@medplum/cdk 2.1.0 → 2.1.2

package/src/frontend.ts

@@ -3,6 +3,7 @@ import {
   aws_certificatemanager as acm,
   aws_cloudfront as cloudfront,
   Duration,
+  aws_iam as iam,
   aws_cloudfront_origins as origins,
   RemovalPolicy,
   aws_route53 as route53,
@@ -21,14 +22,21 @@ import { awsManagedRules } from './waf';
  * Route53 alias record, and ACM certificate.
  */
 export class FrontEnd extends Construct {
+  appBucket: s3.IBucket;
+  responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+  waf?: wafv2.CfnWebACL;
+  apiOriginCachePolicy?: cloudfront.ICachePolicy;
+  originAccessIdentity?: cloudfront.OriginAccessIdentity;
+  originAccessPolicyStatement?: iam.PolicyStatement;
+  distribution?: cloudfront.IDistribution;
+  dnsRecord?: route53.IRecordSet;
+
   constructor(parent: Construct, config: MedplumInfraConfig, region: string) {
     super(parent, 'FrontEnd');
 
-    let appBucket: s3.IBucket;
-
     if (region === config.region) {
       // S3 bucket
-      appBucket = new s3.Bucket(this, 'AppBucket', {
+      this.appBucket = new s3.Bucket(this, 'AppBucket', {
         bucketName: config.appDomainName,
         publicReadAccess: false,
         blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
@@ -39,7 +47,7 @@ export class FrontEnd extends Construct {
       });
     } else {
       // Otherwise, reference the bucket by name and region
-      appBucket = s3.Bucket.fromBucketAttributes(this, 'AppBucket', {
+      this.appBucket = s3.Bucket.fromBucketAttributes(this, 'AppBucket', {
         bucketName: config.appDomainName,
         region: config.region,
       });
@@ -47,7 +55,7 @@ export class FrontEnd extends Construct {
 
     if (region === 'us-east-1') {
       // HTTP response headers policy
-      const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
+      this.responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
         securityHeadersBehavior: {
           contentSecurityPolicy: {
             contentSecurityPolicy: [
@@ -85,7 +93,7 @@ export class FrontEnd extends Construct {
       });
 
       // WAF
-      const waf = new wafv2.CfnWebACL(this, 'FrontEndWAF', {
+      this.waf = new wafv2.CfnWebACL(this, 'FrontEndWAF', {
         defaultAction: { allow: {} },
         scope: 'CLOUDFRONT',
         name: `${config.stackName}-FrontEndWAF`,
@@ -98,7 +106,7 @@ export class FrontEnd extends Construct {
       });
 
       // API Origin Cache Policy
-      const apiOriginCachePolicy = new cloudfront.CachePolicy(this, 'ApiOriginCachePolicy', {
+      this.apiOriginCachePolicy = new cloudfront.CachePolicy(this, 'ApiOriginCachePolicy', {
         cachePolicyName: `${config.stackName}-ApiOriginCachePolicy`,
         cookieBehavior: cloudfront.CacheCookieBehavior.all(),
         headerBehavior: cloudfront.CacheHeaderBehavior.allowList(
@@ -115,15 +123,20 @@ export class FrontEnd extends Construct {
       });
 
       // Origin access identity
-      const originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-      grantBucketAccessToOriginAccessIdentity(appBucket, originAccessIdentity);
+      this.originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
+      this.originAccessPolicyStatement = grantBucketAccessToOriginAccessIdentity(
+        this.appBucket,
+        this.originAccessIdentity
+      );
 
       // CloudFront distribution
-      const distribution = new cloudfront.Distribution(this, 'AppDistribution', {
+      this.distribution = new cloudfront.Distribution(this, 'AppDistribution', {
         defaultRootObject: 'index.html',
         defaultBehavior: {
-          origin: new origins.S3Origin(appBucket, { originAccessIdentity }),
-          responseHeadersPolicy,
+          origin: new origins.S3Origin(this.appBucket, {
+            originAccessIdentity: this.originAccessIdentity,
+          }),
+          responseHeadersPolicy: this.responseHeadersPolicy,
           viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
         },
         additionalBehaviors: config.appApiProxy
@@ -131,7 +144,7 @@ export class FrontEnd extends Construct {
               '/api/*': {
                 origin: new origins.HttpOrigin(config.apiDomainName),
                 allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
-                cachePolicy: apiOriginCachePolicy,
+                cachePolicy: this.apiOriginCachePolicy,
                 viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
               },
             }
@@ -150,7 +163,7 @@ export class FrontEnd extends Construct {
             responsePagePath: '/index.html',
           },
         ],
-        webAclId: waf.attrArn,
+        webAclId: this.waf.attrArn,
         logBucket: config.appLoggingBucket
           ? s3.Bucket.fromBucketName(this, 'LoggingBucket', config.appLoggingBucket)
           : undefined,
@@ -158,22 +171,18 @@ export class FrontEnd extends Construct {
       });
 
