raindancers-cloudfront 0.0.0 → 0.0.1

package/lib/cloudfront/lambda/webacl/index.py

@@ -0,0 +1,356 @@
+import json
+import boto3
+from typing import Any, Dict, List
+
+wafv2 = boto3.client('wafv2', region_name='us-east-1')
+
+def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
+    """
+    Custom resource handler for creating WAF WebACLs in us-east-1.
+    """
+    print(f"Event: {json.dumps(event)}")
+    
+    try:
+        request_type = event['RequestType']
+        props = event['ResourceProperties']
+        
+        name = props['Name']
+        enable_managed_rules = props.get('EnableManagedRules', 'true')
+        # Convert string to boolean
+        if isinstance(enable_managed_rules, str):
+            enable_managed_rules = enable_managed_rules.lower() == 'true'
+        rate_limit = int(props.get('RateLimit', 2000))
+        path_rate_limits_str = props.get('PathRateLimits', '[]')
+        path_rate_limits = json.loads(path_rate_limits_str) if isinstance(path_rate_limits_str, str) else path_rate_limits_str
+        allowed_countries = props.get('AllowedCountries', [])
+        blocked_countries = props.get('BlockedCountries', [])
+        
+        print(f"Processing {request_type} for WebACL: {name}")
+        
+        if request_type == 'Create':
+            return create_webacl(name, enable_managed_rules, rate_limit, path_rate_limits, allowed_countries, blocked_countries)
+        elif request_type == 'Update':
+            webacl_id = event['PhysicalResourceId']
+            return update_webacl(webacl_id, name, enable_managed_rules, rate_limit, path_rate_limits, allowed_countries, blocked_countries)
+        elif request_type == 'Delete':
+            webacl_id = event['PhysicalResourceId']
+            return delete_webacl(webacl_id, name)
+        
+        return {
+            'PhysicalResourceId': event.get('PhysicalResourceId', 'unknown'),
+            'Data': {}
+        }
+    except Exception as e:
+        print(f"ERROR: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        raise
+
+def create_webacl(name: str, enable_managed_rules: bool, rate_limit: int, path_rate_limits: List[Dict[str, Any]], allowed_countries: List[str], blocked_countries: List[str]) -> Dict[str, Any]:
+    """Create a WAF WebACL."""
+    
+    rules = build_rules(enable_managed_rules, rate_limit, path_rate_limits, allowed_countries, blocked_countries)
+    
+    print(f"Creating WebACL with {len(rules)} rules")
+    
+    response = wafv2.create_web_acl(
+        Name=name,
+        Scope='CLOUDFRONT',
+        DefaultAction={'Allow': {}},
+        Rules=rules,
+        VisibilityConfig={
+            'SampledRequestsEnabled': True,
+            'CloudWatchMetricsEnabled': True,
+            'MetricName': name
+        }
+    )
+    
+    webacl_arn = response['Summary']['ARN']
+    webacl_id = response['Summary']['Id']
+    
+    print(f"WebACL created: {webacl_arn}")
+    
+    return {
+        'PhysicalResourceId': webacl_id,
+        'Data': {
+            'WebAclArn': webacl_arn,
+            'WebAclId': webacl_id
+        }
+    }
+
+def update_webacl(webacl_id: str, name: str, enable_managed_rules: bool, rate_limit: int, path_rate_limits: List[Dict[str, Any]], allowed_countries: List[str], blocked_countries: List[str]) -> Dict[str, Any]:
+    """Update a WAF WebACL."""
+    
+    # Get current WebACL to get lock token
+    response = wafv2.get_web_acl(
+        Name=name,
+        Scope='CLOUDFRONT',
+        Id=webacl_id
+    )
+    
+    lock_token = response['LockToken']
+    webacl_arn = response['WebACL']['ARN']
+    
+    rules = build_rules(enable_managed_rules, rate_limit, path_rate_limits, allowed_countries, blocked_countries)
+    
+    print(f"Updating WebACL with {len(rules)} rules")
+    
+    wafv2.update_web_acl(
+        Name=name,
+        Scope='CLOUDFRONT',
+        Id=webacl_id,
+        DefaultAction={'Allow': {}},
+        Rules=rules,
+        VisibilityConfig={
+            'SampledRequestsEnabled': True,
+            'CloudWatchMetricsEnabled': True,
+            'MetricName': name
+        },
+        LockToken=lock_token
+    )
+    
+    print(f"WebACL updated: {webacl_arn}")
+    
+    return {
+        'PhysicalResourceId': webacl_id,
+        'Data': {
+            'WebAclArn': webacl_arn,
+            'WebAclId': webacl_id
+        }
+    }
+
+def delete_webacl(webacl_id: str, name: str) -> Dict[str, Any]:
+    """Delete a WAF WebACL."""
