npm - @medplum/cdk - Versions diffs - 2.0.24 → 2.0.25 - Mend

@medplum/cdk 2.0.24 → 2.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/cjs/index.cjs CHANGED Viewed

@@ -1,854 +1,2 @@
-'use strict';
-var awsCdkLib = require('aws-cdk-lib');
-var fs = require('fs');
-var path = require('path');
-var awsEcr = require('aws-cdk-lib/aws-ecr');
-var awsRds = require('aws-cdk-lib/aws-rds');
-var constructs = require('constructs');
-var cdkServerlessClamscan = require('cdk-serverless-clamscan');
-// Based on https://gist.github.com/statik/f1ac9d6227d98d30c7a7cec0c83f4e64
-const awsManagedRules = [
-    // Common Rule Set aligns with major portions of OWASP Core Rule Set
-    // https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html
-    {
-        name: 'AWS-AWSManagedRulesCommonRuleSet',
-        priority: 10,
-        statement: {
-            managedRuleGroupStatement: {
-                vendorName: 'AWS',
-                name: 'AWSManagedRulesCommonRuleSet',
-                // Excluding generic RFI body rule for sns notifications
-                // https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
-                excludedRules: [
-                    { name: 'NoUserAgent_HEADER' },
-                    { name: 'UserAgent_BadBots_HEADER' },
-                    { name: 'SizeRestrictions_QUERYSTRING' },
-                    { name: 'SizeRestrictions_Cookie_HEADER' },
-                    { name: 'SizeRestrictions_BODY' },
-                    { name: 'SizeRestrictions_URIPATH' },
-                    { name: 'EC2MetaDataSSRF_BODY' },
-                    { name: 'EC2MetaDataSSRF_COOKIE' },
-                    { name: 'EC2MetaDataSSRF_URIPATH' },
-                    { name: 'EC2MetaDataSSRF_QUERYARGUMENTS' },
-                    { name: 'GenericLFI_QUERYARGUMENTS' },
-                    { name: 'GenericLFI_URIPATH' },
-                    { name: 'GenericLFI_BODY' },
-                    { name: 'RestrictedExtensions_URIPATH' },
-                    { name: 'RestrictedExtensions_QUERYARGUMENTS' },
-                    { name: 'GenericRFI_QUERYARGUMENTS' },
-                    { name: 'GenericRFI_BODY' },
-                    { name: 'GenericRFI_URIPATH' },
-                    { name: 'CrossSiteScripting_COOKIE' },
-                    { name: 'CrossSiteScripting_QUERYARGUMENTS' },
-                    { name: 'CrossSiteScripting_BODY' },
-                    { name: 'CrossSiteScripting_URIPATH' },
-                ],
-            },
-        },
-        overrideAction: {
-            count: {},
-        },
-        visibilityConfig: {
-            sampledRequestsEnabled: true,
-            cloudWatchMetricsEnabled: true,
-            metricName: 'AWS-AWSManagedRulesCommonRuleSet',
-        },
-    },
-    // AWS IP Reputation list includes known malicious actors/bots and is regularly updated
-    // https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
-    {
-        name: 'AWS-AWSManagedRulesAmazonIpReputationList',
-        priority: 20,
-        statement: {
-            managedRuleGroupStatement: {
-                vendorName: 'AWS',
-                name: 'AWSManagedRulesAmazonIpReputationList',
-                excludedRules: [{ name: 'AWSManagedIPReputationList' }, { name: 'AWSManagedReconnaissanceList' }],
-            },
-        },
-        overrideAction: {
-            count: {},
-        },
-        visibilityConfig: {
-            sampledRequestsEnabled: true,
-            cloudWatchMetricsEnabled: true,
-            metricName: 'AWSManagedRulesAmazonIpReputationList',
-        },
-    },
-    // Blocks common SQL Injection
-    // https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-sql-db
-    {
-        name: 'AWSManagedRulesSQLiRuleSet',
-        priority: 30,
-        visibilityConfig: {
-            sampledRequestsEnabled: true,
-            cloudWatchMetricsEnabled: true,
-            metricName: 'AWSManagedRulesSQLiRuleSet',
-        },
-        overrideAction: {
-            count: {},
-        },
-        statement: {
-            managedRuleGroupStatement: {
-                vendorName: 'AWS',
-                name: 'AWSManagedRulesSQLiRuleSet',
-                excludedRules: [
-                    { name: 'SQLi_QUERYARGUMENTS' },
-                    { name: 'SQLiExtendedPatterns_QUERYARGUMENTS' },
-                    { name: 'SQLi_BODY' },
-                    { name: 'SQLiExtendedPatterns_BODY' },
-                    { name: 'SQLi_COOKIE' },
-                    { name: 'SQLi_URIPATH' },
-                ],
-            },
-        },
-    },
-    // Blocks attacks targeting LFI(Local File Injection) for linux systems
-    // https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-linux-os
-    {
-        name: 'AWSManagedRuleLinux',
-        priority: 40,
-        visibilityConfig: {
-            sampledRequestsEnabled: true,
-            cloudWatchMetricsEnabled: true,
-            metricName: 'AWSManagedRuleLinux',
-        },
-        overrideAction: {
-            count: {},
-        },
-        statement: {
-            managedRuleGroupStatement: {
-                vendorName: 'AWS',
-                name: 'AWSManagedRulesLinuxRuleSet',
-                excludedRules: [{ name: 'LFI_URIPATH' }, { name: 'LFI_QUERYSTRING' }, { name: 'LFI_COOKIE' }],
-            },
-        },
-    },
-];
-/**
- * Based on: https://github.com/aws-samples/http-api-aws-fargate-cdk/blob/master/cdk/singleAccount/lib/fargate-vpclink-stack.ts
- *
- * RDS config: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-rds-readme.html
- */
-class BackEnd extends constructs.Construct {
-    constructor(scope, config) {
-        super(scope, 'BackEnd');
-        const name = config.name;
-        // VPC
-        let vpc;
-        if (config.vpcId) {
-            // Lookup VPC by ARN
-            vpc = awsCdkLib.aws_ec2.Vpc.fromLookup(this, 'VPC', { vpcId: config.vpcId });
-        }
-        else {
-            // VPC Flow Logs
-            const vpcFlowLogs = new awsCdkLib.aws_logs.LogGroup(this, 'VpcFlowLogs', {
-                logGroupName: '/medplum/flowlogs/' + name,
-                removalPolicy: awsCdkLib.RemovalPolicy.DESTROY,
-            });
-            // Create VPC
-            vpc = new awsCdkLib.aws_ec2.Vpc(this, 'VPC', {
-                maxAzs: config.maxAzs,
-                flowLogs: {
-                    cloudwatch: {
-                        destination: awsCdkLib.aws_ec2.FlowLogDestination.toCloudWatchLogs(vpcFlowLogs),
-                        trafficType: awsCdkLib.aws_ec2.FlowLogTrafficType.ALL,
-                    },
-                },
-            });
-        }
-        // Bot Lambda Role
-        const botLambdaRole = new awsCdkLib.aws_iam.Role(this, 'BotLambdaRole', {
-            assumedBy: new awsCdkLib.aws_iam.ServicePrincipal('lambda.amazonaws.com'),
-        });
-        // RDS
-        let rdsCluster = undefined;
-        let rdsSecretsArn = config.rdsSecretsArn;
-        if (!rdsSecretsArn) {
-            // See: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds-readme.html#migrating-from-instanceprops
-            const instanceProps = {
-                instanceType: config.rdsInstanceType ? new awsCdkLib.aws_ec2.InstanceType(config.rdsInstanceType) : undefined,
-                enablePerformanceInsights: true,
-                isFromLegacyInstanceProps: true,
-            };
-            let readers = undefined;
-            if (config.rdsInstances > 1) {
-                readers = [];
-                for (let i = 0; i < config.rdsInstances - 1; i++) {
-                    readers.push(awsRds.ClusterInstance.provisioned('Instance' + (i + 2), {
-                        ...instanceProps,
-                    }));
-                }
-            }
-            rdsCluster = new awsCdkLib.aws_rds.DatabaseCluster(this, 'DatabaseCluster', {
-                engine: awsCdkLib.aws_rds.DatabaseClusterEngine.auroraPostgres({
-                    version: awsCdkLib.aws_rds.AuroraPostgresEngineVersion.VER_12_9,
-                }),
-                credentials: awsCdkLib.aws_rds.Credentials.fromGeneratedSecret('clusteradmin'),
-                defaultDatabaseName: 'medplum',
-                storageEncrypted: true,
-                vpc: vpc,
-                vpcSubnets: {
-                    subnetType: awsCdkLib.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
-                },
-                writer: awsRds.ClusterInstance.provisioned('Instance1', {
-                    ...instanceProps,
-                }),
-                readers,
-                backup: {
-                    retention: awsCdkLib.Duration.days(7),
-                },
-                cloudwatchLogsExports: ['postgresql'],
-                instanceUpdateBehaviour: awsCdkLib.aws_rds.InstanceUpdateBehaviour.ROLLING,
-            });
-            rdsSecretsArn = rdsCluster.secret.secretArn;
-        }
-        // Redis
-        // Important: For HIPAA compliance, you must specify TransitEncryptionEnabled as true, an AuthToken, and a CacheSubnetGroup.