       // DNS
-      let record = undefined;
       if (!config.skipDns) {
         const zone = route53.HostedZone.fromLookup(this, 'Zone', {
           domainName: config.domainName.split('.').slice(-2).join('.'),
         });
 
         // Route53 alias record for the CloudFront distribution
-        record = new route53.ARecord(this, 'AppAliasRecord', {
+        this.dnsRecord = new route53.ARecord(this, 'AppAliasRecord', {
           recordName: config.appDomainName,
-          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
+          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
           zone,
         });
       }
-
-      // Debug
-      console.log('ARecord', record?.domainName);
     }
   }
 }

package/src/index.test.ts

@@ -498,4 +498,42 @@ describe('Infra', () => {
     expect(() => main({ config: filename })).not.toThrow();
     unlinkSync(filename);
   });
+
+  test('CloudTrail alarms', () => {
+    const filename = resolve('./medplum.cloudtrail.config.json');
+    writeFileSync(
+      filename,
+      JSON.stringify({
+        name: 'cloudtrail',
+        stackName: 'MedplumCloudTrailStack',
+        accountNumber: '647991932601',
+        region: 'us-east-1',
+        domainName: 'medplum.com',
+        apiPort: 8103,
+        apiDomainName: 'api.medplum.com',
+        apiSslCertArn: 'arn:aws:acm:us-east-1:647991932601:certificate/08bf1daf-3a2b-4cbe-91a0-739b4364a1ec',
+        appDomainName: 'app.medplum.com',
+        appSslCertArn: 'arn:aws:acm:us-east-1:647991932601:certificate/fd21b628-b2c0-4a5d-b4f5-b5c9a6d63b1a',
+        storageBucketName: 'medplum-storage',
+        storageDomainName: 'storage.medplum.com',
+        storageSslCertArn: 'arn:aws:acm:us-east-1:647991932601:certificate/19d85245-0a1d-4bf5-9789-23082b1a15fc',
+        storagePublicKey: '-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----',
+        maxAzs: 2,
+        rdsInstances: 1,
+        desiredServerCount: 1,
+        serverImage: 'medplum/medplum-server:staging',
+        serverMemory: 512,
+        serverCpu: 256,
+        cloudTrailAlarms: {
+          logGroupName: 'cloudtrail-logs',
+          logGroupCreate: true,
+          snsTopicName: 'cloudtrail-alarms',
+        },
+      }),
+      { encoding: 'utf-8' }
+    );
+
+    expect(() => main({ config: filename })).not.toThrow();
+    unlinkSync(filename);
+  });
 });

package/src/index.ts

@@ -1,47 +1,15 @@
 import { MedplumInfraConfig } from '@medplum/core';
-import { App, Stack, Tags } from 'aws-cdk-lib';
+import { App } from 'aws-cdk-lib';
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
-import { BackEnd } from './backend';
-import { FrontEnd } from './frontend';
-import { Storage } from './storage';
+import { MedplumStack } from './stack';
 
-class MedplumStack {
-  primaryStack: Stack;
-  backEnd: BackEnd;
-  frontEnd: FrontEnd;
-  storage: Storage;
-
-  constructor(scope: App, config: MedplumInfraConfig) {
-    this.primaryStack = new Stack(scope, config.stackName, {
-      env: {
-        region: config.region,
-        account: config.accountNumber,
-      },
-    });
-    Tags.of(this.primaryStack).add('medplum:environment', config.name);
-
-    this.backEnd = new BackEnd(this.primaryStack, config);
-    this.frontEnd = new FrontEnd(this.primaryStack, config, config.region);
-    this.storage = new Storage(this.primaryStack, config, config.region);
-
-    if (config.region !== 'us-east-1') {
-      // Some resources must be created in us-east-1
-      // For example, CloudFront distributions and ACM certificates
-      // If the primary region is not us-east-1, create these resources in us-east-1
-      const usEast1Stack = new Stack(scope, config.stackName + '-us-east-1', {
-        env: {
-          region: 'us-east-1',
-          account: config.accountNumber,
-        },
-      });
-      Tags.of(usEast1Stack).add('medplum:environment', config.name);
-
-      this.frontEnd = new FrontEnd(usEast1Stack, config, 'us-east-1');
-      this.storage = new Storage(usEast1Stack, config, 'us-east-1');
-    }
-  }
-}
+export * from './backend';
+export * from './cloudtrail';
+export * from './frontend';
+export * from './stack';
+export * from './storage';
+export * from './waf';
 
