@medplum/cdk 2.1.17 → 2.1.19

package/src/config.ts

@@ -1,202 +0,0 @@
-import { GetParameterCommand, SSMClient } from '@aws-sdk/client-ssm';
-import {
-  ExternalSecret,
-  ExternalSecretPrimitive,
-  ExternalSecretPrimitiveType,
-  MedplumInfraConfig,
-  MedplumSourceInfraConfig,
-  OperationOutcomeError,
-  badRequest,
-  validationError,
-} from '@medplum/core';
-
-const VALID_PRIMITIVE_TYPES = ['string', 'boolean', 'number'];
-const ssmClients = {} as Record<string, SSMClient>;
-
-export class InfraConfigNormalizer {
-  private config: MedplumSourceInfraConfig;
-  private clients: { ssm: SSMClient };
-  constructor(config: MedplumSourceInfraConfig) {
-    const { region } = config;
-    if (!region) {
-      throw new OperationOutcomeError(validationError("'region' must be defined as a string literal in config."));
-    }
-    if (!ssmClients[region]) {
-      ssmClients[region] = new SSMClient({ region });
-    }
-    this.config = config;
-    this.clients = { ssm: ssmClients[region] };
-  }
-
-  async fetchParameterStoreSecret(key: string): Promise<string> {
-    const response = await this.clients.ssm.send(
-      new GetParameterCommand({
-        Name: key,
-        WithDecryption: true,
-      })
-    );
-    const param = response.Parameter;
-    if (!param) {
-      throw new OperationOutcomeError(
-        badRequest(
-          `Key '${key}' not found. Make sure your key is correct and that it is defined in your Parameter Store.`
-        )
-      );
-    }
-    const paramValue = param.Value;
-    if (!paramValue) {
-      throw new OperationOutcomeError(
-        badRequest(
-          `Key '${key}' found but has no value. Make sure your key is correct and that it is defined in your Parameter Store.`
-        )
-      );
-    }
-    return paramValue;
-  }
-
-  async fetchExternalSecret(externalSecret: ExternalSecret): Promise<ExternalSecretPrimitive> {
-    assertValidExternalSecret(externalSecret);
-    const { system, key, type } = externalSecret;
-    let rawValue: ExternalSecretPrimitive;
-    switch (system) {
-      case 'aws_ssm_parameter_store': {
-        rawValue = await this.fetchParameterStoreSecret(key);
-        break;
-      }
-      default:
-        throw new OperationOutcomeError(
-          validationError(`Unknown system '${system}' for ExternalSecret. Unable to fetch the secret for key '${key}'.`)
-        );
-    }
-    return normalizeFetchedValue(key, rawValue, type);
-  }
-
-  async normalizeInfraConfigArray(currentVal: any[]): Promise<ExternalSecretPrimitive[] | Record<string, any>[]> {
-    // ------ case 3a: primitives or `ExternalSecret`
-    const firstEle = currentVal[0];
-    let newArray: ExternalSecretPrimitive[] | Record<string, any>[];
-    if ((typeof firstEle !== 'object' && firstEle !== null) || isExternalSecretLike(firstEle)) {
-      newArray = new Array(currentVal.length) as ExternalSecretPrimitive[];
-      for (let i = 0; i < currentVal.length; i++) {
-        const currIdxVal = currentVal[i] as unknown as ExternalSecretPrimitive | ExternalSecret;
-        if (typeof currIdxVal !== 'object') {
-          newArray[i] = currIdxVal;
-          continue;
-        }
-        const fetchedVal = await this.fetchExternalSecret(currIdxVal);
-        newArray[i] = fetchedVal;
-      }
-    }
-    // ------ case 3b: other objects (recurse)
-    else {
-      newArray = new Array(currentVal.length) as Record<string, any>[];
-      for (let i = 0; i < currentVal.length; i++) {
-        newArray[i] = await this.normalizeObjectInInfraConfig(currentVal[i]);
-      }
-    }
-    return newArray;
-  }
-
-  async normalizeValueForKey(obj: Record<string, any>, key: string): Promise<void> {
-    const currentVal = obj[key];
-    // cases:
-    // --- case 1: primitive
-    if (typeof currentVal !== 'object') {
-      obj[key] = currentVal;
-    }
-    // --- case 2: object conforming to `ExternalSecret` schema
-    else if (isExternalSecretLike(currentVal)) {
-      obj[key] = await this.fetchExternalSecret(currentVal);
-    }
-    // --- case 3: an array of:
