@medplum/cdk 2.1.1 → 2.1.3

package/src/index.ts

@@ -1,51 +1,15 @@
 import { MedplumInfraConfig } from '@medplum/core';
-import { App, Stack, Tags } from 'aws-cdk-lib';
+import { App } from 'aws-cdk-lib';
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
-import { BackEnd } from './backend';
-import { FrontEnd } from './frontend';
-import { Storage } from './storage';
-import { CloudTrailAlarms } from './cloudtrail';
+import { MedplumStack } from './stack';
 
-class MedplumStack {
-  primaryStack: Stack;
-  backEnd: BackEnd;
-  frontEnd: FrontEnd;
-  storage: Storage;
-  cloudTrail: CloudTrailAlarms;
-
-  constructor(scope: App, config: MedplumInfraConfig) {
-    this.primaryStack = new Stack(scope, config.stackName, {
-      env: {
-        region: config.region,
-        account: config.accountNumber,
-      },
-    });
-    Tags.of(this.primaryStack).add('medplum:environment', config.name);
-
-    this.backEnd = new BackEnd(this.primaryStack, config);
-    this.frontEnd = new FrontEnd(this.primaryStack, config, config.region);
-    this.storage = new Storage(this.primaryStack, config, config.region);
-    this.cloudTrail = new CloudTrailAlarms(this.primaryStack, config);
-
-    if (config.region !== 'us-east-1') {
-      // Some resources must be created in us-east-1
-      // For example, CloudFront distributions and ACM certificates
-      // If the primary region is not us-east-1, create these resources in us-east-1
-      const usEast1Stack = new Stack(scope, config.stackName + '-us-east-1', {
-        env: {
-          region: 'us-east-1',
-          account: config.accountNumber,
-        },
-      });
-      Tags.of(usEast1Stack).add('medplum:environment', config.name);
-
-      this.frontEnd = new FrontEnd(usEast1Stack, config, 'us-east-1');
-      this.storage = new Storage(usEast1Stack, config, 'us-east-1');
-      this.cloudTrail = new CloudTrailAlarms(usEast1Stack, config);
-    }
-  }
-}
+export * from './backend';
+export * from './cloudtrail';
+export * from './frontend';
+export * from './stack';
+export * from './storage';
+export * from './waf';
 
 export function main(context?: Record<string, string>): void {
   const app = new App({ context });
@@ -60,12 +24,7 @@ export function main(context?: Record<string, string>): void {
   const config = JSON.parse(readFileSync(resolve(configFileName), 'utf-8')) as MedplumInfraConfig;
 
   const stack = new MedplumStack(app, config);
-
   console.log('Stack', stack.primaryStack.stackId);
-  console.log('BackEnd', stack.backEnd.node.id);
-  console.log('FrontEnd', stack.frontEnd.node.id);
-  console.log('Storage', stack.storage.node.id);
-  console.log('CloudTrail', stack.cloudTrail.node.id);
 
   app.synth();
 }

package/src/oai.ts

@@ -11,13 +11,15 @@ import { aws_cloudfront as cloudfront, aws_iam as iam, aws_s3 as s3 } from 'aws-
  * However, if importing an S3 bucket via `s3.Bucket.fromBucketAttributes()`, that does not work.
  *
  * See: https://stackoverflow.com/a/60917015
+ *
  * @param bucket The S3 bucket.
  * @param identity The CloudFront Origin Access Identity.
+ * @returns The policy statement.
  */
 export function grantBucketAccessToOriginAccessIdentity(
   bucket: s3.IBucket,
   identity: cloudfront.OriginAccessIdentity
-): void {
+): iam.PolicyStatement {
   const policyStatement = new iam.PolicyStatement();
   policyStatement.addActions('s3:GetObject*');
   policyStatement.addActions('s3:GetBucket*');
@@ -26,4 +28,5 @@ export function grantBucketAccessToOriginAccessIdentity(
   policyStatement.addResources(`${bucket.bucketArn}/*`);
   policyStatement.addCanonicalUserPrincipal(identity.cloudFrontOriginAccessIdentityS3CanonicalUserId);
   bucket.addToResourcePolicy(policyStatement);
+  return policyStatement;
 }

package/src/stack.ts

@@ -0,0 +1,65 @@
+import { MedplumInfraConfig } from '@medplum/core';
+import { App, Stack, Tags } from 'aws-cdk-lib';
+import { BackEnd } from './backend';
+import { CloudTrailAlarms } from './cloudtrail';
+import { FrontEnd } from './frontend';
+import { Storage } from './storage';
+
+export class MedplumStack {
+  primaryStack: MedplumPrimaryStack;
+  globalStack?: MedplumGlobalStack;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    this.primaryStack = new MedplumPrimaryStack(scope, config);
+
+    if (config.region !== 'us-east-1') {
+      // Some resources must be created in us-east-1
+      // For example, CloudFront distributions and ACM certificates
+      // If the primary region is not us-east-1, create these resources in us-east-1
+      this.globalStack = new MedplumGlobalStack(scope, config);
+      this.globalStack.addDependency(this.primaryStack);
+    }
+  }
+}
+
+export class MedplumPrimaryStack extends Stack {
+  backEnd: BackEnd;
+  frontEnd: FrontEnd;
+  storage: Storage;
+  cloudTrail: CloudTrailAlarms;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    super(scope, config.stackName, {
+      env: {
+        region: config.region,
+        account: config.accountNumber,
+      },
+    });
+    Tags.of(this).add('medplum:environment', config.name);
+
+    this.backEnd = new BackEnd(this, config);
+    this.frontEnd = new FrontEnd(this, config, config.region);
+    this.storage = new Storage(this, config, config.region);
+    this.cloudTrail = new CloudTrailAlarms(this, config);
+  }
+}
+
+export class MedplumGlobalStack extends Stack {
+  frontEnd: FrontEnd;
+  storage: Storage;
+  cloudTrail: CloudTrailAlarms;
+
+  constructor(scope: App, config: MedplumInfraConfig) {
+    super(scope, config.stackName + '-us-east-1', {
+      env: {
+        region: 'us-east-1',
+        account: config.accountNumber,
+      },
+    });
+    Tags.of(this).add('medplum:environment', config.name);
+
+    this.frontEnd = new FrontEnd(this, config, 'us-east-1');
+    this.storage = new Storage(this, config, 'us-east-1');
+    this.cloudTrail = new CloudTrailAlarms(this, config);
+  }
+}