 export function main(context?: Record<string, string>): void {
   const app = new App({ context });
@@ -56,11 +24,7 @@ export function main(context?: Record<string, string>): void {
   const config = JSON.parse(readFileSync(resolve(configFileName), 'utf-8')) as MedplumInfraConfig;
 
   const stack = new MedplumStack(app, config);
-
   console.log('Stack', stack.primaryStack.stackId);
-  console.log('BackEnd', stack.backEnd.node.id);
-  console.log('FrontEnd', stack.frontEnd.node.id);
-  console.log('Storage', stack.storage.node.id);
 
   app.synth();
 }

package/src/oai.ts

@@ -11,13 +11,15 @@ import { aws_cloudfront as cloudfront, aws_iam as iam, aws_s3 as s3 } from 'aws-
  * However, if importing an S3 bucket via `s3.Bucket.fromBucketAttributes()`, that does not work.
  *
  * See: https://stackoverflow.com/a/60917015
+ *
  * @param bucket The S3 bucket.
  * @param identity The CloudFront Origin Access Identity.
+ * @returns The policy statement.
  */
 export function grantBucketAccessToOriginAccessIdentity(
   bucket: s3.IBucket,
   identity: cloudfront.OriginAccessIdentity
-): void {
+): iam.PolicyStatement {
   const policyStatement = new iam.PolicyStatement();
   policyStatement.addActions('s3:GetObject*');
   policyStatement.addActions('s3:GetBucket*');
@@ -26,4 +28,5 @@ export function grantBucketAccessToOriginAccessIdentity(
   policyStatement.addResources(`${bucket.bucketArn}/*`);
   policyStatement.addCanonicalUserPrincipal(identity.cloudFrontOriginAccessIdentityS3CanonicalUserId);
   bucket.addToResourcePolicy(policyStatement);
+  return policyStatement;
 }

package/src/stack.ts

@@ -0,0 +1,65 @@
+import { MedplumInfraConfig } from '@medplum/core';
+import { App, Stack, Tags } from 'aws-cdk-lib';
+import { BackEnd } from './backend';
+import { CloudTrailAlarms } from './cloudtrail';
+import { FrontEnd } from './frontend';
+import { Storage } from './storage';
+
+export class MedplumStack {
+  primaryStack: MedplumPrimaryStack;
+  globalStack?: MedplumGlobalStack;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    this.primaryStack = new MedplumPrimaryStack(scope, config);
+
+    if (config.region !== 'us-east-1') {
+      // Some resources must be created in us-east-1
+      // For example, CloudFront distributions and ACM certificates
+      // If the primary region is not us-east-1, create these resources in us-east-1
+      this.globalStack = new MedplumGlobalStack(scope, config);
+      this.globalStack.addDependency(this.primaryStack);
+    }
+  }
+}
+
+export class MedplumPrimaryStack extends Stack {
+  backEnd: BackEnd;
+  frontEnd: FrontEnd;
+  storage: Storage;
+  cloudTrail: CloudTrailAlarms;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    super(scope, config.stackName, {
+      env: {
+        region: config.region,
+        account: config.accountNumber,
+      },
+    });
+    Tags.of(this).add('medplum:environment', config.name);
+
+    this.backEnd = new BackEnd(this, config);
+    this.frontEnd = new FrontEnd(this, config, config.region);
+    this.storage = new Storage(this, config, config.region);
+    this.cloudTrail = new CloudTrailAlarms(this, config);
+  }
+}
+
+export class MedplumGlobalStack extends Stack {
+  frontEnd: FrontEnd;
+  storage: Storage;
+  cloudTrail: CloudTrailAlarms;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    super(scope, config.stackName + '-us-east-1', {
+      env: {
+        region: 'us-east-1',
+        account: config.accountNumber,
+      },
+    });
+    Tags.of(this).add('medplum:environment', config.name);
+
+    this.frontEnd = new FrontEnd(this, config, 'us-east-1');
+    this.storage = new Storage(this, config, 'us-east-1');
+    this.cloudTrail = new CloudTrailAlarms(this, config);
+  }
+}

package/src/storage.ts

@@ -3,6 +3,7 @@ import {
   aws_certificatemanager as acm,
   aws_cloudfront as cloudfront,
   Duration,
+  aws_iam as iam,
   aws_cloudfront_origins as origins,
   aws_route53 as route53,
   aws_s3 as s3,
@@ -18,14 +19,21 @@ import { awsManagedRules } from './waf';
  * Binary storage bucket and CloudFront distribution.
  */
 export class Storage extends Construct {
+  storageBucket: s3.IBucket;
+  keyGroup?: cloudfront.IKeyGroup;
+  responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+  waf?: wafv2.CfnWebACL;
+  originAccessIdentity?: cloudfront.OriginAccessIdentity;
+  originAccessPolicyStatement?: iam.PolicyStatement;
+  distribution?: cloudfront.IDistribution;
+  dnsRecord?: route53.IRecordSet;
+
   constructor(parent: Construct, config: MedplumInfraConfig, region: string) {
     super(parent, 'Storage');
 