+    
+    try:
+        # Get current WebACL to get lock token
+        response = wafv2.get_web_acl(
+            Name=name,
+            Scope='CLOUDFRONT',
+            Id=webacl_id
+        )
+        
+        lock_token = response['LockToken']
+        
+        wafv2.delete_web_acl(
+            Name=name,
+            Scope='CLOUDFRONT',
+            Id=webacl_id,
+            LockToken=lock_token
+        )
+        
+        print(f"WebACL deleted: {webacl_id}")
+    except wafv2.exceptions.WAFNonexistentItemException:
+        print(f"WebACL not found: {webacl_id}")
+    except Exception as e:
+        print(f"Error deleting WebACL: {e}")
+        import traceback
+        traceback.print_exc()
+        # Don't raise on delete - best effort cleanup
+    
+    return {
+        'PhysicalResourceId': webacl_id,
+        'Data': {}
+    }
+
+def build_rules(enable_managed_rules: bool, rate_limit: int, path_rate_limits: List[Dict[str, Any]], allowed_countries: List[str], blocked_countries: List[str]) -> List[Dict[str, Any]]:
+    """Build the rules list for the WebACL."""
+    
+    rules = []
+    priority = 0
+    
+    # Geo-blocking rules (highest priority)
+    if allowed_countries:
+        print(f"Adding geo-allow rule for countries: {allowed_countries}")
+        rules.append({
+            'Name': 'GeoAllowRule',
+            'Priority': priority,
+            'Statement': {
+                'NotStatement': {
+                    'Statement': {
+                        'GeoMatchStatement': {
+                            'CountryCodes': allowed_countries
+                        }
+                    }
+                }
+            },
+            'Action': {
+                'Block': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'GeoAllowRule'
+            }
+        })
+        priority += 1
+    
+    if blocked_countries:
+        print(f"Adding geo-block rule for countries: {blocked_countries}")
+        rules.append({
+            'Name': 'GeoBlockRule',
+            'Priority': priority,
+            'Statement': {
+                'GeoMatchStatement': {
+                    'CountryCodes': blocked_countries
+                }
+            },
+            'Action': {
+                'Block': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'GeoBlockRule'
+            }
+        })
+        priority += 1
+    
+    # Path-specific rate limiting rules (before general rate limit)
+    for idx, path_limit in enumerate(path_rate_limits):
+        path = path_limit['path']
+        limit = int(path_limit['rateLimit'])
+        rule_name = path_limit.get('name', f"PathRateLimit{idx}")
+        
+        print(f"Adding path-specific rate limit: {path} = {limit} req/5min")
+        
+        rules.append({
+            'Name': rule_name,
+            'Priority': priority,
+            'Statement': {
+                'RateBasedStatement': {
+                    'Limit': limit,
+                    'AggregateKeyType': 'IP',
+                    'ScopeDownStatement': {
+                        'ByteMatchStatement': {
+                            'SearchString': path,
+                            'FieldToMatch': {
+                                'UriPath': {}
+                            },
+                            'TextTransformations': [{
+                                'Priority': 0,
+                                'Type': 'NONE'
+                            }],
+                            'PositionalConstraint': 'STARTS_WITH' if not '*' in path else 'CONTAINS'
+                        }
+                    }
+                }
+            },
+            'Action': {
+                'Block': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': rule_name
+            }
+        })
+        priority += 1
+    
+    # General rate limiting rule
+    rules.append({
+        'Name': 'RateLimitRule',
+        'Priority': priority,
+        'Statement': {
+            'RateBasedStatement': {
+                'Limit': rate_limit,
+                'AggregateKeyType': 'IP'