-    else if (Array.isArray(currentVal) && currentVal.length) {
-      obj[key] = await this.normalizeInfraConfigArray(currentVal);
-    }
-    // --- case 4: other object (recurse)
-    else if (typeof currentVal === 'object') {
-      obj[key] = await this.normalizeObjectInInfraConfig(currentVal);
-    }
-  }
-
-  async normalizeObjectInInfraConfig(obj: Record<string, any>): Promise<Record<string, any>> {
-    const normalizedObj = { ...obj };
-    // walk config object
-    for (const key of Object.keys(normalizedObj)) {
-      await this.normalizeValueForKey(normalizedObj, key);
-    }
-    return normalizedObj;
-  }
-
-  async normalizeConfig(): Promise<MedplumInfraConfig> {
-    return this.normalizeObjectInInfraConfig(this.config) as Promise<MedplumInfraConfig>;
-  }
-}
-
-export function normalizeFetchedValue(
-  key: string,
-  rawValue: ExternalSecretPrimitive,
-  expectedType: ExternalSecretPrimitiveType
-): ExternalSecretPrimitive {
-  const typeOfVal = typeof rawValue;
-  // Return raw type if type is string and value is of type string, or if type isn't string and typeof val isn't string
-  if (!VALID_PRIMITIVE_TYPES.includes(typeOfVal)) {
-    throw new OperationOutcomeError(
-      validationError(
-        `Invalid value found for type; expected either ${VALID_PRIMITIVE_TYPES.join(', or')} but got ${typeOfVal}`
-      )
-    );
-  }
-  if (typeOfVal === expectedType) {
-    return rawValue;
-  } else if (typeOfVal === 'string' && expectedType === 'boolean') {
-    const normalized = (rawValue as string).toLowerCase() as 'true' | 'false';
-    if (normalized !== 'true' && normalized !== 'false') {
-      throw new OperationOutcomeError(
-        validationError(`Invalid value found for key '${key}'; expected boolean value but got '${rawValue}'`)
-      );
-    }
-    return normalized === 'true';
-  } else if (typeOfVal === 'string' && expectedType === 'number') {
-    const parsed = parseInt(rawValue as string, 10);
-    if (Number.isNaN(parsed)) {
-      throw new OperationOutcomeError(
-        validationError(`Invalid value found for key '${key}'; expected integer value but got '${rawValue}'`)
-      );
-    }
-    return parsed;
-  } else {
-    throw new OperationOutcomeError(
-      validationError(`Invalid value found for type; expected ${expectedType} value but got value of type ${typeOfVal}`)
-    );
-  }
-}
-
-export function isExternalSecretLike(obj: Record<string, any>): obj is ExternalSecret {
-  return (
-    typeof obj === 'object' &&
-    typeof obj.system === 'string' &&
-    typeof obj.key === 'string' &&
-    typeof obj.type === 'string'
-  );
-}
-
-export function isExternalSecret(obj: Record<string, any>): obj is ExternalSecret {
-  return (
-    typeof obj === 'object' &&
-    typeof obj.system === 'string' &&
-    typeof obj.key === 'string' &&
-    VALID_PRIMITIVE_TYPES.includes(obj.type)
-  );
-}
-
-export function assertValidExternalSecret(obj: Record<string, any>): asserts obj is ExternalSecret {
-  if (!isExternalSecret(obj)) {
-    throw new OperationOutcomeError(
-      validationError('obj is not a valid `ExternalSecret`, must contain a valid `system`, `key`, and `type` prop.')
-    );
-  }
-}
-
-export async function normalizeInfraConfig(config: MedplumSourceInfraConfig): Promise<MedplumInfraConfig> {
-  return new InfraConfigNormalizer(config).normalizeConfig();
-}

package/src/frontend.ts

@@ -1,188 +0,0 @@
-import { MedplumInfraConfig } from '@medplum/core';
-import {
-  aws_certificatemanager as acm,
-  aws_cloudfront as cloudfront,
-  Duration,
-  aws_iam as iam,
-  aws_cloudfront_origins as origins,
-  RemovalPolicy,
-  aws_route53 as route53,
-  aws_s3 as s3,
-  aws_route53_targets as targets,
-  aws_wafv2 as wafv2,
-} from 'aws-cdk-lib';
-import { Construct } from 'constructs';
-import { grantBucketAccessToOriginAccessIdentity } from './oai';
-import { awsManagedRules } from './waf';
-
-/**
- * Static app infrastructure, which deploys app content to an S3 bucket.
- *
- * The app redirects from HTTP to HTTPS, using a CloudFront distribution,
- * Route53 alias record, and ACM certificate.