-    let storageBucket: s3.IBucket;
-
     if (region === config.region) {
       // S3 bucket
-      storageBucket = new s3.Bucket(this, 'StorageBucket', {
+      this.storageBucket = new s3.Bucket(this, 'StorageBucket', {
         bucketName: config.storageBucketName,
         publicReadAccess: false,
         blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
@@ -42,11 +50,11 @@ export class Storage extends Construct {
             logsPrefix: config.clamscanLoggingPrefix,
           },
         });
-        sc.addSourceBucket(storageBucket);
+        sc.addSourceBucket(this.storageBucket);
       }
     } else {
-      // Otherwise, reference the bucket by name
-      storageBucket = s3.Bucket.fromBucketAttributes(this, 'StorageBucket', {
+      // Otherwise, reference the bucket by name and region
+      this.storageBucket = s3.Bucket.fromBucketAttributes(this, 'StorageBucket', {
         bucketName: config.storageBucketName,
         region: config.region,
       });
@@ -64,12 +72,12 @@ export class Storage extends Construct {
       }
 
       // Authorized key group for presigned URLs
-      const keyGroup = new cloudfront.KeyGroup(this, 'StorageKeyGroup', {
+      this.keyGroup = new cloudfront.KeyGroup(this, 'StorageKeyGroup', {
         items: [publicKey],
       });
 
       // HTTP response headers policy
-      const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
+      this.responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
         securityHeadersBehavior: {
           contentSecurityPolicy: {
             contentSecurityPolicy:
@@ -93,7 +101,7 @@ export class Storage extends Construct {
       });
 
       // WAF
-      const waf = new wafv2.CfnWebACL(this, 'StorageWAF', {
+      this.waf = new wafv2.CfnWebACL(this, 'StorageWAF', {
         defaultAction: { allow: {} },
         scope: 'CLOUDFRONT',
         name: `${config.stackName}-StorageWAF`,
@@ -106,20 +114,25 @@ export class Storage extends Construct {
       });
 
       // Origin access identity
-      const originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-      grantBucketAccessToOriginAccessIdentity(storageBucket, originAccessIdentity);
+      this.originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
+      this.originAccessPolicyStatement = grantBucketAccessToOriginAccessIdentity(
+        this.storageBucket,
+        this.originAccessIdentity
+      );
 
       // CloudFront distribution
-      const distribution = new cloudfront.Distribution(this, 'StorageDistribution', {
+      this.distribution = new cloudfront.Distribution(this, 'StorageDistribution', {
         defaultBehavior: {
-          origin: new origins.S3Origin(storageBucket, { originAccessIdentity }),
-          responseHeadersPolicy,
+          origin: new origins.S3Origin(this.storageBucket, {
+            originAccessIdentity: this.originAccessIdentity,
+          }),
+          responseHeadersPolicy: this.responseHeadersPolicy,
           viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-          trustedKeyGroups: [keyGroup],
+          trustedKeyGroups: [this.keyGroup],
         },
         certificate: acm.Certificate.fromCertificateArn(this, 'StorageCertificate', config.storageSslCertArn),
         domainNames: [config.storageDomainName],
-        webAclId: waf.attrArn,
+        webAclId: this.waf.attrArn,
         logBucket: config.storageLoggingBucket
           ? s3.Bucket.fromBucketName(this, 'LoggingBucket', config.storageLoggingBucket)
           : undefined,
@@ -127,22 +140,18 @@ export class Storage extends Construct {
       });
 
       // DNS
-      let record = undefined;
       if (!config.skipDns) {
         const zone = route53.HostedZone.fromLookup(this, 'Zone', {
           domainName: config.domainName.split('.').slice(-2).join('.'),
         });
 
         // Route53 alias record for the CloudFront distribution
-        record = new route53.ARecord(this, 'StorageAliasRecord', {
+        this.dnsRecord = new route53.ARecord(this, 'StorageAliasRecord', {
           recordName: config.storageDomainName,
-          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
+          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
           zone,
         });
       }
-
-      // Debug
-      console.log('ARecord', record?.domainName);
     }
   }
 }