-        const redisSubnetGroup = new awsCdkLib.aws_elasticache.CfnSubnetGroup(this, 'RedisSubnetGroup', {
-            description: 'Redis Subnet Group',
-            subnetIds: vpc.privateSubnets.map((subnet) => subnet.subnetId),
-        });
-        const redisSecurityGroup = new awsCdkLib.aws_ec2.SecurityGroup(this, 'RedisSecurityGroup', {
-            vpc,
-            description: 'Redis Security Group',
-            allowAllOutbound: false,
-        });
-        const redisPassword = new awsCdkLib.aws_secretsmanager.Secret(this, 'RedisPassword', {
-            generateSecretString: {
-                secretStringTemplate: '{}',
-                generateStringKey: 'password',
-                excludeCharacters: '@%*()_+=`~{}|[]\\:";\'?,./',
-            },
-        });
-        const redisCluster = new awsCdkLib.aws_elasticache.CfnReplicationGroup(this, 'RedisCluster', {
-            engine: 'Redis',
-            engineVersion: '6.x',
-            cacheNodeType: config.cacheNodeType ?? 'cache.t2.medium',
-            replicationGroupDescription: 'RedisReplicationGroup',
-            authToken: redisPassword.secretValueFromJson('password').toString(),
-            transitEncryptionEnabled: true,
-            atRestEncryptionEnabled: true,
-            multiAzEnabled: true,
-            cacheSubnetGroupName: redisSubnetGroup.ref,
-            numNodeGroups: 1,
-            replicasPerNodeGroup: 1,
-            securityGroupIds: [redisSecurityGroup.securityGroupId],
-        });
-        redisCluster.node.addDependency(redisPassword);
-        const redisSecrets = new awsCdkLib.aws_secretsmanager.Secret(this, 'RedisSecrets', {
-            generateSecretString: {
-                secretStringTemplate: JSON.stringify({
-                    host: redisCluster.attrPrimaryEndPointAddress,
-                    port: redisCluster.attrPrimaryEndPointPort,
-                    password: redisPassword.secretValueFromJson('password').toString(),
-                    tls: {},
-                }),
-                generateStringKey: 'unused',
-            },
-        });
-        redisSecrets.node.addDependency(redisPassword);
-        redisSecrets.node.addDependency(redisCluster);
-        // ECS Cluster
-        const cluster = new awsCdkLib.aws_ecs.Cluster(this, 'Cluster', {
-            vpc: vpc,
-        });
-        // Task Policies
-        const taskRolePolicies = new awsCdkLib.aws_iam.PolicyDocument({
-            statements: [
-                // CloudWatch Logs: Create streams and put events
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
-                    resources: ['arn:aws:logs:*'],
-                }),
-                // Secrets Manager: Read only access to secrets
-                // https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: [
-                        'secretsmanager:GetResourcePolicy',
-                        'secretsmanager:GetSecretValue',
-                        'secretsmanager:DescribeSecret',
-                        'secretsmanager:ListSecrets',
-                        'secretsmanager:ListSecretVersionIds',
-                    ],
-                    resources: ['arn:aws:secretsmanager:*'],
-                }),
-                // Parameter Store: Read only access
-                // https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: ['ssm:GetParametersByPath', 'ssm:GetParameters', 'ssm:GetParameter', 'ssm:DescribeParameters'],
-                    resources: ['arn:aws:ssm:*'],
-                }),
-                // SES: Send emails
-                // https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-policy-examples.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: ['ses:SendEmail', 'ses:SendRawEmail'],
-                    resources: ['arn:aws:ses:*'],
-                }),
-                // S3: Read and write access to buckets
-                // https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: ['s3:ListBucket', 's3:GetObject', 's3:PutObject', 's3:DeleteObject'],
-                    resources: ['arn:aws:s3:::*'],
-                }),
-                // IAM: Pass role to innvoke lambda functions
-                // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: ['iam:ListRoles', 'iam:GetRole', 'iam:PassRole'],
-                    resources: [botLambdaRole.roleArn],
-                }),
-                // Lambda: Create, read, update, delete, and invoke functions
-                // https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
-                new awsCdkLib.aws_iam.PolicyStatement({
-                    effect: awsCdkLib.aws_iam.Effect.ALLOW,
-                    actions: [
-                        'lambda:CreateFunction',
-                        'lambda:GetFunction',
-                        'lambda:GetFunctionConfiguration',
-                        'lambda:UpdateFunctionCode',
-                        'lambda:UpdateFunctionConfiguration',
-                        'lambda:ListLayerVersions',
-                        'lambda:GetLayerVersion',
-                        'lambda:InvokeFunction',
-                    ],
-                    resources: ['arn:aws:lambda:*'],
-                }),
-            ],
-        });
-        // Task Role
-        const taskRole = new awsCdkLib.aws_iam.Role(this, 'TaskExecutionRole', {
-            assumedBy: new awsCdkLib.aws_iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
-            description: 'Medplum Server Task Execution Role',
-            inlinePolicies: {
-                TaskExecutionPolicies: taskRolePolicies,
-            },
-        });
-        // Task Definitions
-        const taskDefinition = new awsCdkLib.aws_ecs.FargateTaskDefinition(this, 'TaskDefinition', {
-            memoryLimitMiB: config.serverMemory,
-            cpu: config.serverCpu,
-            taskRole: taskRole,
-        });
-        // Log Groups
-        const logGroup = new awsCdkLib.aws_logs.LogGroup(this, 'LogGroup', {
-            logGroupName: '/ecs/medplum/' + name,
-            removalPolicy: awsCdkLib.RemovalPolicy.DESTROY,
-        });
-        const logDriver = new awsCdkLib.aws_ecs.AwsLogDriver({
-            logGroup: logGroup,
-            streamPrefix: 'Medplum',
-        });
-        // Task Containers
-        const serviceContainer = taskDefinition.addContainer('MedplumTaskDefinition', {
-            image: this.getContainerImage(config, config.serverImage),
-            command: [config.region === 'us-east-1' ? `aws:/medplum/${name}/` : `aws:${config.region}:/medplum/${name}/`],
-            logging: logDriver,
-        });
-        serviceContainer.addPortMappings({
-            containerPort: config.apiPort,
-            hostPort: config.apiPort,
-        });
-        if (config.additionalContainers) {
-            for (const container of config.additionalContainers) {
