"{stage}.{action} failed:\n{summary}")
-
-    result = ""
-
-    if len(failures):
-        result = "```\n" + "\n\n".join(failures) + "\n```"
-
-    return result
-
-
-def get_metadata_from_trigger(
-    pipeline_name: str, execution_id: str
-) -> TriggerMetadata | None:
-    """Returns a dictionary containing the metadata, if any, stored in the trigger file"""
-
-    action_response = client.list_action_executions(
-        pipelineName=pipeline_name, filter={"pipelineExecutionId": execution_id}
-    )
-
-    action = next(
-        (
-            action
-            for action in action_response["actionExecutionDetails"]
-            if action["input"]["actionTypeId"]["category"] == "Source"
-            and action["input"]["actionTypeId"]["provider"] == "S3"
-        ),
-        None,
-    )
-    if action:
-        s3_version_id = action["output"]["outputVariables"]["VersionId"]
-        artifacts_bucket = action["input"]["configuration"]["S3Bucket"]
-        trigger_file = action["input"]["configuration"]["S3ObjectKey"]
-
-    try:
-        response = s3.get_object(
-            Bucket=artifacts_bucket, Key=trigger_file, VersionId=s3_version_id
-        )
-        file_content = response["Body"].read().decode("utf-8")
-        ci_metadata = json.loads(file_content)
-        return ci_metadata
-    except Exception as e:
-        print(f"Could not obtain metadata from trigger file: {e}")
-
-    return None
-
-
-def get_footer_text(ci_metadata: TriggerMetadata) -> str:
-    """Returns the footer text for the Slack message if the metadata contains the required fields"""
-
-    footer_text = ""
-    if ci_metadata and ci_metadata.get("version", "") == "0.1":
-        ci = ci_metadata.get("ci", {})
-        vcs = ci_metadata.get("vcs", {})
-        triggering_actor = ci.get("triggeredBy", "")
-        repository_owner = vcs.get("repositoryOwner", "")
-        repository_name = vcs.get("repositoryName", "")
-        short_commit_hash = vcs.get("commitHash", "")[:8]
-        branch_name = vcs.get("branchName", "")
-        if (
-            triggering_actor
-            and repository_owner
-            and repository_name
-            and short_commit_hash
-            and branch_name
-        ):
-            commit_link_text = f"{repository_owner}/{repository_name} @ {branch_name} ({short_commit_hash})"
-            github_commit_link = f"https://github.com/{repository_owner}/{repository_name}/commit/{short_commit_hash}"
-            footer_text = f"Triggered by {triggering_actor} in <{github_commit_link}|{commit_link_text}>"
-
-    return footer_text
-
-
-def get_secret(secret):
-    try:
-        return secrets_manager.get_secret_value(SecretId=secret)["SecretString"]
-    except Exception as e:
-        raise Exception(f"Error retrieving secret: {e}")
-
-
-def handler(event, context):
-
-    print("Event: " + json.dumps(event))
-
-    region = event["region"]
-    account_id = event["account"]
-    pipeline_name = event["detail"]["pipeline"]
-    state = event["detail"]["state"]
-    execution_id = event["detail"]["execution-id"]
-
-    if state in ("STARTED", "SUPERSEDED") and NOTIFICATION_LEVEL != "DEBUG":
-        return
-
-    if event["detail-type"] != "CodePipeline Pipeline Execution State Change":
-        print("Ignoring unknown event")
-        return
-
-    previous_pipeline_execution = get_previous_pipeline_execution(
-        pipeline_name, execution_id
-    )
-
-    previous_failed = (
-        previous_pipeline_execution is not None
-        and previous_pipeline_execution["status"] == "Failed"
-    )
-
-    # We still show succeeded for the first event or when
-    # the previous execution was not success.
-    if state == "SUCCEEDED" and (NOTIFICATION_LEVEL == "WARN"):
-        if previous_pipeline_execution is not None and not previous_failed:
-            print("Ignoring succeeded event")
-            return
-
-    pipeline_url = f"https://{region}.console.aws.amazon.com/codesuite/codepipeline/pipelines/{quote(pipeline_name, safe='')}/view"
-    execution_url = f"https://{region}.console.aws.amazon.com/codesuite/codepipeline/pipelines/{quote(pipeline_name, safe='')}/executions/{execution_id}/timeline"
-
-    account_friendly_name = f"in {ACCOUNT_FRIENDLY_NAME or account_id}"
-
-    state_text = state
-    if previous_failed and state == "SUCCEEDED":
-        state_text += " (previously failed)"
-
-    ci_metadata = get_metadata_from_trigger(pipeline_name, execution_id)
-
-    footer_text = get_footer_text(ci_metadata)
-
-    style = STYLES.get(
-        state, {"emoji_prefix": ":question:", "message_color": "#ffdf00"}
-    )
-
-    emoji_prefix = style["emoji_prefix"]
-    message_color = style["message_color"]
-
-    text_for_failed = get_text_for_failed(pipeline_name, execution_id, state)
-
-    text = "\n".join(
-        s
-        for s in [f"*Execution:* <{execution_url}|{execution_id}>", text_for_failed]
-        if s
-    )
-    pretext = " ".join(
-        s
-        for s in [
-            f"{emoji_prefix} Pipeline *<{pipeline_url}|{pipeline_name}>*",
-            f"*{state_text}*",
-            account_friendly_name,
-        ]
-        if s
-    )
-    fallback = f"Pipeline {pipeline_name} {state}"
-    attachments = [
-        {
-            "footer": footer_text,
-            "color": message_color,
-            "text": text,
-            "mrkdwn_in": ["text", "pretext"],
-            "pretext": pretext,
-            "fallback": fallback,
-        },
-    ]
-
-    slack_message = {
-        "attachments": attachments,
-    }
-
-    slack_url = get_secret(SLACK_URL_SECRET_NAME)
-
-    req = Request(slack_url, json.dumps(slack_message).encode("utf-8"))
-    print(f"Posting message to Slack URL {get_masked_slack_webhook_url(slack_url)}")
-    try:
-        response = urlopen(req)
-        response.read()
-    except HTTPError as e:
-        raise Exception(f"Request to slack failed: {e.code} {e.reason}")
-    except URLError as e:
-        raise Exception(f"Server connection to slack failed: {e.reason}")