package/src/storage.ts

@@ -3,6 +3,7 @@ import {
   aws_certificatemanager as acm,
   aws_cloudfront as cloudfront,
   Duration,
+  aws_iam as iam,
   aws_cloudfront_origins as origins,
   aws_route53 as route53,
   aws_s3 as s3,
@@ -18,14 +19,21 @@ import { awsManagedRules } from './waf';
  * Binary storage bucket and CloudFront distribution.
  */
 export class Storage extends Construct {
+  storageBucket: s3.IBucket;
+  keyGroup?: cloudfront.IKeyGroup;
+  responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+  waf?: wafv2.CfnWebACL;
+  originAccessIdentity?: cloudfront.OriginAccessIdentity;
+  originAccessPolicyStatement?: iam.PolicyStatement;
+  distribution?: cloudfront.IDistribution;
+  dnsRecord?: route53.IRecordSet;
+
   constructor(parent: Construct, config: MedplumInfraConfig, region: string) {
     super(parent, 'Storage');
 
-    let storageBucket: s3.IBucket;
-
     if (region === config.region) {
       // S3 bucket
-      storageBucket = new s3.Bucket(this, 'StorageBucket', {
+      this.storageBucket = new s3.Bucket(this, 'StorageBucket', {
         bucketName: config.storageBucketName,
         publicReadAccess: false,
         blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
@@ -42,11 +50,11 @@ export class Storage extends Construct {
             logsPrefix: config.clamscanLoggingPrefix,
           },
         });
-        sc.addSourceBucket(storageBucket);
+        sc.addSourceBucket(this.storageBucket);
       }
     } else {
-      // Otherwise, reference the bucket by name
-      storageBucket = s3.Bucket.fromBucketAttributes(this, 'StorageBucket', {
+      // Otherwise, reference the bucket by name and region
+      this.storageBucket = s3.Bucket.fromBucketAttributes(this, 'StorageBucket', {
         bucketName: config.storageBucketName,
         region: config.region,
       });
@@ -64,12 +72,12 @@ export class Storage extends Construct {
       }
 
       // Authorized key group for presigned URLs
-      const keyGroup = new cloudfront.KeyGroup(this, 'StorageKeyGroup', {
+      this.keyGroup = new cloudfront.KeyGroup(this, 'StorageKeyGroup', {
         items: [publicKey],
       });
 
       // HTTP response headers policy
-      const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
+      this.responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
         securityHeadersBehavior: {
           contentSecurityPolicy: {
             contentSecurityPolicy:
@@ -93,7 +101,7 @@ export class Storage extends Construct {
       });
 
       // WAF
-      const waf = new wafv2.CfnWebACL(this, 'StorageWAF', {
+      this.waf = new wafv2.CfnWebACL(this, 'StorageWAF', {
         defaultAction: { allow: {} },
         scope: 'CLOUDFRONT',
         name: `${config.stackName}-StorageWAF`,
@@ -106,20 +114,25 @@ export class Storage extends Construct {
       });
 
       // Origin access identity
-      const originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-      grantBucketAccessToOriginAccessIdentity(storageBucket, originAccessIdentity);
+      this.originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
+      this.originAccessPolicyStatement = grantBucketAccessToOriginAccessIdentity(
+        this.storageBucket,
+        this.originAccessIdentity
+      );
 
       // CloudFront distribution
-      const distribution = new cloudfront.Distribution(this, 'StorageDistribution', {
+      this.distribution = new cloudfront.Distribution(this, 'StorageDistribution', {
         defaultBehavior: {
-          origin: new origins.S3Origin(storageBucket, { originAccessIdentity }),
-          responseHeadersPolicy,
+          origin: new origins.S3Origin(this.storageBucket, {
+            originAccessIdentity: this.originAccessIdentity,
+          }),
+          responseHeadersPolicy: this.responseHeadersPolicy,
           viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-          trustedKeyGroups: [keyGroup],
+          trustedKeyGroups: [this.keyGroup],
         },
         certificate: acm.Certificate.fromCertificateArn(this, 'StorageCertificate', config.storageSslCertArn),
         domainNames: [config.storageDomainName],
-        webAclId: waf.attrArn,
+        webAclId: this.waf.attrArn,
         logBucket: config.storageLoggingBucket
           ? s3.Bucket.fromBucketName(this, 'LoggingBucket', config.storageLoggingBucket)
           : undefined,
@@ -127,22 +140,18 @@ export class Storage extends Construct {
       });
 
       // DNS
-      let record = undefined;
       if (!config.skipDns) {
         const zone = route53.HostedZone.fromLookup(this, 'Zone', {
           domainName: config.domainName.split('.').slice(-2).join('.'),
         });
 
         // Route53 alias record for the CloudFront distribution
-        record = new route53.ARecord(this, 'StorageAliasRecord', {
+        this.dnsRecord = new route53.ARecord(this, 'StorageAliasRecord', {
           recordName: config.storageDomainName,
-          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
+          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
           zone,
         });
       }
-
-      // Debug
-      console.log('ARecord', record?.domainName);
     }
   }
 }