-                taskDefinition.addContainer('AdditionalContainer-' + container.name, {
-                    containerName: container.name,
-                    image: this.getContainerImage(config, container.image),
-                    command: container.command,
-                    environment: container.environment,
-                    logging: logDriver,
-                });
-            }
-        }
-        // Security Groups
-        const fargateSecurityGroup = new awsCdkLib.aws_ec2.SecurityGroup(this, 'ServiceSecurityGroup', {
-            allowAllOutbound: true,
-            securityGroupName: 'MedplumSecurityGroup',
-            vpc: vpc,
-        });
-        // Fargate Services
-        const fargateService = new awsCdkLib.aws_ecs.FargateService(this, 'FargateService', {
-            cluster: cluster,
-            taskDefinition: taskDefinition,
-            assignPublicIp: false,
-            vpcSubnets: {
-                subnetType: awsCdkLib.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
-            },
-            desiredCount: config.desiredServerCount,
-            securityGroups: [fargateSecurityGroup],
-        });
-        // Add dependencies - make sure Fargate service is created after RDS and Redis
-        if (rdsCluster) {
-            fargateService.node.addDependency(rdsCluster);
-        }
-        fargateService.node.addDependency(redisCluster);
-        // Load Balancer Target Group
-        const targetGroup = new awsCdkLib.aws_elasticloadbalancingv2.ApplicationTargetGroup(this, 'TargetGroup', {
-            vpc: vpc,
-            port: config.apiPort,
-            protocol: awsCdkLib.aws_elasticloadbalancingv2.ApplicationProtocol.HTTP,
-            healthCheck: {
-                path: '/healthcheck',
-                interval: awsCdkLib.Duration.seconds(30),
-                timeout: awsCdkLib.Duration.seconds(3),
-                healthyThresholdCount: 2,
-                unhealthyThresholdCount: 5,
-            },
-            targets: [fargateService],
-        });
-        // Load Balancer
-        const loadBalancer = new awsCdkLib.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this, 'LoadBalancer', {
-            vpc: vpc,
-            internetFacing: config.apiInternetFacing !== false,
-            http2Enabled: true,
-        });
-        if (config.loadBalancerLoggingBucket) {
-            // Load Balancer logging
-            loadBalancer.logAccessLogs(awsCdkLib.aws_s3.Bucket.fromBucketName(this, 'LoggingBucket', config.loadBalancerLoggingBucket), config.loadBalancerLoggingPrefix);
-        }
-        // HTTPS Listener
-        // Forward to the target group
-        loadBalancer.addListener('HttpsListener', {
-            port: 443,
-            certificates: [
-                {
-                    certificateArn: config.apiSslCertArn,
-                },
-            ],
-            sslPolicy: awsCdkLib.aws_elasticloadbalancingv2.SslPolicy.FORWARD_SECRECY_TLS12_RES_GCM,
-            defaultAction: awsCdkLib.aws_elasticloadbalancingv2.ListenerAction.forward([targetGroup]),
-        });
-        // WAF
-        const waf = new awsCdkLib.aws_wafv2.CfnWebACL(this, 'BackEndWAF', {
-            defaultAction: { allow: {} },
-            scope: 'REGIONAL',
-            name: `${config.stackName}-BackEndWAF`,
-            rules: awsManagedRules,
-            visibilityConfig: {
-                cloudWatchMetricsEnabled: true,
-                metricName: `${config.stackName}-BackEndWAF-Metric`,
-                sampledRequestsEnabled: false,
-            },
-        });
-        // Create an association between the load balancer and the WAF
-        const wafAssociation = new awsCdkLib.aws_wafv2.CfnWebACLAssociation(this, 'LoadBalancerAssociation', {
-            resourceArn: loadBalancer.loadBalancerArn,
-            webAclArn: waf.attrArn,
-        });
-        // Grant RDS access to the fargate group
-        if (rdsCluster) {
-            rdsCluster.connections.allowDefaultPortFrom(fargateSecurityGroup);
-        }
-        // Grant Redis access to the fargate group
-        redisSecurityGroup.addIngressRule(fargateSecurityGroup, awsCdkLib.aws_ec2.Port.tcp(6379));
-        // DNS
-        let record = undefined;
-        if (!config.skipDns) {
-            // Route 53
-            const zone = awsCdkLib.aws_route53.HostedZone.fromLookup(this, 'Zone', {
-                domainName: config.domainName.split('.').slice(-2).join('.'),
-            });
-            // Route53 alias record for the load balancer
-            record = new awsCdkLib.aws_route53.ARecord(this, 'LoadBalancerAliasRecord', {
-                recordName: config.apiDomainName,
-                target: awsCdkLib.aws_route53.RecordTarget.fromAlias(new awsCdkLib.aws_route53_targets.LoadBalancerTarget(loadBalancer)),
-                zone: zone,
-            });
-        }
-        // SSM Parameters
-        const databaseSecrets = new awsCdkLib.aws_ssm.StringParameter(this, 'DatabaseSecretsParameter', {
-            tier: awsCdkLib.aws_ssm.ParameterTier.STANDARD,
-            parameterName: `/medplum/${name}/DatabaseSecrets`,
-            description: 'Database secrets ARN',
-            stringValue: rdsSecretsArn,
-        });
-        const redisSecretsParameter = new awsCdkLib.aws_ssm.StringParameter(this, 'RedisSecretsParameter', {
-            tier: awsCdkLib.aws_ssm.ParameterTier.STANDARD,
-            parameterName: `/medplum/${name}/RedisSecrets`,
-            description: 'Redis secrets ARN',
-            stringValue: redisSecrets.secretArn,
-        });
-        const botLambdaRoleParameter = new awsCdkLib.aws_ssm.StringParameter(this, 'BotLambdaRoleParameter', {
-            tier: awsCdkLib.aws_ssm.ParameterTier.STANDARD,
-            parameterName: `/medplum/${name}/botLambdaRoleArn`,
-            description: 'Bot lambda execution role ARN',
-            stringValue: botLambdaRole.roleArn,
-        });
-        // Debug
-        console.log('ARecord', record?.domainName);
-        console.log('DatabaseSecretsParameter', databaseSecrets.parameterArn);
-        console.log('RedisSecretsParameter', redisSecretsParameter.parameterArn);
-        console.log('RedisCluster', redisCluster.attrPrimaryEndPointAddress);
-        console.log('BotLambdaRole', botLambdaRoleParameter.stringValue);
-        console.log('WAF', waf.attrArn);
-        console.log('WAF Association', wafAssociation.node.id);
-    }
-    /**
-     * Returns a container image for the given image name.
-     * If the image name is an ECR image, then the image will be pulled from ECR.
-     * Otherwise, the image name is assumed to be a Docker Hub image.
-     * @param config The config settings (account number and region).
-     * @param imageName The image name.
-     * @returns The container image.