+            }
+        },
+        'Action': {
+            'Block': {}
+        },
+        'VisibilityConfig': {
+            'SampledRequestsEnabled': True,
+            'CloudWatchMetricsEnabled': True,
+            'MetricName': 'RateLimitRule'
+        }
+    })
+    priority += 1
+    
+    if enable_managed_rules:
+        # Core Rule Set
+        rules.append({
+            'Name': 'AWSManagedRulesCommonRuleSet',
+            'Priority': priority,
+            'Statement': {
+                'ManagedRuleGroupStatement': {
+                    'VendorName': 'AWS',
+                    'Name': 'AWSManagedRulesCommonRuleSet'
+                }
+            },
+            'OverrideAction': {
+                'None': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'AWSManagedRulesCommonRuleSet'
+            }
+        })
+        priority += 1
+        
+        # Known Bad Inputs
+        rules.append({
+            'Name': 'AWSManagedRulesKnownBadInputsRuleSet',
+            'Priority': priority,
+            'Statement': {
+                'ManagedRuleGroupStatement': {
+                    'VendorName': 'AWS',
+                    'Name': 'AWSManagedRulesKnownBadInputsRuleSet'
+                }
+            },
+            'OverrideAction': {
+                'None': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'AWSManagedRulesKnownBadInputsRuleSet'
+            }
+        })
+        priority += 1
+        
+        # Amazon IP Reputation List
+        rules.append({
+            'Name': 'AWSManagedRulesAmazonIpReputationList',
+            'Priority': priority,
+            'Statement': {
+                'ManagedRuleGroupStatement': {
+                    'VendorName': 'AWS',
+                    'Name': 'AWSManagedRulesAmazonIpReputationList'
+                }
+            },
+            'OverrideAction': {
+                'None': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'AWSManagedRulesAmazonIpReputationList'
+            }
+        })
+        priority += 1
+        
+        # Anonymous IP List
+        rules.append({
+            'Name': 'AWSManagedRulesAnonymousIpList',
+            'Priority': priority,
+            'Statement': {
+                'ManagedRuleGroupStatement': {
+                    'VendorName': 'AWS',
+                    'Name': 'AWSManagedRulesAnonymousIpList'
+                }
+            },
+            'OverrideAction': {
+                'None': {}
+            },
+            'VisibilityConfig': {
+                'SampledRequestsEnabled': True,
+                'CloudWatchMetricsEnabled': True,
+                'MetricName': 'AWSManagedRulesAnonymousIpList'
+            }
+        })
+        priority += 1
+    
+    return rules

package/lib/cloudfront/logging/README.md

@@ -0,0 +1,144 @@
+# Audit Log Archive
+
+A reusable CDK construct for archiving CloudWatch Logs to S3 in Parquet format for long-term storage and analytics with Athena.
+
+## Features
+
+- **Parquet Format**: Columnar storage with Snappy compression (80-90% smaller than JSON)
+- **Intelligent-Tiering**: Automatic cost optimization for S3 storage
+- **Athena-Ready**: Pre-configured Glue database and table for immediate querying
+- **Partitioned**: Date-based partitioning (year/month/day) for efficient queries
+- **Encrypted**: KMS encryption for data at rest
+- **Configurable Retention**: Separate retention for CloudWatch Logs and S3 archive
+
+## Architecture
+
+```
+CloudWatch Logs → Subscription Filter → Kinesis Firehose → S3 (Parquet)
+                                              ↓
+                                        Glue Catalog
+                                              ↓
+                                          Athena
+```
+
+## Usage
+
+```typescript
+import { AuditLogArchive } from './constructs/cloudfront/logging';
+
+const auditLogs = new AuditLogArchive(this, 'AuditLogs', {
+  logGroupNames: [
+    '/aws/lambda/my-function-1',
+    '/aws/lambda/my-function-2',
+  ],
+  kmsKey: myKmsKey,