- */
-export class FrontEnd extends Construct {
-  appBucket: s3.IBucket;
-  responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
-  waf?: wafv2.CfnWebACL;
-  apiOriginCachePolicy?: cloudfront.ICachePolicy;
-  originAccessIdentity?: cloudfront.OriginAccessIdentity;
-  originAccessPolicyStatement?: iam.PolicyStatement;
-  distribution?: cloudfront.IDistribution;
-  dnsRecord?: route53.IRecordSet;
-
-  constructor(parent: Construct, config: MedplumInfraConfig, region: string) {
-    super(parent, 'FrontEnd');
-
-    if (region === config.region) {
-      // S3 bucket
-      this.appBucket = new s3.Bucket(this, 'AppBucket', {
-        bucketName: config.appDomainName,
-        publicReadAccess: false,
-        blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
-        removalPolicy: RemovalPolicy.DESTROY,
-        encryption: s3.BucketEncryption.S3_MANAGED,
-        enforceSSL: true,
-        versioned: true,
-      });
-    } else {
-      // Otherwise, reference the bucket by name and region
-      this.appBucket = s3.Bucket.fromBucketAttributes(this, 'AppBucket', {
-        bucketName: config.appDomainName,
-        region: config.region,
-      });
-    }
-
-    if (region === 'us-east-1') {
-      // HTTP response headers policy
-      this.responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
-        securityHeadersBehavior: {
-          contentSecurityPolicy: {
-            contentSecurityPolicy: [
-              `default-src 'none'`,
-              `base-uri 'self'`,
-              `child-src 'self'`,
-              `connect-src 'self' ${config.apiDomainName} *.google.com`,
-              `font-src 'self' fonts.gstatic.com`,
-              `form-action 'self' *.gstatic.com *.google.com`,
-              `frame-ancestors 'none'`,
-              `frame-src 'self' *.medplum.com *.gstatic.com *.google.com`,
-              `img-src 'self' data: ${config.storageDomainName} *.gstatic.com *.google.com *.googleapis.com`,
-              `manifest-src 'self'`,
-              `media-src 'self' ${config.storageDomainName}`,
-              `script-src 'self' *.medplum.com *.gstatic.com *.google.com`,
-              `style-src 'self' 'unsafe-inline' *.medplum.com *.gstatic.com *.google.com`,
-              `worker-src 'self' blob: *.gstatic.com *.google.com`,
-              `upgrade-insecure-requests`,
-            ].join('; '),
-            override: true,
-          },
-          contentTypeOptions: { override: true },
-          frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
-          strictTransportSecurity: {
-            accessControlMaxAge: Duration.seconds(63072000),
-            includeSubdomains: true,
-            override: true,
-          },
-          xssProtection: {
-            protection: true,
-            modeBlock: true,
-            override: true,
-          },
-        },
-      });
-
-      // WAF
-      this.waf = new wafv2.CfnWebACL(this, 'FrontEndWAF', {
-        defaultAction: { allow: {} },
-        scope: 'CLOUDFRONT',
-        name: `${config.stackName}-FrontEndWAF`,
-        rules: awsManagedRules,
-        visibilityConfig: {
-          cloudWatchMetricsEnabled: true,
-          metricName: `${config.stackName}-FrontEndWAF-Metric`,
-          sampledRequestsEnabled: false,
-        },
-      });
-
-      // API Origin Cache Policy
-      this.apiOriginCachePolicy = new cloudfront.CachePolicy(this, 'ApiOriginCachePolicy', {
-        cachePolicyName: `${config.stackName}-ApiOriginCachePolicy`,
-        cookieBehavior: cloudfront.CacheCookieBehavior.all(),
-        headerBehavior: cloudfront.CacheHeaderBehavior.allowList(
-          'Authorization',
-          'Content-Encoding',
-          'Content-Type',
-          'If-None-Match',
-          'Origin',
-          'Referer',
-          'User-Agent',
-          'X-Medplum'
-        ),
-        queryStringBehavior: cloudfront.CacheQueryStringBehavior.all(),
-      });
-
-      // Origin access identity
-      this.originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OriginAccessIdentity', {});
-      this.originAccessPolicyStatement = grantBucketAccessToOriginAccessIdentity(
-        this.appBucket,
-        this.originAccessIdentity
-      );
-
-      // CloudFront distribution
-      this.distribution = new cloudfront.Distribution(this, 'AppDistribution', {
-        defaultRootObject: 'index.html',
-        defaultBehavior: {
-          origin: new origins.S3Origin(this.appBucket, {
-            originAccessIdentity: this.originAccessIdentity,
-          }),
-          responseHeadersPolicy: this.responseHeadersPolicy,
-          viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-        },
-        additionalBehaviors: config.appApiProxy
-          ? {
-              '/api/*': {
-                origin: new origins.HttpOrigin(config.apiDomainName),
-                allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
-                cachePolicy: this.apiOriginCachePolicy,
-                viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-              },
-            }
-          : undefined,
-        certificate: acm.Certificate.fromCertificateArn(this, 'AppCertificate', config.appSslCertArn),
-        domainNames: [config.appDomainName],
-        errorResponses: [
-          {
-            httpStatus: 403,
-            responseHttpStatus: 200,
-            responsePagePath: '/index.html',
-          },
-          {
-            httpStatus: 404,
-            responseHttpStatus: 200,
-            responsePagePath: '/index.html',
-          },
-        ],
-        webAclId: this.waf.attrArn,
-        logBucket: config.appLoggingBucket
-          ? s3.Bucket.fromBucketName(this, 'LoggingBucket', config.appLoggingBucket)
-          : undefined,
-        logFilePrefix: config.appLoggingPrefix,
-      });
-
-      // DNS
-      if (!config.skipDns) {
-        const zone = route53.HostedZone.fromLookup(this, 'Zone', {
-          domainName: config.domainName.split('.').slice(-2).join('.'),
-        });
-
-        // Route53 alias record for the CloudFront distribution
-        this.dnsRecord = new route53.ARecord(this, 'AppAliasRecord', {
-          recordName: config.appDomainName,
-          target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
-          zone,
-        });
-      }
-    }
-  }
-}