-     */
-    getContainerImage(config, imageName) {
-        // Pull out the image name and tag from the image URI if it's an ECR image
-        const ecrImageUriRegex = new RegExp(`^${config.accountNumber}\\.dkr\\.ecr\\.${config.region}\\.amazonaws\\.com/(.*)[:@](.*)$`);
-        const nameTagMatches = imageName.match(ecrImageUriRegex);
-        const serverImageName = nameTagMatches?.[1];
-        const serverImageTag = nameTagMatches?.[2];
-        if (serverImageName && serverImageTag) {
-            // Creating an ecr repository image will automatically grant fine-grained permissions to ecs to access the image
-            const ecrRepo = awsEcr.Repository.fromRepositoryArn(this, 'ServerImageRepo', `arn:aws:ecr:${config.region}:${config.accountNumber}:repository/${serverImageName}`);
-            return awsCdkLib.aws_ecs.ContainerImage.fromEcrRepository(ecrRepo, serverImageTag);
-        }
-        // Otherwise, use the standard container image
-        return awsCdkLib.aws_ecs.ContainerImage.fromRegistry(imageName);
-    }
-}
-/**
- * Grants S3 bucket read access to the CloudFront Origin Access Identity (OAI).
- *
- * Under normal circumstances, where CDK creates both the S3 bucket and the OAI,
- * you can achieve this same behavior by simply calling:
- *
- *     bucket.grantRead(identity);
- *
- * However, if importing an S3 bucket via `s3.Bucket.fromBucketAttributes()`, that does not work.
- *
- * See: https://stackoverflow.com/a/60917015
- * @param bucket The S3 bucket.
- * @param identity The CloudFront Origin Access Identity.
- */
-function grantBucketAccessToOriginAccessIdentity(bucket, identity) {
-    const policyStatement = new awsCdkLib.aws_iam.PolicyStatement();
-    policyStatement.addActions('s3:GetObject*');
-    policyStatement.addActions('s3:GetBucket*');
-    policyStatement.addActions('s3:List*');
-    policyStatement.addResources(bucket.bucketArn);
-    policyStatement.addResources(`${bucket.bucketArn}/*`);
-    policyStatement.addCanonicalUserPrincipal(identity.cloudFrontOriginAccessIdentityS3CanonicalUserId);
-    bucket.addToResourcePolicy(policyStatement);
-}
-/**
- * Static app infrastructure, which deploys app content to an S3 bucket.
- *
- * The app redirects from HTTP to HTTPS, using a CloudFront distribution,
- * Route53 alias record, and ACM certificate.
- */
-class FrontEnd extends constructs.Construct {
-    constructor(parent, config, region) {
-        super(parent, 'FrontEnd');
-        let appBucket;
-        if (region === config.region) {
-            // S3 bucket
-            appBucket = new awsCdkLib.aws_s3.Bucket(this, 'AppBucket', {
-                bucketName: config.appDomainName,
-                publicReadAccess: false,
-                blockPublicAccess: awsCdkLib.aws_s3.BlockPublicAccess.BLOCK_ALL,
-                removalPolicy: awsCdkLib.RemovalPolicy.DESTROY,
-                encryption: awsCdkLib.aws_s3.BucketEncryption.S3_MANAGED,
-                enforceSSL: true,
-                versioned: true,
-            });
-        }
-        else {
-            // Otherwise, reference the bucket by name and region
-            appBucket = awsCdkLib.aws_s3.Bucket.fromBucketAttributes(this, 'AppBucket', {
-                bucketName: config.appDomainName,
-                region: config.region,
-            });
-        }
-        if (region === 'us-east-1') {
-            // HTTP response headers policy
-            const responseHeadersPolicy = new awsCdkLib.aws_cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
-                securityHeadersBehavior: {
-                    contentSecurityPolicy: {
-                        contentSecurityPolicy: [
-                            `default-src 'none'`,
-                            `base-uri 'self'`,
-                            `child-src 'self'`,
-                            `connect-src 'self' ${config.apiDomainName} *.google.com`,
-                            `font-src 'self' fonts.gstatic.com`,
-                            `form-action 'self' *.gstatic.com *.google.com`,
-                            `frame-ancestors 'none'`,
-                            `frame-src 'self' *.medplum.com *.gstatic.com *.google.com`,
-                            `img-src 'self' data: ${config.storageDomainName} *.gstatic.com *.google.com *.googleapis.com`,
-                            `manifest-src 'self'`,
-                            `media-src 'self' ${config.storageDomainName}`,
-                            `script-src 'self' *.medplum.com *.gstatic.com *.google.com`,
-                            `style-src 'self' 'unsafe-inline' *.medplum.com *.gstatic.com *.google.com`,
-                            `worker-src 'self' blob: *.gstatic.com *.google.com`,
-                            `upgrade-insecure-requests`,
-                        ].join('; '),
-                        override: true,
-                    },
-                    contentTypeOptions: { override: true },
-                    frameOptions: { frameOption: awsCdkLib.aws_cloudfront.HeadersFrameOption.DENY, override: true },
-                    strictTransportSecurity: {
-                        accessControlMaxAge: awsCdkLib.Duration.seconds(63072000),
-                        includeSubdomains: true,
-                        override: true,
-                    },
-                    xssProtection: {
-                        protection: true,
-                        modeBlock: true,
-                        override: true,
-                    },
-                },
-            });
-            // WAF
-            const waf = new awsCdkLib.aws_wafv2.CfnWebACL(this, 'FrontEndWAF', {
-                defaultAction: { allow: {} },
-                scope: 'CLOUDFRONT',
-                name: `${config.stackName}-FrontEndWAF`,
-                rules: awsManagedRules,
-                visibilityConfig: {
-                    cloudWatchMetricsEnabled: true,
-                    metricName: `${config.stackName}-FrontEndWAF-Metric`,
-                    sampledRequestsEnabled: false,
-                },
-            });
-            // API Origin Cache Policy
-            const apiOriginCachePolicy = new awsCdkLib.aws_cloudfront.CachePolicy(this, 'ApiOriginCachePolicy', {
-                cachePolicyName: `${config.stackName}-ApiOriginCachePolicy`,
-                cookieBehavior: awsCdkLib.aws_cloudfront.CacheCookieBehavior.all(),
-                headerBehavior: awsCdkLib.aws_cloudfront.CacheHeaderBehavior.allowList('Authorization', 'Content-Encoding', 'Content-Type', 'If-None-Match', 'Origin', 'Referer', 'User-Agent', 'X-Medplum'),
-                queryStringBehavior: awsCdkLib.aws_cloudfront.CacheQueryStringBehavior.all(),
-            });
-            // Origin access identity
-            const originAccessIdentity = new awsCdkLib.aws_cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-            grantBucketAccessToOriginAccessIdentity(appBucket, originAccessIdentity);
-            // CloudFront distribution
-            const distribution = new awsCdkLib.aws_cloudfront.Distribution(this, 'AppDistribution', {
-                defaultRootObject: 'index.html',
-                defaultBehavior: {
-                    origin: new awsCdkLib.aws_cloudfront_origins.S3Origin(appBucket, { originAccessIdentity }),
-                    responseHeadersPolicy,
-                    viewerProtocolPolicy: awsCdkLib.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-                },
-                additionalBehaviors: config.appApiProxy
-                    ? {
-                        '/api/*': {
-                            origin: new awsCdkLib.aws_cloudfront_origins.HttpOrigin(config.apiDomainName),
-                            allowedMethods: awsCdkLib.aws_cloudfront.AllowedMethods.ALLOW_ALL,
-                            cachePolicy: apiOriginCachePolicy,
-                            viewerProtocolPolicy: awsCdkLib.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-                        },
-                    }
-                    : undefined,
-                certificate: awsCdkLib.aws_certificatemanager.Certificate.fromCertificateArn(this, 'AppCertificate', config.appSslCertArn),
-                domainNames: [config.appDomainName],
-                errorResponses: [
-                    {
-                        httpStatus: 403,
-                        responseHttpStatus: 200,
-                        responsePagePath: '/index.html',
-                    },
-                    {
-                        httpStatus: 404,
-                        responseHttpStatus: 200,
-                        responsePagePath: '/index.html',
-                    },
-                ],
-                webAclId: waf.attrArn,
-                logBucket: config.appLoggingBucket
-                    ? awsCdkLib.aws_s3.Bucket.fromBucketName(this, 'LoggingBucket', config.appLoggingBucket)
-                    : undefined,
-                logFilePrefix: config.appLoggingPrefix,
-            });
-            // DNS
-            let record = undefined;
-            if (!config.skipDns) {
-                const zone = awsCdkLib.aws_route53.HostedZone.fromLookup(this, 'Zone', {
-                    domainName: config.domainName.split('.').slice(-2).join('.'),
-                });
-                // Route53 alias record for the CloudFront distribution
-                record = new awsCdkLib.aws_route53.ARecord(this, 'AppAliasRecord', {
-                    recordName: config.appDomainName,
-                    target: awsCdkLib.aws_route53.RecordTarget.fromAlias(new awsCdkLib.aws_route53_targets.CloudFrontTarget(distribution)),
-                    zone,
-                });
-            }
-            // Debug
-            console.log('ARecord', record?.domainName);
-        }
-    }
-}
-/**
- * Binary storage bucket and CloudFront distribution.