+  retentionDays: 30,              // CloudWatch Logs retention (default: 30)
+  archiveRetentionDays: 365,      // S3 archive retention (default: 365)
+  bucketName: 'my-audit-logs',    // Optional
+  databaseName: 'audit_logs',     // Optional
+});
+```
+
+## Properties
+
+| Property | Type | Required | Default | Description |
+|----------|------|----------|---------|-------------|
+| `logGroupNames` | `string[]` | Yes | - | CloudWatch Log Groups to archive |
+| `kmsKey` | `IKey` | Yes | - | KMS key for encryption |
+| `retentionDays` | `number` | No | 30 | CloudWatch Logs retention in days |
+| `archiveRetentionDays` | `number` | No | 365 | S3 archive retention in days |
+| `bucketName` | `string` | No | Auto-generated | S3 bucket name |
+| `databaseName` | `string` | No | `audit_logs` | Glue database name |
+
+## Outputs
+
+- `bucket`: S3 Bucket for archive storage
+- `database`: Glue Database for Athena
+- `table`: Glue Table with Parquet schema
+- `deliveryStream`: Kinesis Firehose delivery stream
+
+## Querying with Athena
+
+### Example Queries
+
+```sql
+-- View all logs from the last 7 days
+SELECT * FROM audit_logs.logs
+WHERE year = '2024' AND month = '12'
+ORDER BY timestamp DESC
+LIMIT 100;
+
+-- Count logs by log group
+SELECT log_group, COUNT(*) as count
+FROM audit_logs.logs
+WHERE year = '2024' AND month = '12'
+GROUP BY log_group;
+
+-- Search for specific events
+SELECT timestamp, message, log_group
+FROM audit_logs.logs
+WHERE message LIKE '%authentication%'
+AND year = '2024' AND month = '12';
+
+-- Find logs for a specific user
+SELECT * FROM audit_logs.logs
+WHERE user_id = 'user@example.com'
+AND year = '2024' AND month = '12'
+ORDER BY timestamp DESC;
+```
+
+## Schema
+
+| Column | Type | Description |
+|--------|------|-------------|
+| `timestamp` | bigint | Log timestamp in milliseconds |
+| `message` | string | Log message |
+| `log_group` | string | CloudWatch log group name |
+| `log_stream` | string | CloudWatch log stream name |
+| `event_type` | string | Event type (extracted from message) |
+| `user_id` | string | User identifier (if available) |
+| `ip_address` | string | Client IP address (if available) |
+
+**Partition Keys**: `year`, `month`, `day`
+
+## Cost Optimization
+
+### Storage Costs (per GB/month)
+- CloudWatch Logs: $0.50
+- S3 Standard: $0.023
+- S3 Intelligent-Tiering (90+ days): $0.0125
+- S3 Intelligent-Tiering (180+ days): $0.004
+
+### Query Costs
+- Athena: $5 per TB scanned
+- Parquet reduces scan size by 80-90% vs JSON
+
+### Example Cost (1TB logs/year)
+- CloudWatch (30 days): ~$15/month
+- S3 Archive (365 days): ~$5-10/month
+- Athena queries: ~$0.50 per TB scanned (vs $5 for JSON)
+
+**Total**: ~$20-25/month for 1TB of logs with full year retention
+
+## Best Practices
+
+1. **Use Partitions**: Always filter by year/month/day in queries
+2. **Limit Columns**: Select only needed columns to reduce scan size
+3. **Batch Queries**: Combine multiple queries to reduce overhead
+4. **Monitor Costs**: Use AWS Cost Explorer to track Athena usage
+5. **Lifecycle Policies**: Adjust retention based on compliance requirements
+
+## Integration with CloudFront Auth
+
+The `CloudFrontWithAzureAuth` construct automatically creates an `AuditLogArchive` instance for all authentication-related Lambda functions:
+
+- OAuth callback logs
+- Secret rotation logs
+- Session revocation logs
+- Stream processor logs
+
+Access via:
+```typescript
+const authConstruct = new CloudFrontWithAzureAuth(this, 'Auth', { ... });
+const auditBucket = authConstruct.auditLogArchive?.bucket;
+```

package/lib/cloudfront/patterns/SPLIT_STACK_USAGE.md

@@ -0,0 +1,138 @@
+# Split-Stack CloudFront Auth Architecture
+
+## Overview
+
+This architecture splits CloudFront authentication resources across two regions:
+- **Regional Stack (ap-southeast-2)**: DynamoDB, Secrets Manager, KMS, Lambda functions, audit logging
+- **CloudFront Stack (us-east-1)**: CloudFront Distribution, Lambda@Edge, CloudFront Functions, ACM Certificate
+
+## Benefits
+
+- Lower latency for ANZ traffic (DynamoDB in ap-southeast-2)