- */
-class Storage extends constructs.Construct {
-    constructor(parent, config, region) {
-        super(parent, 'Storage');
-        let storageBucket;
-        if (region === config.region) {
-            // S3 bucket
-            storageBucket = new awsCdkLib.aws_s3.Bucket(this, 'StorageBucket', {
-                bucketName: config.storageBucketName,
-                publicReadAccess: false,
-                blockPublicAccess: awsCdkLib.aws_s3.BlockPublicAccess.BLOCK_ALL,
-                encryption: awsCdkLib.aws_s3.BucketEncryption.S3_MANAGED,
-                enforceSSL: true,
-                versioned: true,
-            });
-            if (config.clamscanEnabled) {
-                // ClamAV serverless scan
-                const sc = new cdkServerlessClamscan.ServerlessClamscan(this, 'ServerlessClamscan', {
-                    defsBucketAccessLogsConfig: {
-                        logsBucket: awsCdkLib.aws_s3.Bucket.fromBucketName(this, 'LoggingBucket', config.clamscanLoggingBucket),
-                        logsPrefix: config.clamscanLoggingPrefix,
-                    },
-                });
-                sc.addSourceBucket(storageBucket);
-            }
-        }
-        else {
-            // Otherwise, reference the bucket by name
-            storageBucket = awsCdkLib.aws_s3.Bucket.fromBucketAttributes(this, 'StorageBucket', {
-                bucketName: config.storageBucketName,
-                region: config.region,
-            });
-        }
-        if (region === 'us-east-1') {
-            // Public key in PEM format
-            const publicKey = new awsCdkLib.aws_cloudfront.PublicKey(this, 'StoragePublicKey', {
-                encodedKey: config.storagePublicKey,
-            });
-            // Authorized key group for presigned URLs
-            const keyGroup = new awsCdkLib.aws_cloudfront.KeyGroup(this, 'StorageKeyGroup', {
-                items: [publicKey],
-            });
-            // HTTP response headers policy
-            const responseHeadersPolicy = new awsCdkLib.aws_cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
-                securityHeadersBehavior: {
-                    contentSecurityPolicy: {
-                        contentSecurityPolicy: "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors *.medplum.com;",
-                        override: true,
-                    },
-                    contentTypeOptions: { override: true },
-                    frameOptions: { frameOption: awsCdkLib.aws_cloudfront.HeadersFrameOption.DENY, override: true },
-                    referrerPolicy: { referrerPolicy: awsCdkLib.aws_cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
-                    strictTransportSecurity: {
-                        accessControlMaxAge: awsCdkLib.Duration.seconds(63072000),
-                        includeSubdomains: true,
-                        override: true,
-                    },
-                    xssProtection: {
-                        protection: true,
-                        modeBlock: true,
-                        override: true,
-                    },
-                },
-            });
-            // WAF
-            const waf = new awsCdkLib.aws_wafv2.CfnWebACL(this, 'StorageWAF', {
-                defaultAction: { allow: {} },
-                scope: 'CLOUDFRONT',
-                name: `${config.stackName}-StorageWAF`,
-                rules: awsManagedRules,
-                visibilityConfig: {
-                    cloudWatchMetricsEnabled: true,
-                    metricName: `${config.stackName}-StorageWAF-Metric`,
-                    sampledRequestsEnabled: false,
-                },
-            });
-            // Origin access identity
-            const originAccessIdentity = new awsCdkLib.aws_cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-            grantBucketAccessToOriginAccessIdentity(storageBucket, originAccessIdentity);
-            // CloudFront distribution
-            const distribution = new awsCdkLib.aws_cloudfront.Distribution(this, 'StorageDistribution', {
-                defaultBehavior: {
-                    origin: new awsCdkLib.aws_cloudfront_origins.S3Origin(storageBucket, { originAccessIdentity }),
-                    responseHeadersPolicy,
-                    viewerProtocolPolicy: awsCdkLib.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-                    trustedKeyGroups: [keyGroup],
-                },
-                certificate: awsCdkLib.aws_certificatemanager.Certificate.fromCertificateArn(this, 'StorageCertificate', config.storageSslCertArn),
-                domainNames: [config.storageDomainName],
-                webAclId: waf.attrArn,
-                logBucket: config.storageLoggingBucket
-                    ? awsCdkLib.aws_s3.Bucket.fromBucketName(this, 'LoggingBucket', config.storageLoggingBucket)
-                    : undefined,
-                logFilePrefix: config.storageLoggingPrefix,
-            });
-            // DNS
-            let record = undefined;
-            if (!config.skipDns) {
-                const zone = awsCdkLib.aws_route53.HostedZone.fromLookup(this, 'Zone', {
-                    domainName: config.domainName.split('.').slice(-2).join('.'),
-                });
-                // Route53 alias record for the CloudFront distribution
-                record = new awsCdkLib.aws_route53.ARecord(this, 'StorageAliasRecord', {
-                    recordName: config.storageDomainName,
-                    target: awsCdkLib.aws_route53.RecordTarget.fromAlias(new awsCdkLib.aws_route53_targets.CloudFrontTarget(distribution)),
-                    zone,
-                });
-            }
-            // Debug
-            console.log('ARecord', record?.domainName);
-        }
-    }
-}
-class MedplumStack {
-    constructor(scope, config) {
-        this.primaryStack = new awsCdkLib.Stack(scope, config.stackName, {
-            env: {
-                region: config.region,
-                account: config.accountNumber,
-            },
-        });
-        awsCdkLib.Tags.of(this.primaryStack).add('medplum:environment', config.name);
-        this.backEnd = new BackEnd(this.primaryStack, config);
-        this.frontEnd = new FrontEnd(this.primaryStack, config, config.region);
-        this.storage = new Storage(this.primaryStack, config, config.region);
-        if (config.region !== 'us-east-1') {
-            // Some resources must be created in us-east-1
-            // For example, CloudFront distributions and ACM certificates
-            // If the primary region is not us-east-1, create these resources in us-east-1
-            const usEast1Stack = new awsCdkLib.Stack(scope, config.stackName + '-us-east-1', {
-                env: {
-                    region: 'us-east-1',
-                    account: config.accountNumber,
-                },
-            });
-            awsCdkLib.Tags.of(usEast1Stack).add('medplum:environment', config.name);
-            this.frontEnd = new FrontEnd(usEast1Stack, config, 'us-east-1');
-            this.storage = new Storage(usEast1Stack, config, 'us-east-1');
-        }
-    }
-}
-function main(context) {
-    const app = new awsCdkLib.App({ context });
-    const configFileName = app.node.tryGetContext('config');
-    if (!configFileName) {
-        console.log('Missing "config" context variable');
-        console.log('Usage: cdk deploy -c config=my-config.json');
-        return;
-    }
-    const config = JSON.parse(fs.readFileSync(path.resolve(configFileName), 'utf-8'));
-    const stack = new MedplumStack(app, config);
-    console.log('Stack', stack.primaryStack.stackId);
-    console.log('BackEnd', stack.backEnd.node.id);
-    console.log('FrontEnd', stack.frontEnd.node.id);
-    console.log('Storage', stack.storage.node.id);
-    app.synth();
-}
-if (require.main === module) {
-    main();
-}
-exports.main = main;
+"use strict";var I=Object.defineProperty;var X=Object.getOwnPropertyDescriptor;var ee=Object.getOwnPropertyNames;var te=Object.prototype.hasOwnProperty;var ae=(i,o)=>{for(var e in o)I(i,e,{get:o[e],enumerable:!0})},re=(i,o,e,n)=>{if(o&&typeof o=="object"||typeof o=="function")for(let r of ee(o))!te.call(i,r)&&r!==e&&I(i,r,{get:()=>o[r],enumerable:!(n=X(o,r))||n.enumerable});return i};var se=i=>re(I({},"__esModule",{value:!0}),i);var oe={};ae(oe,{main:()=>V});module.exports=se(oe);var g=require("aws-cdk-lib"),U=require("fs"),H=require("path");var t=require("aws-cdk-lib"),G=require("aws-cdk-lib/aws-ecr"),N=require("aws-cdk-lib/aws-rds"),O=require("constructs");var R=[{name:"AWS-AWSManagedRulesCommonRuleSet",priority:10,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesCommonRuleSet",excludedRules:[{name:"NoUserAgent_HEADER"},{name:"UserAgent_BadBots_HEADER"},{name:"SizeRestrictions_QUERYSTRING"},{name:"SizeRestrictions_Cookie_HEADER"},{name:"SizeRestrictions_BODY"},{name:"SizeRestrictions_URIPATH"},{name:"EC2MetaDataSSRF_BODY"},{name:"EC2MetaDataSSRF_COOKIE"},{name:"EC2MetaDataSSRF_URIPATH"},{name:"EC2MetaDataSSRF_QUERYARGUMENTS"},{name:"GenericLFI_QUERYARGUMENTS"},{name:"GenericLFI_URIPATH"},{name:"GenericLFI_BODY"},{name:"RestrictedExtensions_URIPATH"},{name:"RestrictedExtensions_QUERYARGUMENTS"},{name:"GenericRFI_QUERYARGUMENTS"},{name:"GenericRFI_BODY"},{name:"GenericRFI_URIPATH"},{name:"CrossSiteScripting_COOKIE"},{name:"CrossSiteScripting_QUERYARGUMENTS"},{name:"CrossSiteScripting_BODY"},{name:"CrossSiteScripting_URIPATH"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWS-AWSManagedRulesCommonRuleSet"}},{name:"AWS-AWSManagedRulesAmazonIpReputationList",priority:20,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesAmazonIpReputationList",excludedRules:[{name:"AWSManagedIPReputationList"},{name:"AWSManagedReconnaissanceList"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesAmazonIpReputationList"}},{name:"AWSManagedRulesSQLiRuleSet",priority:30,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesSQLiRuleSet"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesSQLiRuleSet",excludedRules:[{name:"SQLi_QUERYARGUMENTS"},{name:"SQLiExtendedPatterns_QUERYARGUMENTS"},{name:"SQLi_BODY"},{name:"SQLiExtendedPatterns_BODY"},{name:"SQLi_COOKIE"},{name:"SQLi_URIPATH"}]}}},{name:"AWSManagedRuleLinux",priority:40,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRuleLinux"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesLinuxRuleSet",excludedRules:[{name:"LFI_URIPATH"},{name:"LFI_QUERYSTRING"},{name:"LFI_COOKIE"}]}}}];var h=class extends O.Construct{constructor(o,e){super(o,"BackEnd");let n=e.name,r;if(e.vpcId)r=t.aws_ec2.Vpc.fromLookup(this,"VPC",{vpcId:e.vpcId});else{let c=new t.aws_logs.LogGroup(this,"VpcFlowLogs",{logGroupName:"/medplum/flowlogs/"+n,removalPolicy:t.RemovalPolicy.DESTROY});r=new t.aws_ec2.Vpc(this,"VPC",{maxAzs:e.maxAzs,flowLogs:{cloudwatch:{destination:t.aws_ec2.FlowLogDestination.toCloudWatchLogs(c),trafficType:t.aws_ec2.FlowLogTrafficType.ALL}}})}let d=new t.aws_iam.Role(this,"BotLambdaRole",{assumedBy:new t.aws_iam.ServicePrincipal("lambda.amazonaws.com")}),l,u=e.rdsSecretsArn;if(!u){let c={instanceType:e.rdsInstanceType?new t.aws_ec2.InstanceType(e.rdsInstanceType):void 0,enablePerformanceInsights:!0,isFromLegacyInstanceProps:!0},k;if(e.rdsInstances>1){k=[];for(let v=0;v<e.rdsInstances-1;v++)k.push(N.ClusterInstance.provisioned("Instance"+(v+2),{...c}))}l=new t.aws_rds.DatabaseCluster(this,"DatabaseCluster",{engine:t.aws_rds.DatabaseClusterEngine.auroraPostgres({version:t.aws_rds.AuroraPostgresEngineVersion.VER_12_9}),credentials:t.aws_rds.Credentials.fromGeneratedSecret("clusteradmin"),defaultDatabaseName:"medplum",storageEncrypted:!0,vpc:r,vpcSubnets:{subnetType:t.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},writer:N.ClusterInstance.provisioned("Instance1",{...c}),readers:k,backup:{retention:t.Duration.days(7)},cloudwatchLogsExports:["postgresql"],instanceUpdateBehaviour:t.aws_rds.InstanceUpdateBehaviour.ROLLING}),u=l.secret.secretArn}let A=new t.aws_elasticache.CfnSubnetGroup(this,"RedisSubnetGroup",{description:"Redis Subnet Group",subnetIds:r.privateSubnets.map(c=>c.subnetId)}),S=new t.aws_ec2.SecurityGroup(this,"RedisSecurityGroup",{vpc:r,description:"Redis Security Group",allowAllOutbound:!1}),p=new t.aws_secretsmanager.Secret(this,"RedisPassword",{generateSecretString:{secretStringTemplate:"{}",generateStringKey:"password",excludeCharacters:"@%*()_+=`~{}|[]\\:\";'?,./"}}),m=new t.aws_elasticache.CfnReplicationGroup(this,"RedisCluster",{engine:"Redis",engineVersion:"6.x",cacheNodeType:e.cacheNodeType??"cache.t2.medium",replicationGroupDescription:"RedisReplicationGroup",authToken:p.secretValueFromJson("password").toString(),transitEncryptionEnabled:!0,atRestEncryptionEnabled:!0,multiAzEnabled:!0,cacheSubnetGroupName:A.ref,numNodeGroups:1,replicasPerNodeGroup:1,securityGroupIds:[S.securityGroupId]});m.node.addDependency(p);let f=new t.aws_secretsmanager.Secret(this,"RedisSecrets",{generateSecretString:{secretStringTemplate:JSON.stringify({host:m.attrPrimaryEndPointAddress,port:m.attrPrimaryEndPointPort,password:p.secretValueFromJson("password").toString(),tls:{}}),generateStringKey:"unused"}});f.node.addDependency(p),f.node.addDependency(m);let $=new t.aws_ecs.Cluster(this,"Cluster",{vpc:r}),Y=new