+- Reduced us-east-1 footprint
+- Better data locality
+- Regional Lambda functions closer to data
+
+## Usage Example
+
+```typescript
+import * as core from 'aws-cdk-lib';
+import { aws_s3 as s3, aws_cloudfront_origins as origins } from 'aws-cdk-lib';
+import * as local from '../constructs';
+
+// Regional Stack (ap-southeast-2)
+export class AuthRegionalStack extends core.Stack {
+  public readonly authInfra: local.cloudfront.patterns.AuthInfrastructure;
+
+  constructor(scope: core.App, id: string, props: core.StackProps) {
+    super(scope, id, props);
+
+    this.authInfra = new local.cloudfront.patterns.AuthInfrastructure(this, 'AuthInfra', {
+      domainNames: ['bicep-cdk.raindancers.cloud'],
+      redirectUri: 'https://bicep-cdk.raindancers.cloud/oauth2/callback',
+      hmacSecretRotationSchedule: core.Duration.hours(12),
+      autoRevokeOnReuse: true,
+      auditLogRetentionDays: 30,
+      auditArchiveRetentionDays: 365,
+    });
+  }
+}
+
+// CloudFront Stack (us-east-1)
+export class CloudFrontStack extends core.Stack {
+  constructor(
+    scope: core.App,
+    id: string,
+    props: core.StackProps & { 
+      regionalInfra: local.cloudfront.patterns.AuthInfrastructure;
+      jwtDecoderUrl: string;
+    }
+  ) {
+    super(scope, id, { ...props, crossRegionReferences: true });
+
+    const zone = new local.route53.PublicHostedZone(this, 'Zone', {
+      zoneName: 'bicep-cdk.raindancers.cloud',
+    });
+
+    const cert = new local.cloudfront.CloudFrontCertificate(this, 'Certificate', {
+      domainName: 'bicep-cdk.raindancers.cloud',
+      hostedZone: zone,
+    });
+
+    const webAcl = new local.cloudfront.CloudFrontWebAcl(this, 'WebAcl', {
+      rateLimit: 10000,
+      enableManagedRules: true,
+      allowedCountries: ['NewZealand', 'Australia'],
+    });
+
+    const bucket = new s3.Bucket(this, 'ContentBucket', {
+      encryption: s3.BucketEncryption.S3_MANAGED,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+    });
+
+    const authDistribution = new local.cloudfront.patterns.CloudFrontWithAzureAuthSplit(
+      this,
+      'AuthDistribution',
+      {
+        origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
+        domainNames: ['bicep-cdk.raindancers.cloud'],
+        certificate: cert.certificate,
+        webAclId: webAcl.webAclArn,
+        jwtDecoderUrl: props.jwtDecoderUrl,
+        regionalInfrastructure: props.regionalInfra,
+      }
+    );
+
+    new local.route53.CloudFrontAliasRecords(this, 'AliasRecords', {
+      zone: zone,
+      distribution: authDistribution.distribution,
+    });
+  }
+}
+
+// App
+const app = new core.App();
+
+const regionalStack = new AuthRegionalStack(app, 'AuthRegional', {
+  env: { region: 'ap-southeast-2', account: process.env.CDK_DEFAULT_ACCOUNT },
+});
+
+const cloudFrontStack = new CloudFrontStack(app, 'CloudFront', {
+  env: { region: 'us-east-1', account: process.env.CDK_DEFAULT_ACCOUNT },
+  crossRegionReferences: true,
+  regionalInfra: regionalStack.authInfra,
+  jwtDecoderUrl: 'https://example.com/jwt',
+});
+
+cloudFrontStack.addDependency(regionalStack);
+```
+
+## Migration from Single Stack
+
+If you're currently using `CloudFrontWithAzureAuth`:
+
+1. Create new regional stack with `AuthInfrastructure`
+2. Create new CloudFront stack with `CloudFrontWithAzureAuthSplit`
+3. Deploy regional stack first
+4. Deploy CloudFront stack
+5. Update DNS
+6. Delete old single-stack resources
+
+## Resource Locations
+
+### ap-southeast-2
+- DynamoDB Table
+- Secrets Manager Secret
+- KMS Key
+- Lambda Functions (copy, rotate, stream processor, revocation)
+- CloudWatch Log Groups
+- S3 Audit Archive Bucket
+- IAM Role (created here, used in us-east-1)
+
+### us-east-1
+- CloudFront Distribution
+- CloudFront Function
+- Lambda@Edge Function
+- CloudFront KeyValueStore
+- ACM Certificate
+- WAF WebACL

package/package.json

@@ -54,7 +54,7 @@
   },
   "main": "lib/index.js",
   "license": "Apache-2.0",
-  "version": "0.0.0",
+  "version": "0.0.1",
   "jest": {
     "coverageProvider": "v8",
     "testMatch": [