t.aws_iam.PolicyDocument({statements:[new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["logs:CreateLogStream","logs:PutLogEvents"],resources:["arn:aws:logs:*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["secretsmanager:GetResourcePolicy","secretsmanager:GetSecretValue","secretsmanager:DescribeSecret","secretsmanager:ListSecrets","secretsmanager:ListSecretVersionIds"],resources:["arn:aws:secretsmanager:*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["ssm:GetParametersByPath","ssm:GetParameters","ssm:GetParameter","ssm:DescribeParameters"],resources:["arn:aws:ssm:*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["ses:SendEmail","ses:SendRawEmail"],resources:["arn:aws:ses:*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["s3:ListBucket","s3:GetObject","s3:PutObject","s3:DeleteObject"],resources:["arn:aws:s3:::*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["iam:ListRoles","iam:GetRole","iam:PassRole"],resources:[d.roleArn]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["lambda:CreateFunction","lambda:GetFunction","lambda:GetFunctionConfiguration","lambda:UpdateFunctionCode","lambda:UpdateFunctionConfiguration","lambda:ListLayerVersions","lambda:GetLayerVersion","lambda:InvokeFunction"],resources:["arn:aws:lambda:*"]})]}),Q=new t.aws_iam.Role(this,"TaskExecutionRole",{assumedBy:new t.aws_iam.ServicePrincipal("ecs-tasks.amazonaws.com"),description:"Medplum Server Task Execution Role",inlinePolicies:{TaskExecutionPolicies:Y}}),b=new t.aws_ecs.FargateTaskDefinition(this,"TaskDefinition",{memoryLimitMiB:e.serverMemory,cpu:e.serverCpu,taskRole:Q}),z=new t.aws_logs.LogGroup(this,"LogGroup",{logGroupName:"/ecs/medplum/"+n,removalPolicy:t.RemovalPolicy.DESTROY}),_=new t.aws_ecs.AwsLogDriver({logGroup:z,streamPrefix:"Medplum"});if(b.addContainer("MedplumTaskDefinition",{image:this.getContainerImage(e,e.serverImage),command:[e.region==="us-east-1"?`aws:/medplum/${n}/`:`aws:${e.region}:/medplum/${n}/`],logging:_}).addPortMappings({containerPort:e.apiPort,hostPort:e.apiPort}),e.additionalContainers)for(let c of e.additionalContainers)b.addContainer("AdditionalContainer-"+c.name,{containerName:c.name,image:this.getContainerImage(e,c.image),command:c.command,environment:c.environment,logging:_});let E=new t.aws_ec2.SecurityGroup(this,"ServiceSecurityGroup",{allowAllOutbound:!0,securityGroupName:"MedplumSecurityGroup",vpc:r}),L=new t.aws_ecs.FargateService(this,"FargateService",{cluster:$,taskDefinition:b,assignPublicIp:!1,vpcSubnets:{subnetType:t.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},desiredCount:e.desiredServerCount,securityGroups:[E],healthCheckGracePeriod:t.Duration.minutes(5)});l&&L.node.addDependency(l),L.node.addDependency(m);let K=new t.aws_elasticloadbalancingv2.ApplicationTargetGroup(this,"TargetGroup",{vpc:r,port:e.apiPort,protocol:t.aws_elasticloadbalancingv2.ApplicationProtocol.HTTP,healthCheck:{path:"/healthcheck",interval:t.Duration.seconds(30),timeout:t.Duration.seconds(3),healthyThresholdCount:2,unhealthyThresholdCount:5},targets:[L]}),P=new t.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this,"LoadBalancer",{vpc:r,internetFacing:e.apiInternetFacing!==!1,http2Enabled:!0});e.loadBalancerLoggingBucket&&P.logAccessLogs(t.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.loadBalancerLoggingBucket),e.loadBalancerLoggingPrefix),P.addListener("HttpsListener",{port:443,certificates:[{certificateArn:e.apiSslCertArn}],sslPolicy:t.aws_elasticloadbalancingv2.SslPolicy.FORWARD_SECRECY_TLS12_RES_GCM,defaultAction:t.aws_elasticloadbalancingv2.ListenerAction.forward([K])});let T=new t.aws_wafv2.CfnWebACL(this,"BackEndWAF",{defaultAction:{allow:{}},scope:"REGIONAL",name:`${e.stackName}-BackEndWAF`,rules:R,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-BackEndWAF-Metric`,sampledRequestsEnabled:!1}}),q=new t.aws_wafv2.CfnWebACLAssociation(this,"LoadBalancerAssociation",{resourceArn:P.loadBalancerArn,webAclArn:T.attrArn});l&&l.connections.allowDefaultPortFrom(E),S.addIngressRule(E,t.aws_ec2.Port.tcp(6379));let D;if(!e.skipDns){let c=t.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:e.domainName.split(".").slice(-2).join(".")});D=new t.aws_route53.ARecord(this,"LoadBalancerAliasRecord",{recordName:e.apiDomainName,target:t.aws_route53.RecordTarget.fromAlias(new t.aws_route53_targets.LoadBalancerTarget(P)),zone:c})}let j=new t.aws_ssm.StringParameter(this,"DatabaseSecretsParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${n}/DatabaseSecrets`,description:"Database secrets ARN",stringValue:u}),Z=new t.aws_ssm.StringParameter(this,"RedisSecretsParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${n}/RedisSecrets`,description:"Redis secrets ARN",stringValue:f.secretArn}),J=new t.aws_ssm.StringParameter(this,"BotLambdaRoleParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${n}/botLambdaRoleArn`,description:"Bot lambda execution role ARN",stringValue:d.roleArn});console.log("ARecord",D?.domainName),console.log("DatabaseSecretsParameter",j.parameterArn),console.log("RedisSecretsParameter",Z.parameterArn),console.log("RedisCluster",m.attrPrimaryEndPointAddress),console.log("BotLambdaRole",J.stringValue),console.log("WAF",T.attrArn),console.log("WAF Association",q.node.id)}getContainerImage(o,e){let n=new RegExp(`^${o.accountNumber}\\.dkr\\.ecr\\.${o.region}\\.amazonaws\\.com/(.*)[:@](.*)$`),r=e.match(n),d=r?.[1],l=r?.[2];if(d&&l){let u=G.Repository.fromRepositoryArn(this,"ServerImageRepo",`arn:aws:ecr:${o.region}:${o.accountNumber}:repository/${d}`);return t.aws_ecs.ContainerImage.fromEcrRepository(u,l)}return t.aws_ecs.ContainerImage.fromRegistry(e)}};var a=require("aws-cdk-lib"),F=require("constructs");var M=require("aws-cdk-lib");function C(i,o){let e=new M.aws_iam.PolicyStatement;e.addActions("s3:GetObject*"),e.addActions("s3:GetBucket*"),e.addActions("s3:List*"),e.addResources(i.bucketArn),e.addResources(`${i.bucketArn}/*`),e.addCanonicalUserPrincipal(o.cloudFrontOriginAccessIdentityS3CanonicalUserId),i.addToResourcePolicy(e)}var w=class extends F.Construct{constructor(o,e,n){super(o,"FrontEnd");let r;if(n===e.region?r=new a.aws_s3.Bucket(this,"AppBucket",{bucketName:e.appDomainName,publicReadAccess:!1,blockPublicAccess:a.aws_s3.BlockPublicAccess.BLOCK_ALL,removalPolicy:a.RemovalPolicy.DESTROY,encryption:a.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}):r=a.aws_s3.Bucket.fromBucketAttributes(this,"AppBucket",{bucketName:e.appDomainName,region:e.region}),n==="us-east-1"){let d=new a.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:["default-src 'none'","base-uri 'self'","child-src 'self'",`connect-src 'self' ${e.apiDomainName} *.google.com`,"font-src 'self' fonts.gstatic.com","form-action 'self' *.gstatic.com *.google.com","frame-ancestors 'none'","frame-src 'self' *.medplum.com *.gstatic.com *.google.com",`img-src 'self' data: ${e.storageDomainName} *.gstatic.com *.google.com *.googleapis.com`,"manifest-src 'self'",`media-src 'self' ${e.storageDomainName}`,"script-src 'self' *.medplum.com *.gstatic.com *.google.com","style-src 'self' 'unsafe-inline' *.medplum.com *.gstatic.com *.google.com","worker-src 'self' blob: *.gstatic.com *.google.com","upgrade-insecure-requests"].join("; "),override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:a.aws_cloudfront.HeadersFrameOption.DENY,override:!0},strictTransportSecurity:{accessControlMaxAge:a.Duration.seconds(63072e3),includeSubdomains:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),l=new a.aws_wafv2.CfnWebACL(this,"FrontEndWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${e.stackName}-FrontEndWAF`,rules:R,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-FrontEndWAF-Metric`,sampledRequestsEnabled:!1}}),u=new a.aws_cloudfront.CachePolicy(this,"ApiOriginCachePolicy",{cachePolicyName:`${e.stackName}-ApiOriginCachePolicy`,cookieBehavior:a.aws_cloudfront.CacheCookieBehavior.all(),headerBehavior:a.aws_cloudfront.CacheHeaderBehavior.allowList("Authorization","Content-Encoding","Content-Type","If-None-Match","Origin","Referer","User-Agent","X-Medplum"),queryStringBehavior:a.aws_cloudfront.CacheQueryStringBehavior.all()}),A=new a.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{});C(r,A);let S=new a.aws_cloudfront.Distribution(this,"AppDistribution",{defaultRootObject:"index.html",defaultBehavior:{origin:new a.aws_cloudfront_origins.S3Origin(r,{originAccessIdentity:A}),responseHeadersPolicy:d,viewerProtocolPolicy:a.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS},additionalBehaviors:e.appApiProxy?{"/api/*":{origin:new a.aws_cloudfront_origins.HttpOrigin(e.apiDomainName),allowedMethods:a.aws_cloudfront.AllowedMethods.ALLOW_ALL,cachePolicy:u,viewerProtocolPolicy:a.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS}}:void 0,certificate:a.aws_certificatemanager.Certificate.fromCertificateArn(this,"AppCertificate",e.appSslCertArn),domainNames:[e.appDomainName],errorResponses:[{httpStatus:403,responseHttpStatus:200,responsePagePath:"/index.html"},{httpStatus:404,responseHttpStatus:200,responsePagePath:"/index.html"}],webAclId:l.attrArn,logBucket:e.appLoggingBucket?a.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.appLoggingBucket):void 0,logFilePrefix:e.appLoggingPrefix}),p;if(!e.skipDns){let m=a.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:e.domainName.split(".").slice(-2).join(".")});p=new a.aws_route53.ARecord(this,"AppAliasRecord",{recordName:e.appDomainName,target:a.aws_route53.RecordTarget.fromAlias(new a.aws_route53_targets.CloudFrontTarget(S)),zone:m})}console.log("ARecord",p?.domainName)}}};var s=require("aws-cdk-lib"),W=require("cdk-serverless-clamscan"),x=require("constructs");var y=class extends x.Construct{constructor(o,e,n){super(o,"Storage");let r;if(n===e.region?(r=new s.aws_s3.Bucket(this,"StorageBucket",{bucketName:e.storageBucketName,publicReadAccess:!1,blockPublicAccess:s.aws_s3.BlockPublicAccess.BLOCK_ALL,encryption:s.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}),e.clamscanEnabled&&new W.ServerlessClamscan(this,"ServerlessClamscan",{defsBucketAccessLogsConfig:{logsBucket:s.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.clamscanLoggingBucket),logsPrefix:e.clamscanLoggingPrefix}}).addSourceBucket(r)):r=s.aws_s3.Bucket.fromBucketAttributes(this,"StorageBucket",{bucketName:e.storageBucketName,region:e.region}),n==="us-east-1"){let d=new s.aws_cloudfront.PublicKey(this,"StoragePublicKey",{encodedKey:e.storagePublicKey}),l=new s.aws_cloudfront.KeyGroup(this,"StorageKeyGroup",{items:[d]}),u=new s.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:"default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors *.medplum.com;",override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:s.aws_cloudfront.HeadersFrameOption.DENY,override:!0},referrerPolicy:{referrerPolicy:s.aws_cloudfront.HeadersReferrerPolicy.NO_REFERRER,override:!0},strictTransportSecurity:{accessControlMaxAge:s.Duration.seconds(63072e3),includeSubdomains:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),A=new s.aws_wafv2.CfnWebACL(this,"StorageWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${e.stackName}-StorageWAF`,rules:R,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-StorageWAF-Metric`,sampledRequestsEnabled:!1}}),S=new s.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{});C(r,S);let p=new s.aws_cloudfront.Distribution(this,"StorageDistribution",{defaultBehavior:{origin:new s.aws_cloudfront_origins.S3Origin(r,{originAccessIdentity:S}),responseHeadersPolicy:u,viewerProtocolPolicy:s.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,trustedKeyGroups:[l]},certificate:s.aws_certificatemanager.Certificate.fromCertificateArn(this,"StorageCertificate",e.storageSslCertArn),domainNames:[e.storageDomainName],webAclId:A.attrArn,logBucket:e.storageLoggingBucket?s.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.storageLoggingBucket):void 0,logFilePrefix:e.storageLoggingPrefix}),m;if(!e.skipDns){let f=s.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:e.domainName.split(".").slice(-2).join(".")});m=new s.aws_route53.ARecord(this,"StorageAliasRecord",{recordName:e.storageDomainName,target:s.aws_route53.RecordTarget.fromAlias(new s.aws_route53_targets.CloudFrontTarget(p)),zone:f})}console.log("ARecord",m?.domainName)}}};var B=class{constructor(o,e){if(this.primaryStack=new g.Stack(o,e.stackName,{env:{region:e.region,account:e.accountNumber}}),g.Tags.of(this.primaryStack).add("medplum:environment",e.name),this.backEnd=new h(this.primaryStack,e),this.frontEnd=new w(this.primaryStack,e,e.region),this.storage=new y(this.primaryStack,e,e.region),e.region!=="us-east-1"){let n=new g.Stack(o,e.stackName+"-us-east-1",{env:{region:"us-east-1",account:e.accountNumber}});g.Tags.of(n).add("medplum:environment",e.name),this.frontEnd=new w(n,e,"us-east-1"),this.storage=new y(n,e,"us-east-1")}}};function V(i){let o=new g.App({context:i}),e=o.node.tryGetContext("config");if(!e){console.log('Missing "config" context variable'),console.log("Usage: cdk deploy -c config=my-config.json");return}let n=JSON.parse((0,U.readFileSync)((0,H.resolve)(e),"utf-8")),r=new B(o,n);console.log("Stack",r.primaryStack.stackId),console.log("BackEnd",r.backEnd.node.id),console.log("FrontEnd",r.frontEnd.node.id),console.log("Storage",r.storage.node.id),o.synth()}require.main===module&&V();0&&(module.exports={main});
 //# sourceMappingURL=index.cjs.map